Cisco ISE not blocking non-domain devices

jhager001
Level 1

I have Cisco ISE version 2.0.0.306 and I'm having trouble with the port-level commands: they are not blocking non-domain devices. Cisco TAC insisted that I put "access-session closed" on the port-level commands, but that ends up blocking my known domain devices as well, and it usually takes a reboot to correct the Ethernet authentication.

The ISE-related configuration is the following:

aaa authentication login default local
aaa authentication login local_webauth local
aaa authentication login CON none
aaa authentication login VTY group AG_TACACS local
aaa authentication enable default group AG_TACACS enable
aaa authentication dot1x default group ISE_RADIUS
aaa authorization console
aaa authorization config-commands
aaa authorization exec CON none
aaa authorization exec VTY group AG_TACACS local if-authenticated
aaa authorization network default group ISE_RADIUS
aaa authorization network auth-list group ISE_RADIUS
aaa authorization auth-proxy default group ISE_RADIUS
aaa authorization credential-download default local
aaa accounting update periodic 15
aaa accounting identity default start-stop group ISE_RADIUS
aaa accounting exec default start-stop group AG_TACACS
aaa accounting system default start-stop group ISE_RADIUS
!
class-map type control subscriber match-any AAA-DOWN
 match result-type aaa-timeout
!
class-map type control subscriber match-all DOT1X-FAILED
 match method dot1x
 match result-type method dot1x authoritative
!
policy-map type control subscriber DOT1X-DEFAULT
 event session-started match-all
  10 class always do-all
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event violation match-all
  10 class always do-all
   10 restrict
 event agent-found match-all
  10 class always do-all
   10 authenticate using dot1x
 event authentication-failure match-first
  10 class always do-all
   10 unauthorize
   20 terminate dot1x
   30 terminate mab
!

A typical port looks like the following:

interface GigabitEthernet4/0/32
 description CP 2.3-4 port 40
 switchport access vlan 507
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 537
 authentication periodic
 authentication timer reauthenticate server
 access-session closed
 access-session port-control auto
 mab
 snmp trap mac-notification change added
 dot1x pae authenticator
 dot1x timeout tx-period 10
 auto qos trust dscp
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy type control subscriber DOT1X-DEFAULT
 service-policy input AutoQos-4.0-Trust-Dscp-Input-Policy
 service-policy output AutoQos-4.0-Output-Policy
end

Is there a way to speed up the dot1x authentication for known devices? I'm pretty new to the configuration of Cisco ISE, so I'm not sure if I have something in there that shouldn't be, or if I have misconfigured something.

When I plug in a known domain device, the Ethernet adapter will sit on "Authentication failed", although a reboot will correct this.

1 Reply

agrissimanis
Level 1

With regard to the non-corporate devices being allowed through: if you originally planned to do low-impact mode (that is, without the "access-session closed" command on the interface), you would need a pre-auth ACL on the port.

The pre-auth ACL allows only select protocols through until the endpoint is authenticated (at which point the pre-auth ACL is overridden by a dACL from ISE). If the endpoint never passes authentication, the restrictive pre-auth ACL remains in effect and the endpoint gets very limited access to the network.

In your case, the port was in low-impact mode (that is the default setting in IBNS 2.0), non-corporate endpoints failed authentication, but were allowed to access the network because there was no pre-auth ACL blocking the traffic.

I think this could have been the cause of the issue.
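As an added illustration of the low-impact mode the reply describes (this is example configuration, not the poster's running config or anything from the thread), below is a pre-auth ACL and the matching interface changes. The ACL name PRE-AUTH-ACL and the protocols it permits are assumptions; adjust them to what unauthenticated endpoints on that port genuinely need before authentication completes.

```cisco
! Pre-authentication ACL (name is an assumption). Applied inbound on the
! access port, it is what limits an endpoint that has not yet passed
! dot1x or MAB. Without it, a failed endpoint in low-impact mode has
! full access to VLAN 507, which matches the behaviour reported above.
ip access-list extended PRE-AUTH-ACL
 remark DHCP so the endpoint can obtain an address before authenticating
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any any eq domain
 remark TFTP for IP phone firmware on the voice VLAN (drop if not needed)
 permit udp any any eq tftp
 remark everything else is dropped until ISE replaces this ACL with a dACL
 deny ip any any
!
interface GigabitEthernet4/0/32
 description CP 2.3-4 port 40
 switchport access vlan 507
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 537
 authentication periodic
 authentication timer reauthenticate server
 ! low-impact mode: "access-session closed" is intentionally absent, so the
 ! port passes traffic before authentication but only what PRE-AUTH-ACL allows
 access-session port-control auto
 ip access-group PRE-AUTH-ACL in
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy type control subscriber DOT1X-DEFAULT
!
! On the ISE side, the authorization profile for known domain devices must
! push a dACL (for example "permit ip any any") so that a successful
! authentication replaces PRE-AUTH-ACL; a non-domain device that fails
! keeps PRE-AUTH-ACL and stays restricted. The switch needs IP device
! tracking enabled for the dACL to be applied to the endpoint's address.
```

After applying this, "show access-session interface GigabitEthernet4/0/32 details" on the switch shows which ACL is in effect for the session, which is the quickest way to confirm whether a failed endpoint is still held by the pre-auth ACL.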