8959 Views | 0 Helpful | 8 Replies

ISE switch port dot1x policy map

Madura Malwatte
Level 4

Would appreciate it if someone could verify the switchport configuration I have for low-impact mode. My switch is running the Denali release. Do you see any issues with the policy-map and classes below? Also, what about service-template AUTH_SUCCESS; it's empty?

service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan
!
service-template CRITICAL_AUTH_ACCESS
 vlan 100
!
service-template AUTH_SUCCESS
 description Successful authentication
!
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match result-type aaa-timeout
 match authorization-status authorized
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
!
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
!
class-map type control subscriber match-any IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_AUTH_ACCESS
 match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
!
class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative
!
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_AUTH_ACCESS
 match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
!
policy-map type control subscriber DOT1X
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
   20 authenticate using mab priority 20
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL_AUTH_ACCESS
   20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   30 authorize
   40 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template AUTH_SUCCESS
 event violation match-all
  10 class always do-until-failure
   10 restrict

on the interface:

dot1x timeout tx-period 10
dot1x max-reauth-req 3

I tried to get as much as I could from the Wired Access Prescriptive Deployment Guide and the older one, which I can't seem to find online any longer. However, there are some class configs such as:

class-map type control subscriber match-all DOT1X
class-map type control subscriber match-all DOT1X_MEDIUM_PRIO
class-map type control subscriber match-all MAB
class-map type control subscriber match-all DOT1X_TIMEOUT

which are not used in the policy-map (refer to section Configuring and Understanding the IBNS 2.0 Policy in the above link). Are these required?

Accepted Solution

mnagired
Cisco Employee

1st, if you are using ISE as your AAA server, Concurrent Authentication doesn't work, so having these two auth statements under event session-started doesn't help.

 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
   20 authenticate using mab priority 20

2. 10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure

For Low-Impact mode, you have a pre-auth ACL on the interface, so just activating service templates for the Voice and Data VLANs doesn't help; you need to have a service template that pushes "permit ip any any".

3. Refer to the configuration below.

ip access-list extended IPV4_CRITICAL_AUTH_ACL
 permit ip any any
!
service-template DefaultCriticalAccess_SRV_TEMPLATE
 access-group IPV4_CRITICAL_AUTH_ACL
!
service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
 vlan 100
!
service-template DefaultCriticalVoice_SRV_TEMPLATE
 voice vlan
!
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match authorization-status authorized
 match result-type aaa-timeout
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match authorization-status unauthorized
 match result-type aaa-timeout
class-map type control subscriber match-all AUTHC_SUCCESS-AUTHZ_FAIL
 match authorization-status unauthorized
 match result-type success
class-map type control subscriber match-all DOT1X
 match method dot1x
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
class-map type control subscriber match-all DOT1X_TIMEOUT
 match method dot1x
 match result-type method dot1x method-timeout
 match result-type method-timeout
class-map type control subscriber match-any IN_CRITICAL_AUTH
 match activated-service-template DefaultCriticalVoice_SRV_TEMPLATE
class-map type control subscriber match-any IN_CRITICAL_AUTH_CLOSED_MODE
 match activated-service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
 match activated-service-template DefaultCriticalVoice_SRV_TEMPLATE
class-map type control subscriber match-all MAB
 match method mab
class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
 match activated-service-template DefaultCriticalVoice_SRV_TEMPLATE
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH_CLOSED_MODE
 match activated-service-template DefaultCriticalAuthVlan_SRV_TEMPL
!
policy-map type control subscriber LowImpact-dot1X_MAB
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
   20 activate service-template DefaultCriticalVoice_SRV_TEMPLATE
   25 activate service-template DefaultCriticalAccess_SRV_TEMPLATE
   30 authorize
   40 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event authentication-success match-all
 event violation match-all
  10 class always do-until-failure
   10 restrict
 event authorization-failure match-all
  10 class AUTHC_SUCCESS-AUTHZ_FAIL do-until-failure
   10 authentication-restart 60

I hope this helps.


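The review points in the accepted answer, as an added example that is not part of the thread and not Cisco tooling: a small Python lint over IBNS 2.0 control-subscriber policy text. It parses the service templates, class-maps and policy-map events, then flags two authenticate-using actions in one session-started class (concurrent authentication, which the answer says ISE does not support), a critical-auth class for unauthorized hosts whose activated templates carry no access-group (in low-impact mode the pre-auth ACL stays in force, the answer's second point), an activated service template that holds nothing but a description (the AUTH_SUCCESS question), and class-maps nothing references (the question about DOT1X, MAB and DOT1X_TIMEOUT). The two embedded configs are constructed, condensed versions of the original post and of the answer; the parser assumes running-config indentation; and low_impact is a parameter of this example, not a switch keyword.

```python
"""Lint an IOS-XE IBNS 2.0 config for this thread's review points: dot1x and MAB started together,
a critical-auth class that only sets VLANs behind a low-impact pre-auth ACL, a service template
holding only a description, and unreferenced class-maps.  Expects running-config indentation."""
import re

_BLOCK_RE = re.compile(r"^(service-template|class-map type control subscriber match-\S+|"
                       r"policy-map type control subscriber)\s+(\S+)$")
_EVENT_RE = re.compile(r"^event (\S+) match-\S+$")
_CLASS_USE_RE = re.compile(r"^\d+ class (\S+) do-\S+$")

# Constructed sample: the original poster's policy, condensed to the parts under review.
ORIGINAL_CONFIG = """\
service-template CRITICAL_AUTH_ACCESS
 vlan 100
service-template AUTH_SUCCESS
 description Successful authentication
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
class-map type control subscriber match-all DOT1X_TIMEOUT
 match method dot1x
policy-map type control subscriber DOT1X
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
   20 authenticate using mab priority 20
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL_AUTH_ACCESS
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template AUTH_SUCCESS
"""

# Constructed sample in the accepted answer's shape: dot1x alone at session start and a second
# critical template pushing the permit-any ACL (IPV4_CRITICAL_AUTH_ACL, defined elsewhere).
FIXED_CONFIG = """\
service-template DefaultCriticalAccess_SRV_TEMPLATE
 access-group IPV4_CRITICAL_AUTH_ACL
service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
 vlan 100
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match authorization-status unauthorized
 match result-type aaa-timeout
policy-map type control subscriber LowImpact-dot1X_MAB
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
   25 activate service-template DefaultCriticalAccess_SRV_TEMPLATE
 event authentication-success match-all
"""

def parse_ibns(config):
    """Return ({template: [attrs]}, {class_map: [matches]}, {event: [(class, [actions])]})."""
    templates, class_maps, policy, block, event = {}, {}, {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if m := _BLOCK_RE.match(line):                  # one of the three block types we track
            block, event = (m[1].split()[0], m[2]), None
            {"service-template": templates, "class-map": class_maps}.get(block[0], {})[block[1]] = []
        elif block is None or not raw[:1].isspace():    # some other top-level block (acl, interface)
            block = None
        elif block[0] == "service-template":
            if not line.startswith("description"):      # a description is not an attribute
                templates[block[1]].append(line)
        elif block[0] == "class-map":
            class_maps[block[1]].append(line)
        elif m := _EVENT_RE.match(line):
            event = m[1]
        elif (m := _CLASS_USE_RE.match(line)) and event is not None:
            policy.setdefault(event, []).append((m[1], []))
        elif event is not None and policy.get(event) and line[:1].isdigit():
            policy[event][-1][1].append(line.split(None, 1)[1])   # "<seq> <action ...>"
    return templates, class_maps, policy

def lint_ibns(config, low_impact=True):
    """Return 'CODE: detail' findings; an empty list means none of the review points fired."""
    templates, class_maps, policy = parse_ibns(config)
    findings, used = [], set()
    critical = {"match result-type aaa-timeout", "match authorization-status unauthorized"}
    for ev, entries in policy.items():
        for cls, actions in entries:
            used.add(cls)
            started = [a.split()[2] for a in actions if a.startswith("authenticate using")]
            if ev == "session-started" and len(started) > 1:   # ISE does not do concurrent auth
                findings.append(f"CONCURRENT_AUTH: {cls} starts {'+'.join(started)} together")
            activated = [a.split()[-1] for a in actions if a.startswith("activate service-template")]
            findings += [f"EMPTY_TEMPLATE: {ev}/{cls} activates {t}" for t in activated if not templates.get(t)]
            # Critical auth for an unauthorized host behind a low-impact pre-auth ACL: a VLAN change
            # alone leaves that ACL in force, so one activated template must push an access-group.
            pushes_acl = any(a.startswith("access-group") for t in activated for a in templates.get(t, []))
            if low_impact and critical <= set(class_maps.get(cls, [])) and not pushes_acl:
                findings.append(f"CRITICAL_AUTH_NO_ACL: {ev}/{cls} leaves the pre-auth ACL in force")
    findings += [f"UNUSED_CLASS: {n} is defined but never referenced" for n in sorted(set(class_maps) - used)]
    return findings
```

lint_ibns(ORIGINAL_CONFIG) returns one finding per review point and lint_ibns(FIXED_CONFIG) returns none. The lint only reads the policy text, so it cannot see whether a pre-auth ACL is actually applied on the interface; that is why low-impact mode is passed in as a parameter rather than detected.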
8 Replies

Nadav
Level 7

Hi,

You need to have the following global configurations:

dot1x system-auth-control
dot1x critical eapol
aaa group server radius ISE
 server name ISE01
 server name ISE02
 ip radius source-interface Vlan254
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE 
aaa accounting Identity default start-stop group ISE
aaa accounting update newinfo periodic 2880

Change the source-interface VLAN as necessary. You can also change the group name if you like.

As for the interface configurations, you'll need these in addition to what you've shared:

authentication periodic
authentication timer reauthenticate server / authentication timer reauthenticate <seconds>
access-session port-control auto

Any class-maps not used by IBNS are unnecessary. Sometimes there are some class-maps that can't be deleted; if that's the case, they are harmless.

Hi Nadav,

Thanks for the response. I have the rest of the config which should be fine. I was in particular interested in the class-maps and policy-map config.

What about service-template AUTH_SUCCESS, does something need to be configured in it?

Well, if you only leave it as a description it won't do anything, unless you plan on using it for easier readability when debugging.

Ok, what needs to go in there? Hence this thread, as to what I am missing.
Is there a config example for auth success? I couldn't find anything.

I'm not sure why you put it in there to begin with; if you're interested in working according to the prescriptive deployment guide you linked, then you should be consistent.

There is an example of a policy-map there for port authentication, and it didn't use any such service template.

The policy-map ended with:

event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
event authentication-success match-all
event violation match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE

You can change the policy-map to suit your needs. No need to add class-maps and service templates you have no intention on using.

The prescriptive guide has that service template under event authentication-success; it's called "DEFAULT_LINKSEC_POLICY_SHOULD_SECURE", but there are no details on this service-template, and I could not find any reference in Cisco or other documentation to what is meant to be configured in it. The comment next to it in the prescriptive guide just says "with successful authentication, activate service-template with full access". I have a pre-auth ACL on my dot1x interfaces, and access depends on what type of device has authenticated, where a dACL is pushed down or a VLAN change is done. Hence it's confusing what the authentication-success event and its service-template (DEFAULT_LINKSEC_POLICY_SHOULD_SECURE) are meant to do.

The service-template in my config is just called a different name (AUTH_SUCCESS) instead of DEFAULT_LINKSEC_POLICY_SHOULD_SECURE.


@mnagired wrote:

1st, if you are using ISE as your AAA server, Concurrent Authentication doesn't work, so having these two auth statements under event session-started doesn't help.

 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
   20 authenticate using mab priority 20

This is not correct. We are using ISE 2.4 with an IBNS2 policy and have been using concurrent authentication for several years. Most desktop PCs will pass authentication for MAB immediately, with dot1x sometimes taking a few seconds longer. Given that dot1x has a higher priority, it will override the MAB auth.