'authentication control-direction in' in authentication CLOSED mode

Josh Morris
Level 3

Switch: 4510R+E, running a DEV version based off 3.6.0

ISE: 1.2.0.899 patch 7


Hi, I have been working on a weird issue where some of my clients would randomly drop their IP address and the only way I could get it back was to move their port to authentication open mode. I need to run in closed mode because I change VLANs via MAB. 

I have been working with TAC, and they suggested I add the command 'authentication control-direction in' to my switchport config (below). With the couple of tests I've done, this seems to help. But I would like to understand why. Doesn't the control-direction command somewhat nullify the premise of running in closed mode? i.e., it allows some communication before the device is authorized. Thanks.

interface GigabitEthernet2/18
 switchport access vlan 34
 switchport mode access
 switchport voice vlan 66
 logging event link-status
 authentication event fail action next-method
 authentication event server dead action authorize vlan 34
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize 
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 service-policy input QoS-Input-Policy
 service-policy output QoS-Host-Port-Output-Policy
end

1 Accepted Solution

Accepted Solutions

phosawyer
Level 1

I also needed to use this command to keep devices authenticated. It was happening with a CCTV system that was an embedded Linux OS. It was on MAB and because it wasn't transmitting any traffic (unlike a noisy Windows box), the switch wouldn't be able to reauth it as it had no MAC address to be able to auth, so it would show up with an 'unknown' in the MAC field.

Basically it allows traffic to flow out of the port. This enabled the device to be able to receive HTTP traffic and made it respond and then the switch could auth it again once the device sent a frame.

When you do a 'show authentication sessions' you will notice 'Oper control dir: both' will change to 'Oper control dir: in'.


5 Replies

Dave Saunders
Level 1

Add this line to the DACL. It will resolve it.

permit udp any eq bootpc any eq bootps


Thanks Dave. I'm assuming you mean add this line to the Auth-Default-ACL that gets applied prior to authorization. In the 4510, it already allows that traffic. Here is the default ACL...

Extended IP access list Auth-Default-ACL
    10 permit udp any any eq domain
    20 permit tcp any any eq domain
    30 permit udp any eq bootps any
    40 permit udp any any eq bootpc
    50 permit udp any eq bootpc any
    60 deny ip any any


yenaungoo
Level 1

Hi, I also have a similar issue with MAB (authentication closed mode) for one legacy printer model (just sometimes).

- ISE 1.2, Cisco Switches (C3560, 2960X with IOS 12.2(55)SE7)


Can it be an ISE / IOS bug? If so, can you help share the Bug ID?

Please also suggest how to verify the default rule "Auth-Default-ACL".

Thanks,

Neither ISE nor the switch is the root cause of the issue. This is the behavior of some hosts (printers, cameras, PCs, ...) that will go into sleep mode and need a WoL magic packet from the switch to wake up, so 'authentication control-direction in' can help in such scenarios.
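A small audit script for the situation discussed in this thread, added here as an example and not part of any post or of Cisco's tooling: it parses interface blocks out of a running-config and flags MAB ports in closed mode (no 'authentication open') that do not carry 'authentication control-direction in', i.e. ports where a sleeping host cannot receive a wake-up frame before it is authorized. The sample config is constructed, modelled on the Gi2/18 port above.

```python
# Constructed sample running-config excerpt, modelled on the port in this thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet2/18
 switchport access vlan 34
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet2/19
 authentication control-direction in
 authentication port-control auto
 mab
!
interface GigabitEthernet2/20
 authentication open
 authentication port-control auto
 mab
!
interface GigabitEthernet2/21
 authentication port-control auto
 dot1x pae authenticator
!
"""


def parse_interfaces(config):
    """Split an IOS-style running-config into {interface name: set of config lines}."""
    blocks = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = set()
        elif line == "!":
            current = None          # '!' terminates the interface block
        elif current is not None and line:
            blocks[current].add(line)
    return blocks


def closed_mab_ports_missing_control_direction_in(config):
    """Return MAB ports under 802.1X control that are in closed mode but lack
    'authentication control-direction in'. Open-mode ports already let traffic
    through, and ports without MAB are outside the scenario in this thread."""
    flagged = []
    for name, lines in parse_interfaces(config).items():
        if "authentication port-control auto" not in lines or "mab" not in lines:
            continue
        if "authentication open" in lines:
            continue
        if "authentication control-direction in" not in lines:
            flagged.append(name)
    return flagged
```

Run it against the output of 'show running-config' saved to a file to get a list of candidate ports before deciding, per port, whether the unidirectional controlled port is acceptable for the hosts behind it.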