Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3001
Views
20
Helpful
10
Replies

Getting VLANs in the RADIUS access-requests without IBNS 2 or MAB

Nadav
Level 7
Level 7

‎01-31-2020 09:45 AM

Hi all,

 

Using IOS-XE you can send vlan information in the Tunnel-Private-Group-ID attribute, but that means having to convert configuration to IBNS 2. Apparently this can also be done when using MAB authentication.

 

My question is this:  Can it be done without IBNS 2 and without MAB?  (Purely for 802.1x)

0 Helpful
10 Replies 10

Damien Miller
VIP Alumni
VIP Alumni

‎01-31-2020 10:17 AM - edited ‎01-31-2020 10:17 AM

Dynamic vlan does work with traditional 802.1x (ibns 1.0) or C3PL ibns 2.0 configs. I have used dvlan with ibns 1.0 for a number of years.

This older guide covers it with the traditional 802.1x configs.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-3se/3650/sec-user-8021x-xe-3se-3650-book/sec-ieee-8021x-vlan-assign.pdf

Specifically this section and it is handled the same way with ibns 1.0 or 2.0. The challenge is always the endpoint when you change a vlan if the client has an IP already. The endpoint doesn't know the vlan changed, it doesn't know it needs to renew it's IP.

"You must assign the following vendor-specific tunnel attributes in the RADIUS server database. The RADIUS server must return these attributes to the device:

IEEE 802.1X VLAN Assignment
Specifying an Authorized VLAN in the RADIUS Server Database
• [64] Tunnel-Type = VLAN
• [65] Tunnel-Medium-Type = 802
• [81] Tunnel-Private-Group-ID = VLAN name or VLAN ID
Attribute [64] must contain the value “VLAN” (type 13). Attribute [65] must contain the value “802” (type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the IEEE 802.1X-authenticated user"

0 Helpful

Nadav
Level 7
Level 7
In response to Damien Miller

‎01-31-2020 10:24 AM

Thanks for the response,

 

I'm not looking to use dynamic vlans. I'm interested in the VLAN of the access port for the ISE RADIUS policy. I can't get the attribute to be sent so that I can decide whether to permit or deny access on that static VLAN assignment.

0 Helpful

Arne Bier
VIP
VIP
In response to Nadav

‎02-01-2020 08:07 PM

@Nadav - your question is rather confusing - sorry,  don't really know what you're after. IOS-XE does NOT mandate that you use IBNS at all. You can stay old school if you wish. In my experience you can use the age old commands on newer IOS-XE switches and all works well. Cisco would like us to move to IBNS (and using 3CPL) but it's not mandatory.

 

If you simply return an Access-Accept (without any mention of VLAN), then the IOS switch port config will be used that is currently configured on the interface. If you're using port templates, then it will be the config as seen with the command 

show derived-config interface blah/blah

Nadav
Level 7
Level 7
In response to Arne Bier

‎02-02-2020 01:13 AM

Hi,

 

I'll elaborate on the question with an example.

 

A workstation has connected to an access switch which performs 802.1x authentication via ISE. I would like the access vlan (pre-configured on the switch, not dynamic) to be sent in the access-request via RADIUS. This is in order to reach a policy based decision on the access-vlan.

 

For example, workstation connects to port Gi1/0/2. My RADIUS policy in ISE would treat it differently if the access vlan on that port is 2000 or 2010. 

 

This can be done today via the following commands (which automatically migrate all configuration to IBNS 2):

access-session attributes filter-list CUSTOM

  vlan-id

access-session authentication attributes filter-spec include list CUSTOM

I don't want this option, since I'd prefer not to go the IBNS route for my authentication configuration. I've confirmed this behavior on Cat9300 switches which prompt that applying these commands must irreversibly migrate the configuration to IBNS .

 

Another option that exists is via MAB, such as this:

mab request format attribute 32 vlan access-vlan

I don't wish to use MAB but rather 802.1x, so it's irrelevant.

 

This document gives examples of these use cases and others:

https://community.cisco.com/t5/security-documents/advanced-ise-tips-to-make-your-deployment-easier/ta-p/3850189 

 

Since the previous two options are unacceptable, I'd like to know whether or not there is a third option which doesn't require IBNS or MAB and that can be performed on 802.1x enabled interfaces.

0 Helpful

Arne Bier
VIP
VIP
In response to Nadav

‎02-04-2020 03:40 AM

Oh I see. That's interesting. You want the port based authentication REQUEST to contain a hint to ISE in the form of an attribute that contains the VLAN of the access port on which the authentication is currently in progress.  Your examples already show how to do that using IBNS - but you don't want IBNS. I get it now.  I don't know of any non-IBNS way of doing this, while performing 802.1X

 

It looks like you have done a lot of research on this. Essentially what you need is this ... if it exists - I guess you have tried already?

dot1x request format attribute 32 vlan access-vlan

Greg Gibbs
Cisco Employee
Cisco Employee
In response to Arne Bier

‎02-04-2020 01:57 PM

Another option would be using the SNMP Query probe to gather the VLAN ID on the switchport via Profiling. You could then create policy that leverages the VLAN attribute based on custom Profiling Policies. This should even work for legacy switches that do not support IBNS 2.0.

See the ISE Profiling Design Guide for more info

 

Cheers,

Greg

 

Nadav
Level 7
Level 7
In response to Arne Bier

‎02-04-2020 11:49 PM

Oddly enough that doesn't send anything, as confirmed by packet capture.
Might be a bug, might be not implemented on this platform.
0 Helpful

Greg Gibbs
Cisco Employee
Cisco Employee
In response to Nadav

‎02-05-2020 02:04 PM

It looks like the switch platform needs to support the CISCO-VLAN-GROUP-MIB in order to provide the VLAN information to ISE via the SNMP Query Probe.

You might want to have a look at the MIB support list for your platform on the MIB Locator page to confirm if it supports this MIB. If it does support the MIB, you might want to open a TAC case to investigate further.

 

Cheers,

Greg

Nadav
Level 7
Level 7
In response to Greg Gibbs

‎02-06-2020 01:59 AM

Thanks, that's some interesting information. Apparently the Cat 9k doesn't support it, which is very odd since these are the cutting edge platforms for the edge and this information would be most relevant for the edge.

 

I was hoping not having to go into creating profiling rules and using up Plus licenses just for this. 

 

As for the CISCO-VLAN-GROUP-MIB, is that also necessary for the RADIUS attribute to be sent along with the access-request during 802.1x authentication? Perhaps that's why it's not being sent?

0 Helpful

Greg Gibbs
Cisco Employee
Cisco Employee
In response to Nadav

‎02-06-2020 01:10 PM

The MIB would only affect SNMP-based functions, so it would not be related to getting the VLAN info directly via RADIUS. Legacy IBNS uses the Auth Manager process, whereas IBNS 2.0 uses the newer Access Session Manager. Sending the VLAN was never a function of the Auth Manager process, so using the Access Session Manager (via IBNS 2.0; with the respective minimum IOS-XE code) is required.

As a note, IBNS 2.0 is the recommended option for switches that support it. If you are using (or plan to use) a Low-Impact Mode deployment, IBNS 2.0 implements a crucial enhancement for Critical VLAN. This was never a feature of Legacy IBNS and the only option was to use EEM scripts to attempt a similar function. Because the EEM scripts are based on logs, this did not consistently work in the vast majority of large production environments.

 

Cheers,

Greg

0 Helpful
Customers Also Viewed These Support Documents