ISE remediation VLAN 802.1x and MAB

waqas gondal
Level 1

Hi All


I have currently configured this on each switch port:

authentication event fail action next-method
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 8


I am planning to add:

authentication event fail retry 5 action authorize vlan X

Will this interrupt the devices that can only do MAB authentication?

The goal is for legitimate devices that do 802.1x authentication to get assigned a remediation VLAN if they fail while the VoIP phones connected to the same port are not disrupted. The VoIP phones cannot do 802.1x.
Thanks,
Waqas
6 Replies

Muhammad Awais Khan
Cisco Employee

Hi Waqas,

This interface level command for dot1x "authentication event fail action authorize vlan x" is applicable to Dot1x supplicants only. There is a restriction for using this feature that the port should be configured in single host mode only.

I don't think you can use this in your case since you are using multi-host and having Data & voice configured all together.

Reference:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-3se/5700/sec-user-8021x-xe-3se-5700-book/sec-ieee-auth-fail-vlan.pdf

Instead of doing that, you can configure the port on the same vlan which you want to assign after failed 802.1x authentication if that's your objective.

So by default devices will be in the VLAN defined on the interface with "switchport access vlan xx" and can change it to a dynamic VLAN downloaded from ISE (if configured in ISE) once successfully authenticated with 802.1x.
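As an added audit check (not part of this thread, and not Cisco or ISE code), the script below scans a running-config excerpt for the combination the reply warns about: an auth-fail VLAN on a port whose host mode is anything other than single-host. The sample config is constructed for the example and modelled on the port template in the question; the script assumes IOS falls back to single-host when an interface has no host-mode line.

```python
import re
# Constructed sample running-config excerpt (not from the thread), modelled on the
# port template quoted in the question with the proposed auth-fail VLAN line added.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport voice vlan 20
 authentication event fail retry 5 action authorize vlan 99
 authentication host-mode multi-domain
 mab
!
interface GigabitEthernet1/0/2
 authentication event fail action authorize vlan 99
 dot1x pae authenticator
!
"""

FAIL_VLAN_RE = re.compile(r"^authentication event fail(?: retry \d+)? action authorize vlan (\d+)$")
HOST_MODE_RE = re.compile(r"^authentication host-mode (\S+)$")


def parse_interfaces(config: str) -> dict:
    """Split a running-config into {interface name: [stripped sub-commands]}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return stanzas


def first_group(pattern, lines):
    """Capture group 1 of the first line matching pattern, else None."""
    return next((m.group(1) for m in map(pattern.match, lines) if m), None)


def audit_auth_fail_vlan(config: str) -> dict:
    """Flag ports that pair an auth-fail VLAN with a host mode other than single-host
    (the restriction cited in the reply). Assumption: IOS's default host mode,
    single-host, applies when the stanza has no host-mode line."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        vlan = first_group(FAIL_VLAN_RE, lines)
        if vlan is None:
            continue
        mode = first_group(HOST_MODE_RE, lines) or "single-host"
        if mode != "single-host":
            findings[name] = f"auth-fail VLAN {vlan} combined with host-mode {mode}"
    return findings
```

Run it over `show running-config` output to list every port where the auth-fail VLAN would be ignored under the single-host restriction.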

Hi Muhammad,

Thanks for your input. Is multi-domain and multi-host the same thing in this configuration?

If we have to do it the other way around, we have many different switches across different locations with multiple VLANs. Is there a configuration guide on how to do this properly?

Kind Regards,

Waqas

Hi Waqas,

Multi-host and multi-domain both seem not applicable choices in your configuration since auth-fail VLAN requires single-host mode only.

What's your objective? You want users with failed 802.1x to have restricted access or controlled access, right?

There are multiple ways, including dynamic ACLs, dynamic VLANs, or you can have a default ACL defined on the interface with restricted access. The user with failed authentication will stick to the default VLAN & ACL. Only successfully authenticated users will bypass the default ACL with the help of a dynamic ACL downloaded, which can be "permit any" or anything defined as per your policies.

Hi Muhammad,

That is correct, if a device fails 802.1x or MAB authentication it should only have limited access to the network. This limited access will be to the AD server, DHCP, DNS, etc. Also we should be able to connect into the remediated PC to troubleshoot without taking authentication off the port.

So far we have designed a new network with an ACL and it will be a lot to manage. If a device fails authentication it will be in that VLAN and the switch will restrict it. I'm trying to find the simplest way to do this.

Thanks,

waqas

See ISE Secure Wired Access Prescriptive Deployment Guide > MAC Limits for a description of Host Modes.

Use of multi-auth is the recommended best practice.

Assuming your VOIP phones are successfully authenticated with MAB, they shouldn't fail and be subject to

authentication event fail retry 5 action authorize vlan X

Thanks Thomas,

I will give this a try, hopefully it works.
