Solved: Can't Connect to Endpoint when user logs off

jmartin@mooresvillenc.gov · ‎03-24-2020

We are in the process of deploying ISE 2.6 Patch 3 and are using Cisco AnyConnect Network Access Manager for EAP Chaining. We have ran into a a situation where whenever no user is logged into the machine it becomes unreachable (no ping, VNC, etc.). I have attached screenshots of our NAM configuration from the AnyConnect Profile Editor. Are there additional settings in ISE that could be causing this behavior? We currently have a rule in our Policy in ISE that is Temp Roll Out rule that basically allows anything that is profiled as a Workstation, etc. to connect. I have a TAC case open as well but they aren't being very responsive.

Mike.Cifelli · ‎03-24-2020

Could be a dacl issue. I would verify your dacl contains (allows) your test host where you are pinging from. Dacl in ISE can be found here: Policy->Policy Elements->Results->Authorization->Downloadable ACLs
Can you share that interface config as well please

View solution in original post

Mike.Cifelli · ‎03-24-2020

Can you please share screenshots or further describe how you have your test authz policies configured? There is a condition you should be utilizing that would allow access based on the eap-chaining result. It sounds like the issue you are facing is that hosts are dropping off the network when eap-chaining is user fail and machine pass. The authz condition is this: Network Access: EAPChainingResult EQUALS: User failed and machine succeeded. In your test case you would want to maybe push this type of result into a restricted area.

jmartin@mooresvillenc.gov · ‎03-24-2020

I've attached screenshots of our Authz Policy

Cristian Matei · ‎03-24-2020

Hi,

The required three authorisation policies seem to be in place. Ensure that the configuration is correct though, following this guide. When only the machine is authenticated, what is the status on ISE (what is the currently pushed policy) and on the switch "show authentication session" for the interface.

Regards,

Cristian Matei.

Mike.Cifelli · ‎03-24-2020

Authz policy is configured as expected (right). Can you share what is configured in this authz profile (Computer Wired Access)? It looks like you have a few hundred hits on that authz policy. As @Cristian Matei mentioned see what the switch is showing for auth detail.

jmartin@mooresvillenc.gov · ‎03-24-2020

I can't seem to find the Computer Wired Access auth profile to be able to check the configuration. I'll be glad to provide some screenshots but I seem to only be able to find it listed in the Policy Set

Mike.Cifelli · ‎03-24-2020

Policy->Policy Elements->Results->Authorization->Authz Profiles

jmartin@mooresvillenc.gov · ‎03-24-2020

jmartin@mooresvillenc.gov · ‎03-24-2020

This is what the switch port shows: sh auth sessions | i Gi3/11
Gi3/11 d89e.f39e.7d5e dot1x DATA Auth 0A800A050000387C2389F8B4

Mike.Cifelli · ‎03-24-2020

What vlan is being pushed? Is this vlan in the switch vlan.db? Show from switch: #Show auth session interface XXX detail

jmartin@mooresvillenc.gov · ‎03-24-2020

Mike.Cifelli · ‎03-24-2020

Could be a dacl issue. I would verify your dacl contains (allows) your test host where you are pinging from. Dacl in ISE can be found here: Policy->Policy Elements->Results->Authorization->Downloadable ACLs
Can you share that interface config as well please

jmartin@mooresvillenc.gov · ‎03-24-2020

switchport access vlan 11
switchport mode access
switchport voice vlan 64
switchport port-security maximum 5
authentication event server dead action authorize vlan 254
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication timer inactivity 60
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
auto qos voip cisco-phone
dot1x pae authenticator
dot1x timeout tx-period 10
qos trust device cisco-phone
spanning-tree portfast edge
spanning-tree bpduguard enable
service-policy input AutoQos-4.0-Cisco-Phone-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
ip dhcp snooping trust
end

jmartin@mooresvillenc.gov · ‎03-24-2020

I don't think that I have a DACL assigned to that Authz Profile. My DACL config is:

permit udp any eq 68 any eq 67
permit udp any any eq 53
permit ip any host <DNS SERVER IP>
permit ip any host <DC IP>
deny ip any any

Mike.Cifelli · ‎03-24-2020

Your sh auth detail output (server policies) tells me ISE authz profile is pushing dacl. Does sh ip access-list int XX return anything? Try adding your test host iip n that dacl, then force reauth, then try to ping.
I would take a peek at an admin guide: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-3se/3650/sec-user-8021x-xe-3se-3650-book/sec-ieee-open-auth.html#GUID-65E5A890-B7C0-43AC-976D-D76BF6135085
Also, for future reference I recommend starting with less configs, get it working, then slowly add things back. May help with identifying root cause. Check out labminutes.com/sec as well for free config tutorials. HTH!