05-27-2016 05:01 AM
Hi all,
I'm working closely with a partner on a specific customer case, and we have some issues when testing high availability; in this case, AD is down.
In short :
Using the legacy style, there was no way for the switch to see whether it was a dot1x request or a MAB one. When AD is down, the ISE servers are configured to DROP the packet so that the ISE PSN is marked dead in the RADIUS config.
Using MAB on the same switch causes the connected ports with 802.1x clients that have been put into "CRITICAL AUTH" to reinitialize and try to reauthenticate, which causes an on/off/on/off/on... scenario.
We have worked on multiple solutions, and for now we are working on using C3PL to get this working.
A really cool thing with C3PL is that we will be able to start MAB and dot1x at the same time. Any caveats/pitfalls we are not aware of?
So, I want to hear what other customers/users do in this scenario?
Do we (Cisco) recommend using C3PL for this, or not?
And furthermore, if anyone is using C3PL, please share your config.
Best regards
Tue Noergaard
CSE - Cisco DK
05-27-2016 05:19 AM
Tue, thanks for sharing your experience. It is true that IBNS 2.0 (AKA C3PL Syntax) works wonders due to its flexibility. Aside from what you brought up it can provide CRITICAL ACL feature where switch can add/remove ACL based on AAA status, simplify interface configurations, use multiple RADIUS servers for ports and MAB/802.1X among other things. When it comes to ISE, customers can use either method on their switches based on their needs.
The simultaneous auth available with IBNS 2.0 should work, but it hasn't been explicitly tested with ISE. One side effect of such a configuration would be additional load on the servers, as each endpoint connecting will have two authentications.
I am also interested in hearing from others around unique ways using IBNS 2.0 so please feel free to post sample configurations.
Hosuk
05-27-2016 05:37 AM
Hi,
Do we provide any best practice advice on this subject?
The customer in this case needs to know if C3PL is the right way to go or not...
br,
Tue
05-27-2016 05:50 AM
I can't say it is the best practice, but one workaround you can try is to define the same ISE node two times with different RADIUS ports: one using 1645 & 1646 and another with the same IP using 1812 & 1813. With IBNS 2.0 you can point 802.1X to the first one and MAB to the second one, and getting no response due to AD will not impact the MAB requests, as it is considered a separate RADIUS server from the switch side.
Hosuk
05-27-2016 06:06 AM
hi,
Thanks for your replies
Do you know of any customers actually using C3PL in production?
We need to ease the customer's mind that this is a "safe and/or recommended" way to follow.
/Tue
05-27-2016 06:17 AM
Yes many customers are already on IBNS 2.0 mainly due to CRITICAL ACL feature.
06-01-2016 02:34 AM
Hi,
This is the code we are working on now:
aaa new-model
!
aaa group server radius ISE-DOT1X-DK-TESTBED
 server-private 10.158.33.216 timeout 1 retransmit 2 key 7 *gracefullyremoved*
 server-private 10.158.33.225 timeout 1 retransmit 2 key 7 *gracefullyremoved*
!
! Only the MAB group carries the liveness probe (test username), so its
! entries recover on their own once the PSN answers again.
aaa group server radius ISE-MAB-DK-TESTBED
 server-private 10.158.33.225 timeout 1 retransmit 2 test username ise-tester idle-time 1 key 7 *gracefullyremoved*
 server-private 10.158.33.216 timeout 1 retransmit 2 test username ise-tester idle-time 1 key 7 *gracefullyremoved*
!
! MAB is a dot1x-type authentication list in IOS, hence "authentication dot1x MAB".
aaa authentication dot1x DOT1X group ISE-DOT1X-DK-TESTBED
aaa authentication dot1x MAB group ISE-MAB-DK-TESTBED
aaa authorization network default group ISE-DOT1X-DK-TESTBED
aaa authorization network ISE-DOT1X-DK-TESTBED none
! NOTE: the policy-map below references "authz-list DOT1X", but no
! "aaa authorization network DOT1X" list is defined in this config.
aaa accounting update periodic 60
aaa accounting identity default start-stop group ISE-DOT1X-DK-TESTBED
aaa accounting network default start-stop group ISE-DOT1X-DK-TESTBED
aaa accounting system default start-stop group ISE-DOT1X-DK-TESTBED
!
aaa server radius dynamic-author
 client 10.158.33.216 server-key 7 *gracefullyremoved*
 client 10.158.33.225 server-key 7 *gracefullyremoved*
!
service-template webauth-global-inactive
 inactivity-timer 3600
service-template CRITICAL
 access-group ACL-ALLOW
 vlan 107
service-template CRITICAL_VOICE
 access-group ACL-ALLOW
 voice vlan
service-template CRITICAL_AUTHD
 access-group ACL-ALLOW
 vlan 107
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan
!
vlan group useraccess vlan-list 107-108
vlan dot1q tag native
!
vlan 107
 name 107-dot1x-UA
!
vlan 108
 name 108-dot1x-UA
!
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match result-type aaa-timeout
 match authorization-status authorized
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
!
class-map type control subscriber match-all DOT1X
 match method dot1x
!
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all DOT1X_TIMEOUT
 match method dot1x
 match result-type method dot1x method-timeout
!
! IN_CRITICAL must be match-any: with match-none the class is true for
! sessions that are NOT in CRITICAL, and "event aaa-available" would then
! clear-session every normally authorized host instead of the critical ones.
! NOT_IN_CRITICAL_VLAN below is the match-none (negated) form.
class-map type control subscriber match-any IN_CRITICAL
 match activated-service-template CRITICAL
!
class-map type control subscriber match-any IN_CRITICAL_AUTHD
 match activated-service-template CRITICAL_AUTHD
!
class-map type control subscriber match-any IN_CRITICAL_VLAN
 match activated-service-template CRITICAL
!
class-map type control subscriber match-all MAB
 match method mab
!
class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative
!
class-map type control subscriber match-none NOT_IN_CRITICAL_VLAN
 match activated-service-template CRITICAL
!
policy-map type control subscriber DOT1X
 ! Both methods start at once; dot1x has the higher priority (lower number).
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x aaa authc-list DOT1X authz-list DOT1X retries 2 retry-time 0 priority 10
   20 authenticate using mab aaa authc-list MAB priority 20
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL
   20 authorize
   30 authentication-restart 28800
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  50 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab aaa authc-list MAB priority 20
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 ! When the RADIUS group comes back: critical sessions are cleared so they
 ! re-authenticate; paused sessions simply resume their reauth timer.
 event aaa-available match-all
  10 class IN_CRITICAL do-until-failure
   10 clear-session
  20 class IN_CRITICAL_AUTHD do-until-failure
   10 resume reauthentication
  30 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 resume reauthentication
 event violation match-all
  10 class always do-until-failure
   10 restrict
!
interface GigabitEthernet1/0/2
 description End User Port VLAN 107
 switchport access vlan 107
 switchport mode access
 switchport nonegotiate
 ip access-group ACL-ALLOW in
 logging event link-status
 authentication periodic
 authentication timer reauthenticate server
 access-session port-control auto
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 10
 storm-control broadcast level 70.00
 storm-control multicast level 70.00
 storm-control action trap
 no cdp enable
 spanning-tree portfast
 service-policy type control subscriber DOT1X
!
ip access-list extended ACL-ALLOW
 permit ip any any
!
ip access-list extended REDIRECT
 deny ip any host 10.158.33.216
 deny ip any host 10.158.33.225
 permit ip any any
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
Comments?
If anyone will share their code, I'd love to see it.
/Tue
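The split-server workaround Hosuk describes above, applied to the config Tue posted, as an added example; it is not from either poster and not a Cisco-published template. Tue's config puts the same two PSNs in both groups, so a dead mark on one group is a dead mark on the same server entries the other group would use. Here each PSN is defined twice with different RADIUS ports so the switch keeps dead/alive state per entry, and only the MAB entries carry the liveness probe. The addresses, key placeholder, VLAN and tester username come from Tue's config; the port split, the deadtime value and the assumption that ISE listens on both 1645/1646 and 1812/1813 (its defaults) are mine.

```cisco
! Added example (not the poster's code): one PSN pair, two server entries each.
! 802.1X group: ports 1645/1646, no probe. When AD is down and ISE drops the
! 802.1X requests, these entries go DEAD after dead-criteria is met and stay
! dead for the deadtime, so no further 802.1X reauths are attempted meanwhile.
aaa group server radius ISE-DOT1X-DK-TESTBED
 server-private 10.158.33.216 auth-port 1645 acct-port 1646 timeout 1 retransmit 2 key 7 *gracefullyremoved*
 server-private 10.158.33.225 auth-port 1645 acct-port 1646 timeout 1 retransmit 2 key 7 *gracefullyremoved*
 deadtime 15
!
! MAB group: ports 1812/1813 on the same PSNs, with the test-username probe.
! ISE answers the probe (Access-Reject) from its own database regardless of AD,
! so these entries stay UP and MAB keeps getting answers while AD is down.
aaa group server radius ISE-MAB-DK-TESTBED
 server-private 10.158.33.216 auth-port 1812 acct-port 1813 timeout 1 retransmit 2 test username ise-tester idle-time 1 key 7 *gracefullyremoved*
 server-private 10.158.33.225 auth-port 1812 acct-port 1813 timeout 1 retransmit 2 test username ise-tester idle-time 1 key 7 *gracefullyremoved*
!
! One dot1x-type authentication list per group; the policy-map picks the list per method.
aaa authentication dot1x DOT1X group ISE-DOT1X-DK-TESTBED
aaa authentication dot1x MAB group ISE-MAB-DK-TESTBED
aaa authorization network default group ISE-MAB-DK-TESTBED
!
! A server entry is marked dead after 3 unanswered tries within 30 s (global, as in Tue's config).
radius-server dead-criteria time 30 tries 3
!
! In the policy-map, bind each method to its own list so each method's RADIUS
! traffic hits its own server entries and therefore its own dead state.
policy-map type control subscriber DOT1X
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x aaa authc-list DOT1X retries 2 retry-time 0 priority 10
   20 authenticate using mab aaa authc-list MAB priority 20
!
! Checks, with AD taken down on the test bed: after three 802.1X attempts time out,
! the 1645 entries should show DEAD and the 1812 entries UP in the first command;
! the second shows which method authorized the session and whether a CRITICAL
! service template is active on the port.
! show aaa servers
! show access-session interface GigabitEthernet1/0/2 details
```

The point of leaving the probe off the 802.1X group is that a probe answered from ISE's internal store would mark those entries alive again while AD is still unreachable, which is exactly the on/off cycle the thread is trying to stop; the deadtime then sets how long the 802.1X group stays quiet before the switch retries it.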
07-08-2016 11:21 AM
Hi Tue and Hosuk
I'm actually trying out the same C3PL code, based on the document for the 3850 universal config (that Hosuk wrote), integrated with ISE 2.1.
For the moment I do see both auths being triggered at the same time and it looks like it works fine, but ISE's behaviour for now is to generate an alarm for NAD misconfiguration as having too many accounting packets.
I have to admit that having both auth methods simultaneously confuses me in a few aspects:
- 802.1X takes longer to authenticate than mab (more transactions)
- if mab succeeds, an accounting start will be sent.
- but then 802.1X also succeeds (it just took longer) - which will also trigger an accounting start
- will the switch drop the mab session then?
I would also like to have a best practice reference guide for C3PL covering multiple cases: 802.1X and MAB for endpoints (with ISE CWA); 802.1X, MAB and webauth; only MAB, etc. Does any of this exist?
If the use-case reference guide is not possible, then a more thorough explanation on how to design a C3PL policy covering multiple cases: which events to look for, which classes to match, which actions to take and their impact.
Regards
Gustavo
07-08-2016 11:38 AM
Hello,
Just found out that there are actually a lot of templates already provided with the Auto-identity feature (http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/XE3-8-0E/15-24E/configuration/guide/xe-380-configuration/auto_id.pdf), besides a good lab guide in Cisco Live (LTRSEC-2017-LG).
Might help anyone trying to dive into C3PL for identity
Cheers
Gustavo
03-10-2017 07:22 AM
Hi Guys,
Does anyone have a solution for the AD availability? With the automatic test the switch can send a username and the dead-criteria is working. However, like Tue said, there is an on/off/on/off situation.
Is it possible that Cisco will provide a fix for this?
regards,
Sander