Endpoint with AC NAM how to allow MAB

ariel_2795
Level 1

Hello, 

I have a question regarding AnyConnect NAM.

ISE: 2.6 Patch 5

Endpoint: windows 10 

Authentication: EAP-FAST Machine (EAP-TLS) User (EAP-MSCHAPv2) with EAP-Chaining.

If for some reason the endpoint has an issue and I need to authenticate it using MAB, how can this be done?

I created a whitelist group (MAB group) and I notice that the endpoint never falls to MAB and keeps trying to authenticate using DOT1X.

Is there anything special that needs to be enabled on the NAM Profile Editor In addition to the settings I've already made?

(Both DOT1X and MAB are allowed on the port.)

Thanks. 

8 Replies

Mike.Cifelli
VIP Alumni
Please share your full interface config. It seems that you may be missing some configuration:
dot1x timeout tx-period == Amount of seconds NAD waits before sending another request ID frame.
dot1x max-reauth-req == Number of times NAD will resend ID frames.
The combination of tx-period and max-reauth-req is especially important to non-IEEE-802.1X-capable endpoints. Endpoints without a supplicant must wait until 802.1X times out before getting network access via a fallback mechanism.
See here: https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.html#wp387273

Here is the config:

interface GigabitEthernet1/0/1
switchport access vlan 50
switchport mode access
authentication control-direction in
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
mab
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-reauth-req 3
spanning-tree portfast
!
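A config audit for the fallback prerequisites discussed above, written as an added example (it is not code from the thread or from Cisco): it parses an interface stanza like the one posted, applies the tx-period and max-reauth-req definitions from the reply to compute how long a host without a working supplicant waits before mab is tried, and flags the absence of `authentication event fail action next-method`. The sample stanza is a trimmed copy of the posted one, and the IOS defaults (tx-period 30, max-reauth-req 2) are assumed where a line is absent.

```python
import re

# Constructed sample: a trimmed copy of the interface stanza posted in the
# thread, embedded so the check runs offline.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
!
"""

def parse_interface(text):
    """Collect the 802.1X/MAB settings of one stanza; IOS defaults assumed."""
    cfg = {"order": [], "mab": False, "tx_period": 30,
           "max_reauth_req": 2, "fail_next_method": False}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"authentication order (.+)$", line):
            cfg["order"] = m.group(1).split()
        elif line == "mab":
            cfg["mab"] = True
        elif m := re.match(r"dot1x timeout tx-period (\d+)$", line):
            cfg["tx_period"] = int(m.group(1))
        elif m := re.match(r"dot1x max-reauth-req (\d+)$", line):
            cfg["max_reauth_req"] = int(m.group(1))
        elif line == "authentication event fail action next-method":
            cfg["fail_next_method"] = True
    return cfg

def dot1x_fallback_seconds(cfg):
    """Initial Request-Identity plus max-reauth-req resends, tx-period apart."""
    return cfg["tx_period"] * (cfg["max_reauth_req"] + 1)

def audit(cfg):
    """Findings a reviewer would raise about MAB fallback on this port."""
    findings = []
    if not cfg["mab"] or "mab" not in cfg["order"]:
        findings.append("mab is not an active fallback method on this port")
    if not cfg["fail_next_method"]:
        findings.append("no 'authentication event fail action next-method': "
                        "an explicit 802.1X failure does not fall through to mab")
    findings.append(f"a host without a working supplicant waits "
                    f"{dot1x_fallback_seconds(cfg)} s for 802.1X to time out before mab")
    return findings
```

Run `audit(parse_interface(SAMPLE_CONFIG))` against a stanza pulled from `show running-config interface` to see the same two findings for the posted port.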

ade5
Level 1

If your switch port is configured to fail over to MAB, it should go to MAB.

Can you see on the switch port that it's trying dot1x and then going to MAB?

The switch said Dot1x Running for about 21 seconds and then it fell to MAB, but then immediately returned to Dot1x (after 1 second).

I configured this endpoint to fail on DOT1X on purpose to see if it falls to MAB, but it never gets a network connection.

You could attempt to change the order to mab, dot1x, but leave dot1x with a higher priority. If you change the order so that mab comes before dot1x authentication and change the default priority so that dot1x authentication precedes mab, then every device in the network will still be subject to mab, but devices that pass mab can subsequently go through dot1x authentication. Another mechanism you may see/run into is #authentication event fail action next-method. However, Cisco documentation says to only enable when using webauth.
See here: https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html
*If the next method is not local WebAuth, the only option for granting access after IEEE 802.1X authentication failure is the auth-fail VLAN* -from that link. HTH!

I really don't want to change the order or the priority, as most of the devices are DOT1X and it's more secure to start with DOT1X anyway.

Is it possible it's got something to do with the Network Access Profile Editor? 

I had this working with a customer on an older IBNS 1.0 config, leveraging order dot1x mab, priority mab dot1x. There is also a setting in the NAM profile to allow port exceptions: how it is handled if EAP fails, allowing traffic before EAP has successfully completed, etc. It would be beneficial to check the NAM profile; if port exceptions aren't in use, test them out and see.

It may not be a bad idea to open a TAC case as well and submit a DART bundle. That, and/or take a look at some debugs:
debug dot1x all
debug authentication all
debug radius
debug aaa authentication (debug for authentication)