Endpoints moving from dot1x to MAB.

David Harrell · ‎07-27-2020

Hello all,

I hope you can help with this issue. I am seeing an issue with several endpoints and NADs, where the endpoint status in ISE doesn't match the endpoint status on the NAD.

Here's the status of a Windows endpoint that hangs off a 7945G from the NAD perspective:

JC.WDP.HOUSE.9200#sh access-session int g1/0/27 det
Interface: GigabitEthernet1/0/27
IIF-ID: 0x1B4514C1
MAC Address: 001d.7060.b708
IPv6 Address: fe80::21d:70ff:fe60:b708
IPv4 Address: 10.2.134.112
User-Name: CP-7945G-SEP001D7060B708
Status: Authorized
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: both
Session timeout: 3600s (local), Remaining: 3587s
Timeout action: Reauthenticate
Acct update timeout: 172800s (local), Remaining: 172787s
Common Session ID: 0ACA020A000025769202DA2B
Acct Session ID: 0x00002fbe
Handle: 0xe500058a
Current Policy: Dot1x-CoJC

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecured

Server Policies:
Session-Timeout: 7200 sec

Method status list:
Method State
dot1x Authc Success

----------------------------------------

Interface: GigabitEthernet1/0/27
IIF-ID: 0x10EEAD4F
MAC Address: 6400.6a87.1775
IPv6 Address: Unknown
IPv4 Address: 10.2.34.209
User-Name: JAMESELLIS-D
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Session timeout: 3600s (local), Remaining: 3583s
Timeout action: Reauthenticate
Acct update timeout: 172800s (local), Remaining: 172783s
Common Session ID: 0ACA020A000025759202A7A7
Acct Session ID: 0x00002fbd
Handle: 0xc20004e2
Current Policy: Dot1x-CoJC

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecured

Server Policies:
Session-Timeout: 7200 sec

Method status list:
Method State
dot1x Authc Success

ISE currently has this Windows endpoint as hitting the default policy. We are still in monitor mode, and our default is a permit. If I bounce the port, the endpoint will authenticate and authorize via Dot1X. A couple of hours later, it will be back to the default policy, via MAB. I see this happening at several locations, so I am suspecting it is an issue with my NAD config, or my ISE config.

Here's what my NAD config looks like:

aaa new-model
!
!
aaa group server radius JC-ISE
server name JC-ISE2
server name JC-ISE1
ip radius source-interface Vlan200
!
aaa group server tacacs+ ISE
server name JC-ISE1
server name JC-ISE2
!
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local
aaa authentication dot1x default group JC-ISE
aaa authorization exec default local group tacacs+
aaa authorization network default group JC-ISE
aaa authorization network auth-list group JC-ISE
aaa authorization auth-proxy default group JC-ISE
aaa authorization configuration default group JC-ISE
aaa accounting update newinfo periodic 2880
aaa accounting identity default start-stop group JC-ISE
aaa accounting exec default start-stop group tacacs+
aaa accounting system default start-stop group JC-ISE

policy-map type control subscriber Dot1x-CoJC
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x priority 10
event authentication-failure match-first
5 class Dot1x_Failed do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
10 class AAA-Down_UnAuth_Host do-until-failure
10 clear-authenticated-data-hosts-on-port
20 activate service-template Critical_Access
30 activate service-template Critical_Voice
40 authorize
50 pause reauthentication
20 class AAA-Down_Auth_Host do-until-failure
10 pause reauthentication
20 authorize
30 class Dot1x_No-Resp do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
40 class MAB_Failed do-until-failure
10 terminate mab
20 authentication-restart 60
60 class always do-until-failure
10 terminate dot1x
20 terminate mab
30 authentication-restart 60
event agent-found match-all
10 class always do-until-failure
10 terminate mab
20 authenticate using dot1x priority 10
event aaa-available match-all
10 class Critical_Auth do-until-failure
10 clear-session
20 class NOT_Critical_Auth do-until-failure
10 resume reauthentication
event inactivity-timeout match-all
10 class always do-until-failure
10 clear-session
event authentication-success match-all
10 class always do-until-failure
10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
event violation match-all
10 class always do-until-failure
10 restrict
!

template Port-Dot1x-CoJC
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-reauth-req 3
spanning-tree portfast
spanning-tree bpduguard enable
switchport access vlan 234
switchport mode access
switchport nonegotiate
switchport voice vlan 334
mab
access-session host-mode multi-domain
access-session port-control auto
authentication periodic
service-policy type control subscriber Dot1x-CoJC
service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
description ** Endpoint **
ip dhcp snooping limit rate 10

interface GigabitEthernet1/0/27
device-tracking attach-policy IP-Tracking
source template Port-Dot1x-CoJC
end

Our desktop group has verified that the endpoint has a power policy that prevents it from going into sleep mode. I would estimate 10-12% of our desktops are suffering from this issue.

Colby LeMaire · ‎07-28-2020

The configuration looks fine. It seems as though the PC is going to sleep or not receiving the EAPOL frames from the switch when the session timeout hits. PC isn't responding to 802.1x authentication attempts so it times out and goes to MAB.

I know you said that there is a GPO to prevent the machines from going to sleep, but sometimes GPO's fail to apply to the machines properly for a number of reasons. When this happens, can you call the user or physically visit the machine to ensure it is not sleeping? If it is awake, then maybe the EAPOL frames aren't being passed by the phone.

When this happens, what does the switchport show? Authenticated via MAB? What happens if you were to just do a "clear access-session interface gx/y"? Does that then trigger it to work? Or just the port-bounce?

netadmin cojc · ‎07-29-2020

David Harrell · ‎07-29-2020

Thanks for the reply. Yes, the port shows as MAB instead of Dot1x, and the username has changed to the MAC of the workstation.

Interface: GigabitEthernet1/0/27
IIF-ID: 0x1347829A
MAC Address: 6400.6a87.1775
IPv6 Address: Unknown
IPv4 Address: 10.2.34.209
User-Name: 64-00-6A-87-17-75
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Session timeout: 3600s (local), Remaining: 2037s
Timeout action: Reauthenticate
Acct update timeout: 172800s (local), Remaining: 167608s
Common Session ID: 0ACA020A0000270F9AE1581F
Acct Session ID: 0x000032af
Handle: 0x4000071d
Current Policy: Dot1x-CoJC

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure

Server Policies:
Session-Timeout: 3600 sec

Method status list:
Method State
dot1x Stopped
mab Authc Success

I've asked our VoIP engineer to check the phone loads, as there is a bug that seems to cause this issue (CSCsz59661). That is from 2018, and I think we are running a newer load on our phones than what is listed in the CSC. I'm not much of a VoIP tech, so I'm going to let the VoIP engineer double check for me.

Clearing the access-session doesn't appear to be enough to get the workstation to authenticate via dot1x. It authenticates again with MAB, and the MAC is shown as the username.

::EDIT:: I attempted a clear access-session on another switch, that the workstation had moved to MAB, and is also behind a 7945G. This time the workstation correctly moved back to dot1x. I think I may spend the day searching for a workstation that is moving to MAB, that does not tether from a 7945.