ISE / IBNS 2.0 - authentication open

CSCO10662744_2
Level 1

Is anyone doing IBNS 2.0, or is everyone sticking w/ the legacy "authentication" commands that have been available like forever?

We're looking into IBNS 2.0 to take advantage of its critical ACL feature that's not available in the legacy auth-manager style.

When I did a conversion from the existing legacy style to the new IBNS 2.0 style on a 3850, I can't tell which line is the equivalent of the "authentication open" command.
Can someone please point it out to me?

How do we do "authentication open" in the new IBNS 2.0 style?
This is important to our MONITOR & LOW-IMPACT ISE rollout phases.

===============

New style:

policy-map type control subscriber POLICY_Gi1/0/21
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL_AUTH_VLAN_Gi1/0/21
   20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   25 activate service-template CRITICAL-ACCESS
   30 authorize
   40 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 40
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 40
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
 event violation match-all
  10 class always do-until-failure
   10 restrict

================

Old style:

interface GigabitEthernet1/0/21
 description ISE-TEST
 ip access-group ACL-DEFAULT in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 1
 authentication event server dead action authorize voice
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication timer restart 40
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10


6 Replies

jan.nielsen
Level 7

From the IBNS 2.0 guide:

"Two key changes to notice after moving on to the new-style configurations are (1) the ‘authentication’ commands will be replaced with commands starting with ‘access-session’ keyword"

So I guess this would now be an "access-session" command on the interface.

Thanks but I don't see anything that would imply the "authentication open" command in the new interface config:

Switch#sh derived-config interface gi1/0/21
Building configuration...

Derived configuration : 481 bytes
!
interface GigabitEthernet1/0/21
 description ISE-TEST
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 25
 ip access-group ACL-DEFAULT in
 no logging event link-status
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 no mdix auto
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy type control subscriber POLICY_Gi1/0/21
 service-policy input QOS-INPUT
 service-policy output QOS-OUTPUT

It looks like "authentication open" is now the default, and as such not shown in the new style config.

access-session closed

Example:
Device(config-if)# access-session closed

Prevents preauthentication access on this port.

  • The port is set to open access by default.

http://www.cisco.com/en/US/docs/ios-xml/ios/san/configuration/xe-3se/3850/san-cntrl-pol.html

Thank you!

jcatanzaro
Level 1

Yes, I realize this topic is old, but it was most relevant to what I'm seeing right now.

So here's a (potentially stupid) question that I can't seem to find the answer to. If both access-session closed and a preauth ACL are configured on the port, what's the result?

I have this situation in a couple of places in my environment and it *seems* as if the preauth ACL supersedes access-session closed, but I can't confirm that for 100% certain.

For anyone looking at this in 2024, according to TAC: access-session closed overrides a preauth ACL and only allows EAPOL traffic. If, like me, you're trying to run in enforcement mode but you have a lot of MAB clients and don't want the unfettered preauth access, you need to remove AC closed and implement a more restrictive preauth ACL. It doesn't work like IBNS 1.0, where you remove 'authentication open' and apply your preauth ACL.
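As an added example (not code from the thread, from Cisco or from TAC), the following Python audit applies the two conclusions reached above to a running-config style text: the accepted answer's point that an IBNS 2.0 port is open unless "access-session closed" is configured (so nothing replaces the legacy "authentication open" line), and the 2024 reply's point that "access-session closed" overrides a preauth ACL and admits only EAPOL. It parses each interface block, reports open/closed mode and any pre-auth ACL, maps the legacy open/closed choice to the new style, and flags ports whose configuration contradicts the intended MONITOR, LOW-IMPACT or closed rollout phase. The interface names, ACL names, phase expectations and the sample config are constructed for this example.

```python
"""Audit IBNS 2.0 access ports for their pre-authentication posture.

Added example; not code from the thread, from Cisco or from TAC. It applies
two conclusions of the thread to a running-config style text:
  1. an IBNS 2.0 port is open unless 'access-session closed' is configured
     (accepted answer: open access is the default, so no new-style line
     replaces the legacy 'authentication open'), and
  2. 'access-session closed' overrides a pre-auth ACL and admits only EAPOL,
     so closed + 'ip access-group ... in' contradicts a low-impact design.
Interface names, ACL names, phase expectations and the sample are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the derived config posted in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/21
 description LOW-IMPACT-PORT
 switchport mode access
 ip access-group ACL-DEFAULT in
 access-session port-control auto
 mab
 dot1x pae authenticator
 service-policy type control subscriber POLICY_Gi1/0/21
!
interface GigabitEthernet1/0/22
 description CLOSED-WITH-ACL
 switchport mode access
 ip access-group ACL-DEFAULT in
 access-session closed
 access-session port-control auto
 mab
 dot1x pae authenticator
 service-policy type control subscriber POLICY_Gi1/0/21
!
interface GigabitEthernet1/0/23
 description NO-ISE
 switchport mode access
!
"""

ACL_RE = re.compile(r"^\s*ip access-group (\S+) in\s*$")
POLICY_RE = re.compile(r"^\s*service-policy type control subscriber (\S+)\s*$")


@dataclass
class PortPosture:
    name: str
    port_control_auto: bool = False     # 'access-session port-control auto'
    closed: bool = False                # 'access-session closed' present
    preauth_acl: Optional[str] = None   # ACL from 'ip access-group <name> in'
    control_policy: Optional[str] = None

    @property
    def mode(self) -> str:
        # Per the accepted answer, open is the IBNS 2.0 default.
        return "closed" if self.closed else "open"


def parse_ports(config: str) -> list[PortPosture]:
    """Collect the access-session related lines under each 'interface' block."""
    ports: list[PortPosture] = []
    cur: Optional[PortPosture] = None
    for line in config.splitlines():
        if not line.startswith(" "):
            cur = None  # '!' or any top-level command ends the current block
            if line.startswith("interface "):
                cur = PortPosture(name=line.split(None, 1)[1].strip())
                ports.append(cur)
            continue
        if cur is None:
            continue
        cmd = line.strip()
        if cmd == "access-session port-control auto":
            cur.port_control_auto = True
        elif cmd == "access-session closed":
            cur.closed = True
        elif (m := ACL_RE.match(line)):
            cur.preauth_acl = m.group(1)
        elif (m := POLICY_RE.match(line)):
            cur.control_policy = m.group(1)
    return ports


def legacy_open_to_new_style(legacy_interface_lines: list[str]) -> list[str]:
    """Map the legacy open/closed choice to IBNS 2.0 (accepted answer):
    'authentication open' has no new-style line because open is the default;
    a legacy auth port without it was closed, which becomes 'access-session closed'."""
    cmds = {l.strip() for l in legacy_interface_lines}
    if "authentication port-control auto" not in cmds:
        return []  # port was not doing 802.1X/MAB in the first place
    if "authentication open" in cmds:
        return []  # nothing to add: open access is the IBNS 2.0 default
    return ["access-session closed"]


def audit(port: PortPosture, phase: str) -> list[str]:
    """Findings for a port against the intended rollout phase ('monitor',
    'low-impact' or 'closed'); the expectations are this example's own
    reading of the thread, not a Cisco-published check."""
    findings: list[str] = []
    if not port.port_control_auto:
        return [f"{port.name}: no 'access-session port-control auto'; port is not running 802.1X/MAB"]
    if phase in ("monitor", "low-impact") and port.closed:
        findings.append(f"{port.name}: '{phase}' phase needs open mode but 'access-session closed' is set")
    if phase == "low-impact" and port.preauth_acl is None:
        findings.append(f"{port.name}: low-impact phase expects a pre-auth ACL ('ip access-group ... in')")
    if phase == "closed" and not port.closed:
        findings.append(f"{port.name}: closed phase expects 'access-session closed' (open is the default)")
    if port.closed and port.preauth_acl is not None:
        findings.append(f"{port.name}: pre-auth ACL {port.preauth_acl} is overridden by "
                        "'access-session closed'; only EAPOL passes before authentication")
    return findings


if __name__ == "__main__":
    for p in parse_ports(SAMPLE_CONFIG):
        print(f"{p.name}: mode={p.mode} acl={p.preauth_acl} policy={p.control_policy}")
        for f in audit(p, "low-impact"):
            print("  WARN", f)
```

Run against the constructed sample, Gi1/0/21 passes the low-impact check, Gi1/0/22 is flagged twice (closed mode where open is needed, and an ACL that closed mode makes ineffective), and Gi1/0/23 is flagged as not running 802.1X/MAB at all. Feed it `show derived-config` output, as in the thread, rather than `show running-config`, so that lines supplied by templates are included.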