02-28-2022 01:24 AM
I need the switch to send an authentication link to the host, so I can check whether there is antivirus and any connection on the host.
So everything is working fine: after connection the user gets a special VLAN, then the switch gets the link (I can see it in the session information), but this link doesn't go to the host, so it can't be authenticated.
That's the config that I made:
aaa server radius dynamic-author
client 10.10.13.13
server-key 7 15514F2E05282E2F7E6A637B36131E2F537618
auth-type any
ignore session-key
ignore server-key
!
ip access-list extended CISCOCWAURLREDIRECTACL
deny ip any host 10.10.13.13
deny ip any host 10.10.13.14
deny udp any any eq domain
deny tcp any any eq domain
deny udp any eq bootps any
deny udp any any eq bootpc
deny udp any eq bootpc any
permit tcp any any eq www
!
ip http server
ip http banner
ip http secure-server
!
interface GigabitEthernet1/0/1
switchport mode access
switchport nonegotiate
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 25
!
Interesting thing: the same config works on a WS-C2960L-24TS-LL.
Solved!
03-02-2022 05:35 AM
A couple of things to try/consider. If you wish for the switch to send an eap-request to initiate reauthentication:
Under your port config:
#authentication periodic --default value is 3600 seconds; if you want to change this add the command below too:
#authentication timer reauthenticate <###>
Note that you can also dynamically push reauth values via ISE policy if you wish. Lastly, this may help you too: ISE Secure Wired Access Prescriptive Deployment Guide - Cisco Community
02-28-2022 04:19 AM
Are the endpoints getting an IP address from the DHCP server? On the redirect ACL you shared above, it doesn't seem to have a deny rule to not redirect the DHCP traffic! You should have an entry similar to "deny udp any eq bootpc any eq bootps". Also, do you have any dACL applied to those ports? If so, make sure this traffic is allowed on the dACL; otherwise it won't hit the redirect ACL.
Although it is not the case here, just as a side note, please keep in mind that the 2960-X switches' order of operation when it comes to the redirect ACLs is totally different from the switches running IOS XE code such as the C3850. Take a look at this post of mine for more info on this:
02-28-2022 04:23 AM
Please ignore my note about the DHCP redirect traffic; re-reading your shared configs, you already have the entry to not redirect the DHCP traffic, which is "deny udp any eq bootpc any".
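The two replies above turn on how a CWA redirect ACL is read: unlike a filtering ACL, a "permit" entry means the switch intercepts that flow and sends the web-authentication redirect, while a "deny" entry (and the implicit deny at the end) means the flow is left alone. The script below is an added example, not code from the thread or from Cisco: it parses the redirect ACL exactly as the original poster wrote it and evaluates a few constructed flows against it (the 10.20.0.x and 203.0.113.10 addresses are made up), so you can confirm that DHCP, DNS and traffic to the ISE node bypass the redirect while plain HTTP is redirected, and that HTTPS is not redirected by this ACL at all.

```python
"""Evaluate a Cisco IOS CWA redirect ACL against sample flows (added example, not from the thread)."""
import ipaddress

# Constructed copy of the redirect ACL posted in the thread, in the IOS CLI form it was written.
REDIRECT_ACL = """\
deny ip any host 10.10.13.13
deny ip any host 10.10.13.14
deny udp any any eq domain
deny tcp any any eq domain
deny udp any eq bootps any
deny udp any any eq bootpc
deny udp any eq bootpc any
permit tcp any any eq www
"""

# Well-known port names used by the ACL above (IOS accepts names or numbers).
PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68, "www": 80}


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # An IOS wildcard mask is what Python's ipaddress calls a hostmask (e.g. 10.20.0.0/0.0.255.255).
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq <port>' qualifier; other operators are not used by this ACL."""
    if tokens and tokens[0] == "eq":
        return _port(tokens[1]), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Parse ACE lines into dicts; covers only the subset of syntax a redirect ACL needs."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto = tok[0], tok[1]
        src, rest = _parse_addr(tok[2:])
        sport, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest)
        dport, rest = _parse_port(rest)
        entries.append({"line": line, "action": action, "proto": proto,
                        "src": src, "sport": sport, "dst": dst, "dport": dport})
    return entries


def _matches(ace, flow):
    if ace["proto"] != "ip" and ace["proto"] != flow["proto"]:
        return False
    if ipaddress.ip_address(flow["src"]) not in ace["src"]:
        return False
    if ipaddress.ip_address(flow["dst"]) not in ace["dst"]:
        return False
    if ace["sport"] is not None and ace["sport"] != flow["sport"]:
        return False
    if ace["dport"] is not None and ace["dport"] != flow["dport"]:
        return False
    return True


def classify(flow, acl_text=REDIRECT_ACL):
    """Return ('redirect' | 'bypass', matched ACE text or None).

    Redirect-ACL semantics are inverted relative to a filtering ACL:
    'permit' means the switch intercepts the flow and sends the CWA redirect,
    'deny' (and the implicit deny at the end) means the flow passes untouched.
    First match wins, as on the switch.
    """
    for ace in parse_acl(acl_text):
        if _matches(ace, flow):
            return ("redirect" if ace["action"] == "permit" else "bypass"), ace["line"]
    return "bypass", None


# Constructed sample flows from a host in the isolated VLAN (all addresses are made up).
SAMPLE_FLOWS = {
    "dhcp_discover": {"proto": "udp", "src": "0.0.0.0", "sport": 68, "dst": "255.255.255.255", "dport": 67},
    "dns_query":     {"proto": "udp", "src": "10.20.0.5", "sport": 51000, "dst": "10.20.0.1", "dport": 53},
    "to_ise_portal": {"proto": "tcp", "src": "10.20.0.5", "sport": 40001, "dst": "10.10.13.13", "dport": 8443},
    "http_browse":   {"proto": "tcp", "src": "10.20.0.5", "sport": 40002, "dst": "203.0.113.10", "dport": 80},
    "https_browse":  {"proto": "tcp", "src": "10.20.0.5", "sport": 40003, "dst": "203.0.113.10", "dport": 443},
}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        verdict, ace = classify(flow)
        print(f"{name:14s} -> {verdict:8s} ({ace or 'implicit deny'})")
```

Running it shows the DHCP discover matched by "deny udp any eq bootpc any" (so the original poster's ACL does exempt DHCP, as the follow-up reply concedes), DNS and the ISE node exempted by their own deny lines, HTTP on port 80 hitting the single permit and therefore being redirected, and HTTPS falling through to the implicit deny, which is why a client that only opens HTTPS pages never sees the portal with this ACL.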
03-01-2022 10:22 PM
Yes, they get an IP from the isolated VLAN, but after that they don't get the reauthentication link and so can't authenticate.
03-03-2022 12:58 AM
The problem was the device-tracking command under the interface. And now everything is working fine.
03-06-2022 04:00 PM
See ISE Secure Wired Access Prescriptive Deployment Guide for best practice configurations.