ISE 2.4 - Dot1x / Wired MAB Re-auth issue

Y C
Level 1

I'm trying to implement wired dot1x with MAB backup for devices that don't support dot1x, using ISE 2.4 for RADIUS. I got dot1x working fine with Windows clients. The next step was to profile devices that don't support dot1x based on OUI.

I plugged my test device in. Of course it initially failed, as nothing was set up yet, and hit the default deny access policy. This wasn't a device that ISE profiled out of the box. I built the OUI check (based on company name, not hex characters), authorization policy, condition, result, etc. After a bit of troubleshooting I realized I had the OUI name set to "equals blabla" instead of "contains blabla", so I corrected that. Everything should work at this point.

Checking the live log I could see the expected failure (15039 Rejected per authorization profile). No matter what I did (clear auth cache, shut/no shut the interface, delete the endpoint from ISE...), I couldn't get ISE to show any updates in the live logs. The switch clearly showed the auth session was restarting. I tried to play with the reauth timers as well. Suddenly, on its own, it started working: ISE reported "5238 Endpoint authentication problem was fixed" and things proceeded as normal.

This is the second time doing this exercise, with a different endpoint / OUI. The first time, the ISE logs showed hourly failures until I added "authentication timer reauthenticate server". That didn't work this time... I tried the manual 60 seconds as well, to no avail, until, as mentioned, it suddenly started working. The time from the last failure to the "problem was fixed..." message was approximately 69 minutes. Any shut/no shut now and it works as expected: MAB kicks in after the 90-second dot1x timeout and the port switches to the proper VLAN.

Switchport config is below. What am I missing? I'm betting there's a timer or ISE setting I'm overlooking. While I'm glad it works now, I don't want to sit an hour every time I set up a new endpoint profile.

 switchport access vlan ##
 switchport mode access
 switchport voice vlan ####
 load-interval 30
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication event fail action next-method
 authentication event server dead action authorize vlan ###
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 60
 authentication timer unauthorized 60
 authentication violation restrict
 mab
 no snmp trap link-status
 mls qos trust device cisco-phone
 mls qos trust cos
 dot1x pae authenticator
 spanning-tree portfast edge
 service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY

4 Replies

What attributes are you using to match the OUI? Are you receiving it from SNMP, DHCP, etc.? I suggest you configure device sensor to send attributes to ISE for profiling.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/15-0_1_se/device_sensor/guide/sensor_guide.html#wp1112722
Then check your aaa accounting configuration, as you need to configure it to send periodic updates.

Looks like device-sensor was already configured.
I don't think it's a matter of ISE not receiving the info. During the 69 minutes it wasn't working I could delete the endpoint from ISE and it would re-appear. It was profiled properly per the manually created profile. The live log just didn't show any attempts coming in.
A-ha! This may have been it. On by default....
hslai
Cisco Employee

RADIUS Settings > Suppress Repeated Failed Clients

is ON by default and jails the client for 60 minutes when meeting the configured number of failures prior to automatic rejection.
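To make the roughly hour-long silence in the live log concrete, here is an added toy model of the suppression behaviour hslai describes; it is not ISE's code nor the poster's, and the failure threshold, the reauth cadence and the MAC address are constructed assumptions.

```python
"""Toy model of ISE's "Suppress Repeated Failed Clients" behaviour.
Constructed example, not ISE code: after a configured number of failures
the endpoint is jailed and its further RADIUS requests are ignored for the
jail period, so the live log shows no new attempts until the jail expires.
"""
from dataclasses import dataclass, field

@dataclass
class Suppressor:
    failures_before_jail: int = 2   # assumed threshold (not from the thread)
    jail_minutes: int = 60          # 60-minute jail, as hslai describes
    _fail_count: dict = field(default_factory=dict)
    _jailed_until: dict = field(default_factory=dict)

    def handle(self, mac, t_min, result):
        """Return 'logged' if the request reaches the live log, else 'suppressed'."""
        until = self._jailed_until.get(mac)
        if until is not None and t_min < until:
            return "suppressed"          # still jailed: request silently ignored
        if until is not None:            # jail expired: clean slate
            del self._jailed_until[mac]
            self._fail_count[mac] = 0
        if result == "fail":
            self._fail_count[mac] = self._fail_count.get(mac, 0) + 1
            if self._fail_count[mac] >= self.failures_before_jail:
                self._jailed_until[mac] = t_min + self.jail_minutes
        else:
            self._fail_count[mac] = 0    # a success resets the counter
        return "logged"

def replay(events, threshold=2, jail=60):
    """Run a (minute, mac, result) timeline through one Suppressor."""
    s = Suppressor(threshold, jail)
    return [(t, s.handle(mac, t, r)) for t, mac, r in events]

# Constructed timeline for one MAB endpoint (minutes since plug-in). The
# authorization policy is fixed at t=5, but the switch's periodic reauths
# ("authentication timer reauthenticate 60") are dropped until the jail ends.
EVENTS = [
    (0, "aa:bb:cc:00:00:01", "fail"),
    (1, "aa:bb:cc:00:00:01", "fail"),   # 2nd failure -> jailed until t=61
    (2, "aa:bb:cc:00:00:01", "fail"),   # never reaches the live log
    (30, "aa:bb:cc:00:00:01", "pass"),  # policy fixed, still jailed
    (61, "aa:bb:cc:00:00:01", "pass"),  # jail over: shows up in live log
]

if __name__ == "__main__":
    for t, outcome in replay(EVENTS):
        print(f"t={t:>3} min: {outcome}")
```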