ISE Flexi-Auth order

Vivek Ganapathi
Level 4

Hello all,

I read through the below document & understand the nitty gritty of it.

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html

Document doesn't describe around the "authentication order dot1x mab" & "priority dot1x mab". Does anyone know the behaviour if we have this configuration? Assuming all the dot1x enabled endpoints are Microsoft workstations. Will this order create any issue?

Regards

Vivek


Hi Vivek

If you have "authentication order dot1x mab" & "priority dot1x mab" configured and all your endpoints are dot1x capable, then you are good to go.

Just be aware if your Microsoft machines are behind IP phones, as some IP phone models (especially some Avaya phone models) require a bit of tweaking to the "dot1x timeout tx-period" to make them work and get DHCP and Call Manager settings in time before they time out and fail to register (beware of the default of 30 sec).

In most of the implementations I have done, I configure this as 10 sec ("dot1x timeout tx-period 10"), so the IP phone would fail for 30 seconds until it gets MAB access (with profiling), and then it would get DHCP and register to Call Manager successfully.

Some specific Avaya phones (call center models) were failing with this timeout of 10 sec, and I had to modify their interfaces to 5 sec ("dot1x timeout tx-period 5") for them to work.

The point here is: if you have dot1x first in order and priority, this is fine for all 802.1X-capable devices, but non-802.1X-capable devices would suffer failure until the dot1x timeout timer expires and the port falls into MAB, and some devices would give up responding to the network or requesting DHCP accordingly. So try to fine-tune "dot1x timeout tx-period" to better suit your environment.

Also, for some dummy endpoints (with static IP addresses) like door-access cards, they would get MAB but won't be reachable until you ping them manually or so. My guess is that because of the dot1x failover time they somehow give up and don't respond in time --> for these kinds of endpoints try to configure this under their interfaces: "authentication control-direction in".

Thank you for the detailed response. We do have loads of MAB endpoints. I too thought the case you mentioned would be the same: until 802.1X times out, the MAB-only capable endpoints will have to wait for the timeout period to expire. So, technically, apart from these issues you don't see any other challenge?

Regards

Vivek

Hi Vivek

Mostly the challenges would come from the MAB endpoints. Here are two frustrating examples from real-life field implementations:

1- I have faced some weird endpoint behaviours, like some CCTV cameras which would be authenticated and authorized via MAB and have the correct dACL but would not be reachable.
  • Even when you remove the dot1x config from the switchport, there will be no MAC address learned on the interface, and it only comes up once the port is open and you issue shut and no shut commands on the interface; in a few seconds the MAC address would be learned, and once we apply dot1x back it would be authenticated and authorized accordingly.
  • I have no reasonable explanation for this unless these endpoints go into some idle state for some reason and something then goes wrong.
    After customer approval I modified the dot1x and MAB for these endpoints' switch interfaces to have the order first as MAB and then dot1x, and left the priority as default:
     authentication order mab dot1x
     authentication priority dot1x mab
  • This is to isolate the dot1x failure time the endpoints have to experience, which may cause this weird behaviour.
2- If you have wired guests/contractors in your environment via CWA (with or without posture assessment) and these guests/contractors themselves have a dot1x supplicant enabled on their laptops (by their own companies):
  • Then they would fail dot1x authentication against your ISE identity stores (e.g. AD) and allowed protocols; you would see lots of failures in ISE against these endpoints, some because they are sending protocols not allowed in your list (like PEAP) and some because the user is not found in the identity store or the password is wrong.
  • Then these users would get into MAB and then would authenticate via CWA and work just fine.
  • After 15 minutes or so (dot1x supplicant dependent, native vs AnyConnect) they would try to authenticate again, which would trigger the dot1x running state, which would disconnect their MAB sessions, and once the dot1x supplicant gives up they would get the authentication portal via CWA again.
  • So these users would normally complain that they get disconnected every now and then (randomly, like every 5 or 10 or 15 minutes).
  • Another challenge is that some of these users don't have the privilege to disable or deactivate their dot1x supplicant.
  • So what I proposed for this customer is to disable dot1x completely from the switch ports for those guests/contractors.
  • So the config would be as follows (please note that only MAB is allowed and "dot1x pae authenticator" is not configured, so any dot1x is ignored):
interface GigabitEthernetX/0/X
 description "Contractors Users who have Dot1X enabled by their Company"
 switchport access vlan X
 switchport mode access
 switchport voice vlan Y
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
 ip dhcp snooping limit rate 150
  • Please note that any corporate users who are part of your organization (e.g. have valid AD credentials + an AD machine account) would not be able to authenticate if they connected to that switch port, as all EAPOL-Start frames would be ignored by the switch.
  • So these guest/contractor users can't roam around the campus wired network and expect to work smoothly --> they have to have dedicated desks where the connected switch ports have this exception; otherwise they need to find a way to disable their dot1x supplicant when they visit your campus.
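The two replies above describe the same set of FlexAuth rules from different angles: the earlier one covers how long a silent endpoint waits before the port falls through to MAB (tx-period times the identity-request retries), and this one covers how "authentication order" and "authentication priority" interact with an endpoint that has its own supplicant. The following Python model is an added example, not code from the thread or from Cisco; it encodes those rules so the scenarios from both replies can be replayed side by side. It assumes the IOS defaults of tx-period 30 s and max-reauth-req 2, models the fallback delay as tx-period * (max-reauth-req + 1), and uses invented "patience" values for how long each endpoint keeps retrying DHCP or registration.

```python
"""Added model of IOS flexible-authentication behaviour on an access port.

Constructed example: the rules encoded here are the ones discussed in the
thread. "authentication order" decides which method the switch tries first,
"authentication priority" decides whether a later 802.1X exchange may replace
a MAB session, and a silent endpoint only reaches MAB after the dot1x timers
expire.  Timer arithmetic uses the IOS defaults (tx-period 30 s,
max-reauth-req 2): fallback delay = tx-period * (max-reauth-req + 1).
Endpoint "patience" values are invented for illustration.
"""
from dataclasses import dataclass


@dataclass
class PortConfig:
    order: tuple                    # ("dot1x", "mab")  -> authentication order dot1x mab
    priority: tuple                 # ("dot1x", "mab")  -> authentication priority dot1x mab
    tx_period: int = 30             # dot1x timeout tx-period (IOS default 30 s)
    max_reauth_req: int = 2         # dot1x max-reauth-req (IOS default 2)
    pae_authenticator: bool = True  # "dot1x pae authenticator" present on the port

    def dot1x_fallback_delay(self) -> int:
        """Seconds a silent endpoint waits before the switch gives up on dot1x.

        The switch sends one EAP-Request/Identity and retries it max_reauth_req
        times, waiting tx_period seconds for an answer each time.
        """
        if not self.pae_authenticator or "dot1x" not in self.order:
            return 0
        return self.tx_period * (self.max_reauth_req + 1)

    def dot1x_outranks_mab(self) -> bool:
        """True when dot1x is listed ahead of MAB in the priority list."""
        if not self.pae_authenticator or "dot1x" not in self.priority:
            return False
        return self.priority.index("dot1x") < self.priority.index("mab")


@dataclass
class Endpoint:
    name: str
    has_supplicant: bool            # runs an 802.1X supplicant (domain workstation, contractor laptop)
    patience: int                   # constructed: seconds it keeps trying DHCP/registration before giving up
    dot1x_creds_valid: bool = True  # the supplicant's credentials are accepted by ISE
    mab_known: bool = True          # MAC address is known to ISE (profiled or in an endpoint group)


def initial_access(cfg: PortConfig, ep: Endpoint) -> dict:
    """Which method authorizes the endpoint on link-up, after how many seconds,
    and whether the endpoint is still trying when access finally arrives."""
    elapsed = 0
    for method in cfg.order:
        if method == "dot1x":
            if not cfg.pae_authenticator:
                continue                                # EAPOL is ignored on this port
            if ep.has_supplicant and ep.dot1x_creds_valid:
                return {"method": "dot1x", "delay": elapsed, "ok": True}
            if not ep.has_supplicant:
                elapsed += cfg.dot1x_fallback_delay()   # identity requests go unanswered
            # a supplicant with bad credentials fails fast and falls through to the next method
        elif method == "mab" and ep.mab_known:
            # MAB needs only the source MAC, so it completes as soon as it is tried
            return {"method": "mab", "delay": elapsed, "ok": elapsed <= ep.patience}
    return {"method": None, "delay": elapsed, "ok": False}


def mab_session_preempted(cfg: PortConfig, ep: Endpoint) -> bool:
    """Will a supplicant that later starts 802.1X (e.g. a periodic re-authentication
    attempt) cause the switch to tear down the endpoint's MAB session?"""
    return ep.has_supplicant and "dot1x" in cfg.order and cfg.dot1x_outranks_mab()


def run_scenarios() -> dict:
    """Replays the cases from the thread; returns {scenario: result}."""
    default_port = PortConfig(("dot1x", "mab"), ("dot1x", "mab"))
    tuned_port = PortConfig(("dot1x", "mab"), ("dot1x", "mab"), tx_period=10)
    phone_port = PortConfig(("dot1x", "mab"), ("dot1x", "mab"), tx_period=5)
    mab_first = PortConfig(("mab", "dot1x"), ("dot1x", "mab"))
    mab_only = PortConfig(("mab",), ("mab",), pae_authenticator=False)

    camera = Endpoint("cctv-camera", has_supplicant=False, patience=60)
    call_centre_phone = Endpoint("avaya-phone", has_supplicant=False, patience=20)
    contractor = Endpoint("contractor-laptop", has_supplicant=True, patience=60, dot1x_creds_valid=False)
    corp_pc = Endpoint("domain-workstation", has_supplicant=True, patience=60, mab_known=False)

    return {
        "camera on default timers": initial_access(default_port, camera),
        "camera with tx-period 10": initial_access(tuned_port, camera),
        "phone with tx-period 10": initial_access(tuned_port, call_centre_phone),
        "phone with tx-period 5": initial_access(phone_port, call_centre_phone),
        "contractor on mab-first port": initial_access(mab_first, contractor),
        "contractor preempted on mab-first port": mab_session_preempted(mab_first, contractor),
        "contractor preempted on mab-only port": mab_session_preempted(mab_only, contractor),
        "corporate pc on mab-only port": initial_access(mab_only, corp_pc),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Running it shows the 90-second wait on default timers shrinking to 30 and 15 seconds as tx-period is tuned, the contractor laptop getting MAB immediately on a mab-first port but still losing that session whenever its supplicant talks again (because dot1x outranks MAB in priority), and the MAB-only port being the only one where the supplicant is harmless, at the cost of the domain workstation getting nothing at all on that port.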

Thanks for the detailed response. This question was raised after we were facing issues with our current configuration of order mab|dot1x & priority dot1x|mab.

We were running with the TAC case around this issue & now have been advised this is due to a bug.

Again thanks a lot for responding.

Hi Vivek

Thanks for the rating... Can you please share with us what issues you have faced with your config order mab|dot1x & priority dot1x|mab, and the Bug ID... just for knowledge sharing.

Thanks