ISE 1.1.3 posture status OK but network connection failed

vrz rrr (Level 1)

Hello,

I am on my way to making this ISE work.

Now I am able to do posture assessment and reauthenticate successfully.

The logs say that it's OK; I have two lines.

NACAgent on the host does the job correctly, but the NIC says "Network failure" even though NACAgent grants access.

Any ideas, folks?

Regards.

Vincent.

The switch says:

03:04:28: %AUTHMGR-5-START: Starting 'dot1x' for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID C0A8066400000028009C4FA8
03:04:59: %DOT1X-5-FAIL: Authentication failed for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID
03:04:59: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID C0A8066400000028009C4FA8
03:04:59: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID C0A8066400000028009C4FA8
03:04:59: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID C0A8066400000028009C4FA8
03:04:59: %AUTHMGR-5-FAIL: Authorization failed for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID C0A8066400000028009C4FA8

Here is the SW's config:

aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group radius
!
!
aaa server radius dynamic-author
 client 192.168.6.10 server-key 123456789
!
aaa session-id common
!
no ip domain-lookup
ip domain-name security.com
ip dhcp excluded-address 192.168.6.29 192.168.6.100
!
ip dhcp pool test
   network 192.168.6.0 255.255.255.0
!
!
ip dhcp snooping vlan 1
ip device tracking
dot1x system-auth-control
dot1x critical eapol
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet1/0/1
 switchport mode access
 authentication open
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
interface Vlan1
 ip address 192.168.6.100 255.255.255.0
!
ip classless
ip http server
ip http secure-server
!
ip sla enable reaction-alerts
snmp-server community snmp RO
snmp-server enable traps mac-notification change move threshold
snmp-server host 192.168.6.10 version 2c snmp  mac-notification
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 192.168.6.10 auth-port 1645 acct-port 1646 key 123456789
radius-server vsa send accounting
radius-server vsa send authentication
!
!
line con 0
line vty 5 15
!
ntp clock-period 36029254
ntp server 192.168.6.29
end
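
An added example, not code from the thread or from Cisco: it parses the %AUTHMGR / %DOT1X lines quoted in the post above, groups them per client MAC and interface, and reports whether the switch actually authorized the client and how many seconds the attempt took. The sample log is the post's own six lines, re-embedded as a constant; the field layout the regex assumes is the one visible in those lines.

```python
import re
from collections import defaultdict

# Constructed sample: the %AUTHMGR / %DOT1X lines quoted in the post, re-embedded here.
SWITCH_LOG = """\
03:04:28: %AUTHMGR-5-START: Starting 'dot1x' for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID C0A8066400000028009C4FA8
03:04:59: %DOT1X-5-FAIL: Authentication failed for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID
03:04:59: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID C0A8066400000028009C4FA8
03:04:59: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID C0A8066400000028009C4FA8
03:04:59: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID C0A8066400000028009C4FA8
03:04:59: %AUTHMGR-5-FAIL: Authorization failed for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID C0A8066400000028009C4FA8
"""

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d): %(?P<mnemonic>[A-Z0-9]+-\d-[A-Z]+): (?P<msg>.*?) ?"
    r"for client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+)"
    r"(?: AuditSessionID ?(?P<sid>[0-9A-F]+)?)?$"
)

def parse_line(line):
    """Split one IOS auth-manager syslog line into fields; None if the line is something else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def group_by_client(log_text):
    """Group parsed events by (MAC, interface), keeping log order."""
    clients = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            clients[(rec["mac"], rec["intf"])].append(rec)
    return dict(clients)

def _secs(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s

def diagnose(events):
    """Verdict for one client's sequence and the seconds from its first to its last event."""
    names = [e["mnemonic"] for e in events]
    results = re.findall(r"result '([^']+)'", " ".join(e["msg"] for e in events))
    elapsed = _secs(events[-1]["time"]) - _secs(events[0]["time"])
    if "AUTHMGR-5-SUCCESS" in names:
        return "authorized", elapsed
    if "AUTHMGR-5-FAIL" in names and "AUTHMGR-7-NOMOREMETHODS" in names:
        # 'no-response' = the switch never got an EAPOL reply; with only dot1x on the port
        # there is no other method to fall back to, so authorization fails outright.
        why = "no EAPOL reply from the supplicant" if "no-response" in results else "method rejected"
        return f"not authorized: {why}, no remaining method", elapsed
    return "in progress", elapsed
```

For the posted lines the verdict is "not authorized" after 31 s, which is consistent with the port's dot1x timeout tx-period 10 and the default three EAP-Request/Identity attempts; since the port is in authentication open mode, traffic can still flow after that failure, which is why the switch-side result and the host-side view can disagree.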

4 Replies

vrz rrr (Level 1)

I think I have an issue with the pre-posture ACL and so forth.

What are the ACLs to set, both on ISE and on the switch?

Nothing works so far (Cisco documentation troubleshooting manual).

I have that ACL_PREPOSTURE on both the SW and ISE for the posture remediation profile:

deny udp any any eq domain
deny ip any host 192.168.6.10
permit ip any any

I have an ACL_ALLOW applied on the port:

ip access-list extended ACL-ALLOW
 permit ip any any

Please HELP!!

My IOS is:

c3750-ipbasek9-mz.122-55.SE7.bin

Regards.

Could anyone help???

For the time being, I won't recommend this product to my clients, as there are too many issues between the switch and ISE!!

Hi,

Can you please clarify the issue you are experiencing from the endpoint (is this performing dot1x)? I see the username in the logs but I am a little confused as to the debugs and the screenshot you provided. Also, please provide a screenshot of your authorization policy and the dACLs that are configured on ISE.

There are quite a few bugs regarding the 12.2(55)SE7 release, and I wanted to know if you are plugging in behind an IP phone.

Can you provide the running configuration of the port ("show run interface ...")? I would like to see the entire ACL configuration ("show run | sec ip access-list"). I would also like to see the following commands during the user connection stages (one when it first plugs in, another when it is in the posture-unknown state, and again after the final Access-Accept): "show authentication session interface ..." along with "show ip access-list interface xxx", together with a "debug radius authentication" for the entire event.

Thanks

Tarik Admani
*Please rate helpful posts*

Hello Tarik, thanks for trying to help!

I guess that we have all configured the Sw and ISE as described in the documentation.

It would be kind to give us a standard Sw config that works. In my opinion, the dACL is the point to be clarified urgently.

No IP phone at all.

How do we configure the dACL on ISE? (pre-posture, redirect)

What are the ports? (8443, 8905, any?)

Do we need an ACL to be set on the Sw before the dACL is applied?

Please answer those questions first, and we will provide you with some logs.

I'm not able to get stable behaviour any more.

Latest tested IOS: c3750-ipbasek9-mz.122-52.SE.bin (compatibility matrix on the Cisco website)

We waste a lot of time, not trying to debug the software, but trying to find which parts work together.

Thanks again Tarik.
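
An added example, not code from the thread or from Cisco, covering the ACL_PREPOSTURE and ACL-ALLOW bodies posted earlier and the dACL/redirect questions in the last post: it evaluates those ACL lines under the two roles such an ACL can play on the switch, as a port ACL or dACL (permit forwards, deny drops) and as the URL-redirect ACL (permit entries are sent to the ISE portal, deny entries are exempt), so the same three lines give opposite results depending on where they are applied. The toy parser understands only "any", "host X" and "eq <port>", and the flows are constructed.

```python
import ipaddress

# Constructed sample: the ACL bodies quoted in the thread (pre-posture ACL and port ACL).
ACL_PREPOSTURE = ["deny udp any any eq domain", "deny ip any host 192.168.6.10", "permit ip any any"]
ACL_ALLOW = ["permit ip any any"]

def _addr(tokens):
    """Consume 'any' or 'host X'; wildcard masks are not supported in this toy."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]      # any

def _port(tokens):
    """Consume an optional 'eq <port>' qualifier (numeric or one of the names below)."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (int(p) if p.isdigit() else {"domain": 53, "www": 80}[p]), tokens[2:]
    return None, tokens

def parse_ace(line):
    action, proto, *rest = line.split()
    src, rest = _addr(rest)
    sport, rest = _port(rest)
    dst, rest = _addr(rest)
    dport, rest = _port(rest)
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport)

def first_match(acl_lines, flow):
    """IOS evaluation: first matching entry wins; an implicit deny ends every ACL."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", flow["proto"]):
            continue
        if (ipaddress.ip_address(flow["src"]) not in ace["src"]
                or ipaddress.ip_address(flow["dst"]) not in ace["dst"]):
            continue
        if ace["sport"] not in (None, flow["sport"]) or ace["dport"] not in (None, flow["dport"]):
            continue
        return ace["action"]
    return "deny"

def port_decision(filter_acl, redirect_acl, flow):
    """Port ACL/dACL decides forwarding; the redirect ACL then picks what is intercepted."""
    if first_match(filter_acl, flow) != "permit":
        return "drop"
    return "redirect-to-ISE-portal" if first_match(redirect_acl, flow) == "permit" else "forward"

# Constructed flows from a client in the posture-unknown state (addresses are made up).
DNS   = dict(proto="udp", src="192.168.6.50", sport=50000, dst="192.168.6.1", dport=53)
AGENT = dict(proto="tcp", src="192.168.6.50", sport=50001, dst="192.168.6.10", dport=8905)
WEB   = dict(proto="tcp", src="192.168.6.50", sport=50002, dst="203.0.113.5", dport=80)
```

With ACL-ALLOW as the filter and ACL_PREPOSTURE as the redirect ACL, DNS and traffic to the ISE node are forwarded untouched and everything else is redirected; swapping the two roles shows what happens if the pre-posture body is pushed as a dACL instead: DNS and the agent's traffic to ISE are dropped.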