Cisco C3850 + ISE reauthentication

Rovshan91
Level 1

I need the switch to send the authentication link to the host, so I can check whether there is antivirus and AnyConnect on the host.

So everything is working fine: after connection the user gets the special VLAN, then the switch gets the link (I can see it in the session information), but this link doesn't go to the host so it can be authenticated.

 

That's the config that I made:

 

aaa server radius dynamic-author
client 10.10.13.13
server-key 7 15514F2E05282E2F7E6A637B36131E2F537618
auth-type any
ignore session-key
ignore server-key

!

ip access-list extended CISCOCWAURLREDIRECTACL

deny ip any host 10.10.13.13
deny ip any host 10.10.13.14
deny udp any any eq domain
deny tcp any any eq domain
deny udp any eq bootps any
deny udp any any eq bootpc
deny udp any eq bootpc any
permit tcp any any eq www

!

ip http server
ip http banner
ip http secure-server

!

interface GigabitEthernet1/0/1
switchport mode access
switchport nonegotiate
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 25
!

Interesting thing: the same config works on WS-C2960L-24TS-LL.

1 Accepted Solution


Mike.Cifelli
VIP Alumni

A couple of things to try/consider.  If you wish for the switch to send an eap-request to initiate reauthentication:

Under your port config:

#authentication periodic --default value is 3600 seconds; if you want to change this add the command below too:

#authentication timer reauthenticate <###>

Note that you can also dynamically push reauth values via ISE policy if you wish.  Lastly, this may help you too: ISE Secure Wired Access Prescriptive Deployment Guide - Cisco Community

 


6 Replies

Are the endpoints getting an IP address from the DHCP server? On the redirect ACL you shared above it doesn't seem to have a deny rule to not redirect the DHCP traffic! You should have an entry similar to "deny udp any eq bootpc any eq bootps". Also, do you have any dACL applied to those ports? If so, make sure this traffic is allowed on the dACL, otherwise it won't hit the redirect ACL.

Although it is not the case here, just as a side note, please keep in mind that the 2960-X switches' order of operation when it comes to the redirect ACLs is totally different from the switches running the IOS XE code such as the C3850. Take a look at this post of mine for more info on this:

https://bluenetsec.com/redirect-acl-with-c9300-switches/

Please ignore my note about the DHCP redirect traffic; re-reading your shared configs, you already have the entry to not redirect the DHCP traffic, which is "deny udp any eq bootpc any".
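The two comments above turn on how the redirect ACL in the question is evaluated: on IOS XE (C3850) a CWA redirect ACL is walked top to bottom, the first matching entry wins, a permit match means the flow is sent to the ISE web-auth portal, and a deny match (or the implicit deny at the end) means the flow is forwarded normally without redirection. The following is an added example, not code from the thread or from Cisco, that parses the CISCOCWAURLREDIRECTACL posted in the question and evaluates constructed sample flows against it, showing that DHCP (source port bootpc), DNS and traffic to the ISE nodes bypass redirection while ordinary HTTP is redirected. The flow tuples and the helper names are assumptions made for the example.

```python
"""Evaluate a Cisco-style extended ACL with IOS XE redirect-ACL semantics:
first match wins, 'permit' = redirect to the portal, 'deny' = forward
normally, implicit 'deny ip any any' at the end = not redirected.
Added example; the ACL text is the one posted in the question,
the sample flows below are constructed."""
from dataclasses import dataclass
from typing import List, Optional

# Well-known port names that appear in the posted ACL (IOS keyword -> port).
PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}

# The redirect ACL exactly as posted in the question.
CWA_ACL = """
ip access-list extended CISCOCWAURLREDIRECTACL
deny ip any host 10.10.13.13
deny ip any host 10.10.13.14
deny udp any any eq domain
deny tcp any any eq domain
deny udp any eq bootps any
deny udp any any eq bootpc
deny udp any eq bootpc any
permit tcp any any eq www
"""


@dataclass
class Flow:
    proto: str                 # "tcp", "udp", ...
    src: str                   # source IPv4 address
    dst: str                   # destination IPv4 address
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip", "tcp" or "udp"
    src: str                   # "any" or a host address
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def _parse_addr(tokens):
    """Consume 'any' or 'host A.B.C.D' plus an optional 'eq PORT'."""
    if tokens[0] == "any":
        addr, rest = "any", tokens[1:]
    elif tokens[0] == "host":
        addr, rest = tokens[1], tokens[2:]
    else:
        raise ValueError("only 'any' and 'host X' supported: " + " ".join(tokens))
    port = None
    if rest and rest[0] == "eq":
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
        rest = rest[2:]
    return addr, port, rest


def parse_acl(text: str) -> List[Entry]:
    """Parse permit/deny lines; the 'ip access-list' header and '!' are skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action, proto = tokens[0], tokens[1]
        src, sport, rest = _parse_addr(tokens[2:])
        dst, dport, _ = _parse_addr(rest)
        entries.append(Entry(action, proto, src, sport, dst, dport))
    return entries


def _match(entry: Entry, flow: Flow) -> bool:
    if entry.proto != "ip" and entry.proto != flow.proto:
        return False
    if entry.src != "any" and entry.src != flow.src:
        return False
    if entry.dst != "any" and entry.dst != flow.dst:
        return False
    if entry.sport is not None and entry.sport != flow.sport:
        return False
    if entry.dport is not None and entry.dport != flow.dport:
        return False
    return True


def is_redirected(entries: List[Entry], flow: Flow) -> bool:
    """True if the flow would be redirected to the web-auth portal."""
    for e in entries:
        if _match(e, flow):
            return e.action == "permit"
    return False                # implicit deny: forwarded, not redirected


if __name__ == "__main__":
    acl = parse_acl(CWA_ACL)
    samples = {   # constructed flows from an endpoint in the isolated VLAN
        "DHCP discover":  Flow("udp", "0.0.0.0", "255.255.255.255", 68, 67),
        "DNS query":      Flow("udp", "10.10.50.20", "10.10.13.14", 51000, 53),
        "HTTP to ISE":    Flow("tcp", "10.10.50.20", "10.10.13.13", 51001, 80),
        "HTTP to web":    Flow("tcp", "10.10.50.20", "93.184.216.34", 51002, 80),
        "HTTPS to web":   Flow("tcp", "10.10.50.20", "93.184.216.34", 51003, 443),
    }
    for name, flow in samples.items():
        print(f"{name:14s} -> {'REDIRECT' if is_redirected(acl, flow) else 'forward'}")
```

Because HTTPS (tcp/443) hits the implicit deny, an endpoint whose browser only opens https:// pages will never see the portal with this ACL; a separate permit for port 443 (with the ISE portal certificate accepted by the client) is needed for that case.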

Yes, they get an IP from the isolated VLAN, but after it they didn't get the reauthentication link and so can't authenticate.


Veysaloglu
Level 1

The problem was the device-tracking command under the interface. And now everything is working fine.

thomas
Cisco Employee

See ISE Secure Wired Access Prescriptive Deployment Guide for best practice configurations.