ISE 2.3 GUI shows an endpoint as "Default"

pnowikow
Level 1

Hello Community,


We run ISE 2.3 and I'm seeing a weird anomaly where the switch sees the endpoint as hitting the proper ACL & policy but the GUI shows it as hitting the "Default" AuthZ policy. It matches the endpoint profile, AD integration works and sees the user ID and proper AD computer name. IP address gets assigned, everything looks good. The same switchport sees the phone as well since we use the phone's interface to run the PC. I have 34 examples of this across multiple locations so I'm hoping it's all related to one core issue. We are in Monitor Mode so authentication open is being used on the port level config and the users can work normally. Is this a bug in the version of ISE or the IOS version?


Version 2.3.0.298
Installed Patches 5
Product Identifier (PID) ISE-VM-K9
Version Identifier (VID) V01
Serial Number (SN)
ADE-OS Version 3.0.3.030


Switch Ports Model             SW Version SW Image
------ ----- -----             ---------- ----------
*    1 52    WS-C2960X-48LPS-L 15.2(4)E6  C2960X-UNIVERSALK9-M


Thanks 

Pete



7 Replies

Colby LeMaire
VIP Alumni

Are you sure it says that you are hitting the "Default" authorization policy? Or is it the authentication policy? Or policy set? All of those would have a "Default". Double check that and post a screenshot of your Live Log entry showing that and also your policy.

Yes, I verified it's the AuthZ policy.


That entry shows a failure due to "Rejected per authorization profile", which makes sense since that error fires when no rule is matched and it hits Default at the end. What is probably happening is that you are seeing failures AND successes for the same endpoint. For example, MAB failing but 802.1x passes, which is why the ACL gets applied properly. In your Live Logs, filter on the Endpoint ID and see if there are any successes along with the failures.

After filtering on the Endpoint ID here is what I get.


Live Log entry 1
Time: 16:53.9
Status: Session
IP Address: 10.60.48.60
Device Port: GigabitEthernet1/0/21
Identity: host/xxx.com
Endpoint ID: 14:B3:1F:04:45:D7
Endpoint Profile: Windows10-Workstation
Authentication Policy: Wired >> Default
Authorization Policy: Wired >> ISE Domain Computer
Authorization Profiles: ISE_MACHINES

Live Log entry 2
Time: 16:53.0
Status: Auth Passed
IP Address: 10.60.48.60
Device Port: GigabitEthernet1/0/21
Identity: host/xxx.com
Endpoint ID: 14:B3:1F:04:45:D7
Endpoint Profile: Windows10-Workstation
Authentication Policy: Wired >> Default
Authorization Policy: Wired >> ISE Domain Computer
Authorization Profiles: ISE_MACHINES
Identity Group: Workstation
Server: CiscoISEVM01

(Repeat Count, Network Device, Posture Status and Mdm Server Name were empty in both entries.)

@Colby LeMaire wrote:

"What is probably happening is that you are seeing failures AND successes for the same endpoint. For example, MAB failing but 802.1x passes which is why the ACL gets applied properly."


Colby is correct. You can see in the Live Log screenshot that the Authentication Protocol is 'Lookup', which means that is a MAB session.

If your switchport configuration is using Flex Auth (authentication order mab dot1x) or a similar policy map order for IBNS 2.0, it is expected behavior to see a MAB session followed by a dot1x session for the same MAC address in the Live Logs. The dot1x auth process is slower than MAB, so the MAB auth session will complete first and hit the Default rule (unless you have an AuthZ policy matching on MAB). When the dot1x session completes, it will override the MAB session for the same MAC address (if you have 'authentication priority dot1x mab') and you will see that updated session information in the Live Logs.


Cheers,

Greg

Here's what's weird... the switch sees the workstation as successfully identified by ISE:


----------------------------------------
Interface: GigabitEthernet1/0/21
MAC Address: 14b3.1f04.45d7
IPv6 Address: Unknown
IPv4 Address: 10.60.48.60
User-Name: host/xxx.com
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: N/A
Common Session ID: 00000000000010EE1DD30EC9
Acct Session ID: 0x00003E9C
Handle: 0x2900003E
Current Policy: POLICY_Gi1/0/21

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
ACS ACL: xACSACLx-IP-MACHINE_ACL-5df3ede4

Method status list:
Method State
mab Stopped
dot1x Authc Success


That's correct. With Flex Auth, the switchport will stop the MAB process when it receives an EAPOL from the endpoint. The switch will show 'dot1x AuthC Success' after the dot1x process completes.

If you quickly look at the switchport auth session (or access-session, for IBNS 2.0) when the endpoint is first connected, you will see the 'MAB Auth Success' first while the dot1x process is in progress.
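As an added illustration (not code from this thread or from Cisco), this script does the correlation Colby and Greg describe: it groups Live Log rows by Endpoint ID and treats a MAB ('Lookup') session that landed on the Default authorization rule as the benign Flex Auth race only when a passing dot1x session follows on the same port within a short window; a Default hit with no such follow-up is flagged for a real look. The sample rows, timestamps, the EAP method shown and the field names are constructed, modelled on the Live Log columns quoted above.

```python
"""Correlate ISE Live Log rows per Endpoint ID: Flex Auth MAB/dot1x race vs. real Default hit."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows (not real Live Log export data). Field names follow the
# Live Log columns quoted in the thread; the EAP method is an assumed value.
SAMPLE_LIVE_LOG = [
    {"time": "2019-12-13 16:52:59.9", "status": "Auth Failed", "endpoint_id": "14:B3:1F:04:45:D7",
     "device_port": "GigabitEthernet1/0/21", "protocol": "Lookup",
     "authz_policy": "Wired >> Default", "failure_reason": "Rejected per authorization profile"},
    {"time": "2019-12-13 16:53:00.0", "status": "Auth Passed", "endpoint_id": "14:B3:1F:04:45:D7",
     "device_port": "GigabitEthernet1/0/21", "protocol": "PEAP (EAP-MSCHAPv2)",
     "authz_policy": "Wired >> ISE Domain Computer", "failure_reason": ""},
    # Constructed second endpoint: MAB hit Default and no dot1x session ever followed.
    {"time": "2019-12-13 16:55:10.0", "status": "Auth Failed", "endpoint_id": "AA:BB:CC:00:00:01",
     "device_port": "GigabitEthernet1/0/30", "protocol": "Lookup",
     "authz_policy": "Wired >> Default", "failure_reason": "Rejected per authorization profile"},
]

TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"


def classify(records, window=timedelta(seconds=30)):
    """Return {endpoint_id: verdict}.

    A 'Lookup' (MAB) row whose authorization policy ends in '>> Default' is benign when a
    non-MAB row with status 'Auth Passed' follows on the same port within `window`
    (Flex Auth: MAB finishes first, dot1x overrides it). Otherwise it needs investigation.
    """
    by_mac = defaultdict(list)
    for r in records:
        by_mac[r["endpoint_id"]].append(dict(r, ts=datetime.strptime(r["time"], TIME_FMT)))
    verdicts = {}
    for mac, rows in by_mac.items():
        rows.sort(key=lambda r: r["ts"])
        benign, unresolved = False, False
        for i, r in enumerate(rows):
            if r["protocol"] != "Lookup" or not r["authz_policy"].endswith(">> Default"):
                continue  # not a MAB hit on the Default rule
            followed = any(later["protocol"] != "Lookup" and later["status"] == "Auth Passed"
                           and later["device_port"] == r["device_port"]
                           and later["ts"] - r["ts"] <= window for later in rows[i + 1:])
            benign |= followed
            unresolved |= not followed
        verdicts[mac] = ("default hit unresolved" if unresolved
                         else "flex-auth race (benign)" if benign else "ok")
    return verdicts


if __name__ == "__main__":
    for mac, verdict in classify(SAMPLE_LIVE_LOG).items():
        print(mac, "->", verdict)
```

Shrinking the window below the switch's dot1x completion time turns benign races into unresolved hits, so size it from the 'authentication timer' values actually configured on the port.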