NEAT with Interface Template question and authentication issue

jayage
Level 1

Hi guys,

I am currently struggling with the authentication of an IE switch and the implementation of interface templates.

We're using .1X on all of our access ports with a static port configuration including auth host-mode multi-domain, as we use Cisco phones and want to allow only one device behind the phone. At our branches, 3650s with 16.3.6 or newer are widely deployed. An ISE cluster is hosted in version 2.4 patch 2.

We recently started a new project at some of our production sites. They want to connect Cisco industrial switches (IE-1000 and IE-2000 series with some machines, sensors etc. linked) without our interaction, without having someone change the authenticator's switch port. They want to simply link them and have it working whenever they need it.

At the moment we use access vlan X and voice vlan Y on our standard ports, but the IE switches (or at least the devices connected to them) should land in vlan Z. I tried to use NEAT to change the port from mode access to trunk, but at the moment the industrial switch I have for testing (IE-2000-8TC-G-B version 15.2(4)EA5) doesn't even authenticate. I can't find any RADIUS session on ISE either. I tried to authenticate the IE switch with different port configurations.

At the beginning I started with trunk on both sides, then trunk on the supplicant side with native vlan Z and mode access with access vlan Z on the authenticator side. I also tried mode access with vlan Z on both sides. As long as authentication open is set I can reach the IE switch, but it never authenticates. I use EAP-FAST with an ISE internal user. MD5 is not allowed per security policy.

Then, the next problem I see is changing the host-mode (multi-auth), as the authenticator port would go down as soon as several MACs are seen behind the IE.

I thought I could make this work with an interface template, but unfortunately I didn't find an option to change the authentication host-mode to multi-host on the authenticator's access ports. Is there another way to do this, or do you maybe suggest another solution?

Supplicant config:

ip radius source-interface vlan Z
!
eap profile eap-fast
 method fast
!
dot1x system-auth-control
dot1x credentials lab-switch
 username user
 password pw
!
dot1x supplicant force-multicast
!
interface Gi1/2
 switchport mode trunk
 dot1x pae supplicant
 dot1x credentials lab-switch
 dot1x supplicant eap profile eap-fast

Default authenticator port config is:

description Default-Port
 switchport access vlan X
 switchport mode access
 switchport nonegotiate
 switchport voice vlan Y
 device-tracking
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable

Btw, the authenticator very frequently spams session-fail messages showing different MACs (D141 is the one of SVI Z / D102 the one of the supplicant uplink port):

Nov  1 10:39:42.030: %SESSION_MGR-5-FAIL:Switch 1 R0/0: smd:  Authorization failed or unapplied for client (00A3.D1FC.D102) on Interface GigabitEthernet3/0/7 AuditSessionID 0A2429FA000024BFCEDB75BF
Nov  1 10:39:43.002: %SESSION_MGR-5-FAIL:Switch 1 R0/0: smd:  Authorization failed or unapplied for client (00A3.D1FC.D141) on Interface GigabitEthernet3/0/7 AuditSessionID 0A2429FA000024C0CEDB798E
Nov  1 10:39:50.305: %SESSION_MGR-5-FAIL:Switch 1 R0/0: smd:  Authorization failed or unapplied for client (00A3.D1FF.D102) on Interface GigabitEthernet3/0/7 AuditSessionID 0A2429FA000024C1CEDB9616
Nov  1 10:39:51.028: %SESSION_MGR-5-FAIL:Switch 1 R0/0: smd:  Authorization failed or unapplied for client (00A3.D1FF.D141) on Interface GigabitEthernet3/0/7 AuditSessionID 0A2429FA000024C2CEDB98EA
Nov  1 10:40:20.202: %SESSION_MGR-5-FAIL:Switch 1 R0/0: smd:  Authorization failed or unapplied for client (00A3.D1FF.D102) on Interface GigabitEthernet3/0/7 AuditSessionID 0A2429FA000024C3CEDC0ADF
Nov  1 10:40:21.139: %SESSION_MGR-5-FAIL:Switch 1 R0/0: smd:  Authorization failed or unapplied for client (00A3.D1FF.D141) on Interface GigabitEthernet3/0/7 AuditSessionID 0A2429FA000024C4CEDC0E89
Nov  1 10:40:35.426: %SESSION_MGR-5-FAIL:Switch 1 R0/0: smd:  Authorization failed or unapplied for client (00A3.D1FF.D102) on Interface GigabitEthernet3/0/7 AuditSessionID 0A2429FA000024C5CEDC4657
Nov  1 10:40:36.193: %SESSION_MGR-5-FAIL:Switch 1 R0/0: smd:  Authorization failed or unapplied for client (00A3.D1FF.D141) on Interface GigabitEthernet3/0/7 AuditSessionID 0A2429FA000024C6CEDC4955
Nov  1 10:40:50.187: %SESSION_MGR-5-FAIL:Switch 1 R0/0: smd:  Authorization failed or unapplied for client (00A3.D1FF.D102) on Interface GigabitEthernet3/0/7 AuditSessionID 0A2429FA000024C7CEDC7FFB
Nov  1 10:40:50.239: %SESSION_MGR-5-FAIL:Switch 1 R0/0: smd:  Authorization failed or unapplied for client (00A3.D1FF.D141) on Interface GigabitEthernet3/0/7 AuditSessionID 0A2429FA000024C8CEDC8035

Authentication status looks like this (no username!):

sh auth ses int g 3/0/7 det
            Interface:  GigabitEthernet3/0/7
               IIF-ID:  0x1735EF09
          MAC Address:  00a3.d1ff.d141
         IPv6 Address:  Unknown
         IPv4 Address:  172.x.x.240
               Status:  Unauthorized
               Domain:  UNKNOWN
       Oper host mode:  multi-host
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  0A2429FA000024D8CEDEC845
      Acct Session ID:  Unknown
               Handle:  0x98000df7
       Current Policy:  POLICY_Gi3/0/7

Any help is greatly appreciated!

Thank you
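As an added example (not from the post or its replies), a small Python parser that turns the %SESSION_MGR-5-FAIL syslog lines quoted above into structured events and flags a port where several MACs keep failing authorization within a short window, the pattern the authenticator log above shows. The sample lines are copied from the post; the year is assumed because IOS syslog timestamps carry none, and the window and thresholds are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: six of the %SESSION_MGR-5-FAIL lines quoted in the post.
SAMPLE_LOG = """\
Nov  1 10:39:42.030: %SESSION_MGR-5-FAIL:Switch 1 R0/0: smd:  Authorization failed or unapplied for client (00A3.D1FC.D102) on Interface GigabitEthernet3/0/7 AuditSessionID 0A2429FA000024BFCEDB75BF
Nov  1 10:39:43.002: %SESSION_MGR-5-FAIL:Switch 1 R0/0: smd:  Authorization failed or unapplied for client (00A3.D1FC.D141) on Interface GigabitEthernet3/0/7 AuditSessionID 0A2429FA000024C0CEDB798E
Nov  1 10:39:50.305: %SESSION_MGR-5-FAIL:Switch 1 R0/0: smd:  Authorization failed or unapplied for client (00A3.D1FF.D102) on Interface GigabitEthernet3/0/7 AuditSessionID 0A2429FA000024C1CEDB9616
Nov  1 10:39:51.028: %SESSION_MGR-5-FAIL:Switch 1 R0/0: smd:  Authorization failed or unapplied for client (00A3.D1FF.D141) on Interface GigabitEthernet3/0/7 AuditSessionID 0A2429FA000024C2CEDB98EA
Nov  1 10:40:20.202: %SESSION_MGR-5-FAIL:Switch 1 R0/0: smd:  Authorization failed or unapplied for client (00A3.D1FF.D102) on Interface GigabitEthernet3/0/7 AuditSessionID 0A2429FA000024C3CEDC0ADF
Nov  1 10:40:21.139: %SESSION_MGR-5-FAIL:Switch 1 R0/0: smd:  Authorization failed or unapplied for client (00A3.D1FF.D141) on Interface GigabitEthernet3/0/7 AuditSessionID 0A2429FA000024C4CEDC0E89
"""

# Fields kept from each failure line: timestamp, client MAC, port and audit session id.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\.\d+: %SESSION_MGR-5-FAIL:.*?client "
    r"\((?P<mac>[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})\) on Interface "
    r"(?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-Fa-f]+)"
)

def parse_fail_lines(text, year=2000):
    """Parse SESSION_MGR-5-FAIL lines. IOS syslog has no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue  # not a session-manager failure line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        # Lower-case the MAC so it matches 'show authentication sessions' output.
        events.append({"ts": ts, "mac": m["mac"].lower(), "intf": m["intf"], "sid": m["sid"]})
    return events

def flapping_ports(events, window_s=60, min_fail=4, min_macs=2):
    """Ports with >= min_fail failures from >= min_macs distinct MACs inside any window_s window."""
    by_port = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_port[e["intf"]].append(e)
    flagged = {}
    for intf, evs in by_port.items():
        for i, first in enumerate(evs):
            win = [x for x in evs[i:] if (x["ts"] - first["ts"]).total_seconds() <= window_s]
            macs = {x["mac"] for x in win}
            if len(win) >= min_fail and len(macs) >= min_macs:
                flagged[intf] = {"failures": len(win), "macs": sorted(macs)}
                break
    return flagged
```

On the six sample lines, Gi3/0/7 is flagged with 6 failures from 4 distinct MACs inside one 60 s window; a port with one failing client or slow retries stays unflagged.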

2 Replies

hslai
Cisco Employee

jayage
Level 1

Does somebody have an idea? I still haven't found a solution yet.