CPL Updates for IBNS 2.0 Document

paul
Level 10

Is IBNS 2.0 supposed to be the most current reference on how to do CPL configuration for ISE deployments? If so, there need to be some updates. Currently the document uses this syntax to capture MAB and Dot1x failures:

class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative
!
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative

The Dot1x one only works if ISE rejects the Dot1x authentication. If the client rejects the ISE certificate and goes quiet, that is a Dot1x timeout that the above doesn't catch. Also, if the client simply sends out an EAPOL-Start to kick the switch to Dot1x and sends nothing else, the above won't catch that failure either.

The correct coding for this should be:

class-map type control subscriber match-all MAB_FAILED
 match method mab
 no-match result-type method mab success
!
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 no-match result-type method dot1x success

That should cover any failure scenarios for MAB or Dot1x. 

Not sure who maintains that document or whether it should be referenced any more, but I think that is the most current document out there detailing CPL.

3 Replies

howon
Cisco Employee

Hi, Paul. Please check out the new guide: Cisco ISE Wired Access Deployment Guide

Also, where are you seeing the outdated information?

Even that has similar class maps that have a hole in them:

class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all DOT1X_TIMEOUT
 match method dot1x
 match result-type method dot1x method-timeout

You could replace all three of those with:

class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 no-match result-type method dot1x success

And it covers all failure scenarios. The above three would not handle a device sending out an EAPOL-Start and nothing else. That is a unique failure. I ran into this at a hospital that has radiology equipment running on XP SP1 and SP2 that has wired authentication enabled by default, but just enough to kick the switch out of MAB to Dot1x. The switch would never fail back to MAB using the IBNS 2.0 class maps or the ones in the new guide. I was able to simulate this failure scenario by using Wireshark to capture an EAPOL-Start from my test laptop and then using PlayCap to replay just that frame onto the wire. The switch would kick over to Dot1x and never fail back to MAB. In closed mode that means no access. In open mode with no preauth ACL (which we never use) that means you defeated the authentication scheme. Switching to:

class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 no-match result-type method dot1x success

Fixes all that and basically tells the switch: I don't care what the Dot1x failure was, just switch back to MAB.
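For readers who want to see where the class-map actually takes effect, the following shows the no-match form of DOT1X_FAILED wired into an IBNS 2.0 policy-map so that any non-success Dot1x result (reject, method timeout, or a lone EAPOL-Start followed by silence) terminates Dot1x and starts MAB. This is an added example, not configuration from the thread above or from the Cisco guides it references; the policy-map name, the MAB_FAILED class-map, the interface, the retry counts and the 60-second restart timer are assumptions chosen for illustration.

```ios
! Added example (not from the original post): Dot1x-to-MAB fallback on any
! non-success Dot1x result. Names, retries and timers are illustrative.
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 no-match result-type method dot1x success
!
class-map type control subscriber match-all MAB_FAILED
 match method mab
 no-match result-type method mab success
!
policy-map type control subscriber DOT1X_MAB_FALLBACK_POLICY
 ! Start with Dot1x when the session comes up.
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 ! On any Dot1x failure (reject, timeout, EAPOL-Start then silence) go to MAB;
 ! on MAB failure, retry the whole sequence instead of stranding the port.
 event authentication-failure match-first
  10 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  20 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
 ! An EAPOL-Start during MAB pivots the session to Dot1x; if that Dot1x
 ! attempt never completes, DOT1X_FAILED above brings it back to MAB.
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
!
interface GigabitEthernet1/0/1
 switchport mode access
 access-session closed
 access-session port-control auto
 dot1x pae authenticator
 mab
 service-policy type control subscriber DOT1X_MAB_FALLBACK_POLICY
```

To confirm the fallback, replay a single EAPOL-Start on the port as described in the post and watch `show access-session interface GigabitEthernet1/0/1 details`: the session should move from dot1x back to mab once the Dot1x attempt fails, rather than sitting in an unauthorized Dot1x state.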

Hi Paul,

Thanks for your note. After validation, we'll get the document updated.

- Krish