06-16-2014 11:52 AM - edited 03-10-2019 09:48 PM
I am trying to set my ISE to attempt dot1x before mab. If I set up the switchport to try mab first, then ISE does its job and assigns the proper vlan. However, when I set the port up to do dot1x first, the port reverts to the default vlan 1. I am able to manually assign the proper vlan on the port and ISE does not interfere, but that kind of defeats the purpose. The port is on a 4506 and below is the port config. Any direction would be greatly appreciated.
interface GigabitEthernet5/7
description 1-151
switchport mode access
switchport block unicast
switchport voice vlan 68
ip arp inspection limit rate 60
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize vlan 40
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 3600
authentication violation restrict
mab
snmp trap mac-notification change added
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
end
06-17-2014 03:39 PM
Recently I implemented this for one of our customers; find the switch configuration below.
aaa new-model
!
!
aaa authentication dot1x default group radius local
aaa authorization network default group radius local
aaa authorization auth-proxy default group radius
aaa accounting delay-start all
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting network default start-stop group radius
!
!
!
!
aaa server radius dynamic-author
client <ISE IP ADDRESS> server-key 7 10471A1C25141B1F0F
!
aaa session-id common
!
!
ip device tracking probe use-svi
ip device tracking
ip admission name Testing_ISE proxy http inactivity-time 10 list ISE_ALLOWED
!
epm logging
!
!
dot1x system-auth-control
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree uplinkfast
spanning-tree backbonefast
spanning-tree vlan 1-1005 priority 8192
!
port-channel load-balance src-dst-ip
!
vlan internal allocation policy ascending
!
interface range GigabitEthernet X/X
description "Connected to test PC for ISE testing"
switchport access vlan x
switchport mode access
switchport voice vlan x
authentication event fail action next-method
authentication event server dead action authorize vlan 107
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation protect
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
ip http server
ip http secure-server
!
!
ip access-list extended ISE_REDIR
deny udp any any eq bootpc
deny udp any any eq bootps
deny udp any any eq domain
deny ip any host <ISE IP ADDRESS> log
permit tcp any any eq www
permit tcp any any eq 443
deny ip any any log
ip access-list extended ISE_ALLOWED
permit ip any host <ISE IP ADDRESS>
!
logging esm config
snmp-server community string RO
snmp-server community public RO
snmp-server community ise RO
snmp-server trap-source Vlan250
snmp-server enable traps mac-notification change move threshold
snmp-server host <ISE IP ADDRESS> version 2c ise mac-notification
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host <ISE IP ADDRESS> auth-port 1812 acct-port 1813 key 7 141E010E2C07233F27
radius-server vsa send accounting
radius-server vsa send authentication
Create an Authentication policy in ISE and allow the ISE_REDIR ACL.
06-18-2014 04:29 AM
sample switch config
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server host ise-1.demo.local auth-port 1812 acct-port 1813
radius-server key cisco123
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
ip radius source-interface g0/24
[test authentication]
dot1x system-auth-control
interface range g0/1-3, g0/5
switchport mode access
authentication port-control auto
dot1x pae authenticator
mab
authentication open
authentication host-mode multi-auth
switchport access vlan 10
switchport voice vlan 40
authentication order mab dot1x
authentication priority dot1x mab
no shutdown
end
radius-server vsa send authentication
ip device tracking
ip dhcp snooping
radius-server vsa send accounting
ip access-list extended ACL-ALLOW
permit ip any any
ip access-list extended ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domain
remark Ping
permit icmp any any
remark PXE / TFTP
permit udp any any eq tftp
remark Drop all the rest
deny ip any any log
ip access-list extended ACL-WEBAUTH-REDIRECT
deny ip any host 10.1.100.21
permit ip any any
interface range g0/1-3, g0/5
ip access-group ACL-ALLOW in
authentication periodic
authentication timer reauthenticate server
end
aaa server radius dynamic-author
client 10.1.100.21 server-key 0 cisco123
ip http server
ip http secure-server
logging origin-id ip
logging host ise-1.demo.local transport udp port 20514
epm logging
logging source-interface
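An added example, not code from any of the posts above: a small audit that parses IOS interface stanzas like the ones pasted in this thread and flags the settings the discussion turns on (no static access VLAN, so unauthorized traffic ends up in VLAN 1; dot1x ordered before mab; no server-dead VLAN). The sample config is constructed and only mirrors the shape of the posted ports.

```python
# Added example (not from the thread): audit IOS 802.1X/MAB port stanzas.
# Constructed sample: Gi5/7 mirrors the first post (mab first, no static access
# VLAN); Gi5/8 mirrors the replies (dot1x first, static access VLAN set).
SAMPLE_CONFIG = """\
interface GigabitEthernet5/7
 authentication event server dead action authorize vlan 40
 authentication open
 authentication order mab dot1x
 mab
 dot1x pae authenticator
!
interface GigabitEthernet5/8
 switchport access vlan 10
 authentication order dot1x mab
 mab
 dot1x pae authenticator
"""

def parse_interfaces(config):
    """Return {interface_name: [subcommands]} from an IOS config excerpt."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return blocks

def value(subcommands, prefix):
    """Argument of the first subcommand that starts with prefix, else None."""
    hits = [c[len(prefix):].strip() for c in subcommands if c.startswith(prefix + " ")]
    return hits[0] if hits else None

def findings(config):
    """Return {interface: [finding, ...]}; an empty list means nothing flagged."""
    out = {}
    for name, cmds in parse_interfaces(config).items():
        notes = []
        # IOS defaults when a command is absent: access VLAN 1, order dot1x mab.
        order = (value(cmds, "authentication order") or "dot1x mab").split()
        if (value(cmds, "switchport access vlan") or "1") == "1":
            notes.append("no static access VLAN: unauthorized or open-mode traffic lands in VLAN 1")
        if order[0] == "dot1x" and "mab" in cmds:
            notes.append("dot1x ordered first: MAB runs only after the 802.1X identity requests time out")
        if value(cmds, "authentication event server dead action authorize vlan") is None:
            notes.append("no server-dead (critical) VLAN: no fallback authorization if RADIUS is unreachable")
        out[name] = notes
    return out
```

Feed it the output of `show running-config | section interface` and compare ports that work against ports that fall into VLAN 1.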