Cisco ISE Profiling - docking stations without connected devices

AigarsK
Level 1

Hello Everyone,

I have noticed that in my deployment there are way too many failed authentications versus successful ones. After doing some checks I noticed that they are mostly caused by docking stations. The following situation takes place.

 

1. Device is attached to Docking station.

2. Authentication using 802.1X takes place and the device is admitted on the network as per policies.

3. Device disconnects from the docking station but the port on the switch stays in Connected state (I am fully aware that docking stations would require support for EAP proxy logoff, but these devices do not support it, nor do they use other mechanisms to notify the switch that the device using the network is no longer attached).

4. Because there is no port state change, the session remains.

5. Re-authentication takes place on the port connected to the docking station as per the Authorization Profile configured on Cisco ISE.

6. As the switch asks the device to respond to 802.1X authentication when it is not there, 802.1X auth fails (and there is an entry in the logs for that in Cisco ISE and on the switch).

7. The switch then uses the next method, being MAB.

8. As there is no MAB policy for the MAC in Cisco ISE, authentication fails.

9. Retry takes place as this session gets a 60-second Restart Timeout (I do not appear to have control over this, please correct me if I am wrong).

 

The last step is the one responsible for the numerous failed authentications logged in Cisco ISE. Throughout this Step 9 the switch port no longer shows any MAC address seen from the client; the port shows no input, and I have cases where it is displayed as "Last input never" in the show interface .... command.

 

So I have devised a plan to deal with this (please let me know if there is a better way of doing this).

! Please note that not all laptops and not all docking stations support or have enabled MAC Address Pass-through.

1. Configure all corporate Authorization Profiles to include Radius Idle Timeout (Radius Attribute 28) - from what I have found, this would look at the port's "Last Input" and if the time specified in Idle-Timeout is greater, then the session would be torn down.

2. Configure a MAB authentication rule which uses profiling for the MAC OUI of docking stations and allow them on the network, but place them in a dead VLAN and attach a dACL with Deny IP ANY ANY, and also configure Radius Idle Timeout (Radius Attribute 28).

 

I realize that the MAB Authentication policy needs to be set after the one used for 802.1X, which is already the case, and I have my Authorization rule in the MAB policy as one of the top rules as well.

 

Is there anything immediate you guys would think of why it would not work?

I appreciate any input on this matter as I am sure quite a few of you have encountered this as well.
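The plan above relies on the RADIUS server returning Idle-Timeout (attribute 28) together with a VLAN assignment in the Access-Accept. The following is an added example, not part of the original post or of any Cisco ISE code, showing how those attributes are laid out on the wire per RFC 2865 (Idle-Timeout, a 4-octet integer) and RFC 2868 (the tagged Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID triple used for dynamic VLAN assignment), with a decoder that rejects truncated or mis-sized attribute headers. The VLAN number and timeout values passed in are constructed sample inputs.

```python
"""Encode and decode the RADIUS attributes a dead-VLAN + Idle-Timeout
authorization profile returns (added example; RFC 2865 / RFC 2868 layouts)."""
import struct

IDLE_TIMEOUT = 28               # RFC 2865: integer, seconds of inactivity
TUNNEL_TYPE = 64                # RFC 2868: tagged integer
TUNNEL_MEDIUM_TYPE = 65         # RFC 2868: tagged integer
TUNNEL_PRIVATE_GROUP_ID = 81    # RFC 2868: tagged string (the VLAN id)
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def _avp(attr_type, value):
    """Type(1) Length(1) Value; Length includes the two header octets."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_integer(attr_type, seconds):
    return _avp(attr_type, struct.pack("!I", seconds))


def encode_tagged_integer(attr_type, tag, value):
    # Tagged integer: one tag octet followed by a 3-octet big-endian value.
    if not 0 <= tag <= 0x1F or value >= 1 << 24:
        raise ValueError("tag must be 0..31 and value must fit in 24 bits")
    return _avp(attr_type, bytes([tag]) + struct.pack("!I", value)[1:])


def encode_tagged_string(attr_type, tag, text):
    return _avp(attr_type, bytes([tag]) + text.encode())


def build_dock_authorization(vlan_id, idle_timeout_s, tag=1):
    """Attributes for: put the dock's MAB session in vlan_id, tear it down
    after idle_timeout_s seconds without input on the port."""
    return b"".join([
        encode_tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN),
        encode_tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802),
        encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)),
        encode_integer(IDLE_TIMEOUT, idle_timeout_s),
    ])


def decode_attributes(blob):
    """Walk the attribute list; raise on malformed lengths instead of
    silently mis-parsing the remainder."""
    out = {}
    i = 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("attribute length out of range")
        value = blob[i + 2:i + length]
        if attr_type == IDLE_TIMEOUT:
            out["Idle-Timeout"] = struct.unpack("!I", value)[0]
        elif attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            name = "Tunnel-Type" if attr_type == TUNNEL_TYPE else "Tunnel-Medium-Type"
            out[name] = (value[0], int.from_bytes(value[1:], "big"))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet above 0x1F is part of the string, not a tag.
            if value and value[0] <= 0x1F:
                out["Tunnel-Private-Group-ID"] = (value[0], value[1:].decode())
            else:
                out["Tunnel-Private-Group-ID"] = (0, value.decode())
        else:
            out[attr_type] = value
        i += length
    return out


if __name__ == "__main__":
    # Constructed sample: VLAN 1 and a 5-minute idle timeout, as in the thread.
    print(decode_attributes(build_dock_authorization(1, 300)))
```

The decoder keeps the tag alongside each tunnel value so a consumer can verify all three VLAN attributes carry the same tag; a mismatched set is one of the common reasons a switch ignores the assignment.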

 

3 Replies

Arne Bier
VIP

Interesting (and annoying too). Thanks for raising this. I haven't had the unfortunate pleasure of dealing with this myself - probably just a matter of time. So your experience is valuable.

I would like to know what traffic (if any) a docking station would send if there was no endpoint attached to it (docked/USB plugged in). 

 

Perhaps the trick is to use user authentication in the supplicant (workstations are Windows?) to trigger a network authentication when the user reconnects to the dock. It also depends on what state the workstation is in when it re-connects:

1) powered off - needs to be power on - in that case if machine authentication is configured then it should be ok

2) powered on (still logged in) - if only machine auth configured then there should be no network auth - not sure, but I think if user auth were configured, then the supplicant may send a network auth and then get the user back into the 802.1X cycle

3) powered on (logged out) - when user logs in then no network event unless user auth is configured in the supplicant.

 

I would be interested to know if changing the supplicant to user&computer auth would help at all.  The main idea is to make the workstation more "chatty" by talking EAP whenever technically possible.

Thanks for the reply.

There would be no traffic sent by the dock; it is just an interface which is not connected to a device, and this causes the switch, rightly so, to age out the MAC from the TCAM after the default 300 seconds against the port it was connected to.

The port however stays in UP/UP state, as the docking station is still powered on. It does not have any traffic to send, as expected.

This state causes the old session to remain active for the duration of the re-authentication timer. Once it expires, the switch tries to get a new session and asks the client, which is no longer there, to provide its authentication over 802.1X; as there is no one to respond, the switch uses the old session's MAC address and tries to match it against any MAB policies on Cisco ISE.

I have not had a chance to test this in more detail, but I suspect that this could even allow the session to become a security hole, where an unauthorized device could be connected to a docking station which still had an old session in authorized state.

I have seen this in two places, one using Humanscale docks and another using Philips monitor built-in docks.

Both were on 9300 and both were part of SDA deployment.

I have started a rollout of Authorization profiles with Radius Idle Timeout (Radius Attribute 28) set to one hour. This will clean up failures on docks which are in active use, but due to the small user population being in the office, I still have some desks with docks which have not been used for a month and more, which are generating a failure every minute without any clients attached to the dock nor any MAC being present on the ports.

Will grab some example show commands tomorrow.

For information, I do not believe that this affects any certain versions of ISE this is why my original post did not state it.

I have seen this now on ISE 2.4 various patch levels, ISE 2.7 with various patch levels. It has been witnessed on Cisco 3650 and Cisco 9300. IOS-XE versions from 16.9.2s. More than likely other switch platforms as well.

Here are show commands of one port I focused on today (Some are extracts):

 

show int GigabitEthernet6/0/25
GigabitEthernet6/0/25 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is 308b.b206.a319 (bia 308b.b206.a319)
Description: LAN Access Ports
MTU 9100 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
input flow-control is on, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: Class-based queueing
Output queue: 0/40 (size/max)
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec
86 packets input, 18969 bytes, 0 no buffer
Received 86 broadcasts (42 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 42 multicast, 0 pause input
0 input packets with dribble condition detected
813893 packets output, 139078124 bytes, 0 underruns
Output 0 broadcasts (0 multicasts)
0 output errors, 0 collisions, 2 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out

 

show mac add int GigabitEthernet6/0/25
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----

 

show auth sessions interface GigabitEthernet6/0/25 details
Interface: GigabitEthernet6/0/25
IIF-ID: 0x157B571E
MAC Address: 1865.717f.f975
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: 1865717ff975
Device-type: Un-Classified Device
Device-name: Unknown Device
Status: Unauthorized
Domain: UNKNOWN
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: 60s, Remaining: 9s
Common Session ID: 5101640A00003511B19A3374
Acct Session ID: Unknown
Handle: 0xc80002ad
Current Policy: PMAP_DefaultWiredDot1xClosedAuth_1X_MAB


Server Policies:


Method status list:
Method State
dot1x Stopped
mab Stopped

 

I performed a packet capture on GigabitEthernet6/0/25 and confirmed that there is no traffic originating from it. When the Restart Timeout reached zero, I was able to see EAP messages with Request for Identity; there were 4 retries sent and then an EAP failure was sent.

As expected, the MAB method started next, which received the Default Authorization rule and was issued an Access-Reject.

The process would of course restart. In my environment, due to the Dot1X timeout tx-period and Dot1X max-reauth-req configuration on the port, this would generate an Authentication Failure every 4 seconds for one host.

 

This morning I ended up implementing MAB Authorization rule which has condition Radius:User-Name Starts With 186571 and configured it to receive Authorization profile which places it in VLAN 1 (I am not using automation and did not want new VLAN created). I also attached dACL for both IPV4 and IPV6 which denies all traffic and of course Radius Idle Timeout (Radius Attribute 28) which I configured for 5 minutes. I have also attached SGT to it so that I can put in further assurances that if someone was to connect unauthorized devices, they would not be able to break out from this network state.

This allowed for session to be Authenticated on MAB, and after 5 minutes session cleared.

 

Considerations:

• If you are using my approach of matching condition Radius:User-Name Starts With, this will require that you create new Authorization Rule for each OUI of docking stations in your environment. This option would consume Base license for duration of 5 minutes

• If you were to take Profiling approach, then note that there might be inaccurate device type reporting in Cisco ISE, as profiling Certainty would require to be set high and it might not transition back to Workstations or Windows machines. This would also consume both Base and Plus license

Do not use this Authorization Profile as a replacement for your Default Rule! This will potentially cause situations where you have devices attached to the network which have an internal switch with multiple devices chained under one port, from which only one is getting Authentication and the subsequent Authorization Profile. This could lead to the switch trying to apply different VLANs and SGTs to the same port in the DATA domain and lead to issues with connectivity to the one device you care about.

 

Again, I leave this here for anyone to correct me if I have made wrong assumptions. I have not posted the port config, but can assure you that the DOT1X and MAB policies are in line with the default (IBNS 2.0) that Cisco DNA pushes to switches for enabling SDA. And from my lab environment, it affects your regular non-policy-based switch port configuration as well.
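The show output posted above gives a detection signature for this condition: an authentication session bound to a MAC that the switch no longer has in its MAC address table on that port. The following is an added example, not code from the thread or from Cisco, that parses `show authentication sessions interface ... details` and `show mac address-table interface ...` text and classifies the port. The session and empty MAC-table samples are copied from the post; the populated MAC-table sample (VLAN 10, DYNAMIC entry) is constructed to show the healthy case. It also flags the case the poster raised as a possible security hole: an Authorized session whose MAC is not learned on the port.

```python
"""Classify a switch port's authentication session against its MAC table
(added example; sample show output from the thread, healthy case constructed)."""
import re

# Copied from the thread: session left behind by a dock with no endpoint.
SHOW_AUTH = """\
Interface: GigabitEthernet6/0/25
IIF-ID: 0x157B571E
MAC Address: 1865.717f.f975
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: 1865717ff975
Device-type: Un-Classified Device
Device-name: Unknown Device
Status: Unauthorized
Domain: UNKNOWN
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: 60s, Remaining: 9s
Common Session ID: 5101640A00003511B19A3374
Acct Session ID: Unknown
Handle: 0xc80002ad
Current Policy: PMAP_DefaultWiredDot1xClosedAuth_1X_MAB
"""

# Copied from the thread: no MAC learned on the port.
SHOW_MAC_EMPTY = """\
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
"""

# Constructed: the same port with the laptop actually docked.
SHOW_MAC_PRESENT = SHOW_MAC_EMPTY + "  10 1865.717f.f975 DYNAMIC Gi6/0/25\n"

MAC_RE = re.compile(r"\b([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b", re.I)
REMAINING_RE = re.compile(r"Remaining:\s*(\d+)s")


def parse_auth_session(text):
    """Turn 'Key: value' lines into a dict; splits on the first colon only,
    so 'Restart timeout: 60s, Remaining: 9s' stays intact as one value."""
    session = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            session[key.strip()] = value.strip()
    return session


def learned_macs(text):
    """All Cisco-format MACs appearing in a 'show mac address-table' dump."""
    return {m.lower() for m in MAC_RE.findall(text)}


def restart_remaining_seconds(session):
    m = REMAINING_RE.search(session.get("Restart timeout", ""))
    return int(m.group(1)) if m else None


def classify_port(auth_text, mac_text):
    """Return one of:
    endpoint-present   - session MAC is learned on the port (normal)
    stale-unauthorized - unauthorized session, no MAC, restart timer running
                         (the failure loop described in the thread)
    stale-authorized   - authorized session with no MAC learned on the port
                         (worth reviewing: authorization outlives the endpoint)
    unknown            - anything else
    """
    session = parse_auth_session(auth_text)
    mac = session.get("MAC Address", "").lower()
    present = bool(mac) and mac in learned_macs(mac_text)
    status = session.get("Status", "")
    if present:
        return "endpoint-present"
    if status == "Unauthorized" and restart_remaining_seconds(session) is not None:
        return "stale-unauthorized"
    if status == "Authorized":
        return "stale-authorized"
    return "unknown"


if __name__ == "__main__":
    s = parse_auth_session(SHOW_AUTH)
    print(s["Interface"], s["MAC Address"], classify_port(SHOW_AUTH, SHOW_MAC_EMPTY),
          "retry in", restart_remaining_seconds(s), "s")
```

Run per access port from a saved show-tech or a scheduled collection; a port that stays in `stale-unauthorized` across several collections is the idle dock generating the repeated failures, while `stale-authorized` identifies the sessions that Idle-Timeout should be allowed to clear.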