3198 Views, 0 Helpful, 5 Replies

Cisco ISE 1.2 : Problem with 802.1x authentication

quangle1993
Level 1

Hi everyone,

I have a problem with 802.1x. Here is my topology:

Topology

DHCP address: 192.168.11.1

ISE address: 192.168.11.69

I configured the switch like this:

enable
configure terminal
no ip domain lookup
line console 0
 logging synchronous
exit
hostname PSN
!
ip routing
vlan 139
 name EVNUSER
vlan 150
 name SERVER
vlan 1250
 name NOC
exit
!
! User SVI: DHCP is relayed to both ISE (192.168.11.69) and the DHCP server (192.168.11.1)
interface Vlan139
 ip address 10.137.4.1 255.255.255.0
 ip helper-address 192.168.11.69
 ip helper-address 192.168.11.1
 no shutdown
interface Vlan150
 ip address 192.168.11.2 255.255.255.0
 no shutdown
interface Ethernet0/1
 switchport access vlan 139
interface Ethernet0/0
 switchport access vlan 150
interface Ethernet0/2
 switchport access vlan 150
exit
!
! AAA and RADIUS towards ISE
ip domain-name hcmpc.com.vn
username admin privilege 15 secret evnhcmpc
enable secret evnhcmpc
crypto key generate rsa general-keys modulus 1024
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting update periodic 5
radius-server host 192.168.11.69 auth-port 1812 acct-port 1813 key evnhcmpc
radius-server dead-criteria time 30 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
ip radius source-interface Vlan139
aaa server radius dynamic-author
 client 192.168.11.69 server-key evnhcmpc
exit
!
! 802.1X on the user-facing port
dot1x system-auth-control
ip device tracking
interface Ethernet0/1
 switchport host
 switchport access vlan 139
 switchport mode access
 authentication event fail action next-method
 authentication host-mode multi-auth
 ! open mode: the port forwards traffic before (and without) a successful authentication
 authentication open
 authentication order dot1x
 authentication priority dot1x
 authentication port-control auto
 authentication violation restrict
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
exit

Because I only want users that have 802.1x enabled to access the network, I don't use MAB.
It works fine when I turn on 802.1x on user-win7: only a valid username and password can access.
But when I turn off 802.1x on user-win7, it can still receive an IP from DHCP and can access the network.
Here is my policy:

Authentication:
    Name: 802.1x-ONLY  If Radius:NAS-Port-Type EQUALS Ethernet  Allow Protocols: Default Network Access
        Default: use Internal Users
    Default Rule (if no match): Allow Protocols: Default Network Access and use: DenyAccess

Authorization:
    802.1x-ONLY  if IT-User AND (Radius:NAS-Port-Type EQUALS Ethernet AND Network Access:AuthenticationStatus EQUALS AuthenticationPassed) then PermitAccess
    Default  if no matches, then DenyAccess

I don't know why a user computer that does not have 802.1x enabled can receive an IP from the DHCP server and access the network.

I think maybe it is caused by my typing: ip helper-address 192.168.11.1 (the DHCP server address).

But when I don't type it, even a computer with 802.1x enabled and a valid username/password still can't receive an IP from DHCP, although it receives authorization success.

Accepted Solution

faylee
Cisco Employee

You have "authentication open" enabled.  Authentication open means that even if 802.1x fails, connectivity (like getting an IP address) is still possible.

HTH,

Fay-Ann


5 Replies


Hi, thanks for your answer, but even when I remove "authentication open", an ordinary PC can still access and receive an IP from DHCP.

I think the problem is in interface VLAN 139, which I use to define on ISE. The config of interface VLAN 139 is below:

interface Vlan139
 ip address 10.137.4.1 255.255.255.0
 ip helper-address 192.168.11.69
 ip helper-address 192.168.11.1
end

I use "ip helper-address" pointing to ISE and the DHCP server, because if I only point to ISE, even a user with successful 802.1x authentication can still receive an IP address from DHCP. But if I point to DHCP, then any PC can receive an IP. What should I do now?

gbekmezi-DD
Level 5

Consider removing authentication open from your configuration if you don’t want any traffic besides 802.1x through before authentication.

Hi, thanks for your answer, but even when I remove "authentication open", an ordinary PC can still access and receive an IP from DHCP.

I think the problem is in interface VLAN 139, which I use to define on ISE. The config of interface VLAN 139 is below:

interface Vlan139
 ip address 10.137.4.1 255.255.255.0
 ip helper-address 192.168.11.69
 ip helper-address 192.168.11.1
end

I use "ip helper-address" pointing to ISE and the DHCP server, because if I only point to ISE, even a user with successful 802.1x authentication can still receive an IP address from DHCP. But if I point to DHCP, then any PC can receive an IP. What should I do now?

hslai
Cisco Employee

DHCP could be allowed by some pre-auth ACL. For example, a 3560CG running Cisco IOS 15.2.xE has a pre-defined pre-auth ACL, which is applied to the session when no pre-auth downloadable ACL is given:

Extended IP access list preauth_ipv4_acl (per-user)
    10 permit udp any any eq domain
    20 permit tcp any any eq domain
    30 permit udp any eq bootps any
    40 permit udp any any eq bootpc
    50 permit udp any eq bootpc any
    60 deny ip any any

I would suggest you seek support from our Cisco platform teams, specifying the switch model and Cisco IOS train version, etc.
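As an added example that is not part of the thread (and not Cisco's code), the following Python script audits a pasted IOS running-config for the two gaps the replies point at: a port in "authentication open" mode with no inbound port ACL (faylee's point, everything including DHCP is forwarded before authentication) and an open-mode port whose pre-auth ACL permits DHCP from the client (hslai's point). The sample configs embedded in the script are constructed from the original poster's Ethernet0/1; the Ethernet0/3 stanza, the PREAUTH ACL and the Finding class are assumptions made for the demonstration, and the hardened stanza simply drops "authentication open".

```python
"""Audit a Cisco IOS running-config for 802.1X enforcement gaps on access ports.
Added example (not from the thread or from Cisco). Flags 'authentication open'
ports with no inbound port ACL, and open ports whose ACL permits client DHCP.
"""
import re
from dataclasses import dataclass

DHCP_PORT_TOKENS = {"bootps", "bootpc", "67", "68"}   # how DHCP appears in an IOS ACL


@dataclass(frozen=True)
class Finding:
    interface: str
    issue: str


def parse_stanzas(config):
    """Split an IOS config into {top-level line: [indented child lines]}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None                      # '!' and blank lines end a stanza
        elif raw.startswith(" "):
            if current is not None:
                stanzas[current].append(raw.strip())
        else:
            current = raw.strip()
            stanzas.setdefault(current, [])
    return stanzas


def acl_permits_dhcp(entries):
    """True if a permit entry in the ACL would pass DHCP sent by the client."""
    for entry in entries:
        tokens = entry.split()
        if tokens and tokens[0].isdigit():      # drop the sequence number
            tokens = tokens[1:]
        if len(tokens) < 2 or tokens[0] != "permit":
            continue
        if tokens[1] == "ip":
            return True                         # 'permit ip' covers UDP 67/68
        if tokens[1] == "udp":
            port_qualified = any(t in ("eq", "neq", "gt", "lt", "range") for t in tokens)
            if not port_qualified or DHCP_PORT_TOKENS & set(tokens):
                return True
    return False


def audit(config):
    """One Finding per 802.1X port that forwards DHCP before authentication."""
    stanzas = parse_stanzas(config)
    acls = {h.split()[-1]: body for h, body in stanzas.items()
            if h.startswith("ip access-list")}
    findings = []
    for header, lines in stanzas.items():
        if not header.startswith("interface "):
            continue
        name = header.split(None, 1)[1]
        if "authentication port-control auto" not in lines:
            continue                            # port is not running 802.1X at all
        if "authentication open" not in lines:
            continue                            # closed mode: only EAPOL passes pre-auth
        acl = None
        for line in lines:
            m = re.match(r"ip access-group (\S+) in$", line)
            if m:
                acl = m.group(1)
        if acl is None:
            findings.append(Finding(name, "open mode with no inbound port ACL: "
                                          "all traffic, DHCP included, is forwarded pre-auth"))
        # An applied but undefined ACL filters nothing on IOS, so treat it as permit-all.
        elif acl_permits_dhcp(acls.get(acl, ["permit ip any any"])):
            findings.append(Finding(name, f"open mode and pre-auth ACL {acl} permits DHCP"))
    return findings


# Constructed sample: Ethernet0/1 as posted in the thread; Ethernet0/3 and the
# PREAUTH ACL (modelled on the platform default quoted above) are hypothetical.
AS_POSTED_CONFIG = """\
ip access-list extended PREAUTH
 10 permit udp any any eq domain
 20 permit udp any eq bootpc any
 30 deny ip any any
!
interface Ethernet0/1
 switchport mode access
 authentication open
 authentication port-control auto
!
interface Ethernet0/3
 switchport mode access
 ip access-group PREAUTH in
 authentication open
 authentication port-control auto
!
"""
# Hardened variant: 'authentication open' removed, so nothing but EAPOL passes
# until ISE returns Access-Accept.
HARDENED_CONFIG = """\
interface Ethernet0/1
 switchport mode access
 authentication port-control auto
!
"""

if __name__ == "__main__":
    for f in audit(AS_POSTED_CONFIG):
        print(f"{f.interface}: {f.issue}")
    print("hardened:", audit(HARDENED_CONFIG))
```

Run it against your own "show running-config" output; a port that appears in the findings is one where a host with 802.1x disabled can still obtain a DHCP lease, which is the behaviour described in the question.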