802.1x Stopped Working

AbelBurgos5029 · ‎05-04-2021

Hello everyone,

After months of 802.1x working perfectly in a small wired network, out of the sudden some things are not working properly. Here is what I am working with:

Windows 10 using native supplicant

C9300 24UX version 16.12.3a

ISE 2.6 (latest patch)

EAP-TLS is configured with AD acting as the root CA

Here is the problem: When I log into a machine (any machine) using my admin credentials it works; The ISE logs shows the authentication success, with the correct authorization policy and the switch authorizes the port (sh authentication sessions). If I do the same with any other account that is NOT an admin account then the problem arises. The ISE authenticates successfully, it gives the correct authorization profile and the correct Dacl is downloaded to the switchport. The problem is that the switchport never changes to authorized. It stays unauthorized the entire time and obviously traffic don't flow the way it should.

I did some troubleshooting with no luck. It is weird to me how when an admin account is used the switchport changes from unauthorized to authorized, but when a regular domain user account is used the switchport does not changes from unauthorized to authorized. At first I thought maybe CoA but if that was the case it wouldn't work with the admin account either. Right?

Any ideas on how should I look for? Any help will be highly appreciated.

Thanks

MHM Cisco World · ‎05-04-2021

can we see the interface config ?

AbelBurgos5029 · ‎05-04-2021

Hello,

It is an air gapped network but here is what I have configured in the interfaces:

switchport access vlan 100
switchport mode access
ip access-group PRE-AUTH in
authentication open
authentication order dot1x
authentication priority dot1x
authentication port-control auto
authentication periodic
dot1x pae authenticator
end

balaji.bandi · ‎05-05-2021

That is VLAN configuration, how about Physical port configuration :

Also post below output when the user authenticate

sho access-session int Gi x/x  details

also in VLAN config "ip access-group PRE-AUTH in" what is this content ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

AbelBurgos5029 · ‎05-05-2021

Hello,

Those are the physical port configs. There are more lines in the config but those are the ones related to the Dot1x.

The PRE-AUTH ACL has entries allowing the workstation to communicate with the domain controller, DNS, DHCP, TFTP and things like that.

Here is the output of when an admin user account is being used

sho access-session int Gi x/x  details

Interface: TenGigabit2/0/13

IIF-ID:________

Mac Address: ________

IPv6: ________

IPv4: 192.168.100.x

username: "my admin username.domain"

status: authorized

domain: Data

Oper host-mode: Single-host

Oper control dir: both

session timeout: 3600s

time out action: reauthenticate

common session ID: ________

Account session ID: Unknown

handle: ________

Current Policy: Policy_T2/0/13

ACS-ACL: xACSACLx_Domain_Admins_5eb95790

Here is the output when I use a regular domain user account:

sho access-session int Gi x/x details:

Interface: TenGigabit2/0/13

IIF-ID:________

Mac Address: ________

IPv6: ________

IPv4: 192.168.100.x

username: "domain username.domain"

status: Unauthorized

domain: Data

Oper host-mode: Single-host

Oper control dir: both

session timeout: 3600s

time out action: reauthenticate

common session ID: ________

Account session ID: Unknown

handle: ________

Current Policy: Policy_T2/0/13

ACS-ACL: xACSACLx_Domain_Users_5eb95850

Note how the only thing that is different is the status. Everything else works perfectly. When I look at the ISE logs, all the authentication and authorization process passes, the correct authorization profile is selected and the correct Dacl is sent to the switchport.

Thanks

MHM Cisco World · ‎05-06-2021

show session authentication detail,

can you share this ?

AbelBurgos5029 · ‎05-07-2021

Hello,

Did you mean #Sh authentication Sessions detail?

I will post the output once I have access to it again as it is air gapped network. Please hang tight I will post again Monday.

Thanks

AbelBurgos5029 · ‎05-17-2021

Hello,

Below is the output of the command. As you can see the ports shows "unauthorized" even tho it is passing the Authentication and Authorization in the ISE.



sho access-session int Gi x/x  details

Interface: TenGigabit2/0/13

IIF-ID:________

Mac Address: ________

IPv6: ________

IPv4: 192.168.100.x

username: "my admin username.domain"

status: authorized

domain: Data

Oper host-mode: Single-host

Oper control dir: both

session timeout: 3600s

time out action: reauthenticate

common session ID: ________

Account session ID: Unknown

handle: ________

Current Policy: Policy_T2/0/13

ACS-ACL: xACSACLx_Domain_Admins_5eb95790

Here is the output when I use a regular domain user account:

sho access-session int Gi x/x details:

Interface: TenGigabit2/0/13

IIF-ID:________

Mac Address: ________

IPv6: ________

IPv4: 192.168.100.x

username: "domain username.domain"

status: Unauthorized

domain: Data

Oper host-mode: Single-host

Oper control dir: both

session timeout: 3600s

time out action: reauthenticate

common session ID: ________

Account session ID: Unknown

handle: ________

Current Policy: Policy_T2/0/13

ACS-ACL: xACSACLx_Domain_Users_5eb95850