ISE 2.1 802.1x VLAN Mapping between MAB and Cert Authentication

thomas.windeck2
Level 1

Hello,

At the moment we use ISE 2.1.0.474 for 802.1x.

For our clients we use machine certificate authentication, and MAB for printers, access points, Linux and Apple devices.

Our problem is the default PXE option on our Windows clients. Our thinking about the authentication is these steps:

  1. MAB (for PXE boot)
  2. Cert
  3. Guest network / productive network

If we need PXE boot for some devices, we set a MAC address entry on ISE and the client gets access to the productive network.

If we get the machine certificate, the client gets access to the productive network too.

If we know nothing, the client will get guest access.

Some detailed information:

On ISE we have two policy sets:

  • 802.1x MAB
  • 802.1x Cert

MAB authentication policy config:

  • If authentication failed - Reject
  • If user not found - Continue
  • If process failed - Drop

Switch model: WS-C4510R+E, version cat4500es8-universalk9.SPA.03.07.01.E.152-3.E1.bin

Switch config:

authentication event fail action authorize vlan "GUEST"
authentication event server dead action reinitialize vlan "GUEST"
authentication event no-response action authorize vlan "GUEST"
authentication host-mode multi-host
authentication order mab dot1x
authentication priority mab dot1x

Problem:

Our client devices try the network boot first.

Then the client tries PXE boot for about 10 seconds (timeout). After 3 seconds the ISE RADIUS Live Log shows the "deny access" authorization policy because the MAB entry is not set on ISE. With this entry I want to switch this client port into the guest network.

There the client would get a dummy PXE entry from the DHCP server and all would be great.

But ISE does not switch the VLAN because the authentication will try the certificate.

After the "deny access" from the MAB default authorization policy (if user not found - continue), ISE will look for the machine certificate.

If the 802.1x cert authentication is active on the client and the certificate is correct, the device gets the company VLAN matching the company ID in the machine certificate. If it is false, the switch will set the guest VLAN.

Without ISE my dummy PXE boot config works in the guest network.

With the ISE config and only MAB on the switch interface it works too, because ISE does not search again after the MAB deny access.

Summarized: I need a VLAN switch from ISE between MAB and cert authentication. Is it possible?

I need it to send the PXE boot option via one DHCP exchange to the client, to stop the PXE boot interval.

Thanks a lot.

Thomas

Accepted Solution

Oliver Laue
Level 4

After reading it 3 times I think I understand your problem.

If the client hits the "deny access" rule, you think "authentication event fail action authorize vlan "GUEST"" should kick in?

The authentication event didn't fail because the RADIUS server responds with an Access-Reject, and the auth-fail VLAN should only be supported on single-host ports.

A solution for your problem could be an additional authorization rule or editing the default. Personally I don't like to edit the default.

Create a catch-all authorization rule just above the default, set the condition to Wired_MAB (should be a default on the system) and assign an authorization profile to it which sets your guest VLAN.

[Attachment: mabcatchrule.JPG]


3 Replies


Hi Oliver,

You are great. I have found the solution now.

I put the MAB guest entry before the default "deny access", and then I have to switch the priority from "mab dot1x" to "dot1x mab", because with "priority mab dot1x" dot1x does not work anymore once a MAB entry was correct.

authentication order mab dot1x
authentication priority dot1x mab

Now when a new client connects to the network, clients with a MAC entry switch into their MAB policy and unknown clients get the guest network. There the dummy PXE boot entry is active to stop the default BIOS interval. In the next step the client sends the machine cert and gets the correct productive network.

If we need the productive PXE boot, we make a MAB entry, do a reboot, and after the network connection the client switches into the correct productive network with the productive parameters. And it works :-)

Thanks for your fast reply.
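As an added illustration that is not part of the thread and not Cisco or ISE code: a small Python model of the behaviour Oliver's answer and Thomas's reply describe, i.e. a Wired_MAB catch rule placed above DenyAccess, combined with "authentication order mab dot1x" under either priority setting. The MAC address, the company ID in the certificate and the VLAN names are constructed for the example.

```python
# Model of the switch order/priority semantics and the ISE policy sets discussed
# in the thread. Constructed data; not Cisco or ISE code.
GUEST, PRODUCTIVE = "GUEST", "PRODUCTIVE"
MAB_ENDPOINTS = {"00:11:22:33:44:55"}      # constructed ISE endpoint entry (PXE device)
CERT_COMPANY_VLAN = {"ACME": PRODUCTIVE}   # constructed: company id in cert -> VLAN


def ise_mab(mac, catch_rule):
    """MAB policy set ('user not found -> continue'): rules are evaluated top-down,
    the Wired_MAB catch rule sits just above the DenyAccess default."""
    if mac in MAB_ENDPOINTS:
        return PRODUCTIVE
    if catch_rule:
        return GUEST
    return None                            # default rule: Access-Reject


def ise_dot1x(cert_company):
    """802.1x cert policy set: VLAN is chosen from the company id in the cert."""
    return CERT_COMPANY_VLAN.get(cert_company)


def port_vlans(mac, cert_company, catch_rule, priority):
    """Simulate 'authentication order mab dot1x' with the given priority tuple.
    Returns the VLANs the port passes through; [] means it is never authorized."""
    vlans, active = [], None
    vlan = ise_mab(mac, catch_rule)        # order: MAB runs first (PXE phase, no cert)
    if vlan:
        vlans.append(vlan)
        active = "mab"
    if cert_company is not None:           # later the OS supplicant presents the cert
        vlan = ise_dot1x(cert_company)
        # a method that succeeds later replaces the existing session only if it
        # has a higher priority (earlier in the tuple) than the active method
        if vlan and (active is None or priority.index("dot1x") < priority.index(active)):
            if not vlans or vlans[-1] != vlan:
                vlans.append(vlan)
            active = "dot1x"
    return vlans


if __name__ == "__main__":
    for prio in (("mab", "dot1x"), ("dot1x", "mab")):
        print(prio, port_vlans("aa:bb:cc:dd:ee:ff", "ACME", True, prio))
```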

You're welcome.

I forgot to mention that the priority should be switched, as a successful dot1x auth should override a MAB auth.