05-27-2022 03:21 AM
Hi
I'm looking at an IBNS 2.0 802.1X policy on Catalyst 3650 (ver 16.09.08) with ISE 2.7 patch 7. The switch setup should send the 802.1X client's VLAN ID to ISE (in the Access-Request during authentication) so that it can be used in an authorization condition.
I've got this working ok and can use the sent RADIUS attribute Tunnel-Private-Group-ID for authorisation. The problem I'm having is that ISE doesn't display this Tunnel-Private-Group-ID under "other attributes" in the authentication detail report. It does display the Tunnel-Type and Tunnel-Medium-Type attributes (see below) but not Tunnel-Private-Group-ID.
Tunnel-Type (tag=1) VLAN
Tunnel-Type (tag=2) VLAN
Tunnel-Medium-Type (tag=1) 802
Tunnel-Medium-Type (tag=2) 802
Has anyone come across this before? As I said, the method works ok but I can't see the actual Tunnel-Private-Group-ID in the authentication reports which makes testing/monitoring a bit difficult.
Thanks
Andy
05-29-2022 01:37 PM
Just clarifying what exactly you're looking for (in the absence of any screenshots).
When clicking on the Details of a successful Authentication, I can't see the VLAN ID listed in the "Authentication Details" part of the page, but further down the page I can see the RADIUS Attributes that are returned to the NAS - and VLAN is one of them
Or did you mean the reports under Operations > Reports > Reports > Endpoints and Users > RADIUS Authentications?
I don't see the VLAN (Tunnel-Private-Group-ID) listed there either - at best, I can see the Authorization Rule listed there (which you could name such that the VLAN ID is included in the name for easier reference - e.g. CORP_VL1101 or whatever).
05-30-2022 01:38 AM
Thanks for the response Arne.
I see the screenshot below for detail of successful authentication.
The VLAN isn't listed as it is in your screenshot. I can see Tunnel-Type and Tunnel-Medium-Type (both appear twice for some reason). Switch (Cat3650 16.09.08) config for sending vlan-id in the Access-Request is:
access-session attributes filter-list list radius-vlan
 vlan-id
access-session authentication attributes filter-spec include list radius-vlan
If I add dhcp to the filter-list I can see these attributes ok in ISE (2.7 patch 7). The switch is sending the vlan-id and I can use Tunnel-Private-Group-ID in authz policy - I just can't see it in the authentication details.
Thanks
Andy
05-31-2022 04:56 PM
Andy, it's curious to me that your endpoint authentication has two sets of VLANs. If possible, please let me know more about this endpoint.
Also, do you mean the RADIUS auth is not sending VLAN info until dhcp also added to the filter-list?
05-31-2022 11:08 PM
Hi hslai
I see the 2 sets of vlans listed for all endpoints (windows 10 (802.1x), phones (MAB) etc).
The switch filter-list (with just vlan-id) does send the vlan-id but ISE displays the 2 sets of vlans with no Tunnel-Private-Group-ID. When I add dhcp to the filter-list, the dhcp attributes are displayed correctly on ISE.
I'm planning to do a packet capture today to see exactly what the switch is sending to ISE in the filter-list.
This behaviour is happening with all our 3650 stacks (16.9.4 and 16.9.8).
Thanks
Andy
06-01-2022 04:20 AM
See below for screenshot of packet capture on switch showing the VLAN AVP sent in the Access-Request to ISE - client was on VLAN 110 (name STAFF_LAPTOP), which can be seen in the Access-Request.
I'll try this again with 16.12 on the switch to see if this is IOS related - ISE was upgraded recently from 2.4 to 2.7 (upgrade was a clean install with a restore).
Andy
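When the only place the attribute can be seen is a packet capture, it helps to decode the RFC 2868 tunnel attributes directly rather than eyeballing hex. The following is an added example, not code from the thread or from Cisco; it builds a constructed RADIUS Access-Request (sample username, VLAN 110 and tag values are made up for illustration) and decodes Tunnel-Type (64), Tunnel-Medium-Type (65) and Tunnel-Private-Group-ID (81), grouping them by tag the way they appear in the ISE "other attributes" list. It also handles the case RFC 2868 allows for the string attribute, where the first byte is greater than 0x1F and is therefore part of the value rather than a tag.

```python
import os
import struct

# RADIUS attribute types (RFC 2865 / RFC 2868)
USER_NAME = 1
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_NAMES = {13: "VLAN"}       # RFC 3580: Tunnel-Type VLAN = 13
TUNNEL_MEDIUM_NAMES = {6: "802"}       # RFC 3580: Tunnel-Medium-Type IEEE-802 = 6


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type, Length (incl. header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: 1-byte tag followed by a 3-byte big-endian value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def tagged_string(tag: int, value: str) -> bytes:
    """RFC 2868 tagged string: 1-byte tag (0x01..0x1F) followed by the text."""
    return bytes([tag]) + value.encode()


def build_access_request(attrs: bytes, identifier: int = 1) -> bytes:
    """Wrap attributes in a RADIUS Access-Request header (Code 1)."""
    authenticator = os.urandom(16)      # Request Authenticator is random for Access-Request
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


def iter_avps(packet: bytes):
    """Yield (type, value) pairs from a RADIUS packet, checking the length fields."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    pos = 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed AVP")
        yield attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def decode_tunnel_attrs(packet: bytes) -> dict:
    """Group the RFC 2868 tunnel attributes by tag.

    Returns {tag: {"Tunnel-Type": ..., "Tunnel-Medium-Type": ..., "Tunnel-Private-Group-ID": ...}}.
    An untagged Tunnel-Private-Group-ID (first byte > 0x1F) is filed under tag 0.
    """
    groups: dict = {}
    for attr_type, value in iter_avps(packet):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer must be 4 bytes")
            tag, num = value[0], int.from_bytes(value[1:4], "big")
            if attr_type == TUNNEL_TYPE:
                groups.setdefault(tag, {})["Tunnel-Type"] = TUNNEL_TYPE_NAMES.get(num, num)
            else:
                groups.setdefault(tag, {})["Tunnel-Medium-Type"] = TUNNEL_MEDIUM_NAMES.get(num, num)
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if value and value[0] <= 0x1F:
                tag, text = value[0], value[1:]
            else:
                tag, text = 0, value          # RFC 2868: byte > 0x1F is part of the string
            groups.setdefault(tag, {})["Tunnel-Private-Group-ID"] = text.decode("utf-8", "replace")
    return groups


def demo_packet() -> bytes:
    """Constructed Access-Request: one tagged VLAN triple, as a switch might send it."""
    attrs = b"".join([
        avp(USER_NAME, b"host/laptop01.example.internal"),   # constructed sample value
        avp(TUNNEL_TYPE, tagged_int(1, 13)),
        avp(TUNNEL_MEDIUM_TYPE, tagged_int(1, 6)),
        avp(TUNNEL_PRIVATE_GROUP_ID, tagged_string(1, "110")),
    ])
    return build_access_request(attrs)


if __name__ == "__main__":
    for tag, attrs in sorted(decode_tunnel_attrs(demo_packet()).items()):
        for name, val in attrs.items():
            print(f"{name} (tag={tag}) {val}")
```

To use it against a real capture, feed the UDP payload of the Access-Request (from `tcpdump -w` plus a pcap reader, or copied out of Wireshark as raw bytes) to `decode_tunnel_attrs`. One thing worth checking in the capture is whether the Tunnel-Private-Group-ID byte after the length is a tag (0x01..0x1F) or the first character of the VLAN value; the decoder keeps an untagged value under tag 0 so it is visibly separate from the tagged Tunnel-Type/Tunnel-Medium-Type pair it is meant to accompany.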
06-01-2022 06:26 AM
I'm having the same issue with 16.12.07. If I can find the time I'll contact TAC, but it's something I can live with for now.
Thanks
Andy