08-22-2016 02:58 AM - edited 03-11-2019 12:00 AM
Hi All,
I am facing an issue when the endpoint tries to run posture: the endpoint is in the posture unknown state.
For the HQ site, posture is running well without any issue. For the Branch A switch, all configuration is exactly the same as the HQ switch (supplicant is AnyConnect 4.3).
It works fine in HQ, even with the switch port configured in blocking mode (without authentication open).
When the port is set as "authentication open", posture can run and the auth session shows "Authorized".
When the port is set without "authentication open", i.e. in blocking mode, the auth session shows "Unauthorized".
Configuration for the switch port as below:
interface GigabitEthernet1/0/18
switchport mode access
ip access-group Default_ACL in
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
snmp trap mac-notification change added
dot1x pae authenticator
spanning-tree bpduguard enable
end
!
ip access-list extended Default_ACL
permit udp any eq bootpc any eq bootps
permit ip any <Server group>
permit icmp any any
permit ip any host <ISE PSN IP>
deny ip any any
show auth session int gi 1/0/18 de
Interface: GigabitEthernet1/0/18
IIF-ID: 0x102CB4000000F4B
MAC Address: xxxx.xxxx.xxxx
IPv6 Address: Unknown
IPv4 Address: xxx.xxx.xxx.202
User-Name: username.example.com
Status: Unauthorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID:
Acct Session ID: Unknown
Handle: 0x63000D1C
Current Policy: POLICY_Gi1/0/18
Blocked On: User Profile Application - apply user profile (1)
09-19-2016 10:16 AM
Hello,
This could be because the authorization parameters being pushed from ISE to the client session are not valid on the switch. This will normally result in an "authorization failed" message on the switch.
Please check that any parameters are valid (VLANs match, DACLs have correct syntax, redirect ACLs are correctly referenced, etc.)
You can also enable "epm logging" from the global config to get some more readable logging that may indicate an authorization policy failure more precisely.
Please let me know if that helps,
Ryan
09-19-2016 11:15 PM
Hi Ryan,
Thanks for your reply.
Yes, we did check all the DACLs and ACLs in the switch, which are working correctly and are the same as on the HQ switch. We found a new issue: the branch switch is continuously prompting RADIUS alive and dead messages, but we are not sure what is causing the RADIUS drops.
09-20-2016 07:17 AM
This could be due to the dead timer. Could you share your RADIUS configuration? I'm specifically looking for the deadtime configuration (which may just be using the default).
If you add "authentication event server dead action authorize vlan <vlan_number>" to the port, it should authorize the port for that VLAN if it attempts to authenticate and the server is seen as DEAD. The show auth session output at that time should show "Critical authorization is in effect for domains DATA [and VOICE]." If this is the case, it is likely related to the server's flapping between alive/dead. Otherwise, it could be something else.
Please share your RADIUS configuration from the global configuration. Depending on the switch model / code version, you should be able to do "show run | section aaa" and "show run | section radius" to get this simply.
05-02-2017 08:40 PM
Hi Ryan,
Thanks for your update. Sorry for the late reply; we found the root cause of the "Port Unauth state" in switchport authentication.
There was VPN fragmentation between HQ and the branch, so we set a route-map on the router to disable/enlarge the fragment size for VPN traffic sent to the branch. This was because the branch switch was downloading the DACL from ISE unsuccessfully.
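As an added example that is not from any post in this thread: the dACL a switch downloads from ISE arrives in a RADIUS Access-Accept as one cisco-av-pair ("ip:inacl#N=<ace>") per ACE, so a long ACL easily grows past the path MTU of an IPsec tunnel and depends on IP fragmentation working end to end, which is the failure mode found above. The script below encodes a dACL the way RFC 2865 Vendor-Specific attributes are laid out and estimates whether the datagram would fragment; the MTU and IPsec overhead figures, the sample ACLs and all function names are assumptions.

```python
import struct

# Constructed assumptions: a 1500-byte Ethernet MTU and a rough 73-byte
# IPsec ESP tunnel-mode overhead. Real overhead varies with cipher, NAT-T
# and tunnel settings, so treat the threshold as a rule of thumb.
ETHERNET_MTU = 1500
IPSEC_OVERHEAD = 73
IP_UDP_HEADERS = 28      # IPv4 header (20) + UDP header (8)
RADIUS_HEADER = 20       # Code, Identifier, Length, Authenticator
VSA_TYPE = 26            # RFC 2865 Vendor-Specific attribute type
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1         # Cisco vendor-type for cisco-av-pair

def encode_cisco_avpair(value: str) -> bytes:
    """Encode one cisco-av-pair as an RFC 2865 Vendor-Specific attribute."""
    data = value.encode()
    vendor_data = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_data
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body

def dacl_attributes(aces):
    """One 'ip:inacl#N=<ace>' AV-pair per ACE, as ISE delivers a dACL."""
    return [encode_cisco_avpair(f"ip:inacl#{n}={ace}") for n, ace in enumerate(aces, 1)]

def access_accept_size(aces) -> int:
    """RADIUS datagram length: header plus the dACL attributes only."""
    return RADIUS_HEADER + sum(len(a) for a in dacl_attributes(aces))

def will_fragment(aces, mtu=ETHERNET_MTU, tunnel_overhead=IPSEC_OVERHEAD) -> bool:
    """True if the IP packet carrying the dACL would exceed the tunnel path MTU."""
    return IP_UDP_HEADERS + access_accept_size(aces) > mtu - tunnel_overhead

# Constructed sample dACLs (192.0.2.0/24 is a documentation range).
SMALL_DACL = [
    "permit udp any eq bootpc any eq bootps",
    "permit icmp any any",
    "deny ip any any",
]
LARGE_DACL = [f"permit tcp any host 192.0.2.{i} eq 443" for i in range(1, 41)]

if __name__ == "__main__":
    for name, dacl in (("small", SMALL_DACL), ("large", LARGE_DACL)):
        size = access_accept_size(dacl)
        print(f"{name}: {len(dacl)} ACEs, {size}-byte RADIUS payload, "
              f"fragments over tunnel: {will_fragment(dacl)}")
```

A dACL that fragments is a hint to check the tunnel's MTU/fragmentation handling, and a switch stuck at "Blocked On: User Profile Application" with a flapping RADIUS server is consistent with those fragments never being reassembled.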