Internet Access Only for Critical Vlan IBNS2.0 dot1x

Mukesh-Kumar
Level 1

I am seeking help to configure Internet access only for new devices connecting to the network. Here is the Critical VLAN configured in IBNS2.0:

10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
 10 activate service-template CRITICAL_AUTH_VLAN
 20 activate service-template CRITICAL_VOICE_TEMPLATE
 30 authorize
 40 pause reauthentication

#show access-session interface gigabitEthernet 1/0/17 details
Interface: GigabitEthernet1/0/17
IIF-ID: 0x10BF7CA6
MAC Address: fc5c.xxxx.yyyy
IPv6 Address: Unknown
IPv4 Address: 172.37.88.18
Device-type: Un-Classified Device
Device-name: Unknown Device
Status: Authorized
Domain: UNKNOWN
Oper host mode: multi-auth
Oper control dir: in
Session timeout: N/A
Acct update timeout: 86400s (local), Remaining: 82396s
Common Session ID: D6581EAC00005FDBE56E7581
Acct Session ID: 0x00000e5b
Handle: 0xbb000451
Current Policy: IBNS2.0_DOT1XMAB_Policy


Local Policies:
Service Template: CRITICAL_VOICE_TEMPLATE (priority 150)
Voice Vlan: Vlan: 595
Service Template: CRITICAL_AUTH_VLAN (priority 150)

#show service-template CRITICAL_AUTH_VLAN
Name : CRITICAL_AUTH_VLAN
Description : NONE
VLAN : 696
VNID : NONE
MDNS POLICY : NONE

#show service-template CRITICAL_VOICE_TEMPLATE
Name : CRITICAL_VOICE_TEMPLATE
Description : NONE
VLAN : 595
VNID : NONE
Voice Vlan : yes
MDNS POLICY : NONE

  @Arne Bier @MHM Cisco World 

 

Accepted Solution

This is a bit difficult to follow as the VLANs referenced in the latest information are different than those from the earlier discussions.

Your service-template CRITICAL_VOICE_TEMPLATE shows a VLAN of 3289. Where does this VLAN come from and why is it different from the voice vlan configured on the switchport (3288)?
The CRITICAL_VOICE_TEMPLATE should simply be authorizing a phone on the preconfigured voice VLAN for the switchport. With the RADIUS servers unreachable, the phone should learn the voice VLAN from CDP and tag its traffic on that VLAN. The switch would then authorize the traffic on that VLAN (in the voice domain) for the phone when in the critical state without requiring authorization from the RADIUS server.

As per the ISE Secure Wired Access Prescriptive Deployment Guide, the validated and recommended configuration for the class within this event is:

  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 clear-authenticated-data-hosts-on-port
   20 activate service-template CRITICAL_AUTH_ACCESS
   30 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   40 authorize
   50 pause reauthentication

I would suggest basing your configuration off of the examples in that guide.


20 Replies

Mukesh-Kumar
Level 1

During the testing I am able to connect to both the Intranet and the Internet. How do I confirm which VLAN gets assigned while the RADIUS servers are not available, and restrict new devices connecting to the network during that time to Internet only?

@Mukesh-Kumar your output confirms the service template CRITICAL_AUTH_VLAN is assigned when ISE is unavailable, which appears to assign VLAN 696.

To restrict access when ISE is down, create a Critical ACL to permit internet access (http, https and dns) and reference this under the CRITICAL_AUTH_VLAN service template.

service-template CRITICAL_AUTH_VLAN 
  vlan XXX
  access-group <ACL NAME>

There is an example in the Cisco ISE wired prescriptive guide - https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515#toc-hId-37997926
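A worked version of that Critical ACL, added here as an example rather than taken from the reply above or from the Cisco guide: the ACL name ACL_CRITICAL_INTERNET_ONLY and the use of the RFC 1918 ranges as the internal address space are assumptions; VLAN 696 is the Internet-only VLAN from this thread.

```cisco
! Added example: Critical ACL that lets a host in the critical state
! bootstrap (DHCP, DNS) and reach the Internet, but not internal space.
! ACL name and the RFC 1918 "internal" ranges are assumptions; replace the
! deny lines with the prefixes that are actually internal in your network.
ip access-list extended ACL_CRITICAL_INTERNET_ONLY
 remark -- DHCP and DNS so the endpoint can get an address and resolve names
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit tcp any any eq domain
 remark -- Deny internal destinations BEFORE the web permits; without these
 remark -- lines "permit tcp any any eq 443" also reaches intranet servers
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark -- What is left is the Internet: web only
 permit tcp any any eq www
 permit tcp any any eq 443
 deny   ip any any
!
! The ACL rides on the same service template that puts the host in VLAN 696,
! so it is applied only while the AAA_SVR_DOWN class is active.
service-template CRITICAL_AUTH_VLAN
 vlan 696
 access-group ACL_CRITICAL_INTERNET_ONLY
```

With RADIUS unreachable, `show ip access-lists ACL_CRITICAL_INTERNET_ONLY` shows the match counters; hits on the deny lines are the internal destinations the endpoint tried to reach.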

 

Thank you very much @Rob Ingram for your quick support. We have specifically created VLAN 696 for Internet purposes only, and piped it to the switch. I will look into the Critical ACL as well and get back to you.

Hello @Rob Ingram. While connecting to the same test switch, with only that particular VLAN, I have access to the Internet only.

However, when dot1x is configured and the RADIUS servers get blocked, the same VLAN (Critical VLAN) is assigned and I am able to access everything (Intranet) besides the Internet.

The VLAN is created for Internet purposes only. Somehow, I am getting access to internal resources while using IBNS2.0.

@Mukesh-Kumar

Just assigning the user to the VLAN is not going to restrict access.

Did you configure the critical ACL and does it get applied when RADIUS is down?

What is the syntax of the ACL?

 

Hello Rob @Rob Ingram 

I have not created/configured the Critical ACL. But I will configure it and get back to you.

Further, in my earlier post I was saying that the Critical VLAN has access only to the Internet; I checked by configuring an access port as below and verified that I was able to access only the Internet. However, I will configure the Critical ACL and update.

Current configuration : 109 bytes
!
interface GigabitEthernet1/0/45
 description Critical VLAN 1000 Testing
 switchport access vlan 696

The Critical ACL is mainly used to override any restrictive pre-auth ACL configured on the switchport in the event that connectivity to all RADIUS servers is down (like in a Low Impact Mode stage). The Critical ACL would provide more permissive access in that Critical state.

In the Critical state, are you seeing the MAC address of the endpoint (show mac address-table interface <intf>) associated with the correct VLAN (696)? If so, then the Critical VLAN function is doing its job.

If that's the case, my guess would be some sort of routing or route-leaking issue that's allowing the connectivity from that VLAN. You would need to look at the end to end flow and maybe using tracing tools to see how the connectivity is happening.

Ideally, the Critical VLAN would be associated with a separate VRF to segment it from the rest of the corporate network. That VRF would properly segment and route the traffic to a firewall or other secure path to provide only internet access.
VLANs alone are not a suitable segmentation mechanism in this day and age.
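A sketch of the VRF-based segmentation suggested above, added as an example and not part of the reply: the VRF name INTERNET_ONLY, the gateway 172.37.88.1/24 for VLAN 696, the transit VLAN 697 and the firewall and DHCP server addresses are all assumptions; VLAN 696 and the endpoint's 172.37.88.x addressing come from the thread.

```cisco
! Added example (assumed names and addresses, not from the thread): the
! Critical VLAN's gateway lives in its own VRF so the only exit is the firewall.
vrf definition INTERNET_ONLY
 address-family ipv4
 exit-address-family
!
vlan 696
 name CRITICAL_INTERNET_ONLY
!
! Gateway for the Critical VLAN is in the VRF, not in the global table,
! so a host in VLAN 696 has no route to corporate subnets at all
interface Vlan696
 description Critical VLAN gateway (INTERNET_ONLY VRF)
 vrf forwarding INTERNET_ONLY
 ip address 172.37.88.1 255.255.255.0
 ip helper-address 172.37.90.10
!
! Transit link toward the firewall, also in the VRF
interface Vlan697
 description Transit to firewall (INTERNET_ONLY VRF)
 vrf forwarding INTERNET_ONLY
 ip address 172.37.89.2 255.255.255.0
!
! Single default route out of the VRF toward the firewall. Deliberately no
! "ip route vrf ... global" or route-target import from corporate VRFs:
! that is the route leaking that would reintroduce intranet reachability.
ip route vrf INTERNET_ONLY 0.0.0.0 0.0.0.0 172.37.89.1
```

`show ip route vrf INTERNET_ONLY` should list only the two connected subnets and the default toward the firewall; any corporate prefix appearing there is the leak path suspected above. The DHCP server (172.37.90.10 here) sits behind the firewall, which must permit the relayed requests.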

Hello @Greg Gibbs @Rob Ingram @PradeepSingh 

Here is the output of the interface, and I see both the voice VLAN and the data VLAN when the RADIUS servers are not available. It appears to me that the Critical VLAN is getting assigned to the interface. Please note that there is only a computer and no phone attached to the interface. However, as per the Critical VLAN template, both data and voice VLANs are getting assigned.

#show mac address-table interface gigabitEthernet 1/0/17
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 696    fc5c.eeb2.f5a9    STATIC      Gi1/0/17
 595    fc5c.eeb2.f5a9    STATIC      Gi1/0/17
Total Mac Addresses for this criterion: 2

Mukesh-Kumar
Level 1

Here is the authentication status while the RADIUS servers are not available.

#show access-session interface gigabitEthernet 1/0/17 details
Interface: GigabitEthernet1/0/17
IIF-ID: 0x10BF7CA6
MAC Address: fc5c.xxxx.yyyy
IPv6 Address: Unknown
IPv4 Address: 172.37.88.18
Device-type: Un-Classified Device
Device-name: Unknown Device
Status: Authorized
Domain: UNKNOWN
Oper host mode: multi-auth
Oper control dir: in
Session timeout: N/A
Acct update timeout: 86400s (local), Remaining: 82396s
Common Session ID: D6581EAC00005FDBE56E7581
Acct Session ID: 0x00000e5b
Handle: 0xbb000451
Current Policy: IBNS2.0_DOT1XMAB_Policy


Local Policies:
Service Template: CRITICAL_VOICE_TEMPLATE (priority 150)
Voice Vlan: Vlan: 595
Service Template: CRITICAL_AUTH_VLAN (priority 150)

PradeepSingh
Level 1

Do you want to assign the 'internet only' VLAN to new clients connecting to the network when the RADIUS servers are unavailable?

Yes, and that is the VLAN we created and assigned in CRITICAL_AUTH_VLAN. VLAN 696 is created for having Internet access only. I think a Critical access list need not be created, as VLAN 696 is already created for the purpose.

PradeepSingh
Level 1

Hi @Mukesh-Kumar, it looks like the critical VLAN is not being assigned and the endpoint is still part of the production VLAN. If you look at the output of "show access-session interface gigabitEthernet 1/0/17 details", the VLAN ID is not mentioned for the critical VLAN but it is mentioned for the voice VLAN; only the service template name is shown (although I am not sure, as it is long since I have played with this). As @Greg Gibbs mentioned, can you verify the MAC address table for VLAN 696 on this switch, and specifically for the interface which you are using for testing?

PradeepSingh
Level 1

Hi @Mukesh-Kumar, can you please share the output of "sh derived-config interface GigabitEthernet1/0/17"?

@PradeepSingh I will provide it.