Internet Access Only for Critical Vlan IBNS2.0 dot1x

Mukesh-Kumar
Level 1

I am seeking help to configure Internet access only for new devices connecting to the network. Here is the Critical Vlan configured in IBNS2.0:

10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
10 activate service-template CRITICAL_AUTH_VLAN
20 activate service-template CRITICAL_VOICE_TEMPLATE
30 authorize
40 pause reauthentication

#show access-session interface gigabitEthernet 1/0/17 details
Interface: GigabitEthernet1/0/17
IIF-ID: 0x10BF7CA6
MAC Address: fc5c.xxxx.yyyy
IPv6 Address: Unknown
IPv4 Address: 172.37.88.18
Device-type: Un-Classified Device
Device-name: Unknown Device
Status: Authorized
Domain: UNKNOWN
Oper host mode: multi-auth
Oper control dir: in
Session timeout: N/A
Acct update timeout: 86400s (local), Remaining: 82396s
Common Session ID: D6581EAC00005FDBE56E7581
Acct Session ID: 0x00000e5b
Handle: 0xbb000451
Current Policy: IBNS2.0_DOT1XMAB_Policy


Local Policies:
Service Template: CRITICAL_VOICE_TEMPLATE (priority 150)
Voice Vlan: Vlan: 595
Service Template: CRITICAL_AUTH_VLAN (priority 150)

#show service-template CRITICAL_AUTH_VLAN
Name : CRITICAL_AUTH_VLAN
Description : NONE
VLAN : 696
VNID : NONE
MDNS POLICY : NONE

show service-template CRITICAL_VOICE_TEMPLATE
Name : CRITICAL_VOICE_TEMPLATE
Description : NONE
VLAN : 595
VNID : NONE
Voice Vlan : yes
MDNS POLICY : NONE

@Arne Bier @MHM Cisco World

20 Replies

Hello @PradeepSingh @Greg Gibbs @Rob Ingram @MHM Cisco World 

Here is the update. It looks like the Critical Vlan is not being assigned. All relevant logs are here for the sake of clarity, with the updated VLANs assigned.

#show service-template CRITICAL_AUTH_VLAN
Name : CRITICAL_AUTH_VLAN
Description : NONE
VLAN : 1000
VNID : NONE
MDNS POLICY : NONE
#show service-template CRITICAL_VOICE_TEMPLATE
Name : CRITICAL_VOICE_TEMPLATE
Description : NONE
VLAN : 3289
VNID : NONE
Voice Vlan : yes
MDNS POLICY : NONE

ISETestSwitch-3#show access-session interface gigabitEthernet 1/0/17 details
Interface: GigabitEthernet1/0/17
IIF-ID: 0x17A01C68
MAC Address: fc5c.eeb2.f5a9
IPv6 Address: Unknown
IPv4 Address: 172.30.88.18
Device-type: Un-Classified Device
Device-name: Unknown Device
Status: Authorized
Domain: UNKNOWN
Oper host mode: multi-auth
Oper control dir: in
Session timeout: N/A
Acct update timeout: 86400s (local), Remaining: 82105s
Common Session ID: D6581EAC00007984FEDF3378
Acct Session ID: 0x00001b28
Handle: 0xe8000b7e
Current Policy: DOT1X_MAB_POLICY


Local Policies:
Service Template: CRITICAL_VOICE_TEMPLATE (priority 150)
Voice Vlan: Vlan: 3288
Service Template: CRITICAL_AUTH_VLAN (priority 150)

Server Policies:


Method status list:
Method State
dot1x Authc Failed

ISETestSwitch-3#show derived-config interface gigabitEthernet 1/0/17
Building configuration...

Derived configuration : 653 bytes
!
interface GigabitEthernet1/0/17
description "Closed Mode"
switchport access vlan 288
switchport mode access
switchport voice vlan 3288
device-tracking attach-policy IPDT_POLICY
authentication timer unauthorized 600
authentication periodic
authentication timer reauthenticate server
access-session control-direction in
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
auto qos trust
spanning-tree portfast
service-policy type control subscriber DOT1X_MAB_POLICY
service-policy input AutoQos-4.0-Trust-Cos-Input-Policy
service-policy output AutoQos-4.0-Output-Policy

We also have an idle-time probe defined:

automate-tester username xxxx ignore-acct-port idle-time 10

However, I do not see any log for radius failure at any point of time.

10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
10 activate service-template CRITICAL_AUTH_VLAN
20 activate service-template CRITICAL_VOICE_TEMPLATE
30 authorize
40 pause reauthentication

Any thoughts, please?

This is a bit difficult to follow as the VLANs referenced in the latest information are different than those from the earlier discussions.

Your service-template CRITICAL_VOICE_TEMPLATE shows a VLAN of 3289. Where does this VLAN come from and why is it different from the voice vlan configured on the switchport (3288)?
The CRITICAL_VOICE_TEMPLATE should simply be authorizing a phone on the preconfigured voice VLAN for the switchport. With the RADIUS servers unreachable, the phone should learn the voice VLAN from CDP and tag its traffic on that VLAN. The switch would then authorize the traffic on that VLAN (in the voice domain) for the phone when in the critical state without requiring authorization from the RADIUS server.

As per the ISE Secure Wired Access Prescriptive Deployment Guide, the validated and recommended configuration for the class within this event is:

  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 clear-authenticated-data-hosts-on-port
   20 activate service-template CRITICAL_AUTH_ACCESS
   30 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   40 authorize
   50 pause reauthentication

I would suggest basing your configuration off of the examples in that guide.

@Greg Gibbs  Thank you and I have updated the configuration for the class "AAA_SVR_DOWN_UNAUTHD_HOST" as per guide.

1. As per your above note and the referred guide, please confirm: the Voice VLAN should be the same both under DEFAULT_CRITICAL_VOICE_TEMPLATE and on the interface. In my case it should be 3288 as per my interface. I should keep the same Voice VLAN 3288 under DEFAULT_CRITICAL_VOICE_TEMPLATE.

2. In the case where switches are in a stack and there is more than one Voice VLAN under the interfaces, can we define more than one VLAN under DEFAULT_CRITICAL_VOICE_TEMPLATE?

Hello @PradeepSingh @Greg Gibbs @Rob Ingram @MHM Cisco World 

Further to my earlier post, after updating the class "AAA_SVR_DOWN_UNAUTHD_HOST", it appears to me that the Critical Vlan for data is still not being assigned.

#show mac address-table interface gigabitEthernet 1/0/17
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
288 fc5c.eeb2.f5a9 STATIC Gi1/0/17
3288 fc5c.eeb2.f5a9 STATIC Gi1/0/17
Total Mac Addresses for this criterion: 2
fc5c.eeb2.f5a9 is the mac address of the supplicant.

If I take mac address table for Critical vlan,

show mac address-table vlan 1000
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
1000 0010.7f7f.df06 DYNAMIC Gi1/0/47
1000 0010.7f82.f416 DYNAMIC Gi1/0/47
1000 0090.5e1f.69f2 DYNAMIC Gi1/0/47
1000 6230.d271.be46 DYNAMIC Gi1/0/47
1000 f40f.1b2c.bb0f DYNAMIC Gi1/0/47

I do not see the mac address of the supplicant in question. Any thoughts?

@PradeepSingh @Greg Gibbs @Rob Ingram @MHM Cisco World 

Thank you all for your great support. Thanks for your time.

I am able to see the Critical Data Vlan. As per the document and as mentioned by @Greg Gibbs, I just need to enable voice vlan on the template as below. I do not need to have the VLAN ID under the Critical Voice Vlan, see below:

show service-template CRITICAL_VOICE_TEMPLATE
Name : CRITICAL_VOICE_TEMPLATE
Description : NONE
VLAN : NONE
VNID : NONE
Voice Vlan : yes
MDNS POLICY : NONE

I am able to see the critical data vlan and voice vlans being assigned as below

show mac address-table interface gigabitEthernet 1/0/17
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
3288 fc5c.eeb2.f5a9 STATIC Gi1/0/17
1000 fc5c.eeb2.f5a9 STATIC Gi1/0/17

Further, I verified that my computer is able to access only the Internet. No access to internal resources.
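For reference, here is a complete critical-authentication configuration that puts together the class order Greg Gibbs quoted from the prescriptive guide and the finding above that the voice template only needs "voice vlan" without a VLAN ID. This is an added example, not configuration posted in the thread or taken verbatim from Cisco's guide. The data VLAN 1000, the voice VLAN 3288 and the automate-tester line come from the thread; the ACL name CRITICAL_INTERNET_ONLY, the RADIUS server name and address, and the RFC 1918 ranges used to define "internal" are assumptions chosen for illustration. The ACL is the part that actually makes the critical VLAN Internet-only: moving a host into VLAN 1000 alone does not restrict where it can reach.

```cisco
! Added example (not from the thread or from Cisco's guide verbatim).
! Assumed names: ISE-PSN-1, CRITICAL_INTERNET_ONLY, probe-user; adjust to your environment.

! 1. The switch must declare the RADIUS servers dead before AAA_SVR_DOWN_* can match.
!    Without dead-criteria/deadtime the critical class never fires and no "RADIUS failure"
!    log is produced, which matches the symptom reported earlier in the thread.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
radius server ISE-PSN-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key SHARED-SECRET-PLACEHOLDER
 automate-tester username probe-user ignore-acct-port idle-time 10

! 2. Let EAPoL exchanges complete in the critical state and recover automatically
!    (delay in milliseconds) once a server comes back.
dot1x critical eapol
authentication critical recovery delay 1000

! 3. Internet-only port ACL for critical-VLAN hosts. DHCP and DNS are permitted first
!    (so an internal resolver still works), internal ranges are denied explicitly,
!    and everything else (the Internet) is permitted.
ip access-list extended CRITICAL_INTERNET_ONLY
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any

! 4. Service templates: the data template carries the critical VLAN plus the ACL;
!    the voice template only flags the session as voice, so the switchport's own
!    "switchport voice vlan 3288" is what the phone ends up on.
service-template CRITICAL_AUTH_ACCESS
 description Critical data VLAN - Internet only
 vlan 1000
 access-group CRITICAL_INTERNET_ONLY
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan

! 5. Class maps for the RADIUS-unreachable condition and for sessions already in critical state.
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match result-type aaa-timeout
 match authorization-status authorized
class-map type control subscriber match-all IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_AUTH_ACCESS
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_AUTH_ACCESS

! 6. Only the critical-related events of the port policy are shown; session-started,
!    authentication-success and the other events stay as already configured.
policy-map type control subscriber DOT1X_MAB_POLICY
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 clear-authenticated-data-hosts-on-port
   20 activate service-template CRITICAL_AUTH_ACCESS
   30 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   40 authorize
   50 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
```

When testing, confirm with "show aaa servers" that the server state is actually DEAD before expecting the critical class to match; "show access-session interface gigabitEthernet 1/0/17 details" should then list CRITICAL_AUTH_ACCESS and DEFAULT_CRITICAL_VOICE_TEMPLATE under Local Policies, and "show mac address-table interface gigabitEthernet 1/0/17" should show the supplicant in VLAN 1000 as in the output above. The aaa-available event clears critical sessions once a server returns so that hosts are re-authenticated against ISE rather than staying on the Internet-only VLAN indefinitely.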

MHM