ISE C3PL Switch Configuration

lilianamartinez
Level 1

Hi everyone, 

I have new-style switches and we are deploying DOT1X auth with Cisco AnyConnect. I'm using the following script, but users have internet access even when they are not authenticating; in legacy mode it works correctly. I would like to know if something is missing.

 

!
aaa new-model
!
!
aaa group server radius ISE
server name ISE1
server name ISE2
deadtime 15
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting update newinfo periodic 2880
aaa accounting identity default start-stop group ISE
!
aaa server radius dynamic-author
client 10.x.x.x1 server-key xxxxxxxxxx
client 10.x.x.x2 server-key xxxxxxxxxx
server-key R4d1uss3g0b
!
aaa session-id common
!
login on-success log
access-session mac-move deny
epm logging
no device-tracking logging theft
device-tracking tracking
!
dot1x system-auth-control
dot1x critical eapol
!
policy-map type control subscriber DOT1X-DEFAULT
event session-started match-all
10 class always do-all
10 authenticate using dot1x priority 10
20 authenticate using mab priority 20
event agent-found match-all
10 class always do-all
10 authenticate using dot1x
!
service-policy type control subscriber DOT1X-DEFAULT
!
ip http server
no ip http port 8080
ip http authentication local
ip http secure-server
ip http active-session-modules none
ip http client source-interface Vlan15
!
ip access-list extended ISE-REDIRECT
10 deny ip any host 10.x.x.x1
20 deny ip any host 10.x.x.x2
30 deny udp any any eq domain
40 permit tcp any any eq www
50 permit tcp any any eq 443
!
ip radius source-interface Vlan45
logging origin-id ip
logging source-interface Vlan45
logging host 10.x.x.x1 transport udp port 20514
logging host 10.x.x.x2 transport udp port 20514
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server deadtime 30
radius-server load-balance method least-outstanding
!
radius server ISE1
address ipv4 10.x.x.x1 auth-port 1812 acct-port 1813
timeout 2
retransmit 1
key xxxxxxxxxx
!
radius server ISE2
address ipv4 10.x.x.x2 auth-port 1812 acct-port 1813
timeout 2
retransmit 1
key xxxxxxxxxxx
!

Accepted Solution

Greg Gibbs
Cisco Employee

With newer platform/software versions, the default setting when using IBNS 2.0 is 'open' authentication (no access-session closed). If your session is getting an ACCESS_ACCEPT response from ISE with no DACL applied, the client getting internet access would be expected (unless it's in a redirect state... we would need more info about your policy/flow).

Another option to the 'closed' mode suggested by @Arne Bier, would be using a Low-Impact Mode approach by configuring a restrictive pre-auth ACL and applying that to the switchport. In your AuthZ Policy result, you would then need to send a permissive DACL that would override the pre-auth ACL.

Example:

 

ip access-list extended ACL-PreAuth-v4
 remark Allow TFTP for PXE
 permit udp any any eq tftp
 remark Allow DHCP
 permit udp any eq bootpc any eq bootps
 remark Allow DNS
 permit udp any any eq domain
 remark Deny all else
 deny ip any any
!
interface gig1/0/20
 ip access-group ACL-PreAuth-v4 in

You should also consider using interface templates as they are another benefit from the IBNS 2.0 C3PL feature set. Both of these aspects are covered in detail in the ISE Secure Wired Access Prescriptive Deployment Guide.

 

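The low-impact behaviour described in this answer, as an added example that is not part of the thread and not a Cisco tool: a small Python evaluator for the extended ACL syntax used above. The pre-auth ACL text is the one from the answer; the permissive DACL (`permit ip any any`), the name `PERMIT_ALL_DACL` and the sample packets are constructed assumptions, and a downloadable ACL returned on ACCESS_ACCEPT is modelled as replacing the port ACL for that session. The "no ACL at all" case shows the open-mode symptom from the question.

```python
"""Added example: first-match evaluation of Cisco-style extended IPv4 ACL entries."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known port names as written in IOS ACL syntax (subset used here).
PORT_NAMES = {"tftp": 69, "bootps": 67, "bootpc": 68, "domain": 53, "www": 80}


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "udp" or "tcp"
    src_port: Optional[int]     # None means any source port
    dst_port: Optional[int]     # None means any destination port


def _port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """If tokens[i] is 'eq <port>', return (port, index after it); else (None, i)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        port = PORT_NAMES.get(name, int(name) if name.isdigit() else None)
        return port, i + 2
    return None, i


def parse_acl(text: str) -> List[Entry]:
    """Parse 'permit|deny <proto> any [eq p] any [eq p]' lines; remarks and headers are skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue
        action, proto = tokens[0], tokens[1]
        src_port, i = _port(tokens, 3)      # tokens[2] is the source 'any'
        dst_port, _ = _port(tokens, i + 1)  # skip the destination 'any'
        entries.append(Entry(action, proto, src_port, dst_port))
    return entries


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if e.src_port is not None and e.src_port != pkt.src_port:
            continue
        if e.dst_port is not None and e.dst_port != pkt.dst_port:
            continue
        return e.action
    return "deny"


def decision(port_acl: Optional[List[Entry]], dacl: Optional[List[Entry]], pkt: Packet) -> str:
    """No port ACL and no DACL forwards everything (open mode, the symptom in the question).
    A port ACL restricts pre-auth traffic until a DACL for the session replaces it."""
    acl = dacl if dacl is not None else port_acl
    if acl is None:
        return "permit"
    return evaluate(acl, pkt)


# Pre-auth ACL text from the answer above.
PRE_AUTH = parse_acl("""
ip access-list extended ACL-PreAuth-v4
 remark Allow TFTP for PXE
 permit udp any any eq tftp
 remark Allow DHCP
 permit udp any eq bootpc any eq bootps
 remark Allow DNS
 permit udp any any eq domain
 remark Deny all else
 deny ip any any
""")

# Constructed: a permissive DACL as an ISE authorization result would return it.
PERMIT_ALL_DACL = parse_acl("permit ip any any")

# Constructed sample packets: DHCP discover, DNS query, HTTPS to the internet.
DHCP = Packet("udp", 68, 67)
DNS = Packet("udp", 51000, 53)
HTTPS = Packet("tcp", 51000, 443)

if __name__ == "__main__":
    for name, pkt in (("dhcp", DHCP), ("dns", DNS), ("https", HTTPS)):
        print(name, "open/no ACL:", decision(None, None, pkt),
              "pre-auth:", decision(PRE_AUTH, None, pkt),
              "after DACL:", decision(PRE_AUTH, PERMIT_ALL_DACL, pkt))
```

Pre-authentication, only the DHCP, DNS and TFTP entries match and HTTPS falls through to the deny; once the session receives the permissive DACL the same HTTPS packet is forwarded, while a port with no ACL at all forwards it in every state.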

7 Replies

Damien Miller
VIP Alumni

Can you also share the configuration you are applying to the access ports?

Sure this is the interface configuration: 

interface GigabitEthernet1/0/20
description <<PC/Phone>>
switchport access vlan 20
switchport mode access
device-tracking attach-policy IPDT_MAX_10
authentication periodic
authentication timer reauthenticate server
access-session port-control auto
mab
trust device cisco-phone
dot1x pae authenticator
dot1x timeout tx-period 10
auto qos voip cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
service-policy type control subscriber DOT1X-DEFAULT
service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
end

Hi @lilianamartinez 

 

You might still try closed mode

access-session closed

The details of your service policy are also important: does it do DOT1X first and then MAB? If you're still struggling, then share your policy.

I tried closed mode also, but still the same result.


I'm using the same DACL for legacy devices and it works correctly.

I tried with low-impact and it works. Thank you so much for your help.

 
