Access-session host-mode multi-domain enforcement issues

Kevin Marcan
Level 4

Hi Everyone,

I wanted to see if anyone has observed this design issue I have been noticing (across multiple code trains).
Most of my testing at this point has been done on a 9200 Compact, but the issue seems to persist on different hardware.

Goal: Restrict the port to one workstation and one phone, using host-mode multi-domain.
Important to note: the interface is operating in open mode from an ISE authentication perspective.

Issue: Enforcement behavior differences between "restrict" and "protect"
Restrict mode does not seem to properly enforce the expected behavior with Access-session host-mode multi-domain

1) Protect works as expected, and is properly enforcing the port to One Workstation, One Phone
protect - silently drop violating packets
2) Restrict mode seems to be operating in a very buggy pattern, and not enforcing (sort of)
restrict - drop violating packets and generate a syslog

To my understanding, both options should do enforcement, restrict mode also providing syslogging on the failure.


Details on findings:
On the surface, both modes seem to be doing the same thing. Here are the similarities (what's working):

1) Both modes restrict allowed authentications to 2 devices.

show access-session interface gigabitEthernet 1/0/8
Security violation caused by 1111.2222.3333: Violation action is (restrict or protect)
Interface                MAC Address    Method  Domain  Status Fg  Session ID
Gi1/0/8                  1111.1111.1111 dot1x   VOICE   Auth        XXXXXXXXX
Gi1/0/8                  2222.2222.2222 mab     DATA    Auth        XXXXXXXXX

2) Both modes limit the MAC address table to 2 devices

show mac address-table | include 1/0/8
10    1111.1111.1111    STATIC    Gi1/0/8
13    2222.2222.2222    STATIC    Gi1/0/8

Here is what's not working / buggy (restrict mode only):

1) Device-Tracking Database is learning about additional devices

show device-tracking database | inc 1/0/8

ARP 10.10.13.1    2222.2222.2222    Gi1/0/8    13    0005    1s     REACHABLE
DH4 10.10.10.1    1111.1111.1111    Gi1/0/8    10    0024    41s    REACHABLE
DH4 10.10.13.2    1111.2222.3333    Gi1/0/8    13    0024    3s     REACHABLE

Now this is where things get weird:
- Running restrict mode, only 2 devices are authenticated
- Only 2 MACs are learned in the MAC address table (matching the authenticated devices)
- All 3 devices are still pingable / reachable

What this looks like to me, is while restrict mode is preventing additional devices from showing up in the MAC address table, it is NOT actually dropping traffic as described.  Protect mode does not have the same issue.


Any thoughts on this fun one?!
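A quick way to check for the symptom described above (hosts reachable on the port that hold no authorised session) is to compare the two show outputs. This is an added example, not code from the original post; the sample output is constructed from the lines quoted in the post, and the column positions it parses are assumed to match the switch's default table layout.

```python
import re

# Constructed sample output, modelled on the show commands quoted in the post
# (not a capture from a real switch).
ACCESS_SESSION = """\
Interface                MAC Address    Method  Domain  Status Fg  Session ID
Gi1/0/8                  1111.1111.1111 dot1x   VOICE   Auth        XXXXXXXXX
Gi1/0/8                  2222.2222.2222 mab     DATA    Auth        XXXXXXXXX
"""

DEVICE_TRACKING = """\
ARP 10.10.13.1  2222.2222.2222  Gi1/0/8  13  0005  1s   REACHABLE
DH4 10.10.10.1  1111.1111.1111  Gi1/0/8  10  0024  41s  REACHABLE
DH4 10.10.13.2  1111.2222.3333  Gi1/0/8  13  0024  3s   REACHABLE
"""

# Cisco dotted-hex MAC format, e.g. 1111.2222.3333
MAC_RE = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}", re.I)


def authenticated_macs(text):
    """Map interface -> set of MACs that hold an authorised (Auth) session."""
    out = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip the header and anything that is not "<iface> <mac> <method> <domain> <status> ..."
        if len(fields) < 5 or not MAC_RE.fullmatch(fields[1]):
            continue
        iface, mac, status = fields[0], fields[1].lower(), fields[4]
        if status == "Auth":
            out.setdefault(iface, set()).add(mac)
    return out


def tracked_macs(text):
    """Map interface -> set of MACs present in the device-tracking database."""
    out = {}
    for line in text.splitlines():
        fields = line.split()
        # Layout assumed: <proto> <ip> <mac> <iface> <vlan> ...
        if len(fields) < 4 or not MAC_RE.fullmatch(fields[2]):
            continue
        out.setdefault(fields[3], set()).add(fields[2].lower())
    return out


def unexpected_hosts(access_session, device_tracking):
    """Return {interface: sorted MACs} that device tracking sees but that hold no session.
    A non-empty result on a multi-domain port means the violation action is not keeping
    the extra host off the wire even though its authentication was refused."""
    auth = authenticated_macs(access_session)
    return {
        iface: sorted(macs - auth.get(iface, set()))
        for iface, macs in tracked_macs(device_tracking).items()
        if macs - auth.get(iface, set())
    }


if __name__ == "__main__":
    print(unexpected_hosts(ACCESS_SESSION, DEVICE_TRACKING))  # {'Gi1/0/8': ['1111.2222.3333']}
```

Feed it the real output of both commands (per port, or the whole table) and an empty result means every tracked host also holds a session, which is what both restrict and protect should produce.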


3 Replies

Ruben Cocheno
Spotlight

@Kevin Marcan 

yeah

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

Arne Bier
VIP

@Kevin Marcan - that's interesting - I have not noticed this myself because I tend to shy away from multi-domain (mostly due to misbehaving desktop phones (avaya) that can have buggy FW from time to time - they don't land in the VOICE domain ... and then err-disable the port when PC and phone exceed the allowed MAC in DATA domain). This is in Low-Impact Mode BTW.

You mentioned open mode. Isn't it expected that there is no enforcement in open mode? I hadn't thought about what that means in terms of this MAC address limit though. I could be wrong. 

Is it worth sharing your "show derived-interface XXX" so we can see what is configured?

Kevin Marcan
Level 4

Pretty standard config. Some background: I am essentially looking to replicate what has previously been in place with port-security.
- Enforce a maximum MAC address limit (port security)
- Open mode from an ISE auth perspective

Closed mode does technically make restrict work, but at this stage I am hoping to avoid closed mode.
What I do find interesting is the behavior difference between restrict and protect; that is the part I am really getting hung up on.

interface GigabitEthernet1/0/8
description WiredISE Normal Port
switchport access vlan 13
switchport mode access
switchport voice vlan 10
authentication periodic
authentication timer reauthenticate server
access-session host-mode multi-domain
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber DOT1X-MAB
ip dhcp snooping limit rate 100