01-29-2018 09:29 AM - edited 02-21-2020 10:44 AM
Hi community,
I have to implement Dot1x for the wired network in my company.
As supplicant we use the AnyConnect software, as authenticator a WS-C3560-24PS with IP Services 12.2(58)SE2, and as authentication server Cisco ISE v2.3.
- - - - - - - -
The scenario is Multi Domain with a Cisco IP Phone and a client; the Cisco IP Phone has to be authenticated by MAB while the client uses AnyConnect Dot1x (with domain credentials and a profile pre-uploaded during the installation).
The Cisco ISE reads the AD tree.
- - - - - - - -
My targets are easy:
1) The Cisco IP Phone should be authenticated by MAB and put in a Voice VLAN.
2a) The client should be able to authenticate itself before the Windows login (to log in to the Domain Controller).
2b) The client should be authenticated by Dot1x if the domain credentials entered are right.
It should be placed in a VLAN decided by Cisco ISE (DVLAN).
3) If the client enters wrong credentials 3 times, it must be put in a fallback VLAN.
4) If the client doesn't have a Dot1x supplicant, it must be put in a fallback VLAN.
- - - - - - - - - - - - - - - - - - - - - -
Now everything works except the fallback VLAN (with the Windows native dot1x client it works, but with AnyConnect only a few times).
I'm posting my switch configuration:
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
aaa server radius dynamic-author
 client x.x.x.x server-key xxxx
ip device tracking
interface FastEthernet0/21
 switchport mode access
 switchport voice vlan 3
 authentication event fail retry 1 action authorize vlan 69
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 1
 spanning-tree portfast
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server host x.x.x.x auth-port 1812 acct-port 1813 key x.x.x.x
radius-server vsa send accounting
radius-server vsa send authentication
- - - - - - - - - - - - - - - - - - - - - -
I have also attached two screenshots from Cisco ISE.
Many thanks.
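The interface configuration above has to carry every piece of the MAB/Dot1x/fallback design at once, and a single missing or mis-set line (for example the `retry 1` where the targets call for 3 failures) silently changes the port's behaviour. The following script is an added example, not code from the thread or from Cisco: it parses a pasted IOS running-config, indented or not, into global lines and per-interface blocks and audits each access port against the targets stated in the post. The sample config is constructed for the example (a copy of the posted port plus a second, incomplete port and a placeholder RADIUS client address); the expected retry count of 3 comes from target 3, and the `authentication event no-response action authorize vlan` and `dot1x system-auth-control` commands are standard IOS commands that the posted configuration does not show, which is why the audit reports them.

```python
import re

# Constructed sample: the posted port, a second port that is only partly
# configured, and a placeholder RADIUS client address.
SAMPLE_CONFIG = """\
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa server radius dynamic-author
 client 192.0.2.10 server-key PLACEHOLDER
ip device tracking
interface FastEthernet0/21
 switchport mode access
 switchport voice vlan 3
 authentication event fail retry 1 action authorize vlan 69
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 1
 spanning-tree portfast
interface FastEthernet0/22
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
radius-server vsa send authentication
"""

# Global commands that cannot be interface sub-commands; any of them ends an
# interface block even when the paste lost its indentation.
BLOCK_ENDERS = ("aaa ", "radius-server ", "ip device tracking",
                "dot1x system-auth-control", "end", "!")

# Interface lines the multi-domain phone + PC design needs (targets 1 and 2).
REQUIRED_IF = (
    "authentication port-control auto",       # port actually enforces auth
    "dot1x pae authenticator",                # switch is the 802.1X authenticator
    "mab",                                    # MAB for the phone (target 1)
    "authentication host-mode multi-domain",  # one phone + one PC per port
    "authentication order dot1x mab",         # supplicant first, then MAB
)

# Global lines needed for 802.1X and for ISE to push a VLAN (2b).
REQUIRED_GLOBAL = (
    "dot1x system-auth-control",
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
    "radius-server vsa send authentication",
)

FAIL_RE = re.compile(
    r"authentication event fail(?: retry (\d+))? action authorize vlan (\d+)")
NO_RESP_RE = re.compile(
    r"authentication event no-response action authorize vlan (\d+)")


def parse_config(text):
    """Split a running-config into global lines and {interface: [lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
            continue
        if current is not None and line.startswith(BLOCK_ENDERS):
            current = None
        (global_lines if current is None else interfaces[current]).append(line)
    return global_lines, interfaces


def audit_interface(lines, expected_retries=3):
    """Return human-readable findings for one access port."""
    findings = [f"missing: {cmd}" for cmd in REQUIRED_IF if cmd not in lines]
    fail = [m for m in map(FAIL_RE.fullmatch, lines) if m]
    if not fail:
        findings.append("missing: authentication event fail ... action "
                        "authorize vlan (target 3)")
    else:
        retry, vlan = fail[0].group(1), fail[0].group(2)
        if retry is None:
            findings.append(f"fail action has no explicit retry count "
                            f"(fallback VLAN {vlan})")
        elif int(retry) != expected_retries:
            findings.append(f"fail retry is {retry}, expected "
                            f"{expected_retries} (fallback VLAN {vlan})")
    if not any(NO_RESP_RE.fullmatch(l) for l in lines):
        findings.append("missing: authentication event no-response action "
                        "authorize vlan (target 4)")
    return findings


def audit(text, expected_retries=3):
    """Audit a whole config; key 'global' plus one key per interface."""
    global_lines, interfaces = parse_config(text)
    report = {"global": [f"missing: {cmd}" for cmd in REQUIRED_GLOBAL
                         if cmd not in global_lines]}
    for name, lines in interfaces.items():
        report[name] = audit_interface(lines, expected_retries)
    return report


if __name__ == "__main__":
    for scope, findings in audit(SAMPLE_CONFIG).items():
        print(scope, "->", findings or "OK")
```

Run it against `show running-config` output saved to a file; an empty list for a port means every line the design needs is present with the expected retry count, and the `global` entry lists the switch-wide commands that are absent from the paste.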
01-29-2018 01:31 PM
You are quite close, you need to look at your authorization policies instead of your authentication policies.
It looks like from what you have if a client can't authenticate you reject their access, but what I think you want to have happen is that if a client can't authenticate, send them on to the authorization policy which will assign the correct VLAN now that we know the client is not properly authenticated.
What do your authorization policies look like? You could essentially have a default policy that says if a client fails authentication for any reason put them in the fallback VLAN.
01-30-2018 01:13 AM
Yes,
the correct flow should be this:
- the client puts in the right domain username/password? Go in a Corporate VLAN.
- the client puts in the wrong username/password three times? Go in a FallBack VLAN (Internet access only).
- the client doesn't have a dot1x supplicant? Go in a FallBack VLAN (Internet access only).
Now I'm handling the fallback VLAN from the switch, but with AnyConnect I have some problems.
authentication event fail retry 3 action authorize vlan 69
How could I handle this configuration from ISE? Is it possible to define the counter of 3 in the default Authorization Policy?
Many thanks.