CPL Template MAB/Dot1x Simultaneously

paul
Level 10

One of the advantages of using the CPL (IBNS 2.0) style template is you have the option to run MAB and Dot1x simultaneously.  This means closed mode is not as detrimental to MAB devices, or you can do VLAN moves in open mode without the worry of devices getting an IP on the original VLAN.

I have had Cisco Advanced Services tell some of my customers "We don't recommend doing MAB and Dot1x at the same time because we have seen issues."  I like generic descriptions like that.  When I had the customer press AS for what issues, the only thing they came back with is that it adds extra load to ISE.  Yes, there is extra load because all Dot1x sessions will have a MAB authentication, but I have deployments doing 100k+ active authentications, all on CPL switch templates, with no issues.

I am just checking to see if others are running MAB and Dot1x simultaneously and what their experience has been.  Our standard is to run them simultaneously at our customers and we haven't had a reason to change it.


howon
Cisco Employee

Paul, thanks for the data points. Will let you know of any findings.

Hi Paul,

I am facing an issue with CPL: it always prefers MAB and does not perform Dot1x. I want to authorize my AD user, but I am unable to do dot1x authentication and authorization. Could you please help me find where I am going wrong?

Current config on switch:

class-map type control subscriber match-any AAA-DOWN
match result-type aaa-timeout
!
class-map type control subscriber match-all DOT1X-FAILED
match method dot1x
match result-type method dot1x authoritative
!
ip access-list extended ACL-ALLOW
permit ip any any
!
service-template CRITICAL
access-group ACL-ALLOW
!
policy-map type control subscriber DOT1X-DEFAULT
event session-started match-all
10 class always do-all
10 authenticate using dot1x priority 10
20 authenticate using mab priority 20
event violation match-all
10 class always do-all
10 restrict
event agent-found match-all
10 class always do-all
10 authenticate using dot1x
event authentication-failure match-all
10 class AAA-DOWN do-all
10 authorize
20 activate service-template CRITICAL
30 terminate dot1x
40 terminate mab
20 class DOT1X-FAILED do-all
10 authenticate using mab
!

interface range g2/0/24
switchport host
switchport access vlan 100
service-policy type control subscriber DOT1X-DEFAULT
authentication periodic
authentication timer reauthenticate server
mab
access-session host-mode multi-auth
dot1x timeout tx-period 10
access-session port-control auto
!

Logs from ISE:

My Authorization Profile is fine; it's Access_Accept there. Moreover, if I send a RADIUS packet from the switch, it authenticates and is authorized: Test aaa group radius username@ad.com Password new-code

User successfully authenticated

USER ATTRIBUTES

username 0 "username@ad.com"
tunnel-type 1 13 [vlan]
tunnel-medium-type 1 6 [ALL_802]
tunnel-private-group 1 "IT"

Event: 5434 Endpoint conducted several failed authentications of the same scenario
Failure Reason: 15039 Rejected per authorization profile
Resolution: Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
Root cause: Selected Authorization Profile contains ACCESS_REJECT attribute

Steps happening in this process:

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15041 Evaluating Identity Policy
15048 Queried PIP
15013 Selected Identity Source - Internal Endpoints
24209 Looking up Endpoint in Internal Endpoints IDStore - 00:50:56:5D:D5:2A
24211 Found Endpoint in Internal Endpoints IDStore
22037 Authentication Passed
24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory
15036 Evaluating Authorization Policy
24432 Looking up user in Active Directory - 00:50:56:5D:D5:2A
24325 Resolving identity
24313 Search for matching accounts at join point
24318 No matching account found in forest
24322 Identity resolution detected no matching account
24352 Identity resolution failed
24412 User not found in Active Directory
15048 Queried PIP
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
11003 Returned RADIUS Access-Reject
5449 Endpoint failed authentication of the same scenario several times and was rejected
5434 Endpoint conducted several failed authentications of the same scenario

I am also using simultaneous dot1x and MAB, ever since it was advertised in the 2015 Cisco Live IBNS2 presentation, and I also see no issues with this. In our case MAB is always faster than EAP-TLS, but our policy gives dot1x higher priority so it always takes over the MAB result immediately. ISE correctly shows both authentications as separate; why wouldn't it? I have seen no evidence of the claims above.

Having said that, we have had no end of issues with IBNS2 on various platforms since 3560X/4500E-Sup8 and now on to 9300 with 16.x. When I first started logging cases with TAC there was almost ZERO TAC knowledge and it was incredibly frustrating. We had one issue where Windows machines kept falling to Unauthorized after reauthentication and I ended up just dropping it as the support was so poor.

Several years on and we are still refining our policy, but we do not have inactivity timers or reauthentication working properly so they are disabled. The inactivity probes seem to have broken in 16.x and have not been fixed.

Paul, are you able to share any details of your policies? I would be interested to see how you handle reauthentication. Ideally once a host has authenticated with 802.1x we shouldn't need to reauthenticate with both MAB and dot1x.

Paul, in your reply you had posted the following snippet:

event session-started match-all
 10 class always do-all
  10 authenticate using dot1x priority 10
  20 authenticate using mab priority 20

In the solution I'm testing, I had:

 event session-started match-all
  20 class always do-until-failure
   10 authenticate using mab priority 20
   20 authenticate using dot1x priority 10

I'm attempting to understand the subtleties of these two pieces of code, and I would appreciate any feedback.

1) For the class statement, the number used as the priority doesn't matter, because the class is the only class in the event.

2) In the class statement, "do-all" means do each of these things once, but "do-until-failure" means what, exactly?  How does it tie in with the various timers and retries for both methods?  Does one make more sense than the other, "do-all" vs "do-until-failure"?

3) Inside the class clause, there are two statements (10 and 20). I'm guessing the numbers relate to the ORDER in which the two methods are attempted (similar to the deprecated "authentication order" command), so your example is basically "authentication order dot1x mab", and mine is "authentication order mab dot1x".

4) In both your example and mine, the pre-IBNS equivalent is "authentication priority dot1x mab".

5) Later in my example, I also have:

 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   20 authorize
   30 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10

I altered the priority of the dot1x method in the MAB_FAILED clause to match that of the previous session-started clause; not really sure it matters, but it looks consistent.

fitzie, I found an answer to at least point 2 of your post here: http://www.network-node.com/blog/2017/10/7/ise-c3pl-switch-configuration

10 class always do-all <- Matches everything after a session starts and do all the actions
10 authenticate using dot1x priority 10 <- Action is to authenticate using dot1x with a priority of 10
20 authenticate using mab priority 20 <- Action is to authenticate using MAB with priority of 20 - making it a lower priority than a successful dot1x authentication if both were to pass authentication.

You switched the ORDER

Yours

10 class always do-all
 10 authenticate using dot1x priority 10
 20 authenticate using mab priority 20 

Mine:

10 class always do-all
 10 authenticate using mab priority 20     /* (higher ORDER - 10, lower PRIORITY - 20)
 20 authenticate using dot1x priority 10   /* (lower ORDER - 20, higher PRIORITY - 10)

I want MAB to process first, but stop immediately if a dot1x supplicant is detected.  I believe yours will always process dot1x first, and that is a problem for some of my phones.

I would add that Meraki has an option for hybrid auth and explains that this option sends both mab and dot1x at the same time.  If the BU isn't supporting this, you need to talk to the Meraki team about removing the hybrid auth option.  I have done a lot of testing and noticed the mab request always lands on ISE first as the switch is negotiating dot1x with the client; I have not been able to reproduce any issues on ISE when doing MAB/Dot1x at the same time.  I have played with decreasing dot1x timers to replicate this but be more in line with what Cisco supports.  Setting dot1x timer tx-period 3 and the retry to 1, or even tx-period to 1 and retry to 1, allows the failover to mab to work quickly.  I use the event agent-found to restart dot1x if we failed and mab succeeded.

event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  10 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20

event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10

This should provide the same result as running them both at the same time and takes care of clients that are not ready to answer the switch EAPOL start at boot time.

Hello Chris,

Unless you've intentionally not shown the full config of "class always", shouldn't it look similar to the below for concurrent .1x & MAB authentication? Specifically, it's about the appearance of two "authenticate" statements, one for each method:

10 class always do-until-failure
   10 authenticate using mab aaa authc-list PSN-FOR-MAB authz-list PSN-FOR-MAB priority 20
   20 authenticate using dot1x aaa authc-list PSN-FOR-DOT1X authz-list PSN-FOR-DOT1X priority 10

I don't have all my config in the post, but the config you posted is the issue with this entire post.  Cisco says sending dot1x and mab at the same time is not supported, and Cisco ISE is designed to drop the session when multiple auths are seen at the same time from the same session.  To get the benefits of sending both at the same time without seeing issues around timeouts, my suggestion is to set the dot1x timeout tx-period to 1 or 3 and the retries to 1.  In the policy we run dot1x only, but on a dot1x fail we then run mab.  This configuration has worked well and allows computers that are booting or being woken up from a sleep timer to correctly join the network, as well as mab devices to never time out on DHCP requests.

I was doing what you have below, except normally the aaa auth dot1x default meets my requirements so I don't add a specified method to the policy map action, but it's doing the exact same thing.  I really find it useful in the lab where we have both ClearPass and ISE running and can utilize that approach to use both.  I have a few policy-maps and port templates that I use based on customer requirements and some of them run mab and dot1x at the same time, and I have never ever had an issue, but as Cisco says ISE doesn't support it, an alternative method to accomplish the same thing is provided in my previous post.

Hello. Is concurrent MAB + Dot1x now supported, and if so, from which ISE version?

Hi,
it's not, AFAIK, but read this article, Concurrent MAB/Dot1x Again - Cisco Community, to understand the topic more deeply.
I learnt from it that you either have to avoid endpoint suppression by multiple failures or use a crafted Access-Accept as the default rule in Wired MAB.
Good luck

fitzie
Level 1

Maybe I'm missing something.  The statement to not run MAB and 802.1x exclusively might be something I'm misinterpreting.

In our network, we've been running gazillions of devices, each of which runs either MAB or 802.1X authentication.  The most common MAB devices are printers and AVAYA VoIP phones.  The vast majority of our PCs are running 802.1x.  We have both Macs and PCs, so we utilize EAP-TLS.

We've attempted to standardize our access ports, so that there is but one official configuration for an access port. Pre IBNS (say v3.7.4E), we used the following for most ports:

interface gi1/0/1
description generic 802.1x enabled access port
switchport access vlan 10
switchport mode access
switchport voice vlan 110
authentication event fail action next-method
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
no mdix auto
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 20

Oftentimes, a phone would be plugged into a switch port, and a PC would be plugged into the phone.  Things worked reasonably well, but we had an issue with one particular model of Avaya phone, which would often have issues booting whenever we moved the device.  As long as it could get the same IP address, it was fine, but reprovision it off of another switch, and it would never complete its configuration.

With the introduction first of IBNS when we upgraded to 16.3.7, and later C3PL when we upgraded to 16.6.6, we're finding that these same phones simply will not boot, even when they are not moved.

 

In playing around with some of the auto-generated policy-maps that were generated in the 16.6.6 upgrade, we started with the following policy map:

policy-map type control subscriber DOT1X-MAB
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 5 retry-time 0 priority 10
 event authentication-failure match-first
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  20 class MAB_FAILED do-until-failure
   10 terminate mab
  30 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class AAA-DOWN do-all
   10 authorize
   20 activate service-template CRITICAL
   30 terminate dot1x
   40 terminate mab
  50 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 300
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 5 retry-time 0 priority 10

This seemed to work well, but we found out otherwise when we upgraded a switch that had a lot of this particular model of phone.  A coworker made some changes and came up with the following policy-map:

policy-map type control subscriber MAB-DOT1X
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 10
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   20 authorize
   30 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 20
  40 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
  60 class always do-until-failure
   10 terminate mab
   20 terminate dot1x
   30 authentication-restart 60
 event agent-found match-all
  10 class DOT1X_MEDIUM_PRIO do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 20
 event aaa-available match-all
  10 class IN_CRITICAL_VLAN do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_VLAN do-until-failure
   10 resume reauthentication
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event authentication-success match-all

This policy-map seems to work with some preliminary testing, but I don't see that the priorities are correct, so I've tweaked it a bit:

policy-map type control subscriber MAB-TEST
 event session-started match-all
  20 class always do-until-failure
   10 authenticate using mab priority 20
   20 authenticate using dot1x priority 10
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   20 authorize
   30 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
  40 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
  60 class always do-until-failure
   10 terminate mab
   20 terminate dot1x
   30 authentication-restart 60
 event agent-found match-all
  10 class DOT1X_HIGH_PRIO do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event aaa-available match-all
  10 class IN_CRITICAL_VLAN do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_VLAN do-until-failure
   10 resume reauthentication
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event authentication-success match-all

The changes are subtle. I explicitly added dot1x to the class always do-until-failure clause, and elevated the priority of dot1x to be higher (10) than that of mab (20).

I also reduced the priority of mab from 10 to 20 in the class MAB_FAILED do-until-failure clause.

I'm not 100% on either of the policy-maps, but in my mind, the MAB-TEST one seems more complete.  Testing will continue. If anybody is a whiz at these newfangled uses of policy-maps, I would appreciate any feedback.

We have six PSNs, arranged in two node groups, and we're servicing around 25K endpoints.  We don't have an issue with load balancing.  Looking at an F5 solution, but hardcoding a batch-size of 1800 seems to work for us.

Don't get me started on the docs that state that a batch-size greater than 25 is considered large.  The field takes a value in the range of 1-2,147,483,647 (2**32)-1.

In any case, I think ISE performs just fine.  My issue is with these particular Avaya handsets, which I'm stuck with for the time being, with no support.  My wish is to have one port configuration that handles both MAB devices and 802.1x PCs, without subjecting the PC users to a lengthy delay when powering up/authenticating for the day.

I believe my wish is to initiate MAB upon sensing a MAC address, but if the device has a 802.1x supplicant, I want to belay that and immediately start 802.1x processing.  It was easy to do before IBNS, and now there is a more complicated global config, with the benefit of a slightly simpler interface config.
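An added example serving fitzie's ORDER-versus-PRIORITY questions earlier in the thread and the three policy-maps just above; it is not code from any post or from Cisco. It parses policy-map text in the indented form used here, reports the order session-started kicks methods off (sequence numbers) and each method's priority (lower number wins when both succeed), and flags the two inconsistencies discussed: a method whose priority differs between events, and a MAB priority number lower than dot1x's (as in MAB-DOT1X), which lets a passing MAB result stand even after dot1x later succeeds. The sample policy is a trimmed copy of the MAB-DOT1X policy-map posted above.

```python
"""Audit ORDER vs PRIORITY in an IBNS 2.0 (C3PL) policy-map.

Sequence number = the order the switch starts methods within a class.
Priority = which method's result wins if more than one succeeds (lower wins).
"""
import re

EVENT_RE = re.compile(r"^event (\S+) match-(all|first)$")
CLASS_RE = re.compile(r"^(\d+) class (\S+) (do-all|do-until-failure)$")
AUTH_RE = re.compile(r"^(\d+) authenticate using (dot1x|mab)\b")
PRIO_RE = re.compile(r"\bpriority (\d+)\b")


def parse_policy(text):
    """Return {event: [(class_name, mode, [(seq, method, priority)])]}."""
    events, cur_event, cur_class = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := EVENT_RE.match(line):
            cur_event, cur_class = m.group(1), None
            events[cur_event] = []
        elif (m := CLASS_RE.match(line)) and cur_event:
            cur_class = (m.group(2), m.group(3), [])
            events[cur_event].append(cur_class)
        elif (m := AUTH_RE.match(line)) and cur_class:
            p = PRIO_RE.search(line)  # priority is optional on the action
            cur_class[2].append((int(m.group(1)), m.group(2), int(p.group(1)) if p else None))
    return events


def audit(events):
    """Return (start_order, findings): session-started method order plus priority problems."""
    seen = {}  # method -> set of priority values used anywhere in the policy
    for classes in events.values():
        for _, _, actions in classes:
            for _, method, prio in actions:
                if prio is not None:
                    seen.setdefault(method, set()).add(prio)
    start = [a for _, _, acts in events.get("session-started", []) for a in acts]
    start_order = [method for _, method, _ in sorted(start, key=lambda a: a[0])]
    findings = []
    for method, prios in sorted(seen.items()):
        if len(prios) > 1:
            findings.append(f"{method} uses inconsistent priorities across events: {sorted(prios)}")
    if "mab" in seen and "dot1x" in seen and min(seen["mab"]) < max(seen["dot1x"]):
        findings.append("mab outranks dot1x in some path: a MAB success would not be "
                        "replaced by a later dot1x success")
    return start_order, findings


# Constructed sample: the session-started, MAB_FAILED and agent-found parts of
# the MAB-DOT1X policy-map posted above (other events omitted).
MAB_DOT1X = """\
policy-map type control subscriber MAB-DOT1X
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 10
 event authentication-failure match-first
  30 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 20
 event agent-found match-all
  10 class DOT1X_MEDIUM_PRIO do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 20
"""

if __name__ == "__main__":
    order, issues = audit(parse_policy(MAB_DOT1X))
    print("session-started order:", " then ".join(order))
    for issue in issues:
        print("-", issue)
```

Run it against MAB-TEST instead and the outranking finding disappears, because dot1x carries priority 10 everywhere and mab priority 20.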

To clarify, running both a MAB and dot1x authentication at the same time for the same endpoint is the piece that is questionable on support.  Having both methods enabled on a port is 100% supported, it is the combined and joint kickoff of both that simultaneously refers to. 

With IBNS 1, you would specify either MAB or dot1x to start first, you can still do this in IBNS 2, but IBNS 2 can also be configured to run both concurrently for the same endpoint.  

See this
https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/td-p/3749539

Just to add a note for something I recently discovered... while Concurrent Auth is not technically understood or supported by ISE (as Hsing has confirmed), I have used it successfully in my lab and some customer environments with newer switching platforms (Cat 3650/3850 or newer).

I also found recently that a mechanism used to prevent reauthentications breaking FlexAuth (order mab dot1x, priority dot1x mab) in the Legacy IBNS framework also works to make the Concurrent Auth more efficient for dot1x-enabled endpoints. See this old Whitepaper for background:

Flexible Authentication Order, Priority, and Failed Authentication 

The behaviour of the typical Concurrent Auth config is similar to that of FlexAuth Case 2 in the above whitepaper (order MAB Dot1x, priority Dot1x MAB). When a reauth is triggered, the switch will try MAB first then Dot1x and the ISE logs will reflect that. If you add the Advanced Attribute Cisco av-pair stated in the footnote of the whitepaper (termination-action-modifier=1) to the AuthZ Profile used by your dot1x endpoints (like SOE PCs), when a reauth is triggered (does not apply to a new session by disconnect/reconnect) the switch will only try the last successful auth method (in this case, dot1x). This results in more efficient reauths and much fewer erroneous MAB sessions/logs.

I've tested this using a Cat9300 running 16.9.4 code, but it should also work with the Cat3650/3850 switches.

Example before and example after: two screenshots, not reproduced here.

Cheers,

Greg

For MAB/Dot1x to run simultaneously, is Multi-Auth required vs Multi-Domain on the switch port?

I'm seeing an enormous amount of these throughout our Enterprise:

Apr 10 12:10:10.095 PDT: %DOT1X-5-FAIL: Authentication failed for client (0018.7d14.5152) on Interface Gi5/37 
Apr 10 12:10:10.135 PDT: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet5/37, new MAC address (0018.7d14.5152)
Apr 10 12:10:11.119 PDT: %DOT1X-5-FAIL: Authentication failed for client (0018.7d13.7279) on Interface Gi5/34 A

I want to use multi-domain; however, this issue goes away when I use multi-auth.  I have a TAC case open, but I feel like since Multi-Domain only allows 1 Data MAC / 1 Voice MAC, when both dot1x/mab are running it's causing the security violation for the 2nd DATA MAC. I'm seeing this only on ports where MAB devices are connected; the 802.1x ports are solid.

Yes, I turned off port-security, so that's not the reason for the violations:

no switchport port-security maximum 3
no switchport port-security violation restrict
no switchport port-security aging time 2
no switchport port-security aging type inactivity
no switchport port-security
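An added triage script for the question above; it is not from the thread or from Cisco. It reads IOS syslog lines in the format quoted, pairs each %AUTHMGR-5-SECURITY_VIOLATION with the most recent %DOT1X-5-FAIL for the same MAC on the same interface within a short window, and summarises per port, so the ports showing the dot1x-fail-then-violation pattern can be compared against their host-mode. Interface names are normalised because the two messages spell them differently (Gi5/37 vs GigabitEthernet5/37). The first three sample lines are the ones quoted above; the last two are constructed in the same format.

```python
"""Correlate %DOT1X-5-FAIL with %AUTHMGR-5-SECURITY_VIOLATION per interface."""
import re
from datetime import datetime

HEAD_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) \w+: %(DOT1X-5-FAIL|AUTHMGR-5-SECURITY_VIOLATION)")
MAC_RE = re.compile(r"\(([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\)")
INTF_RE = re.compile(r"[Ii]nterface (\S+?),?(?:\s|$)")
LONG_NAMES = {"GigabitEthernet": "Gi", "TenGigabitEthernet": "Te", "FastEthernet": "Fa"}


def short_intf(name):
    """Normalise long IOS interface names to the short form used by DOT1X-5-FAIL."""
    for long, short in LONG_NAMES.items():
        if name.startswith(long):
            return short + name[len(long):]
    return name


def parse_line(line):
    """Return (timestamp, message, mac, interface), or None for unrelated lines."""
    head, mac, intf = HEAD_RE.match(line), MAC_RE.search(line), INTF_RE.search(line)
    if not (head and mac and intf):
        return None
    ts = datetime.strptime(head.group(1), "%b %d %H:%M:%S.%f")  # syslog carries no year
    return ts, head.group(2), mac.group(1), short_intf(intf.group(1))


def correlate(lines, window_s=5.0):
    """Per interface: dot1x failures, violations, and violations that followed
    a dot1x failure for the same MAC within window_s seconds ("paired")."""
    last_fail, stats = {}, {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, msg, mac, intf = rec
        s = stats.setdefault(intf, {"dot1x_fail": 0, "violation": 0, "paired": 0})
        if msg == "DOT1X-5-FAIL":
            s["dot1x_fail"] += 1
            last_fail[(intf, mac)] = ts
        else:
            s["violation"] += 1
            t0 = last_fail.get((intf, mac))
            if t0 is not None and 0 <= (ts - t0).total_seconds() <= window_s:
                s["paired"] += 1
    return stats


def suspect_ports(stats):
    """Interfaces where every violation was preceded by a dot1x failure of the same MAC."""
    return sorted(i for i, s in stats.items() if s["violation"] and s["paired"] == s["violation"])


# Constructed sample: first three lines quoted from the post, last two made up.
SAMPLE = """\
Apr 10 12:10:10.095 PDT: %DOT1X-5-FAIL: Authentication failed for client (0018.7d14.5152) on Interface Gi5/37
Apr 10 12:10:10.135 PDT: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet5/37, new MAC address (0018.7d14.5152)
Apr 10 12:10:11.119 PDT: %DOT1X-5-FAIL: Authentication failed for client (0018.7d13.7279) on Interface Gi5/34
Apr 10 12:10:11.160 PDT: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet5/34, new MAC address (0018.7d13.7279)
Apr 10 12:10:12.001 PDT: %DOT1X-5-FAIL: Authentication failed for client (0018.7d15.0001) on Interface Gi5/40
"""

if __name__ == "__main__":
    result = correlate(SAMPLE.splitlines())
    for intf in sorted(result):
        print(intf, result[intf])
    print("ports with dot1x-fail -> violation pattern:", suspect_ports(result))
```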