Client getting network access before Authentication

nithinrs78901
Level 1

Hi Guys

Please help me to overcome one general issue from the ISE side. When we put the 'authentication open' command in the port configuration, all the endpoints get full access to the network for a certain period.

But when we remove this command from the port, the Cisco IP phones do not get an IP. We confirmed the IP phones are getting authenticated and authorized in ISE.

1 Accepted Solution

Accepted Solutions

Hi Team,

I got a solution to overcome this issue.

I removed the 'authentication open' command from the port and added 'dot1x critical eapol' in the global configuration.

With these changes, initial access was denied and the IP phones are also getting an IP.

Thanks for your support


7 Replies

pan
Cisco Employee

The 'authentication open' command will allow unrestricted Layer 2 access to the network even before any authentication has succeeded.

If ISE is authenticating and authorizing properly, then you need to check on the switch. Check the output of "show authentication session interface <>".

Have you configured dynamic authorization on switch?

Hi Pan,

Thanks for your reply. Yes, we had configured dynamic authorization on the switch.

Please find the session details from the switch and the port configuration:

ACCESS-SW-01#sh authentication sessions interface GigabitEthernet2/0/43
            Interface:  GigabitEthernet2/0/43
          MAC Address:  0021.55d4.xxxx
           IP Address:  192.18.69.39
            User-Name:  00-21-55-D4-xx-xx
               Status:  Authz Success
               Domain:  VOICE
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-57452910
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  AC12FA6500005BD3671A05BC
      Acct Session ID:  0x000063B8
               Handle:  0xED0005DE

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success

interface GigabitEthernet2/0/43
 description *****Connected to Users*****
 switchport access vlan 107
 switchport mode access
 switchport voice vlan 269
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 storm-control broadcast level 10.00
 storm-control multicast level 20.00
 storm-control action shutdown
 storm-control action trap
 spanning-tree portfast
end

Looking forward to your response.

Change the order from "authentication order dot1x mab" to "authentication order mab dot1x", then do a shut / no shut.

Then search for the MAC address of the IP phone in the live logs and check if there is anything failing there.

Share the output of "sh authentication sessions interface GigabitEthernet2/0/43" again.

What have you configured in "ip access-group ACL-ALLOW in"? Remove it and check.

Hi

You are using dot1x and then MAB with a tx-period of 10 seconds. This will require 30 seconds before MAB occurs. How long is the DHCP timeout on the phones? There are two alternatives to test/correct the issue: lower the tx-period or reverse the dot1x/MAB sequence. To start, I would lower the tx-period to 6 seconds, which is a setting that is working in several different environments.

interface GigabitEthernet2/0/43

 dot1x timeout tx-period 6

//Martin

CCIE #36669 (Security)
Cisco Fire Jumper

I agree with Martin in trying to lower the tx-period first. In all my closed-mode installs I have never had to reverse the order to "mab dot1x". There are ramifications to reversing the order. If you order "mab dot1x" first, you are requiring the OS to initiate dot1x. Some OS versions (Macs are an example) are only responders to dot1x.
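An added audit helper, not from the thread or from Cisco, that reproduces Martin's 30-second calculation from a port's running-config and flags 'authentication open' as pan described: with dot1x ordered first, the switch sends EAP-Request/Identity and retries it max-reauth-req times (IOS default 2), waiting tx-period between each, before failing over to MAB. The 20-second phone DHCP timeout is a constructed placeholder, since the thread never states it.

```python
import re

# Constructed sample: the relevant lines of the port configuration posted in
# the thread, plus an open-mode variant and Martin's 6-second tx-period.
PORT_AS_POSTED = """\
interface GigabitEthernet2/0/43
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
"""
PORT_OPEN_MODE = PORT_AS_POSTED + " authentication open\n"
PORT_TUNED = PORT_AS_POSTED.replace("tx-period 10", "tx-period 6")

DEFAULT_TX_PERIOD = 30       # IOS default, seconds
DEFAULT_MAX_REAUTH_REQ = 2   # IOS default retransmissions of EAP-Request/Identity


def audit_port(config: str, phone_dhcp_timeout: int = 20) -> dict:
    """Estimate how long a non-802.1X endpoint (an IP phone here) waits for an
    authorized session, and flag pre-authentication network access.
    phone_dhcp_timeout is an assumed value; measure it on the real phones."""
    def num(pattern, default):
        m = re.search(pattern, config, re.M)
        return int(m.group(1)) if m else default
    tx = num(r"^\s*dot1x timeout tx-period (\d+)", DEFAULT_TX_PERIOD)
    retries = num(r"^\s*dot1x max-reauth-req (\d+)", DEFAULT_MAX_REAUTH_REQ)
    order = re.search(r"^\s*authentication order (.+)$", config, re.M)
    methods = order.group(1).split() if order else ["dot1x", "mab"]
    open_mode = re.search(r"^\s*authentication open\b", config, re.M) is not None
    # dot1x first: one EAP-Request/Identity plus `retries` retransmissions,
    # each waited out for tx-period seconds, before failover to the next method
    # (3 x 10 s = 30 s for the posted config, as Martin notes).
    seconds_until_mab = 0 if methods[0] == "mab" else tx * (retries + 1)
    return {
        "order": methods,
        "tx_period": tx,
        "seconds_until_mab": seconds_until_mab,
        # Layer 2 access is granted before any method succeeds in open mode.
        "pre_auth_access": open_mode,
        # In open mode the phone gets DHCP regardless; otherwise it must
        # survive until MAB authorizes the session.
        "phone_dhcp_likely_fails": not open_mode and seconds_until_mab > phone_dhcp_timeout,
    }
```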

Sure, I will do these changes and update you.