cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

328
Views
5
Helpful
3
Replies
Highlighted
Beginner

dot1x critical eapol not working on 3850 with IBNS 2.0 configuration

Hi. I am testing out an IBNS 2.0 config on a 3850 switch running 03.06.04.E. Overall this is working great, but I am having one small issue with critical auth. 

 

If I simulate an "all radius servers dead" situation, criticial auth basically works as expected. Show access-session int shows the correct Service Templates applied, and the client is allowed, I can ping it.

 

The annoying issue is that the Anyconnect (4.5.02036) NAM module continues to show "Authenticating" for exactly 2 minutes after authorization is complete. (I have no idea what happens at 2 minutes.)

 

I have configured "dot1x critical eapol" which should be taking care of this. The switch should send a "fake" auth success message to tell the client auth was successful.

 

I ran a debug and see this message:

009440: Jul 24 17:02:11.084 GMT: dot1x-ev:[34e6.d717.c550, Gi1/0/47] No CannedSuccess for auth-fail as Bypass is disabled.

 

I assume "CannedSuccess" is the fake auth success message, but I don't know what "bypass is disabled" means, or why Anyconnect goes to "connected" after exactly 2 minutes.

 

Here is the relevant section of my policy:

policy-map type control subscriber MY_NAC_POLICY
  event authentication-failure match-first
   10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
    10 clear-authenticated-data-hosts-on-port
    20 activate service-template MY_CRITICAL_AUTH
    30 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
    40 authorize
    50 pause reauthentication

 

The MY_CRITICAL_AUTH template looks like this:

service-template MY_CRITICAL_AUTH
  description <<< Access Policy for Critical Auth (ISE Down) >>>
  access-group TCH_CRITICAL_AUTH

 

Any ideas appreciated, thank you.

3 REPLIES 3
Highlighted
Cisco Employee

You can look at Anyconnect logs by creating a report or looking at NAM services logs that are part of Windows logs to see if NAM is just waiting for switch to send back or not.

If you determine if switch sends a canned message to supplicant, make sure you configure supplicant behavior appropriately by using Anyconnect NAM profile editor.

 

-Krishnan

Highlighted
Cisco Employee

You might have hit some bug in Cisco IOS platform, such as CSCus40723 and CSCvc86691.

I would suggest you to try a Cisco IOS release with the fixes or engage Cisco TAC support to troubleshoot further.

Highlighted
Beginner

Just a quick update, I determined why NAM goes to authenticated after 2 minutes. Since it is not receiving a success message, it retries per its configured timers. After those expire, it assumes there is no authenticator present and goes to "Connected." The default timers are

  authPeriod: 30

  startPeriod: 30

  maxStart: 3

 

3 x 30 + 30 = 120 seconds or 2 minutes. I can predictably affect the time until "connected" by changing these timers.

 

So the root problem is still that the switch is not sending the "fake" Auth Success message. I'm off to TAC for help.