1524 Views, 10 Helpful, 4 Replies

Dot1x and mab sequence error causing delayed login for Win10 machines

steffenhansen93 (Level 1)

Hi

I'm running a bunch of 9200L switches (16.12) in an ISE deployment (2.7). The Win10 company machines use machine certs to validate via dot1x. The switch ports have a default port template with the corp VLAN 30 as access. If a non-corp device like a non-corp PC, printer etc. gets connected to a switch, it will auth via MAB and ISE will change the switch port template to a "guest template" and send a RADIUS VLAN change, putting the port in the guest VLAN 200.

My problem occurs when a corp PC connects and boots up. The switch tries to validate dot1x, but it seems the corp PC is not ready yet, so it falls back to MAB, resulting in the guest port template and RADIUS VLAN change being put on the interface. Shortly after, the corp PC is ready for EAP-TLS, so the switch reauths the PC and ISE then assigns the default port template again with the corp VLAN 30. This short change in VLANs really messes with the corp PCs, as they then think they're still on the guest VLAN, causing AlwaysOn VPN and other stuff to act up. It takes a couple of minutes for them to realize they're on the corp VLAN.

I believe the easiest way to solve this is to force dot1x for several seconds, waiting for the corp PC to be ready for EAP-TLS. If a printer or other non-corp device connects, it would have to wait out the dot1x timeout before the switch initiates MAB auth. However, I cannot figure out the right config to make it work.

Here is my config:

class-map type control subscriber match-any AAA-DOWN
 match result-type aaa-timeout
!
class-map type control subscriber match-all DOT1X-FAILED
 match method dot1x
 match result-type method dot1x authoritative
!
policy-map type control subscriber DOT1X-DEFAULT
 event session-started match-all
  10 class always do-all
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event violation match-all
  10 class always do-all
   10 restrict
 event agent-found match-all
  10 class always do-all
   5 terminate mab
   10 authenticate using dot1x
 event authentication-failure match-all
  10 class AAA-DOWN do-all
   10 authorize
   20 terminate dot1x
   30 terminate mab
  20 class DOT1X-FAILED do-all
   10 authenticate using mab
!
template ISE_DEFAULT
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 switchport access vlan 30
 switchport mode access
 mab
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber DOT1X-DEFAULT
 description ** ISE ** DEFAULT **
!
template ISE_GUEST
 switchport mode access
 load-interval 30
 description ** ISE ** GUEST **
!
interface GigabitEthernet1/0/1
 source template ISE_DEFAULT

I have also tried the following config. Dot1x is now forced, but now MAB does not initiate at all.

class-map type control subscriber match-any AAA-DOWN
 match result-type aaa-timeout
!
class-map type control subscriber match-all DOT1X-FAILED
 match method dot1x
 match result-type method dot1x authoritative
 ! (also tried: match result-type method dot1x method-timeout)
!
policy-map type control subscriber DOT1X-TEST
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 1 priority 10
 event violation match-all
  10 class always do-all
   10 restrict
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 1 priority 10
 event authentication-failure match-all
  10 class DOT1X-FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  20 class AAA-DOWN do-all
   10 authorize
   20 terminate dot1x
   30 terminate mab
 event authorization-failure match-first
  10 class DOT1X-FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
!
template ISE_TEST
 dot1x pae authenticator
 dot1x timeout tx-period 3
 spanning-tree portfast
 switchport access vlan 30
 switchport mode access
 mab
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber DOT1X-TEST
 description ** ISE TEST ** DEFAULT **
!

4 Replies

Greg Gibbs (Cisco Employee)

The IBNS 2.0 policy constructs (class-map, policy-map, etc.) used in the ISE Secure Wired Access Prescriptive Deployment Guide are all leveraging this type of 'sequential auth' model. I would suggest basing your configuration on those validated configurations.

Peter Koltl (Level 7)

10 authenticate using dot1x priority 10
20 authenticate using mab priority 20

This starts dot1x and MAB simultaneously; remove 20.

Use retries 10 and tx-timeout 10, which allows 100 (110?) seconds for dot1x attempts.

steffenhansen93 (Level 1)

Hi Peter

But if I remove "20 authenticate using mab priority 20", MAB never starts after failing dot1x. As you can see in my 2nd config example, I tried this and hoped MAB would start with the event authentication-failure match-all. However, it does not.

thomas (Cisco Employee)

We do not recommend doing VLAN changes for the reasons you have explained and more.

Even current Windows supplicants can experience problems as you have shown.

Besides following the best practices in the ISE Secure Wired Access Prescriptive Deployment Guide as @Greg Gibbs suggested, you may need to extend your 802.1X timeouts to account for your long Windows boot times. Maybe 10 seconds is too short and you need to try 15 seconds per attempt. You don't say how long the boot times are.
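A sequential dot1x-then-MAB policy of the kind Greg Gibbs and thomas point to, written out here as an added example; it is neither the poster's config nor the guide's verbatim text. The class-map, policy-map and template names (DOT1X_NO_RESP, DOT1X_FAILED, AAA_DOWN, PMAP_SEQ_1X_MAB, ISE_SEQ) are placeholders I chose, and the timer values are assumptions to be tuned against the measured Windows boot time. What it shows, relative to the poster's second attempt: MAB is started only from the authentication-failure event, and that event needs a class for the "no supplicant ever answered" result (agent-not-found) in addition to the "dot1x rejected the endpoint" result (authoritative), because a printer or other supplicant-less device never produces a dot1x failure, only silence. A corp PC that is still booting is also silent at first, so it gets the same grace period; once its supplicant speaks, agent-found tears down any MAB attempt and restarts dot1x.

```cisco
! Added example (not the poster's config): 802.1X first, MAB only after dot1x gives up.
! All names below are placeholders; timers are assumptions to be tuned per site.
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
!
class-map type control subscriber match-any AAA_DOWN
 match result-type aaa-timeout
!
policy-map type control subscriber PMAP_SEQ_1X_MAB
 ! Only dot1x is started when the link comes up; no parallel MAB.
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 ! MAB begins only here, i.e. after dot1x has either failed or timed out.
 event authentication-failure match-first
  10 class AAA_DOWN do-until-failure
   10 authorize
   20 terminate dot1x
   30 terminate mab
  20 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
 ! A late supplicant (e.g. Windows finishing boot) pre-empts MAB and restarts dot1x.
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 event violation match-all
  10 class always do-until-failure
   10 restrict
!
template ISE_SEQ
 dot1x pae authenticator
 ! EAP-Request/Identity every tx-period seconds, max-reauth-req retransmissions:
 ! a silent port waits tx-period x (max-reauth-req + 1) = 10 x 3 = 30 s before MAB.
 ! Raise tx-period to 15 for a 45 s grace period if the PCs need longer to boot.
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 mab
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber PMAP_SEQ_1X_MAB
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
```

The grace period before MAB is the standard 802.1X authenticator arithmetic (tx-period times max-reauth-req plus one); the policy-level retries/retry-time values can add to it, so measure the real delay on a test port with show access-session interface GigabitEthernet1/0/1 details and a stopwatch rather than trusting the formula alone. The trade-off is explicit: every printer waits the full grace period before it is authorised, while a corp PC whose supplicant answers inside that window never touches the guest VLAN.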