Cisco ISE 2.4 static IP assigned devices problem

azerturkbank1 (Level 1)

ISE ver 2.4 patch 10

I have implemented dot1x and MAB only deployment.

dot1x works well with certificates, and profiling of devices with dynamically assigned IPs also works well (e.g. IP phones).

There are several devices we are obliged to assign a static IP to, like NVRs or fingerprint devices.

These devices are statically profiled based on MAC and IP address (e.g. if the MAC is aaa.aaa.aaa and the IP is x.x.x.x, then profile as NVR1).

If the port is not set to closed mode (authentication open), the device is authenticated after a while. Even in open mode, if I shut/no shut the port, the device again stays in the unauthorized state for a while. After a period of time, ISE authenticates this device again.

But if I put the port in closed mode, the device is never authenticated.

#aaa config

aaa group server radius ISE-Group
server name ISE1
server name ISE2
!
aaa authentication login console local
aaa authentication login vty local
aaa authentication enable default enable
aaa authentication dot1x default group ISE-Group
aaa authorization exec default local
aaa authorization exec vty local
aaa authorization network default group ISE-Group
aaa accounting update newinfo periodic 2880
aaa accounting dot1x default start-stop group ISE-Group

 

##Port config

interface GigabitEthernet1/0/6
description NVR1
switchport access vlan 4
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order mab
authentication priority mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation replace

ip device tracking probe delay 10
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
spanning-tree bpduguard enable

#radius config
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria time 10 tries 3
radius-server retry method reorder
radius-server retransmit 1
radius-server timeout 3

 

ip device tracking is also enabled. 

In open mode, I can see the IP and MAC binding in the device tracking database; however, if I change it to closed mode, it vanishes.

Do you have any idea?

Thank you in advance!

 

4 Replies

Timothy Abbott (Cisco Employee)
Static IP assignment and profiling are a bit challenging. While the switch may contain the MAC-to-IP binding, that doesn't necessarily mean that information is being shared with ISE. Typically, the endpoint will need to send traffic to trigger the authentication, which will then allow ISE to authorize the port.

Regards,
-Tim

azerturkbank1

Hello Timothy,

The switch has the MAC-to-IP bindings in an ARP access-list, which I added from the ARP inspection perspective.

You mention the endpoint needs to send traffic to trigger authentication. For example, it is a fingerprint device or a network camera.

How can I make them send data? Once they are turned on, they start to record and the server connects to them in order to grab the data.

What would you advise me to do?

Colby LeMaire (accepted solution)

There are dumb devices out there that sometimes will disable their network interface if they can't communicate within a certain amount of time.  I have seen this with badge readers and other miscellaneous devices.  If you were to reboot the device, it would start to send traffic.  You may end up having to assign a pre-authentication ACL that allows the device to communicate with its necessary servers without authentication.  That way, if someone were to unplug the device and try to use the port, they would be limited on what they could do without authentication.  Also, if the device is a fingerprint reader for door access or badge reader where the ethernet cable is not exposed, then you could treat the device as "physically secure" and not configure the port for 802.1x/MAB.  Instead, use port security with sticky MAC.  Or as I said, you can use a pre-auth ACL that allows critical services for those devices.


Reply (accepted solution)

@Colby LeMaire wrote:

There are dumb devices out there that sometimes will disable their network interface if they can't communicate within a certain amount of time.  I have seen this with badge readers and other miscellaneous devices.  If you were to reboot the device, it would start to send traffic.  You may end up having to assign a pre-authentication ACL that allows the device to communicate with its necessary servers without authentication.  That way, if someone were to unplug the device and try to use the port, they would be limited on what they could do without authentication.  Also, if the device is a fingerprint reader for door access or badge reader where the ethernet cable is not exposed, then you could treat the device as "physically secure" and not configure the port for 802.1x/MAB.  Instead, use port security with sticky MAC.  Or as I said, you can use a pre-auth ACL that allows critical services for those devices.


Also keep in mind that in closed mode the devices can't communicate until profiled, right? Closed mode should only be for dot1x, or for devices that are pre-authorized into a specific group by MAC to give specific access.
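The two accepted answers above (the pre-auth ACL / sticky-MAC advice, and the point that closed mode only fits dot1x or pre-authorized MACs) put into switch configuration, as an added example that is not the poster's configuration and not text from either reply. It shows an open-mode MAB port with a pre-authentication ACL, so that an unauthenticated static-IP device can reach only its recording server until MAB authorizes it, beside the port-security sticky-MAC alternative for a physically secured reader. The ACL name PRE-AUTH-NVR, the server addresses 192.0.2.10 and 192.0.2.20, and the second interface GigabitEthernet1/0/7 are assumed placeholders.

```cisco
! Added example, not the original poster's configuration.
! Pre-authentication ACL: the only traffic an endpoint may send while the port
! is in open mode and MAB has not yet authorized it. 192.0.2.10 (recording
! server) and 192.0.2.20 (DNS/NTP) are placeholders assumed for this example.
ip access-list extended PRE-AUTH-NVR
 remark DHCP, harmless for a static-IP device, useful if it is ever re-addressed
 permit udp any eq bootpc any eq bootps
 remark The recording server polls the NVR / fingerprint reader
 permit ip any host 192.0.2.10
 remark Time and name resolution only
 permit udp any host 192.0.2.20 eq ntp
 permit udp any host 192.0.2.20 eq domain
 remark Everything else is dropped and logged: a port that is unplugged and
 remark reused by someone else shows up here, as does a misbehaving device
 deny ip any any log
!
! Open-mode MAB port with the pre-auth ACL applied inbound. Once ISE authorizes
! the endpoint, a downloadable ACL (dACL) returned in the Access-Accept takes
! over for that session; until then the device is limited to the lines above.
interface GigabitEthernet1/0/6
 description NVR1
 switchport access vlan 4
 switchport mode access
 ip access-group PRE-AUTH-NVR in
 authentication host-mode multi-domain
 authentication open
 authentication order mab
 authentication priority mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 spanning-tree portfast edge
 spanning-tree bpduguard enable
!
! Alternative for a physically secured device (cable not exposed): no
! 802.1X/MAB at all; port security learns the first MAC seen and keeps it.
! GigabitEthernet1/0/7 is an assumed interface.
interface GigabitEthernet1/0/7
 description Fingerprint reader, physically secured cabling
 switchport access vlan 4
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 spanning-tree portfast edge
 spanning-tree bpduguard enable
```

Open mode matters for a silent device: the port forwards the recording server's poll to the device, the device's reply is the first frame the switch sees, and that frame both triggers MAB and populates device tracking, which is why the binding was visible in open mode but not in closed mode. To check the result, `show authentication sessions interface GigabitEthernet1/0/6 details` shows the session state and which ACL is in force, `show ip device tracking interface GigabitEthernet1/0/6` shows whether the static binding was learned, and `show access-lists PRE-AUTH-NVR` gives hit counts on the logged deny line. On the sticky-MAC port, save the configuration after the MAC has been learned, since sticky addresses live in the running configuration.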
