cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

2591
Views
4
Helpful
11
Replies
islow1303
Beginner

ISE should not use default policy set for dot1x auth!

Hello together,

I have configured a wired LAN authentication and I have fully configured the switches, the policies are according to documentations and everything I could think of seems to be set correctly.

Now the issue is, when I connect my devices (using LAN cables) to the switches, the default policy is being selected (see Screenshot -> Authentication Policy), even though "Radius NAS-PORT-TYPE = Ethernet & Device Type = Device Group Switches (my radius switches)!

Screen Shot 2017-07-03 at 09.51.24.png

Screen Shot 2017-07-03 at 09.44.12.png

Question: How do I disable the default policy or how to ensure that my wired policy is always used for wired dot1x?

1 ACCEPTED SOLUTION

Accepted Solutions

I suggest the following configuration :

  1. The SSP Access wired must have as condition: Network Access: Protocol EQUALS RADIUS
  2. Create a new compound condition like New_Created_Compound_Condition with: Network Access: EapAuthentication Equals EAP-TLS and Certificate: SibjectAlternativeName – DNS Contains your_domain_name
  3. In your Authentication Policy AD_Cert choose as condition (If): New_Created_Compound_Condition ==> Use AD_Cert_User
  4. I suppose that the Certificate Authentication Profile AD_Cert_User is configured like that: Identity Store: [Not applicable] and Certificate Attribute: Subject Alternative Name

Also:

Configure the Authorization Plicy like that: AthZ_Policy_Name if Any and

CERTIFICAT: Subject Alternative Name – DNS  contains “your_domain”

Network Access: AuthenticationMethod Equals X509_PKI

RADIUS: NAS-Poirt-Type Equals ETHERNET

Then: Admin_Wired

I hope that will help.

Best regards

View solution in original post

11 REPLIES 11
B. BELHADJ
Enthusiast

Hi Kadir

The Policy Sets in ISE are like the Service Selection Policy on ACS. The order is very important.

Please place you Policy Set "Access Wired" before the Default Policy Set.

Best regards

Hello Abdollah,

I have moved around the policy set from top to bottom...technically the "Access Wired" Policy set is at the very top, whereas the default policy set is at the bottom (not moveable anyway)...do you have another sugestions?

Kind regards,

Kadir

Hi Kadir

Please upload a screenshot of your Policy Sets on ISE. I can help based on what you have in your configuration.

Best regards

I hope this helps...let me know if required more...

policy set.PNG

I suggest the following configuration :

  1. The SSP Access wired must have as condition: Network Access: Protocol EQUALS RADIUS
  2. Create a new compound condition like New_Created_Compound_Condition with: Network Access: EapAuthentication Equals EAP-TLS and Certificate: SibjectAlternativeName – DNS Contains your_domain_name
  3. In your Authentication Policy AD_Cert choose as condition (If): New_Created_Compound_Condition ==> Use AD_Cert_User
  4. I suppose that the Certificate Authentication Profile AD_Cert_User is configured like that: Identity Store: [Not applicable] and Certificate Attribute: Subject Alternative Name

Also:

Configure the Authorization Plicy like that: AthZ_Policy_Name if Any and

CERTIFICAT: Subject Alternative Name – DNS  contains “your_domain”

Network Access: AuthenticationMethod Equals X509_PKI

RADIUS: NAS-Poirt-Type Equals ETHERNET

Then: Admin_Wired

I hope that will help.

Best regards

The Admin_Wired must be configured like that :

Access Type = ACCESS_ACCEPT

VLAN Tag ID 1 and Name: YOUR_VLAN_NAME

You can also enable the rethentication after 1h (as an example):

Reauthentication Timer: 3600

Maintain Connectivity During Reauthentication RADIUS-Request

This was the right answer!

Thank you, it now does work after creating a new Policy Set and by using some of your suggested method.

However after removing the (Device Type = Device Group Switches) and only setting it to Network Access = Radius & Nas-Port-Type = Ethernet...it started Running again!


Thanks you all for the professional help!

Hi Kadir

I'm happy to know that you are able know to authenticate the users!

Best regards

ldanny
Cisco Employee

If you want to match on dot1x connectivity you need to add the radius attribute


Radius:Service-Type = Framed

Radius Attribute Authentication type:

Framed-User (2) = 802.1X

Call-Check (10) = MAB

Outbound (5) = Wired WebAuth

HTH,

Danny

Hello Danny,

even when I add the Service-Type = Framed it uses the default policy...I have multiple Policy sets however it's only the "Access Wired" which is not being recognized for some reason...(see screenshot)

I would remove radius attributes first and try to match based on your device type only, perhaps even narrow it down to a specific device your endpoint is hanging off of , keep it to a minimum and simple just to make sure you hit the policy set at first.

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars


Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube