05-04-2021 02:18 PM
Hello everyone,
After months of 802.1x working perfectly in a small wired network, all of a sudden some things are not working properly. Here is what I am working with:
Windows 10 using native supplicant
C9300 24UX version 16.12.3a
ISE 2.6 (latest patch)
EAP-TLS is configured with AD acting as the root CA
Here is the problem: when I log into a machine (any machine) using my admin credentials it works; the ISE logs show the authentication success with the correct authorization policy, and the switch authorizes the port (sh authentication sessions). If I do the same with any other account that is NOT an admin account, then the problem arises. The ISE authenticates successfully, it gives the correct authorization profile, and the correct dACL is downloaded to the switchport. The problem is that the switchport never changes to authorized. It stays unauthorized the entire time, and obviously traffic doesn't flow the way it should.
I did some troubleshooting with no luck. It is weird to me how, when an admin account is used, the switchport changes from unauthorized to authorized, but when a regular domain user account is used the switchport does not change from unauthorized to authorized. At first I thought maybe CoA, but if that was the case it wouldn't work with the admin account either. Right?
Any ideas on where I should look? Any help will be highly appreciated.
Thanks
05-04-2021 04:11 PM
Can we see the interface config?
05-04-2021 04:48 PM
Hello,
It is an air-gapped network, but here is what I have configured on the interfaces:
switchport access vlan 100
switchport mode access
ip access-group PRE-AUTH in
authentication open
authentication order dot1x
authentication priority dot1x
authentication port-control auto
authentication periodic
dot1x pae authenticator
end
05-05-2021 03:27 AM
That is the VLAN configuration; how about the physical port configuration?
Also post the output below when the user authenticates:
sho access-session int Gi x/x details
Also, in the VLAN config, what is the content of "ip access-group PRE-AUTH in"?
05-05-2021 05:38 AM - edited 05-05-2021 05:40 AM
Hello,
Those are the physical port configs. There are more lines in the config, but those are the ones related to dot1x.
The PRE-AUTH ACL has entries allowing the workstation to communicate with the domain controller, DNS, DHCP, TFTP, and things like that.
Here is the output when an admin user account is being used:
sho access-session int Gi x/x details
Interface: TenGigabit2/0/13
IIF-ID:________
Mac Address: ________
IPv6: ________
IPv4: 192.168.100.x
username: "my admin username.domain"
status: authorized
domain: Data
Oper host-mode: Single-host
Oper control dir: both
session timeout: 3600s
time out action: reauthenticate
common session ID: ________
Account session ID: Unknown
handle: ________
Current Policy: Policy_T2/0/13
ACS-ACL: xACSACLx_Domain_Admins_5eb95790
Here is the output when I use a regular domain user account:
sho access-session int Gi x/x details:
Interface: TenGigabit2/0/13
IIF-ID:________
Mac Address: ________
IPv6: ________
IPv4: 192.168.100.x
username: "domain username.domain"
status: Unauthorized
domain: Data
Oper host-mode: Single-host
Oper control dir: both
session timeout: 3600s
time out action: reauthenticate
common session ID: ________
Account session ID: Unknown
handle: ________
Current Policy: Policy_T2/0/13
ACS-ACL: xACSACLx_Domain_Users_5eb95850
Note how the only thing that is different is the status. Everything else works perfectly. When I look at the ISE logs, the whole authentication and authorization process passes, the correct authorization profile is selected, and the correct dACL is sent to the switchport.
Thanks
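A way to triage this mechanically, as an added example that is not code from the thread or from Cisco: the Python below parses the "show access-session ... details" output into fields, diffs the two sessions while ignoring per-session identifiers, and flags any session that lists a downloaded dACL (ACS-ACL) while its status is not authorized. The sample text is constructed from the redacted outputs above (placeholder values kept); the function names and finding codes are the example's own.

```python
"""Triage helper for Cisco IOS-XE 'show access-session interface <if> details'.

Added example for this thread, not from the original poster or from Cisco.
The two sample outputs are constructed from the redacted outputs posted in
the thread (placeholder values kept), so the script runs offline.
"""
import re
from typing import Dict, List

# Constructed sample: the admin-account session as posted (redacted fields kept).
ADMIN_SESSION = """\
Interface: TenGigabit2/0/13
IIF-ID:________
Mac Address: ________
IPv6: ________
IPv4: 192.168.100.x
username: "my admin username.domain"
status: authorized
domain: Data
Oper host-mode: Single-host
Oper control dir: both
session timeout: 3600s
time out action: reauthenticate
common session ID: ________
Account session ID: Unknown
handle: ________
Current Policy: Policy_T2/0/13
ACS-ACL: xACSACLx_Domain_Admins_5eb95790
"""

# Constructed sample: the regular domain-user session as posted.
USER_SESSION = """\
Interface: TenGigabit2/0/13
IIF-ID:________
Mac Address: ________
IPv6: ________
IPv4: 192.168.100.x
username: "domain username.domain"
status: Unauthorized
domain: Data
Oper host-mode: Single-host
Oper control dir: both
session timeout: 3600s
time out action: reauthenticate
common session ID: ________
Account session ID: Unknown
handle: ________
Current Policy: Policy_T2/0/13
ACS-ACL: xACSACLx_Domain_Users_5eb95850
"""

# One "Key: value" pair per line; keys may contain spaces and hyphens (ACS-ACL,
# Oper host-mode), and the colon may have no space after it (IIF-ID:________).
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 \-]*?)\s*:\s*(.*?)\s*$")

# Fields that legitimately differ between any two sessions; ignored when diffing.
VOLATILE = {
    "iif-id", "mac address", "ipv4", "ipv6", "username",
    "common session id", "account session id", "handle",
}


def parse_access_session(text: str) -> Dict[str, str]:
    """Return the session as a dict with lower-cased keys and unquoted values."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip().strip('"')
    return fields


def diff_sessions(a: Dict[str, str], b: Dict[str, str]) -> Dict[str, tuple]:
    """Fields whose values differ between two parsed sessions, volatile ones excluded."""
    keys = sorted((set(a) | set(b)) - VOLATILE)
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}


def audit_session(fields: Dict[str, str]) -> List[str]:
    """Finding codes for one session; empty list means nothing looks inconsistent."""
    findings: List[str] = []
    authorized = fields.get("status", "").lower() == "authorized"
    dacl = fields.get("acs-acl", "")
    # The switch lists the dACL it received from ISE, yet the session never
    # reached the authorized state: authorization was granted but not completed.
    if dacl and not authorized:
        findings.append("DACL_RECEIVED_BUT_UNAUTHORIZED")
    # A policy named with no dACL and no authorized state is the ordinary
    # pre-auth condition; only report it when the port is still in flux.
    if not dacl and not authorized:
        findings.append("NO_DACL_AND_UNAUTHORIZED")
    return findings


def audit_all(sessions: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit several raw outputs keyed by a label; only sessions with findings are returned."""
    result: Dict[str, List[str]] = {}
    for label, raw in sessions.items():
        codes = audit_session(parse_access_session(raw))
        if codes:
            result[label] = codes
    return result


if __name__ == "__main__":
    admin, user = parse_access_session(ADMIN_SESSION), parse_access_session(USER_SESSION)
    print("differences (volatile fields ignored):", diff_sessions(admin, user))
    print("findings:", audit_all({"admin": ADMIN_SESSION, "user": USER_SESSION}))
```

Against the two posted outputs the diff reduces to "status" and "acs-acl", and only the domain-user session is flagged. Feed it the full "show access-session interface ... details" text rather than the trimmed version posted here: the complete output also carries the per-method status and the server policies the switch believes it applied, which is where the gap between "dACL received" and "session authorized" will show up.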
05-06-2021 07:04 PM
show session authentication detail
Can you share this?
05-07-2021 05:19 AM
Hello,
Did you mean #Sh authentication Sessions detail?
I will post the output once I have access to it again, as it is an air-gapped network. Please hang tight; I will post again Monday.
Thanks
05-17-2021 05:16 AM
Hello,
Below is the output of the command. As you can see, the port shows "unauthorized" even though it is passing authentication and authorization in ISE.
sho access-session int Gi x/x details
Interface: TenGigabit2/0/13
IIF-ID:________
Mac Address: ________
IPv6: ________
IPv4: 192.168.100.x
username: "my admin username.domain"
status: authorized
domain: Data
Oper host-mode: Single-host
Oper control dir: both
session timeout: 3600s
time out action: reauthenticate
common session ID: ________
Account session ID: Unknown
handle: ________
Current Policy: Policy_T2/0/13
ACS-ACL: xACSACLx_Domain_Admins_5eb95790
Here is the output when I use a regular domain user account:
sho access-session int Gi x/x details:
Interface: TenGigabit2/0/13
IIF-ID:________
Mac Address: ________
IPv6: ________
IPv4: 192.168.100.x
username: "domain username.domain"
status: Unauthorized
domain: Data
Oper host-mode: Single-host
Oper control dir: both
session timeout: 3600s
time out action: reauthenticate
common session ID: ________
Account session ID: Unknown
handle: ________
Current Policy: Policy_T2/0/13
ACS-ACL: xACSACLx_Domain_Users_5eb95850