07-08-2013 02:24 AM - edited 03-10-2019 08:37 PM
Hi All,
I would like to know what the best practice configuration should be for the following points:
1) Network access for end users/devices if both ISE nodes become unreachable? How can we make sure that full network access is granted if both ISE nodes become unavailable?
2) What is the best practice for pre-auth ACL configuration if IP phones are also in the network?
Here is the port configuration and pre-auth ACL which I am using in my network:
Interface Fa0/1
switchport access vlan 30
switchport mode access
switchport voice vlan 40
ip access-group ISE-ACL-DEFAULT in
authentication event fail action authorize vlan 30
authentication event server dead action authorize vlan 30
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation protect
mab
dot1x pae authenticator
dot1x timeout tx-period 5
*****************************************
ip access-list extended ISE-ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS and Domain Controllers
permit ip any host 172.22.35.11
permit ip any host 172.22.35.12
remark Ping
permit icmp any any
remark PXE / TFTP
permit udp any any eq tftp
remark Deny All
deny ip any any log
Thanks & Regards,
Mujeeb
07-08-2013 08:42 PM
Hello
About question 1: since you're using "authentication host-mode multi-domain", "authentication event server dead action authorize vlan X" is the way to go.
But if you are using "authentication host-mode multi-auth", then you should use "authentication event server dead action reinitialize vlan X".
About question 2: it's not mandatory to use a pre-auth ACL. My current deployment has IP phones; since I use RADIUS profiling and CDP, ISE can detect and authorize the IP phones even though the switch blocks all packets. That's why I don't need pre-auth ACLs.
Please rate if this helps.
07-09-2013 04:34 AM
See replies inline:
authentication event fail action authorize vlan 30 ----> What would be the behaviour due to this command?
If the supplicant fails authentication, the port is moved to a restricted VLAN, and an EAP success message is sent to the supplicant because it is not notified of the actual authentication failure. If the EAP success message is not sent, the supplicant tries to authenticate every 60 seconds (the default) by sending an EAP-start message.
authentication event server dead action authorize vlan 30 ---> So in case the ISE nodes are unavailable, this port will be in VLAN 30, which is the actual VLAN?
The above command is used to configure a port to send both new and existing hosts to the critical VLAN when the RADIUS server is unavailable. Use this command for ports in multiple authentication (multiauth) mode or if the voice domain of the port is in MDA mode.
authentication event server alive action reinitialize ---> This command will re-initialize the authentication process if the ISE nodes become available?
This can be used to reinitialize an authorized Auth Manager session when a previously unreachable authentication, authorization, and accounting server becomes available.
Hope it helps.
~BR
Jatin Katyal
**Do rate helpful posts**
07-13-2013 12:06 PM
I guess you wanted to talk about this command
authentication event server dead action authorize vlan 30
However, you mentioned the below command in your last post:
authentication event fail action authorize vlan 30
If you've not configured a critical VLAN then you can remove this command:
authentication event server dead action authorize vlan 30, because this actually enables the critical auth (aka Inaccessible Authentication Bypass) feature on the port. With this feature enabled, if an IEEE 802.1X authentication fails because the AAA server is unavailable, the switch can be configured to allow clients access to a special VLAN (sometimes called the "Critical VLAN") that provides configurable access to the network. The Critical VLAN can be any VLAN except for the voice VLAN.
~BR
Jatin Katyal
**Do rate helpful posts**
07-08-2013 05:01 AM
1) For that you have a "critical auth VLAN" that you can assign in case no RADIUS server is available. You already have that in your config.
authentication event server dead action authorize vlan XXX
2) My default ACL is typically not as permissive as yours:
ip access-list extended PORT-DEFAULT-ACL
! allow DHCP
permit udp any eq bootpc any eq bootps
! allow dns to DNS-server
permit udp any host 10.10.10.1 eq 53
permit udp any host 10.10.10.2 eq 53
! PING is fine
permit icmp any any echo
! PXE is ok
permit udp any any eq tftp
With your ACL, an unauthenticated user already has full access to your domain controller, which is far too much in my opinion.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
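To make the difference between the two pre-auth ACLs in this thread concrete (and to answer the recurring question of what a host can still reach while the port sits in the pre-auth or critical state), here is an added example script, not from the thread or from Cisco: it parses the subset of IOS extended ACL syntax used in the posts above and evaluates sample flows first-match, with the implicit deny at the end. The client address and the probed service ports are constructed sample values; the domain controller addresses are the ones from the two posts.

```python
"""Compare what an unauthenticated host can reach through two pre-auth ACLs.

Added example, not from the thread: parses the subset of IOS extended ACL
syntax used in the posts above (permit/deny; ip/udp/tcp/icmp; 'any' or
'host A.B.C.D'; optional 'eq <port>'; optional ICMP type; trailing 'log')
and evaluates flows first-match with the implicit deny at the end.
"""
from dataclasses import astuple, dataclass
from typing import Optional

# Port keywords IOS accepts in place of numbers (only the ones used here).
PORT_NAMES = {"bootpc": 68, "bootps": 67, "tftp": 69, "domain": 53}


@dataclass(frozen=True)
class Match:
    """For a flow every field is concrete; for an ACL entry a None field is a
    wildcard ('any', or a port/ICMP type that was not specified)."""
    proto: str
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None


def _endpoint(toks, i):
    """Parse 'any' | 'host X' followed by an optional 'eq <port>'."""
    if toks[i] == "any":
        addr, i = None, i + 1
    elif toks[i] == "host":
        addr, i = toks[i + 1], i + 2
    else:
        raise ValueError(f"unsupported address form: {toks[i]!r}")
    port = None
    if i < len(toks) and toks[i] == "eq":
        port = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
        i += 2
    return addr, port, i


def parse_acl(text):
    """Return [(action, Match), ...]; remarks, '!' comments and the header are skipped."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", "remark", "ip access-list")):
            continue
        toks = line.split()
        action, proto = toks[0], toks[1]
        src, sport, i = _endpoint(toks, 2)
        dst, dport, i = _endpoint(toks, i)
        icmp_type = None
        if proto == "icmp" and i < len(toks) and toks[i] != "log":
            icmp_type = toks[i]  # e.g. 'echo'
        aces.append((action, Match(proto, src, dst, sport, dport, icmp_type)))
    return aces


def matches(pattern, flow):
    """'ip' in an entry matches every protocol; None fields are wildcards."""
    if pattern.proto != "ip" and pattern.proto != flow.proto:
        return False
    return all(want is None or want == have
               for want, have in zip(astuple(pattern)[1:], astuple(flow)[1:]))


def evaluate(aces, flow):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, pattern in aces:
        if matches(pattern, flow):
            return action
    return "deny"


def dc_exposure(acl_text, dc_ip, client_ip="10.0.30.50"):
    """Which services on the domain controller can a host that is still in
    the pre-auth state reach? client_ip is a constructed sample address."""
    aces = parse_acl(acl_text)
    probes = {
        "dns/udp53": Match("udp", client_ip, dc_ip, 50000, 53),
        "kerberos/tcp88": Match("tcp", client_ip, dc_ip, 50001, 88),
        "ldap/tcp389": Match("tcp", client_ip, dc_ip, 50002, 389),
        "smb/tcp445": Match("tcp", client_ip, dc_ip, 50003, 445),
        "ping": Match("icmp", client_ip, dc_ip, icmp_type="echo"),
    }
    return {name: evaluate(aces, flow) for name, flow in probes.items()}


# The two ACLs as posted in the thread (remark lines dropped).
THREAD_ACL = """\
permit udp any eq bootpc any eq bootps
permit ip any host 172.22.35.11
permit ip any host 172.22.35.12
permit icmp any any
permit udp any any eq tftp
deny ip any any log
"""
HARDENED_ACL = """\
permit udp any eq bootpc any eq bootps
permit udp any host 10.10.10.1 eq 53
permit udp any host 10.10.10.2 eq 53
permit icmp any any echo
permit udp any any eq tftp
"""

if __name__ == "__main__":
    print("thread ACL  ", dc_exposure(THREAD_ACL, "172.22.35.11"))
    print("hardened ACL", dc_exposure(HARDENED_ACL, "10.10.10.1"))
```

Running it shows that the thread's ACL lets a pre-auth host reach every service on the domain controllers (Kerberos, LDAP, SMB and so on, because "permit ip" matches all protocols), while the DNS-only ACL leaves only UDP/53 and ping open. The same evaluation applies when the port has fallen into the critical VLAN with the port ACL still attached, which is why the later posts note that the pre-auth ACL, not the VLAN, decides how much access survives an ISE outage.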
02-11-2015 02:38 PM
Hello Karsten,
Please, in your environment, without access to the domain controller before authentication, what happens when a user tries to access a computer for the first time?
Do you use AnyConnect NAM as the supplicant?
Regards.
07-09-2013 03:00 AM
Hi,
I am using the following configuration on the ports:
Interface Fa0/1
switchport access vlan 30
switchport mode access
switchport voice vlan 40
ip access-group ISE-ACL-DEFAULT in
authentication event fail action authorize vlan 30 ----> What would be the behaviour due to this command?
authentication event server dead action authorize vlan 30 ---> So in case the ISE nodes are unavailable, this port will be in VLAN 30, which is the actual VLAN?
authentication event server alive action reinitialize ---> This command will re-initialize the authentication process if the ISE nodes become available?
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation protect
mab
dot1x pae authenticator
dot1x timeout tx-period 5
Since I am using the following ACL on the ports, will users have network access according to this ACL in case the ISE nodes are unavailable?
ip access-list extended ISE-ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS and Domain Controllers
permit ip any host 172.22.35.11
permit ip any host 172.22.35.12
remark Ping
permit icmp any any
remark PXE / TFTP
permit udp any any eq tftp
remark Deny All
deny ip any any log
Thanks
07-11-2013 01:05 AM
Hi,
So should I remove the following command from the ports, as we don't have a critical VLAN in our setup?
authentication event fail action authorize vlan 30
Kindly note that VLAN 30 is the actual data VLAN.
**********************
With the "authentication event fail action authorize vlan 30" command the port will be in VLAN 30 if the ISE nodes become unreachable, but we have the following ACL on all ports, so users will get very limited access:
ip access-list extended ISE-ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS and Domain Controllers
permit ip any host 172.22.35.11
permit ip any host 172.22.35.12
remark Ping
permit icmp any any
remark PXE / TFTP
permit udp any any eq tftp
remark Deny All
deny ip any any log
So, should I modify this ACL or remove it completely?
Thanks & Regards,
Mujeeb
07-13-2013 11:16 AM
Dear All,
Kindly guide me on the queries which I posted in my latest response.
Thanks
02-12-2015 04:56 AM
Hello there,
I have the same doubt.
I can use "authentication event server dead action authorize vlan XX", but if I am using a pre-authentication ACL the access will be limited, won't it?
Regards.
05-11-2015 11:44 PM
Absolutely! Such a disappointing solution. You'll notice this question is skirted around. You can use EEM scripts to add lines to the pre-auth ACL, but it really feels like a bodge. Obviously you'll have to remove these lines too. A feature request is needed to be able to specify an ACL which will be applied when the critical VLAN is applied. Cisco need to start listening and start thinking.
08-06-2014 02:59 AM
Hello,
We have an issue with the "authentication event server alive action reinitialize".
- The critical auth (if server dead) works fine > the users move to VLAN 43.
- authentication event server alive action reinitialize: when ISE is back alive, the 802.1X process is reinitialized and the users get their VLAN and dACL (dynamic VLAN and ACL). The problem is that it seems they don't make a DHCP request, and they can't communicate in their VLAN. If we unplug/plug the cable (or shut/no shut the port), the process works fine and they get an IP address.
interface FastEthernet0/12
description Port-NAC
switchport access vlan 43
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan 43
authentication event server alive action reinitialize
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation replace
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x timeout tx-period 2
dot1x timeout supp-timeout 2
dot1x max-req 1
macro description Port-NAC
spanning-tree portfast
spanning-tree bpduguard enable
end
Port with DEAD server > see the screenshot.
Reinitialize > see the screenshot / we notice the VLAN and dACL are OK / but no IP address.
If you have an idea...
Thanks
02-15-2015 10:15 AM
It is not a big risk if the default port ACL seems too permissive as long as you make sure ISE authorization rules assign a proper dynamic ACL by all means.