11-24-2016 01:46 PM - edited 03-11-2019 12:15 AM
Hi!
I am new to ISE world.
I have different authorization policies based on computer and user. Once the computer starts, it is assigned to a VLAN based on its security group membership. If a user logs in to the same computer, then the second authorization kicks in and an IP is assigned from the VLAN based on the user's security group.
It works on a 2900 series switch, but the same thing doesn't work on a Catalyst 4500E (12.54). I have matched the config for dot1x on both switches and they look fine.
The issue is that on the Catalyst 4500 the second authorization doesn't work. Only the first policy, which is for computer authentication, works.
Any suggestion on this?
Thanks
Capricorn
11-29-2016 09:56 AM
Hello Capricorn-
My guess is that you are hitting a bug with the version of code that you are running on the 4500. Can you provide the following info:
- Exact chassis model (Obtain from show ver)
- Exact version code (Obtain from show ver)
- Output from the following command: show authentication session interface interface_name_number
- Configuration of the affected port
Thank you for rating helpful posts!
12-06-2016 01:28 AM
Thanks Neno for looking into this. Please see below.
WS-C4506-E
cat4500e-ipbasek9-mz.122-54.SG1.bin
description ISE
switchport access vlan 550
switchport mode access
switchport voice vlan 300
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 5
dot1x max-reauth-req 1
spanning-tree portfast
spanning-tree guard root
--------
show authentication sessions interface gigabitEthernet 3/31
Interface: GigabitEthernet3/31
MAC Address: a0b3.cc23.xxxx
IP Address: 10.2.7.227
User-Name: host/testcomputer.mydomain.com
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 109
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0AF4DC0C0000003D8153AA91
Acct Session ID: 0x00005255
Handle: 0xA300003E
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
12-14-2016 04:05 AM
Hi again!
Anyone can look into this?
Thanks
12-15-2016 03:25 PM
Sorry about that. I thought I replied to the thread but I guess I missed it :/
So, based on what you have provided I see two things that look strange:
1. The username provided in the session is the name of a computer, not an actual user. Thus, it appears that the user auth is not even seen by the switch/ISE.
2. In the port config you have a pre-auth ACL (ACL-DEFAULT) but I don't see a dACL in the authorization policy. So my question here is: Are you returning a dACL with your authorization policy? If not, I would suggest doing that as you need a dACL to replace the pre-auth ACL. Otherwise, the pre-auth ACL remains on the port even after successful authentication/authorization. You can quickly test this by pushing a "permit ip any any" with both authorization profiles.
Thank you for rating helpful posts!
12-16-2016 02:46 AM
Hi!
Thanks for looking into it.
Everything works fine if I have a computer connected to a Catalyst 2960G (Version 12.2(44)SE6), and it doesn't work if I connect the same computer to the WS-C4506-E.
To me it looks OK from ISE, as it works for the 2960G. What do you say?
Thanks
12-17-2016 01:39 PM
So the reason I suggest you try the dACL is because the behavior of the default Pre-Auth ACL changed between versions and switch family. I had a link that described this but cannot find it now.
I would definitely configure and push a dACL and see if that fixes the problem.
Thank you for rating helpful posts!
12-22-2016 05:13 AM
Hi!
We are already pushing DACL to it.
I can see the DACL is coming down to switch.
Thanks
12-23-2016 11:49 AM
If you are pushing a dACL then I would expect to see " ACS ACL:your_dACL_name" in the output from "show authentication session..." I did not see that in the output that you provided. To test this further, you can issue "show ip access-list interface interface_name" after the session has completed.
Thank you for rating helpful posts!
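As an added check (not code from this thread or from Cisco), a small Python parser for the "show authentication sessions interface" output that flags the two observations Neno raised: a User-Name of the form host/... (machine auth only) and a missing "ACS ACL:" line (dACL not applied). The field names follow the output as posted; the sample below is constructed from it.

```python
# Constructed sample based on the session output posted in the thread
# (MAC masked as posted); note that no "ACS ACL:" line is present.
SAMPLE_SESSION = """\
Interface: GigabitEthernet3/31
MAC Address: a0b3.cc23.xxxx
IP Address: 10.2.7.227
User-Name: host/testcomputer.mydomain.com
Status: Authz Success
Domain: DATA
Authorized By: Authentication Server
Vlan Policy: 109
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
"""


def parse_session(text):
    """Turn 'show authentication sessions interface ...' output into a dict.
    'Key: Value' lines become entries; the runnable-methods table is kept
    under 'methods' as {method: state}."""
    fields, methods, in_methods = {}, {}, False
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("Runnable methods list"):
            in_methods = True
        elif in_methods and not line.startswith("Method"):
            name, _, state = line.partition(" ")
            methods[name] = state.strip()
        elif not in_methods:
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
    fields["methods"] = methods
    return fields


def audit_session(fields):
    """Flag the two conditions raised in the thread, plus a failed authz."""
    findings = []
    if fields.get("User-Name", "").startswith("host/"):
        findings.append("machine-only: User-Name is a computer account; "
                        "the user authentication never reached the switch")
    if "ACS ACL" not in fields:
        findings.append("no-dacl: no 'ACS ACL:' line, so the pre-auth ACL "
                        "(ACL-DEFAULT) is likely still applied on the port")
    if fields.get("Status") != "Authz Success":
        findings.append("authz: Status is %r" % fields.get("Status"))
    return findings
```

Run it against the pasted output after each reauthentication; a clean session should produce no findings.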
01-12-2017 05:34 AM
I get this:
show ip access-lists interface gigabitEthernet 3/31
permit ip any any (30 estimate matches)