
Dot1x/RADIUS server failure

awinslade
Level 1

Hi

I'm looking for confirmation of the default behavior of dot1x in the event that no authentication servers are available, and equally whether this can be controlled.

I am mid-deployment and testing, and expect that my customer will require the network to permit some basic connectivity in the event that the RADIUS server is unavailable.

For the removal of doubt, this is not when authentication is rejected (fails) but when the authentication process fails.

Thanks in advance

PS this is for a 9300 using this type of config


policy-map type control subscriber DOT1X-POL
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
 event authentication-failure match-first
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  20 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authenticate using webauth parameter-map WEBAUTH_FALLBACK priority 30
  30 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 terminate webauth
   40 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 terminate webauth
   30 authenticate using dot1x priority 10

 

Accepted Solution

andrewswanson
Level 7

Hi

A few things I've come across with critical authentication are:

  • The AAA_SVR_DOWN_UNAUTHD_HOST IBNS 2.0 class is matched by policy if ISE is unavailable and the client is unauthorised (as you would expect)
  • The AAA_SVR_DOWN_AUTHD_HOST IBNS 2.0 class is matched by policy if ISE is unavailable and the authenticated client's periodic reauthentication timer has expired (i.e. periodic authentication has to be configured for this class to be matched)
  • When using TrustSec for authorisation, cts environment data (SGTs and SGACLs downloaded from ISE) will eventually expire (default is 24 hours) and be deleted from the switch (3Ks don't support caching and cts environment data is volatile - it won't survive a reload. I'm not sure if the 9Ks support caching). I have periodic reauthentication enabled (timer set by ISE) to reauthenticate all clients before the cts environment data expires.


hth
Andy


6 Replies

Mike.Cifelli
VIP Alumni

I am mid-deployment and testing, and expect that my customer will require the network to permit some basic connectivity in the event that the RADIUS server is unavailable.
For the removal of doubt, this is not when authentication is rejected (fails) but when the authentication process fails.

-I assume you mean when the auth process fails due to the NAD identifying the AAA servers are dead, and not when dot1x fails and falls back to mab. If so, my suggestion would be to implement a separate class-map in your pmap that essentially pauses reauth, and authorizes your clients into your 'critical' vlan via activation of a service-template. The separate service template would include authz information such as vlan, sgt, etc. You will also need an event further down that will trigger when the NAD determines the AAA servers are alive. Could look something along the lines of this:

Make it sequence 30 after attempting match first on flexauth options.

  30 class ISE_Server_Down do-until-failure
   10 activate service-template Critical_Temp
   20 authorize
   30 pause reauthentication

class-map type control subscriber match-all ISE_Server_Down
 match authorization-status authorized
 match result-type aaa-timeout

service-template Critical_Temp
 vlan XXXX
 sgt 3

 event aaa-available match-all
  10 class If_Critical_VLAN do-until-failure
   10 clear-session

class-map type control subscriber match-all If_Critical_VLAN
 match activated-service-template Critical_Temp

I would check out config guides, and test tweaks in a lab prior to any implementation. Hopefully this helps you out on your journey.

Hi

I have implemented something very similar to your suggestion and I am successfully assigning a VLAN and ACL to the port on AAA failure.

What does not seem to be working is the process for when the AAA server recovers.

I have this as the event:

event aaa-available match-first
 10 class IN_AAA_Down_ST do-until-failure
  10 clear-session

class-map type control subscriber match-all IN_AAA_Down_ST
 match activated-service-template AAA_Down

service-template AAA_Down
 access-group AAA_DOWN_ACL_DATA
 vlan 999

show policy-map type control subscriber detail

Event: event aaa-available match-first
Class-map: 10 class IN_AAA_Down_ST do-until-failure
Action: 10 clear-session
Executed:0

Thoughts?

Andy


Hi

What does the output of "show aaa servers" show when your aaa server transitions from dead to alive? Do you see "State: current UP" and "Platform State from SMD: current UP"?

Andy

sh aaa servers

RADIUS: id 1, priority 1, host 10.10.10.5, auth-port 1812, acct-port 1813
State: current UP, duration 4661s, previous duration 0s

Arne Bier
VIP

IBNS 2.0 can be tricky - I am not an expert but I am cobbling together bits and pieces:

 

see below - you need to match two separate cases

Port not yet authorized and then AAA dies:

class AAA_SVR_DOWN_UNAUTHD_HOST

 

Port already authorized and then AAA dies:

class AAA_SVR_DOWN_AUTHD_HOST do-until-failure

 

see below

 

policy-map type control subscriber PORT-AUTH-POLICY-I
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 10
 event authentication-failure match-first
  10 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
  20 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
  30 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 clear-authenticated-data-hosts-on-port
   20 activate service-template CRITICAL_AUTH_ACCESS
   30 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   40 authorize
   50 pause reauthentication
  40 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  50 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 activate service-template CRITICAL_AUTH_ACCESS
   30 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   40 authorize
   50 pause reauthentication
  70 class always do-until-failure
   10 terminate dot1x
   15 terminate mab
   20 activate service-template CRITICAL_AUTH_ACCESS
   30 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   40 authorize
   50 pause reauthentication
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
