12-26-2019 07:18 AM
Hi everybody,
I've been working on ISE for a few months and after a lot of work I'm beginning to have something correct... But I have an issue that I don't understand, which is why I need your expertise.
My ISE is on 2.4 patch 5
Switches 3850 on 16.3.5b
PC on Windows 8.1 with the Windows native 802.1X supplicant
When the computer boots, ISE authenticates it with MAB before 802.1X; I can see it in the ISE live log. The Windows supplicant can take a little longer, so why not, but that's not my main problem.
When ISE has received the right information for the 802.1X configuration, nothing happens on the switch configuration with dynamic VLAN. On another switch (same version), it sometimes works perfectly.
Do you have any explanation, or do you need more information?
Cordially,
Anthony
12-26-2019 09:56 PM
12-27-2019 12:13 AM - edited 12-27-2019 12:25 AM
Hello Francesco,
Thank you for taking the time to answer me.
I don't use IBNS 2.0; I'm sharing the configuration of one interface. Keep in mind that VLAN 200 is the default and doesn't need an ACL at this time.
interface GigabitEthernet4/0/4
 switchport access vlan 200
 switchport mode access
 switchport voice vlan 216
 authentication event server dead action authorize vlan 200
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 no macro auto processing
 spanning-tree portfast
!
In the first image, I show the result of the ISE log (I hid personal information) and the authorization profile (it matched).
To clarify, the interface template here is ISE-PC-TOTO.
In the second image, I show the Authentication details, where you can see the dot1x authentication method.
In the last image, I show the result on the switch. To clarify, the interface template here is ISE-PC-OTHER and not ISE-PC-TOTO as in the first screen.
ISE-PC-OTHER is the default config if nothing matched.
It seems that the switch didn't accept the profiles pushed by ISE. The voice access is correct with the right configuration by MAB. The data access should be dot1x and not MAB.
If you need anything else, don't hesitate.
Thanks,
Andy
12-27-2019 02:47 PM
It appears that the workstation performs a MAB auth before the intended 802.1X happens. I suspect that your Windows supplicant is configured for User Auth (and not Computer Auth). Once the switch has authorised that Endpoint using MAB, it thinks its job is done. Do we expect an EAP session start (from the supplicant) to change all that if one came along? Perhaps this works with CoA only. Have you enabled CoA on the switch?
12-30-2019 03:15 AM
Hi Arne,
I have got Computer Auth on all workstations. It's strange because sometimes everything is correct and sometimes not!
I just tried CoA with the "aaa server radius dynamic-author" command, but nothing changes even if I shut / no shut the interface.
12-29-2019 06:31 PM
12-30-2019 03:18 AM
Hello Francesco,
My template is just a description for now, so I don't have anything special.
IBNS is different from what I wanted/understood at first; what's the real difference or interest?
Thanks
01-02-2020 10:32 AM
@Francesco Molino wrote:
What does your interface template look like?
Can you configure your switch using the following guide:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ibns/configuration/15-e/ibns-15-e-book/ibns-int-temp.html
Test it again and let us know
For ISE use this guide
Otherwise reach out to switching community for more questions