Authentication violation - Shutdown - not shutting down the port

laurathaqi
Level 3

Dear community, 

 

I have enabled Cisco ISE MAB on a port as follows:

 

interface GigabitEthernet1/0/8
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 3
 authentication order mab webauth
 authentication priority mab webauth
 authentication port-control auto
 mab
 spanning-tree portfast
!

Port authentication is single-host, however when I plug another device in the switch port, the port does not go into the shutdown state.  

The idea is to have only one MAC address authenticate on the port and, when another one tries, to go into a shutdown state.

Switch: Catalyst 4300

 

The logs in ISE show that the device is correctly rejected. But the switch port does not show a shutdown state on the configured port. Any idea what the issue could be?

 

Looking forward to hearing from you. 

 

Thank you,

Laura 

Accepted Solution

mitchp75
Level 1

If you want ISE to only permit access to specific MAC addresses and deny the rest you need to define that list inside of ISE and use it in an Authorization Policy. Maintaining a MAB database has been a point of frustration for me too, if anyone else has suggestions feel free to speak up. 

 

[Attached image: 1.PNG]

 

 


7 Replies

Nadia Bbz
Level 1

Hello,

You could use port-security; it works:

switchport port-security
switchport port-security violation shutdown
switchport port-security aging time 5
switchport port-security aging type inactivity

Hi @Nadia Bbz 

 

Based on research and community comments, it's not recommended to use the ISE configuration together with "switchport port-security".

My aim was to use only ISE to achieve the exact result of shutting down the port when the MAC changes. That way, when another MAC tries to authenticate, the port becomes unavailable altogether, and not only rejects the session.

 

Thank you,

Laura

mitchp75
Level 1

Two things. First, is the switch port in 'closed' mode or 'monitor' mode? "access-session closed" is the command that should be on the port if closed. My feeling is the switch isn't enforcing what ISE is sending because it's not in closed mode. Second, single-host, from my understanding, means one MAC address is allowed on the port at a time, so unplugging a PC and putting in another one is fine because the other one is no longer there.

 

[Attached image: port.PNG]

Hi @mitchp75 

 

The interface is in closed mode; however, the shutdown of the port still does not happen! It seems to me that, based on the content you provided from the following link, https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2018/pdf/BRKSEC-2464.pdf, single-host mode is indeed for one MAC at a time only, and not for one MAC address per port forever.

What I want is only one MAC address per port, and if it is unplugged and another device is plugged in, the switch port should go into the shutdown state. Any suggestions on how I could achieve this via ISE, and not via switchport control?

 

Looking forward to hearing from you. 

 

Thank you,

Laura

 

@laurathaqi 

Perhaps use the RADIUS attribute "NAS-Port-ID" in an AuthZ rule to identify the interface, and combine that condition with NAS-IP-Address or Device Type to ensure only that MAC address can be authorised to that specific interface on that switch.

 

Create another rule using the same conditions and DenyAccess for all other MAC addresses.
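As an added illustration of the two-rule approach described in the reply above (this is not code from the post, nor an ISE API; it only simulates how such rules would evaluate a MAB request), the following Python pins one MAC to one interface of one switch, identified by the RADIUS NAS-IP-Address and NAS-Port-Id attributes, and lets a catch-all rule deny any other MAC on that port. The switch IP, interface names and MACs are constructed sample data, and the exact string the switch places in NAS-Port-Id is assumed to be the interface name. Note that a DenyAccess result only rejects the session; as the thread discusses, it does not by itself shut the port, which is switch-side (port-security) behaviour.

```python
"""Model of the two-rule ISE authorization design described above.

Added example: not code from the post and not an ISE API. RADIUS attribute
names are standard (Calling-Station-Id, NAS-IP-Address, NAS-Port-Id); the
switch IP, interfaces and MACs are constructed sample data, and NAS-Port-Id
is assumed to carry the interface name.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MabRequest:
    """The subset of a MAB Access-Request that the rules look at."""
    calling_station_id: str  # endpoint MAC, in whatever format the switch sends
    nas_ip_address: str      # the switch that sent the request
    nas_port_id: str         # the interface the endpoint is connected to


# Constructed binding table: (switch, interface) -> the one MAC allowed there.
PORT_BINDINGS: dict[tuple[str, str], str] = {
    ("10.0.0.5", "GigabitEthernet1/0/8"): "aa:bb:cc:dd:ee:01",
}


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form.

    Switches send Calling-Station-Id in different formats (AA-BB-CC-DD-EE-01,
    aabb.ccdd.ee01, ...); comparing raw strings would silently fail to match.
    """
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def authorize(req: MabRequest) -> tuple[str, str]:
    """Return (result, matched rule), evaluating rules top to bottom.

    Rule 1: pinned MAC on its pinned (switch, interface) -> PermitAccess.
    Rule 2: any other MAC on a pinned (switch, interface) -> DenyAccess.
    Default: interface not in the table -> DenyAccess (fail closed).
    """
    key = (req.nas_ip_address, req.nas_port_id)
    pinned = PORT_BINDINGS.get(key)
    if pinned is None:
        return "DenyAccess", "Default"
    if normalize_mac(req.calling_station_id) == normalize_mac(pinned):
        return "PermitAccess", "Pinned-MAC-on-Port"
    return "DenyAccess", "Other-MAC-on-Pinned-Port"


if __name__ == "__main__":
    samples = [
        # the pinned device on its own port
        MabRequest("AA-BB-CC-DD-EE-01", "10.0.0.5", "GigabitEthernet1/0/8"),
        # a different device plugged into the same port
        MabRequest("aabb.ccdd.ee02", "10.0.0.5", "GigabitEthernet1/0/8"),
        # the pinned device moved to a port that has no binding
        MabRequest("aa:bb:cc:dd:ee:01", "10.0.0.5", "GigabitEthernet1/0/9"),
    ]
    for req in samples:
        result, rule = authorize(req)
        print(f"{req.nas_port_id:22} {req.calling_station_id:18} -> {result} ({rule})")
```

The third sample shows the operational cost of this design: because the binding is per switch and per interface, moving a device to another port denies it until the table is updated, which is the maintenance burden the accepted answer mentions.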

Hi @laurathaqi , I think your use-case is not possible in ISE but rather you may just use port-security mac-address sticky in which you will specify the mac-address that is recognized by the switchport.
