01-29-2015 03:15 AM - edited 03-10-2019 10:23 PM
Hello
I'm looking at configuring ISE to authenticate AD-joined PCs (using AnyConnect NAM for user and machine authentication with EAP chaining) and to profile Cisco IP phones. The PCs and phones connect on the same switchport. The switchport configuration for this was:
switchport
switchport access vlan 102
switchport mode access
switchport voice vlan 101
authentication event fail action next-method
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
The above config worked fine with the "show authentication sessions" on the switch showing dot1x as the method for the DATA domain and mab for VOICE. I decided to reverse the authentication order/priority on the switch interface so that the phone would be authenticated first with mab. This resulted in the "show authentication sessions" on the switch showing mab as the method for both DATA and VOICE domains.
To prevent this I created an authorization policy on ISE to respond with an "Access-Reject" when the "UseCase = Host Lookup" and the Endpoint Identity Group was Unknown (the group containing the AD PC's). This worked fine - the switch would attempt to authenticate both PC and phone using mab. When an "Access-Reject" was received for the PC, the switch would move onto the next method and the PC would be successfully authenticated using dot1x.
The only problem with this is that the ISE logs soon become full with the denies caused by the authorisation policy - is there any way to achieve the above scenario without impacting on the logs?
Thanks
Andy
Solved! Go to Solution.
01-29-2015 04:51 PM
Hi Andy-
Have you tried to have the config in the following manner:
authentication order mab dot1x
authentication priority dot1x mab
This "order" will tell the switchport to always start with mab but the "priority" keyword will allow the switchport to accept dot1x authentications for dot1x capable devices.
For more info check out this link:
Thank you for rating helpful posts!
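To make the order/priority distinction concrete, here is a small Python model (an added example, not code from the thread, Cisco IOS or ISE) of a multi-domain port trying its methods in `authentication order` and letting a higher-`authentication priority` method take over a session. The switch and ISE behaviour it encodes is an abstraction of what the posts above describe (MAB reject with `fail action next-method` falls through to dot1x; a dot1x timeout with no supplicant is not a RADIUS transaction; a later EAPOL-Start only replaces an existing MAB session when dot1x is listed first in the priority). The MAC addresses, endpoint groups and the "reject Unknown on Host Lookup" rule are constructed to match the scenario in the question; the exact IOS state machine is assumed, not reproduced.

```python
# Added example: simplified model of 'authentication order' vs 'authentication priority'
# on an IOS multi-domain port. Switch/ISE behaviour here is an assumption drawn from the
# thread, not Cisco's implementation.
from dataclasses import dataclass, field


@dataclass
class PortConfig:
    order: tuple                    # 'authentication order ...'
    priority: tuple                 # 'authentication priority ...'
    fail_next_method: bool = True   # 'authentication event fail action next-method'


@dataclass
class Endpoint:
    mac: str
    domain: str                     # 'DATA' or 'VOICE'
    group: str                      # ISE endpoint identity group ('Unknown' for the AD PCs)
    supplicant: bool                # runs an 802.1X supplicant (AnyConnect NAM)?
    supplicant_ready_at_linkup: bool = True  # False: NAM loads after link-up (PC booting)


@dataclass
class RadiusLog:
    entries: list = field(default_factory=list)

    def record(self, mac, method, result):
        self.entries.append((mac, method, result))

    def rejects(self):
        return [e for e in self.entries if e[2] == "Access-Reject"]


def ise_mab_policy(ep, reject_unknown):
    """ISE authorization for MAB (UseCase = Host Lookup). reject_unknown=True is the
    rule from the question: endpoint group Unknown -> Access-Reject."""
    return "Access-Reject" if reject_unknown and ep.group == "Unknown" else "Access-Accept"


def run_dot1x(ep, log):
    """Supplicant present: EAP chaining succeeds (assumed). Absent: the switch times out
    waiting for EAPOL, which involves no RADIUS transaction, so nothing is logged."""
    if not ep.supplicant:
        return None
    log.record(ep.mac, "dot1x", "Access-Accept")
    return "Access-Accept"


def authenticate(cfg, ep, log, reject_unknown):
    """Return the method that ends up authorizing this endpoint's domain, or None."""
    session = None
    for method in cfg.order:        # link-up: try methods in the configured order
        if method == "mab":
            result = ise_mab_policy(ep, reject_unknown)
            log.record(ep.mac, "mab", result)
        else:
            result = run_dot1x(ep, log) if ep.supplicant_ready_at_linkup else None
        if result == "Access-Accept":
            session = method
            break
        if result == "Access-Reject" and not cfg.fail_next_method:
            break                   # failed authorization and no fallback configured
        # MAB reject with next-method, or dot1x timeout: fall through to the next method
    # Later the supplicant (e.g. NAM once the PC has booted) sends EAPOL-Start. dot1x may
    # start a session on an unauthorized port, or replace an existing session only if it
    # is listed before that session's method in 'authentication priority'.
    if ep.supplicant and session != "dot1x":
        can_override = session is None or \
            cfg.priority.index("dot1x") < cfg.priority.index(session)
        if can_override and run_dot1x(ep, log) == "Access-Accept":
            session = "dot1x"
    return session


def simulate(cfg, endpoints, reject_unknown=False):
    """Return ({domain: method}, RadiusLog) for one link-up of the given endpoints."""
    log = RadiusLog()
    sessions = {ep.domain: authenticate(cfg, ep, log, reject_unknown) for ep in endpoints}
    return sessions, log


# Constructed sample endpoints and the three port configurations discussed in the thread.
PC = Endpoint("0011.2233.4455", "DATA", "Unknown", supplicant=True)
PHONE = Endpoint("0022.3344.5566", "VOICE", "Cisco-IP-Phone", supplicant=False)
ANDY_ORIGINAL = PortConfig(order=("dot1x", "mab"), priority=("dot1x", "mab"))
ANDY_REVERSED = PortConfig(order=("mab", "dot1x"), priority=("mab", "dot1x"))
NENO = PortConfig(order=("mab", "dot1x"), priority=("dot1x", "mab"))

if __name__ == "__main__":
    for name, cfg, reject in [("original", ANDY_ORIGINAL, False),
                              ("reversed", ANDY_REVERSED, False),
                              ("reversed + reject Unknown", ANDY_REVERSED, True),
                              ("order mab dot1x / priority dot1x mab", NENO, False)]:
        sessions, log = simulate(cfg, [PC, PHONE], reject_unknown=reject)
        print(f"{name:40} {sessions}  rejects={len(log.rejects())}")
```

Running the four scenarios reproduces the thread: the original config gives DATA=dot1x and VOICE=mab; reversing both order and priority gives mab for both domains because the later EAPOL-Start cannot displace a MAB session of higher priority; the Access-Reject rule forces dot1x but logs one reject per link-up; and the suggested `order mab dot1x` with `priority dot1x mab` gives DATA=dot1x with no rejects, since the dot1x session simply replaces the MAB one. A PC whose supplicant is not yet loaded at link-up still produces one MAB reject when the reject rule is left in place, which is the residual deny described later in the thread.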
01-30-2015 01:58 AM
Hi Neno. I made the suggested change and it's a great improvement. I still see a deny (for mab) entry in the logs when the AD PC is booting because the AnyConnect NAM supplicant hasn't loaded yet. Once the AD PC is booted and the supplicant is loaded, 802.1X takes priority over mab so there are no more denies for mab in the logs.
Many thanks
Andy
01-30-2015 08:52 PM
Glad I could help! :)