FlexConnect AP, ISE and NEAT

I've finished configuring FlexConnect AP authentication and authorization using Cisco ISE and the NEAT feature, which converts the access port into a trunk. However, I've noticed this is really a ONE-time process.

You can argue and tell me that if I unplug the authenticated AP, the port will be converted back to access with dot1x enabled. It is indeed true, but only up to the point when you save and reload the switch. For some unknown reason, the switch doesn't keep the original 'access' configuration and saves the config it applied itself using the template.

I tested it on an old 3750 and a new 3850 (3.7.5E) and the behavior is the same.

This makes the whole concept non-practical.

Has anyone faced the same problem?

I need to make sure that the AP is authenticated even after the config is saved and the switch is reloaded...

Cisco should improve the feature by IGNORING the trunk configuration when the configuration is saved. It really has to save the original port config (with the access config).

Thanks all
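A way to catch the failure mode described in this post before it bites after a reload, added here as an example that is not part of the thread: a small Python script that parses a saved IOS running-config and reports ports that are in trunk mode but still carry 802.1X authenticator commands, which is exactly what a NEAT-converted port looks like once "write memory" has captured the trunk settings the switch applied for the session. The sample config, interface names, VLANs and the AUTH_MARKERS list are constructed assumptions, not the poster's configuration.

```python
import re

# Constructed sample running-config (not from the thread).
# Gi1/0/1 is the intended access state for an AP port; Gi1/0/2 is what
# that same port looks like once the NEAT trunk conversion was saved;
# Gi1/0/3 is a plain uplink trunk with no authentication, which is fine.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 description AP port - expected saved state
 switchport access vlan 999
 switchport mode access
 access-session port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description AP port - saved after NEAT conversion
 switchport trunk native vlan 999
 switchport trunk allowed vlan 999,1123
 switchport mode trunk
 access-session port-control auto
 dot1x pae authenticator
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/3
 description uplink - trunk without dot1x is legitimate
 switchport mode trunk
!
"""

# Commands that mark a port as an 802.1X/MAB authenticator (assumed list;
# both the old "authentication" and the new "access-session" syntax).
AUTH_MARKERS = (
    "access-session port-control auto",
    "authentication port-control auto",
    "dot1x pae authenticator",
)


def parse_interfaces(config_text):
    """Return {interface_name: [sub-commands]} for every interface block."""
    blocks = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # "!" or a top-level command ends the block
    return blocks


def find_saved_neat_ports(config_text):
    """Return {interface: reason} for trunks that still carry authenticator config.

    A trunk with dot1x/access-session on it is the footprint the thread
    describes: after a reload the port is already a trunk, so the AP behind
    it is never authenticated again.
    """
    findings = {}
    for name, lines in parse_interfaces(config_text).items():
        is_trunk = "switchport mode trunk" in lines
        has_auth = any(cmd in AUTH_MARKERS for cmd in lines)
        if is_trunk and has_auth:
            findings[name] = "trunk mode with 802.1X authenticator config (saved NEAT conversion?)"
    return findings


if __name__ == "__main__":
    for intf, reason in find_saved_neat_ports(SAMPLE_CONFIG).items():
        print(f"{intf}: {reason}")
```

Run it against the output of "show running-config" (or the startup-config pulled from the switch) to list the ports that need their access configuration restored before the next reload.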

2 Accepted Solutions

hi
just wanted to point out the newly published document that encourages using an interface template instead of NEAT for this use case
https://communities.cisco.com/docs/DOC-77476
regards,
guillaume

Check out the newer guide ISE Secure Wired Access Prescriptive Deployment Guide > NEAT with Interface Templates

PS: Please start your own thread and reference the old one(s) but avoid resurrecting a thread inactive for months.

9 Replies

Also, to make it even less practical I've noticed the following

Once the AP authenticates, its session appears on ISE. However, due to the above (the switchport becomes a trunk) reauthentication does not happen and ISE removes the session from its DB after the session timeout.

To summarize, the AP authenticates, ISE shows this session for up to 3600s (default) and then this session disappears and the AP's AAA session is not known to ISE anymore.

Hello,
could you confirm to me that you are using the same configuration as described in this Cisco guide https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200492-Securing-a-flexconnect-AP-switchport-wit.html ?

Thanks
Jakub

Yes, it's pretty much what I did

The key point here is that the port is configured as access, but with bits of trunk configuration - in particular allowed vlans. The following happens then:

  1. AP is connected to the port, using access mode, which is vital for 802.1x to kick off
  2. Switch starts dot1x and the EAP exchange begins
  3. After successful authentication ISE pushes the config bit, but the key point here is the NEAT feature.
  4. Once the switch receives NEAT instructions for the session it will convert the port into TRUNK mode (including spanning tree config); the access vlan becomes the trunk's native VLAN.
  5. Voila, your AP is now authenticated and can receive an IP address over the native VLAN and connect to the WLC

The problem here is the following

  • If you save config on a switch after the port is converted by NEAT this port will stay in trunk after reboot and will never use 802.1x to authenticate the AP behind it
  • If you disconnect the AP without rebooting the switch, the session will be reset and the access config re-applied (clean up). However, as stated above, once the port is converted into a trunk ISE will keep track of this session for the duration of the session timeout and after that it will delete the session. Can't remember 100% what happens to the switchport config, but as far as I remember it stays in trunk mode.

Although a nice feature, it looks a bit unfinished. IMO the switch should keep track of NEAT related configuration and shouldn't save it when write mem is executed.

Hi,

To me it doesn't seem the 'true' NEAT configuration.

Compare the flexconnect AP + ISE article with this one - https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html

NEAT was initially developed for switches that would be placed on a meeting table, where physical security is hard to implement and anyone can replace that switch with their own, thus having access to any VLAN (if a trunk is configured and no supplicant-switch to authenticator-switch thing happens).

What I would do is just use/test macros on the switch that are triggered by ISE, as in this post:

https://supportforums.cisco.com/t5/lan-switching-and-routing/auto-smartport-macro-execution-via-cisco-acs/td-p/2906681

I've done it in the past for some other reason and don't remember having issues with it.

Regards,

Octavian

I had a brief overview and it's exactly what I am trying to do. I will try it in lab and let you know. Anyway, thanks for sharing.

I tested this yesterday and can confirm it works as described. However, I've noticed two things so far...

a) It takes roughly 10 minutes for my AP to move into the right VLAN (or appear in WLC as connected) once the template is assigned

b) I think I am hitting a bug on Denali 16.3.5b. The template is assigned OK post authentication. And it is removed OK if I disconnect the AP, or shut the port. However, once I reconnect the AP the dot1x process fails and I get "%SESSION_MGR-5-FAIL:Switch 1 R0/0: smd: Authorization failed or unapplied for client Conditions:". Only a reboot helps. But, again, once any port goes via shut/unshut the session manager gets stuck. TAC case then

Using an ISE applied interface template to configure the port as a trunk as discussed in https://communities.cisco.com/docs/DOC-77476 works reasonably well (on a Cat9300 ver16.6.4a), however the document recommends setting the port as Multi-Host mode which isn't particularly desirable.

I did think I could set the port to multi-auth or multi-domain and then have the template overwrite this with multi-host if an AP authenticates, however with this configuration the switchport gets stuck in a loop continually authenticating the port and then dropping the session.

Interface / Template Config and log below

interface TenGigabitEthernet1/0/47
 description ** ISE Authentciated LAN Access Port **
 switchport access vlan 999
 switchport mode access
 switchport voice vlan 1183
 authentication periodic
 authentication timer reauthenticate server
 access-session host-mode multi-domain
 access-session closed
 access-session port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
 service-policy type control subscriber PORT-AUTH-POLICY

template ISE_FLEX_AP
 spanning-tree portfast trunk
 switchport trunk native vlan 1106
 switchport trunk allowed vlan 1106,1123
 switchport mode trunk
 switchport nonegotiate
 access-session host-mode multi-host

*Jan 30 2019 23:03:30.173 UTC: %SESSION_MGR-5-START: Switch 1 R0/0: smd: Starting 'dot1x' for client (7872.5D3F.912C) on Interface TenGigabitEthernet1/0/47 AuditSessionID 26A01FAC000001DEA100CA7D
*Jan 30 2019 23:03:30.199 UTC: %SESSION_MGR-5-SUCCESS: Switch 1 R0/0: smd: Authorization succeeded for client (7872.5D3F.912C) on Interface TenGigabitEthernet1/0/47 AuditSessionID 26A01FAC000001DEA100CA7D
*Jan 30 2019 23:03:30.785 UTC: %SESSION_MGR-5-START: Switch 1 R0/0: smd: Starting 'dot1x' for client (7872.5D3F.912C) on Interface TenGigabitEthernet1/0/47 AuditSessionID 26A01FAC000001DFA100CCE1
*Jan 30 2019 23:03:30.810 UTC: %SESSION_MGR-5-SUCCESS: Switch 1 R0/0: smd: Authorization succeeded for client (7872.5D3F.912C) on Interface TenGigabitEthernet1/0/47 AuditSessionID 26A01FAC000001DFA100CCE1
*Jan 30 2019 23:03:30.859 UTC: %SESSION_MGR-5-START: Switch 1 R0/0: smd: Starting 'dot1x' for client (7872.5D3F.912C) on Interface TenGigabitEthernet1/0/47 AuditSessionID 26A01FAC000001E0A100CD2B
*Jan 30 2019 23:03:30.884 UTC: %SESSION_MGR-5-SUCCESS: Switch 1 R0/0: smd: Authorization succeeded for client (7872.5D3F.912C) on Interface TenGigabitEthernet1/0/47 AuditSessionID 26A01FAC000001E0A100CD2B
*Jan 30 2019 23:03:31.793 UTC: %SESSION_MGR-5-START: Switch 1 R0/0: smd: Starting 'dot1x' for client (7872.5D3F.912C) on Interface TenGigabitEthernet1/0/47 AuditSessionID 26A01FAC000001E1A100D0D1
*Jan 30 2019 23:03:31.819 UTC: %SESSION_MGR-5-SUCCESS: Switch 1 R0/0: smd: Authorization succeeded for client (7872.5D3F.912C) on Interface TenGigabitEthernet1/0/47 AuditSessionID 26A01FAC000001E1A100D0D1
*Jan 30 2019 23:03:33.887 UTC: %SESSION_MGR-5-START: Switch 1 R0/0: smd: Starting 'dot1x' for client (7872.5D3F.912C) on Interface TenGigabitEthernet1/0/47 AuditSessionID 26A01FAC000001E2A100D8FF
*Jan 30 2019 23:03:33.912 UTC: %SESSION_MGR-5-SUCCESS: Switch 1 R0/0: smd: Authorization succeeded for client (7872.5D3F.912C) on Interface TenGigabitEthernet1/0/47 AuditSessionID 26A01FAC000001E2A100D8FF
*Jan 30 2019 23:03:36.167 UTC: %SESSION_MGR-5-START: Switch 1 R0/0: smd: Starting 'dot1x' for client (7872.5D3F.912C) on Interface TenGigabitEthernet1/0/47 AuditSessionID 26A01FAC000001E3A100E1E7
*Jan 30 2019 23:03:36.193 UTC: %SESSION_MGR-5-SUCCESS: Switch 1 R0/0: smd: Authorization succeeded for client (7872.5D3F.912C) on Interface TenGigabitEthernet1/0/47 AuditSessionID 26A01FAC000001E3A100E1E7
*Jan 30 2019 23:03:37.973 UTC: %SESSION_MGR-5-START: Switch 1 R0/0: smd: Starting 'dot1x' for client (7872.5D3F.912C) on Interface TenGigabitEthernet1/0/47 AuditSessionID 26A01FAC000001E4A100E8F5
*Jan 30 2019 23:03:37.998 UTC: %SESSION_MGR-5-SUCCESS: Switch 1 R0/0: smd: Authorization succeeded for client (7872.5D3F.912C) on Interface TenGigabitEthernet1/0/47 AuditSessionID 26A01FAC000001E4A100E8F5
*Jan 30 2019 23:03:47.560 UTC: %SESSION_MGR-5-START: Switch 1 R0/0: smd: Starting 'dot1x' for client (7872.5D3F.912C) on Interface TenGigabitEthernet1/0/47 AuditSessionID 26A01FAC000001E5A1010E68
*Jan 30 2019 23:03:47.587 UTC: %SESSION_MGR-5-SUCCESS: Switch 1 R0/0: smd: Authorization succeeded for client (7872.5D3F.912C) on Interface TenGigabitEthernet1/0/47 AuditSessionID 26A01FAC000001E5A1010E68
*Jan 30 2019 23:03:48.503 UTC: %SESSION_MGR-5-START: Switch 1 R0/0: smd: Starting 'dot1x' for client (7872.5D3F.912C) on Interface TenGigabitEthernet1/0/47 AuditSessionID 26A01FAC000001E6A1011216
*Jan 30 2019 23:03:48.529 UTC: %SESSION_MGR-5-SUCCESS: Switch 1 R0/0: smd: Authorization succeeded for client (7872.5D3F.912C) on Interface TenGigabitEthernet1/0/47 AuditSessionID 26A01FAC000001E6A1011216
*Jan 30 2019 23:03:49.517 UTC: %SESSION_MGR-5-START: Switch 1 R0/0: smd: Starting 'dot1x' for client (7872.5D3F.912C) on Interface TenGigabitEthernet1/0/47 AuditSessionID 26A01FAC000001E7A101160C
*Jan 30 2019 23:03:49.542 UTC: %SESSION_MGR-5-SUCCESS: Switch 1 R0/0: smd: Authorization succeeded for client (7872.5D3F.912C) on Interface TenGigabitEthernet1/0/47 AuditSessionID 26A01FAC000001E7A101160C
*Jan 30 2019 23:03:51.167 UTC: %SESSION_MGR-5-START: Switch 1 R0/0: smd: Starting 'dot1x' for client (7872.5D3F.912C) on Interface TenGigabitEthernet1/0/47 AuditSessionID 26A01FAC000001E8A1011C7E
*Jan 30 2019 23:03:51.192 UTC: %SESSION_MGR-5-SUCCESS: Switch 1 R0/0: smd: Authorization succeeded for client (7872.5D3F.912C) on Interface TenGigabitEthernet1/0/47 AuditSessionID 26A01FAC000001E8A1011C7E
*Jan 30 2019 23:03:51.616 UTC: %SESSION_MGR-5-START: Switch 1 R0/0: smd: Starting 'dot1x' for client (7872.5D3F.912C) on Interface TenGigabitEthernet1/0/47 AuditSessionID 26A01FAC000001E9A1011E40
*Jan 30 2019 23:03:51.642 UTC: %SESSION_MGR-5-SUCCESS: Switch 1 R0/0: smd: Authorization succeeded for client (7872.5D3F.912C) on Interface TenGigabitEthernet1/0/47 AuditSessionID 26A01FAC000001E9A1011E40
*Jan 30 2019 23:03:52.330 UTC: %SESSION_MGR-5-START: Switch 1 R0/0: smd: Starting 'dot1x' for client (7872.5D3F.912C) on Interface TenGigabitEthernet1/0/47 AuditSessionID 26A01FAC000001EAA101210A
*Jan 30 2019 23:03:52.386 UTC: %SESSION_MGR-5-SUCCESS: Switch 1 R0/0: smd: Authorization succeeded for client (7872.5D3F.912C) on Interface TenGigabitEthernet1/0/47 AuditSessionID 26A01FAC000001EAA101210A
*Jan 30 2019 23:03:55.672 UTC: %SESSION_MGR-5-START: Switch 1 R0/0: smd: Starting 'dot1x' for client (7872.5D3F.912C) on Interface TenGigabitEthernet1/0/47 AuditSessionID 26A01FAC000001EBA1012E18
*Jan 30 2019 23:03:55.698 UTC: %SESSION_MGR-5-SUCCESS: Switch 1 R0/0: smd: Authorization succeeded for client (7872.5D3F.912C) on Interface TenGigabitEthernet1/0/47 AuditSessionID 26A01FAC000001EBA1012E18
*Jan 30 2019 23:03:56.648 UTC: %SESSION_MGR-5-START: Switch 1 R0/0: smd: Starting 'dot1x' for client (7872.5D3F.912C) on Interface TenGigabitEthernet1/0/47 AuditSessionID 26A01FAC000001ECA10131E7
*Jan 30 2019 23:03:56.675 UTC: %SESSION_MGR-5-SUCCESS: Switch 1 R0/0: smd: Authorization succeeded for client (7872.5D3F.912C) on Interface TenGigabitEthernet1/0/47 AuditSessionID 26A01FAC000001ECA10131E7
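The repeating START/SUCCESS pairs above, a dozen new sessions for one client in under 30 seconds, are the loop the poster describes. As an added example that is not part of the thread, the Python below parses lines in that %SESSION_MGR format and flags any client/interface pair that starts more than a chosen number of sessions inside a short window, so the loop can be spotted from syslog rather than by eye. The sample log lines are constructed with placeholder MACs, interfaces and session ids, and the thresholds (3 starts in 30 s) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the IOS-XE SESSION_MGR START/SUCCESS lines in the format the post
# shows; other SESSION_MGR variants (e.g. FAIL with "Conditions:") are ignored.
LOG_RE = re.compile(
    r"^\*(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) UTC: "
    r"%SESSION_MGR-5-(?P<event>START|SUCCESS):.*?"
    r"client \((?P<mac>[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})\) "
    r"on Interface (?P<intf>\S+)"
)

# Constructed sample (placeholder MACs, interfaces and AuditSessionIDs).
# AAAA.BBBB.CCCC on Gi1/0/10 is looping; 1111.2222.3333 on Gi1/0/11 is healthy.
SAMPLE_LOG = """\
*Jan 30 2019 23:03:30.173 UTC: %SESSION_MGR-5-START: Switch 1 R0/0: smd: Starting 'dot1x' for client (AAAA.BBBB.CCCC) on Interface GigabitEthernet1/0/10 AuditSessionID 00000000000000000001
*Jan 30 2019 23:03:30.199 UTC: %SESSION_MGR-5-SUCCESS: Switch 1 R0/0: smd: Authorization succeeded for client (AAAA.BBBB.CCCC) on Interface GigabitEthernet1/0/10 AuditSessionID 00000000000000000001
*Jan 30 2019 23:03:30.785 UTC: %SESSION_MGR-5-START: Switch 1 R0/0: smd: Starting 'dot1x' for client (AAAA.BBBB.CCCC) on Interface GigabitEthernet1/0/10 AuditSessionID 00000000000000000002
*Jan 30 2019 23:03:30.810 UTC: %SESSION_MGR-5-SUCCESS: Switch 1 R0/0: smd: Authorization succeeded for client (AAAA.BBBB.CCCC) on Interface GigabitEthernet1/0/10 AuditSessionID 00000000000000000002
*Jan 30 2019 23:03:31.793 UTC: %SESSION_MGR-5-START: Switch 1 R0/0: smd: Starting 'dot1x' for client (AAAA.BBBB.CCCC) on Interface GigabitEthernet1/0/10 AuditSessionID 00000000000000000003
*Jan 30 2019 23:03:31.819 UTC: %SESSION_MGR-5-SUCCESS: Switch 1 R0/0: smd: Authorization succeeded for client (AAAA.BBBB.CCCC) on Interface GigabitEthernet1/0/10 AuditSessionID 00000000000000000003
*Jan 30 2019 23:03:33.887 UTC: %SESSION_MGR-5-START: Switch 1 R0/0: smd: Starting 'dot1x' for client (AAAA.BBBB.CCCC) on Interface GigabitEthernet1/0/10 AuditSessionID 00000000000000000004
*Jan 30 2019 23:03:33.912 UTC: %SESSION_MGR-5-SUCCESS: Switch 1 R0/0: smd: Authorization succeeded for client (AAAA.BBBB.CCCC) on Interface GigabitEthernet1/0/10 AuditSessionID 00000000000000000004
*Jan 30 2019 23:03:36.167 UTC: %SESSION_MGR-5-START: Switch 1 R0/0: smd: Starting 'dot1x' for client (AAAA.BBBB.CCCC) on Interface GigabitEthernet1/0/10 AuditSessionID 00000000000000000005
*Jan 30 2019 23:03:36.193 UTC: %SESSION_MGR-5-SUCCESS: Switch 1 R0/0: smd: Authorization succeeded for client (AAAA.BBBB.CCCC) on Interface GigabitEthernet1/0/10 AuditSessionID 00000000000000000005
*Jan 30 2019 23:05:00.000 UTC: %SESSION_MGR-5-START: Switch 1 R0/0: smd: Starting 'dot1x' for client (1111.2222.3333) on Interface GigabitEthernet1/0/11 AuditSessionID 00000000000000000006
*Jan 30 2019 23:05:00.030 UTC: %SESSION_MGR-5-SUCCESS: Switch 1 R0/0: smd: Authorization succeeded for client (1111.2222.3333) on Interface GigabitEthernet1/0/11 AuditSessionID 00000000000000000006
"""


def parse_line(line):
    """Return (timestamp, event, mac, interface), or None for non-matching lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S.%f")
    return ts, m.group("event"), m.group("mac"), m.group("intf")


def find_auth_loops(lines, max_starts=3, window_seconds=30.0):
    """Flag (mac, interface) pairs that start more than max_starts sessions
    inside any window_seconds span. Returns {(mac, intf): peak_starts_in_window}.

    A healthy port starts one session per link-up plus periodic re-auth;
    several starts per second means the session is being torn down and
    rebuilt, which is the host-mode conflict described in the post.
    """
    recent = defaultdict(deque)   # sliding window of START timestamps per pair
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "START":
            continue
        ts, _, mac, intf = parsed
        window = recent[(mac, intf)]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > max_starts:
            flagged[(mac, intf)] = max(flagged.get((mac, intf), 0), len(window))
    return flagged


def session_summary(lines):
    """Count START and SUCCESS events per (mac, interface) for a quick overview."""
    counts = defaultdict(lambda: {"START": 0, "SUCCESS": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            _, event, mac, intf = parsed
            counts[(mac, intf)][event] += 1
    return dict(counts)


if __name__ == "__main__":
    for (mac, intf), peak in find_auth_loops(SAMPLE_LOG.splitlines()).items():
        print(f"auth loop: {mac} on {intf}: {peak} session starts inside 30s")
```

Feed it the switch's syslog (or the output of "show logging") and the flagged pairs are the ports to inspect; because every START is followed by a SUCCESS, a dashboard that only counts failures would show nothing for this loop.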
