A new user fails to log in to a PC because ISE denies IP assignment to the PC

Magolinya
Level 1

I have configured ISE in my network for user authentication. The problem is that a new user fails to log in because the PC doesn't get an IP address until I remove the ISE configuration from the switch port. What do I need to do for a new user to be authenticated without removing the ISE config from the switch port?

My access list on the switch is like this:

ip access-list extended ACL-ALLOW
permit ip any any
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
deny ip any any

5 Replies

@Magolinya does ISE successfully authenticate and authorise the user or not?

Is the switchport interface configured for "open" or "closed" mode?

Provide the configuration of your switch and provide some screenshots of your ISE Live Logs.

ISE authenticates and authorises users successfully.

SWITCH CONFIG

aaa new-model
!
!
aaa group server radius ise-group
server name ise-1
server name ise-2
ip radius source-interface Vlan20
!
aaa authentication dot1x default group ise-group
aaa authorization network default group ise-group
aaa authorization network auth-list group ise-group
aaa authorization auth-proxy default group ise-group
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group ise-group
aaa accounting dot1x default start-stop group ise-group
!
!
!
!
!
aaa server radius dynamic-author
client *.*.*.* server-key 7 **************************
client *.*.*.* server-key 7 **************************
!
aaa session-id common

!
!
!
!
no ip source-route
!
!
ip flow-cache timeout active 1
ip domain-name ***************
ip device tracking probe auto-source override

ip http server
ip http authentication local
ip http secure-server
ip http secure-active-session-modules none
ip http active-session-modules none
ip ssh version 2
ip ssh server algorithm mac hmac-sha2-256
ip ssh server algorithm encryption aes256-ctr
!
ip access-list extended ACL-ALLOW
permit ip any any
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
deny ip any any
ip radius source-interface Vlan20
!
!
snmp-server community *** RO
no snmp mib flash cache
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
!
radius server ise-1
address ipv4 *********** auth-port 1812 acct-port 1813
automate-tester username ******* idle-time 15
key 7 **************************
!
radius server ise-2
address ipv4 ************* auth-port 1812 acct-port 1813
automate-tester username ******* idle-time 15
key 7 **************************

PORT CONFIG

interface GigabitEthernet1/0/1
switchport access vlan 30
switchport mode access
switchport voice vlan 10
ip access-group ACL-ALLOW in
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge

@Magolinya Are you sure the user with the problem was successfully authenticated?

If you are only doing user authentication, then the computer will not get an IP address from DHCP until they have been authenticated and authorised by ISE. Once they have been authenticated and authorised by ISE your interface ACL - ACL-ALLOW would be applied. Generally during authorisation you'd push down a DACL to give full access, this DACL would override the interface ACL for that session.

DACL reference

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/212419-configure-per-user-dynamic-access-contro.html

The user only fails at first-time login on the PC. But when I removed the ISE config from the switch port, the user is authenticated using the domain and gets access to the PC. After that, when I return the ISE config to the switch port, the user is prompted by Cisco AnyConnect to enter credentials, and the user is then authenticated and authorised successfully.

In authorisation, I have a DACL which gives full access.

We only use ISE for authentication and authorisation.

So my only issue here is: can the PC get an IP address before authentication so that there is communication between the PC and ISE?

Or how can I configure ISE so that a new user can be authenticated and authorised during first-time login as a new user?


There could be a few factors behind the issues you are seeing.

Based on the switch configuration you shared, you are likely using a platform/software version that has a default of 'Closed' authentication mode. This means that the switchport will not accept any traffic except EAP prior to successful authentication/authorisation, regardless of the pre-auth ACL on the switchport. You would need to use both computer and user auth so that a successful computer auth would allow DHCP traffic. You could also enable 'Open' authentication on the switchport and move to a 'Low-Impact Mode' deployment model.

See the ISE Secure Wired Access Prescriptive Deployment Guide for more information and guidance.

If you are using EAP-TLS, you could also be running into a catch-22 issue with new user logins because they cannot authenticate due to the certificate not being enrolled yet, and cannot enroll the certificate because they don't have network access. See this community post with a related discussion.
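The reply above points at the two practical fixes: add machine authentication so the computer's session opens the port before the user logs on, or move the port to open ("low-impact") mode so DHCP and DNS work before authentication. The following is an added example of the second option, not configuration from the original thread, from Cisco, or from the poster. The interface name, VLANs and the classic `authentication ...` CLI are taken from the posted port config; the ACL name ACL-DEFAULT and its entries are assumptions chosen to illustrate the point. Note one detail in the posted ACL-ALLOW: its first line is `permit ip any any`, and IOS ACLs are matched top-down with first match wins, so every line after it is unreachable and the ACL permits all traffic before authentication. In closed mode that is harmless because the port drops everything but EAPOL anyway; in open mode it would expose the whole network to an unauthenticated host, so the example below leaves the permit-all out and relies on the dACL pushed by ISE to open the port.

```cisco
! Added example (not from the original thread or from Cisco): low-impact /
! open-mode port configuration for the problem described above.
! Assumptions: ACL name ACL-DEFAULT and its entries; interface, VLANs and
! CLI style are copied from the poster's configuration.
!
! Pre-authentication ACL: evaluated top-down, first match wins, so no
! "permit ip any any" here. Only what an unauthenticated host needs to get
! an address and resolve names is permitted; everything else waits for the
! dACL that ISE returns on successful authorisation.
ip access-list extended ACL-DEFAULT
 remark DHCP so the PC gets an address before it is authenticated
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any any eq domain
 remark TFTP / PXE boot (optional, drop if not used)
 permit udp any any eq tftp
 remark Drop and log everything else until ISE authorises the session
 deny ip any any log
!
interface GigabitEthernet1/0/1
 switchport access vlan 30
 switchport mode access
 switchport voice vlan 10
 ip access-group ACL-DEFAULT in
 authentication host-mode multi-auth
 ! "authentication open" is the one line that changes closed mode into
 ! low-impact mode: traffic is allowed subject to ACL-DEFAULT before
 ! authentication instead of being dropped.
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast edge
!
! Verification after a client connects (IOS 15.x classic commands):
!
! show authentication sessions interface GigabitEthernet1/0/1 details
!   "Status: Authorized" together with an "ACS ACL: xACSACLx-IP-..." line
!   shows that the dACL from ISE has replaced ACL-DEFAULT for that session.
!
! show ip access-lists ACL-DEFAULT
!   Hit counts on the "deny ip any any log" line show what an
!   unauthenticated host tried to reach. For a first-time domain logon that
!   will be the domain controllers (Kerberos, LDAP, SMB); see the note below
!   before adding them to the pre-auth ACL.
```

Two caveats for this design. First, open mode on its own does not solve the first-time-login case described in the thread: the PC now gets DHCP and DNS before authentication, but the Windows logon still has to reach a domain controller, and that traffic is dropped by the pre-auth ACL until the user session is authorised. Opening Kerberos, LDAP and SMB to the domain controllers for unauthenticated hosts widens the pre-auth exposure, which is why the reply above recommends machine authentication (the computer authenticates at boot, ISE authorises it, and the user logon then happens over an already-open port). Second, the `log` keyword on the final deny is useful while troubleshooting but ACL logging is punted to the CPU on most access switches, so remove it once the pre-auth ACL has settled.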