01-29-2020 09:42 AM
Hello Community,
We run ISE 2.3 and I'm seeing a weird anomaly where the switch sees the endpoint as hitting the proper ACL & policy, but the GUI shows it as hitting the "Default" AuthZ policy. It matches the endpoint profile, AD integration works and sees the user ID and proper AD computer name. The IP address gets assigned, everything looks good. The same switchport sees the phone as well since we use the phone's interface to run the PC. I have 34 examples of this across multiple locations, so I'm hoping it's all related to one core issue. We are in Monitor Mode, so authentication open is being used on the port-level config and the users can work normally. Is this a bug in the version of ISE or the IOS version?
------ ----- ----- ---------- ----------
* 1 52 WS-C2960X-48LPS-L 15.2(4)E6 C2960X-UNIVERSALK9-M
Thanks
Pete
01-29-2020 10:18 AM
Are you sure it says that you are hitting the "Default" authorization policy? Or is it the authentication policy? Or policy set? All of those would have a "Default". Double check that and post a screenshot of your Live Log entry showing that and also your policy.
01-29-2020 11:22 AM - edited 01-29-2020 01:48 PM
Yes, I verified it's the AuthZ policy.
01-29-2020 11:30 AM
That entry shows a failure due to "Rejected per authorization profile" which makes sense since that error fires when no rule is matched and hits default at the end. What is probably happening is that you are seeing failures AND successes for the same endpoint. For example, MAB failing but 802.1x passes which is why the ACL gets applied properly. In your Live Logs, filter on the Endpoint ID and see if there are any successes along with the failures.
01-29-2020 12:57 PM - edited 01-29-2020 01:50 PM
After filtering on the Endpoint ID here is what I get.
Time | Status | Repeat Count | IP Address | Network Device | Device Port | Identity | Endpoint ID | Endpoint Profile | Authentication Policy | Authorization Policy | Authorization Profiles | Identity Group | Posture Status | Server | Mdm Server Name
16:53.9 | Session | | 10.60.48.60 | | GigabitEthernet1/0/21 | host/xxx.com | 14:B3:1F:04:45:D7 | Windows10-Workstation | Wired >> Default | Wired >> ISE Domain Computer | ISE_MACHINES | | | |
16:53.0 | Auth Passed | | 10.60.48.60 | | GigabitEthernet1/0/21 | host/xxx.com | 14:B3:1F:04:45:D7 | Windows10-Workstation | Wired >> Default | Wired >> ISE Domain Computer | ISE_MACHINES | Workstation | | CiscoISEVM01 |
01-29-2020 01:57 PM
@Colby LeMaire wrote:
"What is probably happening is that you are seeing failures AND successes for the same endpoint. For example, MAB failing but 802.1x passes which is why the ACL gets applied properly."
Colby is correct. You can see in the Live Log screenshot that the Authentication Protocol is 'Lookup', which means that is a MAB session.
If your switchport configuration is using Flex Auth (authentication order mab dot1x) or a similar policy map order for IBNS 2.0, it is expected behavior to see a MAB session followed by a dot1x session for the same MAC address in the Live Logs. The dot1x auth process is slower than MAB, so the MAB auth session will complete first and hit the Default rule (unless you have an AuthZ policy matching on MAB). When the dot1x session completes, it will override the MAB session for the same MAC address (if you have 'authentication priority dot1x mab') and you will see that updated session information in the Live Logs.
Cheers,
Greg
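Added example (not from this thread or from Cisco): a small Python triage of Live Log rows per Endpoint ID, implementing Colby's "filter on the Endpoint ID" check and Greg's Flex Auth ordering rule. It separates the expected MAB-hits-Default-then-dot1x-passes pattern from endpoints where only a MAB session ever reached Default, which in Monitor Mode (authentication open) means the host is on the wire without the intended ACL. The rows, MACs and times are constructed; the column names follow the Live Log quoted above.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample Live Log rows (MACs and times invented for this example):
# (time, endpoint MAC, authentication protocol, status, authorization policy)
SAMPLE_ROWS = [
    ("16:53:00.0", "00:11:22:AA:BB:01", "Lookup", "Auth Failed", "Wired >> Default"),
    ("16:53:00.9", "00:11:22:AA:BB:01", "EAP-TLS", "Auth Passed", "Wired >> ISE Domain Computer"),
    ("17:04:12.3", "00:11:22:AA:BB:02", "Lookup", "Auth Failed", "Wired >> Default"),
    ("17:10:05.1", "00:11:22:AA:BB:03", "Lookup", "Auth Passed", "Wired >> IP-Phones"),
]


def _parse(t):
    return datetime.strptime(t, "%H:%M:%S.%f")


def triage(rows):
    """Classify each endpoint MAC seen in the Live Log rows.

    'flexauth_overlap'  MAB ('Lookup') hit the Default rule, then a later dot1x
                        session passed: expected with 'authentication order mab
                        dot1x' + 'authentication priority dot1x mab'; the switch
                        enforces the dot1x result, so the Default hit is noise.
    'mab_default_only'  only MAB rows and all of them landed on Default: no dot1x
                        session ever completed, so investigate the supplicant.
    'ok'                latest session passed without touching the Default rule.
    'failed'            anything else (latest session did not pass).
    """
    by_mac = defaultdict(list)
    for row in rows:
        by_mac[row[1]].append(row)
    verdict = {}
    for mac, entries in by_mac.items():
        entries.sort(key=lambda r: _parse(r[0]))
        mab_default = [r for r in entries if r[2] == "Lookup" and r[4].endswith(">> Default")]
        dot1x_pass = [r for r in entries if r[2] != "Lookup" and r[3] == "Auth Passed"]
        if mab_default and dot1x_pass and _parse(dot1x_pass[-1][0]) > _parse(mab_default[-1][0]):
            verdict[mac] = "flexauth_overlap"
        elif mab_default and not dot1x_pass:
            verdict[mac] = "mab_default_only"
        elif entries[-1][3] == "Auth Passed":
            verdict[mac] = "ok"
        else:
            verdict[mac] = "failed"
    return verdict


if __name__ == "__main__":
    for mac, result in sorted(triage(SAMPLE_ROWS).items()):
        print(mac, result)
```

Only the 'mab_default_only' endpoints need a look at the switchport (is the supplicant sending EAPOL at all?); the rest is the normal MAB-then-dot1x sequence Greg describes.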
01-29-2020 02:00 PM
Here's what's weird... the switch sees the workstation as successfully identified by ISE
----------------------------------------
Interface: GigabitEthernet1/0/21
MAC Address: 14b3.1f04.45d7
IPv6 Address: Unknown
IPv4 Address: 10.60.48.60
User-Name: host/xxx.com
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: N/A
Common Session ID: 00000000000010EE1DD30EC9
Acct Session ID: 0x00003E9C
Handle: 0x2900003E
Current Policy: POLICY_Gi1/0/21
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Server Policies:
ACS ACL: xACSACLx-IP-MACHINE_ACL-5df3ede4
Method status list:
Method State
mab Stopped
dot1x Authc Success
01-29-2020 02:18 PM
That's correct. With Flex Auth, the switchport will stop the MAB process when it receives an EAPOL from the endpoint. The switch will show 'dot1x AuthC Success' after the dot1x process completes.
If you quickly look at the switchport auth session (or access-session, for IBNS 2.0) when the endpoint is first connected, you will see the 'MAB Auth Success' first while the dot1x process is in progress.