10-04-2024 08:31 AM
Hi all,
I'm trying to setup ISE to perform a simple MAB profiling for a printer. For some reason ISE rejects the printer the first time I connect it:
Event | 5400 Authentication failed |
Failure Reason | 15039 Rejected per authorization profile |
I am using an authorization profile that contains a Logical Profile for printers. Within this logical profile I've added the a 'Ricoh-Device' Profiling Profile, which has a profiling condition to look if the Mac address OUI contains 'ricoh'.
When i look up the device in the authentication endpoints I do see the printer with the 'Ricoh-Device' endpoint profile and the authentication failure reason, which is Rejected per authorization profile. Once i cycle the switchport manually, the device is getting accepted and placed into my printer VLAN. After that the endpoint store is listing that it is using the correct authorization policy.
I am hoping that someone can point me into the right direction. manually bouncing the port is not feasible, Can anyone help me finding out why this is happening?
Setup:
- 2x ISE Node with all personas ( 3.4.0.608 ), hosted in Azure.
- NAD: Various Cisco Meraki switches, my test lab is a MS120-8FP
Access policy:
Authorization policy:
1th attempt log:
Step ID | Description | Latency (ms) | |
11001 | Received RADIUS Access-Request | ||
11017 | RADIUS created a new session | 0 | |
11027 | Detected Host Lookup UseCase (Service-Type = Call Check (10)) | 1 | |
15049 | Evaluating Policy Group | 0 | |
15008 | Evaluating Service Selection Policy | 0 | |
15041 | Evaluating Identity Policy | 1 | |
15048 | Queried PIP - Normalised Radius.RadiusFlowType | 1 | |
22072 | Selected identity source sequence - anonymized_AD_Sequence | 0 | |
15013 | Selected Identity Source - anonymized-AD | 1 | |
24432 | Looking up user in Active Directory - anonymized-AD | 0 | |
24325 | Resolving identity - <mac address anonymized> | 20 | |
24313 | Search for matching accounts at join point - anonymized.local | 1 | |
24318 | No matching account found in forest - anonymized.local | 0 | |
24367 | Skipping unusable domain - anonymized trust is one-way | 0 | |
24367 | Skipping unusable domain - anonymized trust is one-way | 0 | |
24367 | Skipping unusable domain - anonymized trust is one-way | 0 | |
24322 | Identity resolution detected no matching account | 0 | |
24352 | Identity resolution failed - ERROR_NO_SUCH_USER | 0 | |
24412 | User not found in Active Directory - anonymized-AD | 0 | |
15013 | Selected Identity Source - Internal Endpoints | 0 | |
24209 | Looking up Endpoint in Internal Endpoints IDStore - <mac address, anonymized> | 0 | |
24217 | The host is not found in the internal endpoints identity store | 2 | |
22016 | Identity sequence completed iterating the IDStores | 0 | |
22056 | Subject not found in the applicable identity store(s) | 1 | |
22058 | The advanced option that is configured for an unknown user is used | 0 | |
22060 | The 'Continue' advanced option is configured in case of a failed authentication request | 0 | |
15036 | Evaluating Authorization Policy | 0 | |
24209 | Looking up Endpoint in Internal Endpoints IDStore - <mac address anonymized> | 0 | |
24217 | The host is not found in the internal endpoints identity store | 2 | |
15048 | Queried PIP - EndPoints.EndPointPolicy | 6 | |
15048 | Queried PIP - EndPoints.LogicalProfile | 1 | |
15048 | Queried PIP - EndPoints.EndPointPolicy | 1 | |
15048 | Queried PIP - EndPoints.LogicalProfile | 1 | |
15048 | Queried PIP - EndPoints.EndPointPolicy | 1 | |
24432 | Looking up user in Active Directory - anonymized-AD | 1 | |
24325 | Resolving identity - <mac address, anonymized> | 4 | |
24313 | Search for matching accounts at join point - anonymized.domain | 0 | |
24318 | No matching account found in forest - anonymized.domain | 0 | |
24367 | Skipping unusable domain - anonymized,Domain trust is one-way | 0 | |
24367 | Skipping unusable domain - anonymizedDomain trust is one-way | 0 | |
24367 | Skipping unusable domain - anonymized,Domain trust is one-way | 0 | |
24322 | Identity resolution detected no matching account | 0 | |
24352 | Identity resolution failed - ERROR_NO_SUCH_USER | 0 | |
24412 | User not found in Active Directory - anonymized-AD | 0 | |
15048 | Queried PIP - anonymized-AD.ExternalGroups | 4 | |
15048 | Queried PIP - EndPoints.EndPointPolicy | 1 | |
15048 | Queried PIP - EndPoints.LogicalProfile | 1 | |
15048 | Queried PIP - EndPoints.LogicalProfile | 1 | |
15048 | Queried PIP - EndPoints.LogicalProfile | 0 | |
15048 | Queried PIP - EndPoints.LogicalProfile | 1 | |
15048 | Queried PIP - EndPoints.EndPointPolicy | 1 | |
15048 | Queried PIP - EndPoints.EndPointPolicy | 1 | |
15048 | Queried PIP - EndPoints.EndPointPolicy | 1 | |
15048 | Queried PIP - EndPoints.EndPointPolicy | 2 | |
15048 | Queried PIP - EndPoints.EndPointPolicy | 1 | |
15048 | Queried PIP - EndPoints.LogicalProfile | 1 | |
15016 | Selected Authorization Profile - DenyTest | 0 | |
15039 | Rejected per authorization profile | 0 | |
11003 | Returned RADIUS Access-Reject | 1 |
2th log after port bounce:
Steps
|
10-04-2024 10:16 AM
In ISE
OUI is take from first three numbers of MAC.
MHM
10-05-2024 03:45 PM
Thanks,
I don't think that is unique to ISE, its well documented in IEEE 802 related RFC's that the first 24 bits from the 48 bits MAC address is the OUI.
10-05-2024 03:58 PM
ricoh <<- this make me think that OUI is wrong are you sure mac address start with this ?
Also MAB for printer dont use CoA' CoA mainly use when you have guest.
MAB is straight process' send call-back ISE use wired-mab policy and then send access-accept with vlan/dacl authz.
Why you have CoA for what ?
MHM
10-04-2024 01:46 PM
@Jagermeister what you're describing is a text book example of what happens when CoA (Change of Authorization) is not working. CoA allows the RADIUS server to send a message to the NAD to re-authorize the session it can do other things too but for profiling ISE will send a CoA Reauth). Therefore check that your Network Device in ISE has CoA/Dynamic Authorization checkbox ticked - Cisco uses UDP/1700 for this. On the NAD, check that dynamic authorization is enabled - and also, ensure that the RADIUS shared secret matches that of the device define in ISE. And ... this caught me recently, if your RADIUS traffic run inside a VRF on the switch, then ensure that the dynamic authorization mentions the vrf name. This of course applies to all other RADIUS commands.
Once you have working CoA, you will see this in the ISE Live Logs, and then profiling becomes a plug-and-play experience.
10-05-2024 03:35 PM
Hi Arne, thanks for replying.
I expected issues with CoA indeed so I already made sure that all the settings were correct. I checked again, and my NAD configuration seems OK.
I currently am reproducing the situation in the following manner:
1. I delete the endpoint from the endpoint store, this should trigger a CoA
2. supplicant on switchport is deauthenticated
3. Supplicant is appearing again in endpoint store now, hitting on my default deny authorization policy
4. After waiting quite some time (~15 minutes), the supplicant is granted access to the network and the Meraki switch event logs show "event type; RADIUS dynamic VLAN assignment"
The take a closer look i've made a pcap and I have let it run until the client got authenticated again (hiding first 2 octets for privacy):
It seems that it does send the CoA that's triggered by the default 'Endpoint Delete' profiler exception action. As you can see it gets acknowledged as well. After that I see a bunch of new CoA requests, all containing VSA: t=Cisco-AVPair(1) l=35 val=subscriber:command=reauthenticate, but the switch never sends an ACK on those. Even though it doesn't acknowledge the last, the supplicant still gains access after waiting for ~15 minutes. Manually triggering CoA's from the end point store also seems to work (getting ack's on those) .
Any idea?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide