Cisco ISE Authorization issue

jm.virtual01
Level 1

Hello,

I am working on Cisco ISE 2.2. The issue is that I have multiple devices connected through a hub or desktop switch. One connected device gets authenticated through MAB, which is what I need, but the other connected device should be authenticated with dot1x.

But that device keeps requesting authentication multiple times, so it queries multiple times and utilizes more resources.

When I check the logs from the switch side, I find dot1x failed logs, and on the Cisco ISE side I can see the session but not an authentication pass.

I do not know how to solve this problem. Is there any suggestion?

Also one more question: I am trying to deploy the multi-auth configuration. Can anyone provide me a guideline on how to deploy it?

12 Replies

ognyan.totev
Level 5

Hi, please share the port config on the switch side so we can see what is configured, and share the authentication and authorization policy.

I think you have a misconfig.

The configuration on the switch,

interface gi yy
switchport access vlan xxx
switchport mode access
switchport voice vlan yyy
device-tracking attach-policy IP_Dev
no logging event link-status
load-interval aa
authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 5
storm-control broadcast level 
storm-control multicast level 
storm-control action trap
spanning-tree portfast
spanning-tree bpduguard enable
end

 

On the switch, I can see the following logs:

 

1: Nov 11 14:06:55.769 EST: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet x/x, new MAC address (0015.5d) is seen.AuditSessionID 5Atx

 

It hits the unknown-MAB authentication policy.

This happens only for the dynamic MAC device.

 

Your advice please.

 

 

If the MAC address is unknown, this is normal behaviour. What RADIUS live logs do you see? We can't help if you don't share more information.

What information do you need to investigate this issue in depth?

I have shared the port config and the logs from the switch and ISE end.

We need to see the RADIUS live logs from ISE.

Here are the live RADIUS logs for some devices. When I go to the details of the authentication from the live log page, it shows me these steps:

 

11001 Received RADIUS Access-Request
  11017 RADIUS created a new session
  11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
  15049 Evaluating Policy Group
  15008 Evaluating Service Selection Policy
  15048 Queried PIP - DEVICE.Stage
  15004 Matched rule - MAB
  15041 Evaluating Identity Policy
  15006 Matched Default Rule
  15013 Selected Identity Source - Internal Endpoints
  24209 Looking up Endpoint in Internal Endpoints IDStore - 
  24211 Found Endpoint in Internal Endpoints IDStore
  22037 Authentication Passed
  15036 Evaluating Authorization Policy
  15048 Queried PIP - EndPoints.LogicalProfile
  24432 Looking up user in Active Directory - acct.XXXX.net
  24325 Resolving identity - 
  24313 Search for matching accounts at join point - XXXX.net
  24318 No matching account found in forest - XXXX.net
  24367 Skipping unusable domain - YYYY.net,Domain trust is one-way
  24367 Skipping unusable domain - mgmt.XXXX.net,Domain trust is one-way
  24322 Identity resolution detected no matching account
  24352 Identity resolution failed - ERROR_NO_SUCH_USER
  24412 User not found in Active Directory - acct.XXXX.net
  15048 Queried PIP - acct.XXXX.net.ExternalGroups
  15004 Matched rule - XXXX Printers
  15016 Selected Authorization Profile - PermitAccess,Printer,AuthZ_Reauth_timer_12hrs
  15016 Selected Authorization Profile - PermitAccess,Printer,AuthZ_Reauth_timer_12hrs
  15016 Selected Authorization Profile - PermitAccess,Printer,AuthZ_Reauth_timer_12hrs
  11002 Returned RADIUS Access-Accept

 

 

 

| Time | Status | Repeat Count | Identity | Endpoint ID | Endpoint Profile | Authentication Policy | Authorization Policy | Authorization Profiles | IP Address | Network Device | Device Port | Identity Group |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 17:32.0 | Session | 2200 | 00:0F:E7:07:4B:EB | 00:0F:E7:07:4B:EB | XXXX_Lutron_Electronics | XXXX Wired NAC Policy - Monitor >> MAB >> Default | XXXX Wired NAC Policy - Monitor >> XXXX Environmental Device | PermitAccess,XXXX_Environmental,AuthZ_Reauth_timer_12hrs | | | GigabitEthernet0/14 | |
| 17:31.7 | Session | 2113 | C8:CB:B8:0D:9A:F4 | C8:CB:B8:0D:9A:F4 | Windows7-Workstation | XXXX Wired NAC Policy - Monitor >> MAB >> Default | XXXX Wired NAC Policy - Monitor >> XXXX F5 CMDB Prod | PermitAccess,AuthZ_Reauth_timer_18hrs | 20.30.155.221,0xffd5150958 | | GigabitEthernet/2 | |
| 17:31.4 | Session | 1705 | 00:1E:CA:FE:CE:60 | 00:1E:CA:FE:CE:60 | Nortel-Device | XXXX Wired NAC Policy - Monitor >> MAB >> Default | XXXX Wired NAC Policy - Monitor >> XXXX Voice Hardware | PermitAccess,XXXX_Voice_Hardware,AuthZ_Reauth_timer_12hrs | 20.254.118.43 | | GigabitEthernet0/29 | |
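The switch-side symptom in this thread is a stream of %AUTHMGR-5-SECURITY_VIOLATION messages for a second MAC on a port that only admits one data-VLAN host. The following is an added example (not code from the thread or from Cisco) that parses those syslog lines and flags ports where the rejection keeps repeating; the sample log lines, interface names, MACs and audit session IDs are constructed for the example and the "repeat at least twice" threshold is an assumption.

```python
"""Parse Cisco IOS %AUTHMGR-5-SECURITY_VIOLATION syslog lines and flag ports on
which extra MAC addresses keep being rejected (the hub-behind-the-port symptom).
Added example; the sample lines are constructed, not taken from the thread."""
import re
from collections import defaultdict

# Constructed sample syslog in the same format as the lines on the page.
# Interfaces, MACs, timestamps and audit session IDs are made up.
SAMPLE_SYSLOG = """\
Nov 11 14:06:55.769 EST: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet1/0/14, new MAC address (0015.5d01.aa01) is seen.AuditSessionID 0A0A0A0A00000C2A1B2C3D4E
Nov 11 14:07:00.102 EST: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet1/0/14, new MAC address (0015.5d01.aa01) is seen.AuditSessionID 0A0A0A0A00000C2A1B2C3D4E
Nov 11 14:07:05.511 EST: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet1/0/14, new MAC address (0015.5d01.aa02) is seen.AuditSessionID 0A0A0A0A00000C2A1B2C3D4E
Nov 11 14:08:10.000 EST: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet1/0/29, new MAC address (001e.cafe.ce60) is seen.AuditSessionID 0A0A0A0A00000C2B99887766
Nov 11 14:08:11.000 EST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to up
"""

VIOLATION_RE = re.compile(
    r"%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface "
    r"(?P<intf>\S+), new MAC address \((?P<mac>[0-9A-Fa-f.]+)\) is seen\."
    r"AuditSessionID (?P<session>\S+)"
)


def parse_violations(text):
    """Return (interface, rejected_mac, audit_session_id) for every violation line.

    With 'authentication violation restrict' the session ID belongs to the host
    that already owns the port; the MAC in parentheses is the one being refused.
    """
    events = []
    for line in text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            events.append((m.group("intf"), m.group("mac").lower(), m.group("session")))
    return events


def summarize_by_port(events):
    """Per interface: number of violations, distinct rejected MACs, owning sessions."""
    summary = defaultdict(lambda: {"count": 0, "macs": set(), "sessions": set()})
    for intf, mac, session in events:
        entry = summary[intf]
        entry["count"] += 1
        entry["macs"].add(mac)
        entry["sessions"].add(session)
    return dict(summary)


def flag_ports(summary, min_events=2):
    """Interfaces where the violation repeats, i.e. a second host keeps retrying.

    One violation can be a transient (a laptop moved mid-session); repeated ones
    on the same port are the 'keeps requesting authentication' pattern and point
    at a hub or desktop switch behind a single-host / multi-domain port.
    """
    return sorted(intf for intf, e in summary.items() if e["count"] >= min_events)


if __name__ == "__main__":
    summary = summarize_by_port(parse_violations(SAMPLE_SYSLOG))
    for intf, e in sorted(summary.items()):
        print(f"{intf}: {e['count']} violations, rejected MACs {sorted(e['macs'])}")
    print("ports to review:", flag_ports(summary))
```

Feed it the output of the switch's logging buffer or a syslog export; the ports it lists are the ones whose ISE live-log entries are worth cross-checking for a high repeat count on the same session.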

Hi, as I see you use multi-domain. This will allow only 1 MAC address on the data VLAN and 1 MAC address on the voice VLAN. If you don't have the global config authentication mac-move permit, it will always fail. You can try the port config with authentication host-mode multi-auth.

Many switches don't pass 802.1X frames correctly. Have you verified that you have a switch/hub that does? I am not talking about the switch you are running authentication on; I am referring to the switch/hub you have hanging off that switch where these devices are plugged in.

I never checked. How can I check that? In some locations there are some specific devices connected in the network, such as HVAC devices for heat and vacuum, and these devices are connected through some Intel device. Also there are some other specific devices, such as lab devices and monitor devices.

If you take the same 802.1X device that is failing when connected to the hub/switch and plug it directly into the Cisco switch running authentication, and it works, then most likely the issue is with the hub/switch not passing 802.1X frames correctly.

If you have a hub connected and there are multiple devices connected behind it, "authentication host-mode multi-auth" is not really the case. You will have to use "authentication host-mode multi-auth". What this does is, it authenticates every device that is connected behind the port. I mean every MAC address that is connected behind the port, including the hub.

If your configuration is more like the one below, the performance of the authentication process increases and you would not see those security violations either.

 

interface gi yy
switchport access vlan xxx
switchport mode access
switchport voice vlan yyy
device-tracking attach-policy IP_Dev
no logging event link-status
load-interval aa
authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order  mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 5
storm-control broadcast level 
storm-control multicast level 
storm-control action trap
spanning-tree portfast
spanning-tree bpduguard enable
end

 

For more information on what these modes are and what they mean, here is a document that might help you:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/XE3-9-0E/15-25E/configuration/guide/xe-390-configuration/dot1x.pdf
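The two replies above make three points about the port: multi-domain admits one MAC on the data VLAN, the global authentication mac-move permit command matters when a MAC moves between ports, and the suggested config swaps multi-domain for multi-auth and puts MAB ahead of dot1x in the order. The following is an added example (not from the thread and not a Cisco tool) that lints an interface block for exactly those points; the two config snippets are trimmed versions of the ones posted above with placeholder interface and VLAN values, and the rules it encodes, including the rationale for "order mab dot1x" next to "priority dot1x mab", are this script's own assumptions drawn from Cisco's general IBNS guidance rather than anything stated in the thread.

```python
"""Lint a Cisco IOS access-port block for host-mode / order / mac-move issues.
Added example, not a Cisco tool. The configs are constructed from the thread's
snippets; the lint rules are assumptions of this script."""

# Constructed inputs: the posted port config (multi-domain, dot1x first) and the
# suggested one (multi-auth, MAB first). Interface name and VLAN IDs are placeholders.
ORIGINAL_PORT = """\
interface GigabitEthernet1/0/14
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 200
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
"""

CORRECTED_PORT = ORIGINAL_PORT.replace(
    "authentication host-mode multi-domain", "authentication host-mode multi-auth"
).replace("authentication order dot1x mab", "authentication order mab dot1x")

# Global config with and without the command mentioned in the thread.
GLOBAL_WITH_MAC_MOVE = "authentication mac-move permit\n"
GLOBAL_WITHOUT_MAC_MOVE = ""

# MAC addresses each host-mode admits on the data VLAN. None = no fixed limit
# (multi-host authorizes all after the first passes; multi-auth authenticates each).
DATA_MACS_ALLOWED = {"single-host": 1, "multi-domain": 1, "multi-host": None, "multi-auth": None}


def parse_auth_settings(port_config):
    """Pull the authentication-relevant commands out of an interface block.
    Defaults (host-mode single-host, order/priority dot1x then mab) are the IOS defaults."""
    settings = {"host_mode": "single-host", "order": ["dot1x", "mab"],
                "priority": ["dot1x", "mab"], "mab": False, "dot1x": False}
    for raw in port_config.splitlines():
        line = raw.strip()
        words = line.split()
        if line.startswith("authentication host-mode "):
            settings["host_mode"] = words[-1]
        elif line.startswith("authentication order "):
            settings["order"] = words[2:]
        elif line.startswith("authentication priority "):
            settings["priority"] = words[2:]
        elif line == "mab":
            settings["mab"] = True
        elif line == "dot1x pae authenticator":
            settings["dot1x"] = True
    return settings


def lint_port(port_config, expected_data_hosts, global_config=""):
    """Return a list of (code, message) findings for one port.

    expected_data_hosts: how many data-VLAN MACs you expect behind the port
    (more than one whenever a hub or desktop switch hangs off it).
    """
    s = parse_auth_settings(port_config)
    findings = []
    limit = DATA_MACS_ALLOWED.get(s["host_mode"])
    if limit is not None and expected_data_hosts > limit:
        findings.append(("HOST_MODE_LIMIT",
            f"host-mode {s['host_mode']} admits {limit} data-VLAN MAC but "
            f"{expected_data_hosts} hosts are expected; each extra MAC is a security "
            "violation. Use multi-auth so every MAC behind the hub is authenticated."))
    if s["mab"] and s["dot1x"] and s["order"][:1] == ["dot1x"]:
        findings.append(("ORDER_DOT1X_FIRST",
            "order dot1x before mab: a host with no supplicant waits for the dot1x "
            "timeouts before MAB runs. 'order mab dot1x' with 'priority dot1x mab' lets "
            "MAB go first while a host that speaks EAPOL still gets dot1x precedence."))
    if "authentication mac-move permit" not in global_config:
        findings.append(("NO_MAC_MOVE",
            "global 'authentication mac-move permit' is absent: a MAC already "
            "authenticated on one port that appears on another is treated as a violation."))
    return findings


if __name__ == "__main__":
    for name, cfg, glob in (("posted", ORIGINAL_PORT, GLOBAL_WITHOUT_MAC_MOVE),
                            ("suggested", CORRECTED_PORT, GLOBAL_WITH_MAC_MOVE)):
        print(f"{name} config:")
        for code, msg in lint_port(cfg, 3, glob) or [("OK", "no findings")]:
            print(f"  [{code}] {msg}")
```

Run it against a "show running-config interface" dump per port and set expected_data_hosts from your knowledge of what is cabled behind the port; the posted config produces all three findings for a hub port, the suggested one produces none once mac-move is permitted globally.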

Yes, maybe multi-auth solves the issue. But I have one question about the authentication order.

authentication order mab dot1x

I believe we should keep the authentication order as per the priority. I am not sure; can you share your ideas on it?

Why do I need to keep the authentication order as you mentioned in your reply? I am very interested in it, so can you educate me on this?