07-25-2018 11:06 AM
Hi. I am testing out an IBNS 2.0 config on a 3850 switch running 03.06.04.E. Overall this is working great, but I am having one small issue with critical auth.
If I simulate an "all radius servers dead" situation, critical auth basically works as expected. "show access-session interface" shows the correct Service Templates applied, and the client is allowed; I can ping it.
The annoying issue is that the Anyconnect (4.5.02036) NAM module continues to show "Authenticating" for exactly 2 minutes after authorization is complete. (I have no idea what happens at 2 minutes.)
I have configured "dot1x critical eapol" which should be taking care of this. The switch should send a "fake" auth success message to tell the client auth was successful.
I ran a debug and see this message:
009440: Jul 24 17:02:11.084 GMT: dot1x-ev:[34e6.d717.c550, Gi1/0/47] No CannedSuccess for auth-fail as Bypass is disabled.
I assume "CannedSuccess" is the fake auth success message, but I don't know what "bypass is disabled" means, or why Anyconnect goes to "connected" after exactly 2 minutes.
Here is the relevant section of my policy:
policy-map type control subscriber MY_NAC_POLICY
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 clear-authenticated-data-hosts-on-port
   20 activate service-template MY_CRITICAL_AUTH
   30 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   40 authorize
   50 pause reauthentication
The MY_CRITICAL_AUTH template looks like this:
service-template MY_CRITICAL_AUTH
 description <<< Access Policy for Critical Auth (ISE Down) >>>
 access-group TCH_CRITICAL_AUTH
Any ideas appreciated, thank you.
07-27-2018 01:05 PM
You can look at the Anyconnect logs by creating a report, or by looking at the NAM service logs that are part of the Windows logs, to see whether NAM is just waiting for the switch to send back or not.
If you determine that the switch sends a canned message to the supplicant, make sure you configure the supplicant behavior appropriately by using the Anyconnect NAM profile editor.
-Krishnan
07-28-2018 08:46 AM
You might have hit some bug in Cisco IOS platform, such as CSCus40723 and CSCvc86691.
I would suggest you try a Cisco IOS release with the fixes, or engage Cisco TAC support to troubleshoot further.
07-30-2018 08:26 AM
Just a quick update: I determined why NAM goes to authenticated after 2 minutes. Since it is not receiving a success message, it retries per its configured timers. After those expire, it assumes there is no authenticator present and goes to "Connected." The default timers are:
authPeriod: 30
startPeriod: 30
maxStart: 3
3 x 30 + 30 = 120 seconds or 2 minutes. I can predictably affect the time until "connected" by changing these timers.
So the root problem is still that the switch is not sending the "fake" Auth Success message. I'm off to TAC for help.