02-02-2018 09:24 AM
I am having an issue getting an XE switch with CPL to authenticate existing connections when I apply the configuration template to the interfaces. This is normal. On non-CPL switches I simply do a "clear auth session" followed by a "clear mac address-table dynamic". When the MAC address table is repopulated the authentication process is run. This doesn't happen on CPL. If I do a "clear access-session" followed by "clear mac address-table dynamic", there are no authentication sessions showing up even though I see the MAC addresses show back up in the MAC address table. If I bounce the port the authentications work just fine.
I haven't determined if maybe there is a bug with the "clear mac address-table dynamic" not actually clearing out the MAC address table.
Is there a different way I should be starting sessions over on XE CPL switches?
02-05-2018 02:14 PM
Hi Paul,
I tested this in my lab and what I notice is that this appears to be a bug in the new style. Since the MAC address is programmed statically, the 'clear mac address-table' command has no impact. The difference I see between legacy and new-style is that when I issue a 'clear authentication session' command the static MAC address is cleared too, while with 'clear access-session' this doesn't happen. Without a "session start" (IOS detecting a new MAC address on the port), there won't be a new auth session context built around it; a port bounce makes the switch relearn the MAC address, hence a workaround. Will raise a bug and follow up with our developers. Hope this helps.
Cheers,
~Hari
c3850-switch#show auth sessions interface Gi 1/0/3 | inc Address|---|Auth
Interface    MAC Address     Method  Domain  Status  Fg  Session ID
----------------------------------------------------------------------
Gi1/0/3      1c17.d341.d0ce  mab     VOICE   Auth        AC14FE0100000FAD0024EEEC
c3850-switch#
c3850-switch#show mac address-table interface gigabitEthernet 1/0/3
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 101    1c17.d341.d0ce    STATIC      Gi1/0/3
Total Mac Addresses for this criterion: 1
c3850-switch#clear authentication sessions interface gigabitEthernet 1/0/3
c3850-switch#show mac address-table interface gigabitEthernet 1/0/3
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
c3850-switch#
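The state Hari reproduced above (session gone, MAC still programmed STATIC, so no session start ever fires) is easy to miss when a clear is scripted across many ports. The following is an added example, not code from the thread or from Cisco: it parses the two show outputs quoted above and classifies the port so an operator can see whether a clear actually removed the MAC entry or only the session. The sample outputs are constructed to match the shape of the ones in the thread (same MAC, port and session ID); the state names and the norm_iface helper are my own.

```python
"""Classify an 802.1X/MAB port from 'show mac address-table interface' and
'show authentication sessions interface' output, to catch the orphaned STATIC
MAC entry that 'clear access-session' leaves behind on a new-style (CPL) switch."""
import re
from dataclasses import dataclass
from typing import List

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
# e.g. " 101    1c17.d341.d0ce    STATIC      Gi1/0/3"
MAC_ROW = re.compile(rf"^\s*(\d+)\s+({MAC})\s+(STATIC|DYNAMIC)\s+(\S+)\s*$", re.I)
# e.g. "Gi1/0/3  1c17.d341.d0ce  mab  VOICE  Auth  AC14FE0100000FAD0024EEEC"
# The Fg column is usually blank, so it is optional.
AUTH_ROW = re.compile(
    rf"^\s*(\S+)\s+({MAC})\s+(\S+)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?([0-9A-F]+)\s*$", re.I
)


@dataclass(frozen=True)
class MacEntry:
    vlan: int
    mac: str
    kind: str  # STATIC or DYNAMIC
    port: str  # normalised, e.g. gi1/0/3


@dataclass(frozen=True)
class AuthSession:
    port: str
    mac: str
    method: str
    domain: str
    status: str
    session_id: str


def norm_iface(name: str) -> str:
    """'GigabitEthernet1/0/3', 'Gi 1/0/3' and 'Gi1/0/3' all become 'gi1/0/3'."""
    m = re.match(r"\s*([A-Za-z]{2})[A-Za-z-]*\s*([\d/.]+)\s*$", name)
    if not m:
        raise ValueError(f"not an interface name: {name!r}")
    return (m.group(1) + m.group(2)).lower()


def parse_mac_table(text: str) -> List[MacEntry]:
    out = []
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:  # header, separator and 'Total ...' lines do not match
            out.append(MacEntry(int(m[1]), m[2].lower(), m[3].upper(), norm_iface(m[4])))
    return out


def parse_auth_sessions(text: str) -> List[AuthSession]:
    out = []
    for line in text.splitlines():
        m = AUTH_ROW.match(line)
        if m:
            out.append(AuthSession(norm_iface(m[1]), m[2].lower(), m[3], m[4], m[5], m[7].upper()))
    return out


def classify_port(mac_text: str, auth_text: str, interface: str) -> str:
    """One of: orphaned-static, unauthenticated-dynamic, authenticated, empty.

    orphaned-static is the state the thread describes after 'clear access-session':
    the MAC is still programmed STATIC on the port, so no new frame triggers a
    session start and nothing re-authenticates until that entry is gone.
    """
    port = norm_iface(interface)
    macs = [e for e in parse_mac_table(mac_text) if e.port == port]
    authed = {s.mac for s in parse_auth_sessions(auth_text) if s.port == port}
    if any(e.kind == "STATIC" and e.mac not in authed for e in macs):
        return "orphaned-static"
    if any(e.kind == "DYNAMIC" and e.mac not in authed for e in macs):
        return "unauthenticated-dynamic"
    return "authenticated" if authed else "empty"


# Constructed sample outputs shaped like the ones quoted in the thread,
# not captured from a live switch.
AUTH_BEFORE = """\
Interface    MAC Address     Method  Domain  Status  Fg  Session ID
----------------------------------------------------------------------
Gi1/0/3      1c17.d341.d0ce  mab     VOICE   Auth        AC14FE0100000FAD0024EEEC
"""
AUTH_NONE = """\
Interface    MAC Address     Method  Domain  Status  Fg  Session ID
----------------------------------------------------------------------
"""
MAC_STATIC = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 101    1c17.d341.d0ce    STATIC      Gi1/0/3
Total Mac Addresses for this criterion: 1
"""
MAC_EMPTY = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
"""

if __name__ == "__main__":
    # before any clear: session present, MAC programmed STATIC
    print(classify_port(MAC_STATIC, AUTH_BEFORE, "GigabitEthernet1/0/3"))
    # after 'clear access-session': session gone, STATIC MAC left behind
    print(classify_port(MAC_STATIC, AUTH_NONE, "Gi 1/0/3"))
    # after 'clear authentication sessions' (Hari's lab): MAC entry gone too
    print(classify_port(MAC_EMPTY, AUTH_NONE, "gi1/0/3"))
```

In practice the two show outputs would be collected per port right after the clear command; a result of orphaned-static means the port is in the exact state the thread describes, and the switch will not build a new session for that MAC on its own.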
02-05-2018 11:11 AM
Hi Paul,
Could you share the interface and policy-map configurations?
~Hari
02-05-2018 11:15 AM
Here you go. This is the template we are using. I am not worried about the template, as I and other ISE engineers here have used it on ISE installs. I am just asking how to properly clear authentication sessions and get them to restart. As I said in the original post, a "clear auth session" and "clear mac address-table dynamic" always works on non-CPL switches.
aaa group server radius ISE-RADIUS
 server name
!
!**CPL**
!
ip access-list extended PERMIT-ANY
 permit ip any any
!
service-template CRITICAL
 description Apply When none of the RADIUS servers are reachable
 access-group PERMIT-ANY
!
class-map type control subscriber match-any AAA-DOWN
 match result-type aaa-timeout
!
class-map type control subscriber match-all DOT1X-FAILED
 match method dot1x
 match result-type method dot1x authoritative
!
policy-map type control subscriber DOT1X-DEFAULT
 event session-started match-all
  10 class always do-all
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event violation match-all
  10 class always do-all
   10 restrict
 event agent-found match-all
  10 class always do-all
   10 terminate mab
   20 authenticate using dot1x priority 10
 event authentication-failure match-first
  10 class AAA-DOWN do-all
   10 authorize
   20 activate service-template CRITICAL
   30 terminate dot1x
   40 terminate mab
   50 pause reauthentication
  20 class DOT1X-FAILED do-all
   10 terminate dot1x
   20 authenticate using mab priority 20
 event aaa-available match-all
  10 class always do-all
   10 clear-session
!
!**PORT CONFIG**
!
interface GigabitEthernet1/0/10
 description ISE-802.1x
 switchport mode access
 authentication periodic
 authentication timer reauthenticate server
 access-session control-direction in
 access-session port-control auto
 no access-session closed
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 service-policy type control subscriber DOT1X-DEFAULT
!
02-05-2018 02:27 PM
Yeah I sort of figured that was what was happening. Obviously, doing a port bounce is not an option if we are trying to unobtrusively put the switch into Monitor mode.
Thanks for checking on this.
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
02-06-2018 05:40 AM
One question I have is when you initially deploy the template to the interface the MAC address entry is not static. Shouldn't the MAC address get authenticated or a "clear mac address-table dynamic" work? I am seeing this issue even on the initial application of the template. I have to bounce the port to get authentications to show up. The 802.1x ones will work right away because they are responding to the EAPoL, but MAB ones aren't showing up without a port bounce.
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
02-06-2018 07:45 AM
In my tests I can trigger a reauthentication after applying a different template by issuing the command “clear authentication session”
George
Warning: I either dictated this to my device, or typed it with my thumbs. Erroneous words are a feature, not a typo.