04-15-2019 04:28 AM
Would appreciate it if someone could verify the switchport configuration I have for low-impact mode. My switch is running the Denali release. Do you see any issues with the below policy-map and classes? Also, what about service-template AUTH_SUCCESS, it's empty?
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
voice vlan
!
service-template CRITICAL_AUTH_ACCESS
vlan 100
!
service-template AUTH_SUCCESS
description Successful authentication
!
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
match result-type aaa-timeout
match authorization-status authorized
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
match result-type aaa-timeout
match authorization-status unauthorized
!
class-map type control subscriber match-all DOT1X_FAILED
match method dot1x
match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_NO_RESP
match method dot1x
match result-type method dot1x agent-not-found
!
class-map type control subscriber match-any IN_CRITICAL_AUTH
match activated-service-template CRITICAL_AUTH_ACCESS
match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
!
class-map type control subscriber match-all MAB_FAILED
match method mab
match result-type method mab authoritative
!
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
match activated-service-template CRITICAL_AUTH_ACCESS
match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
!
!
policy-map type control subscriber DOT1X
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x retries 2 retry-time 0 priority 10
20 authenticate using mab priority 20
event authentication-failure match-first
5 class DOT1X_FAILED do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
10 activate service-template CRITICAL_AUTH_ACCESS
20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
30 authorize
40 pause reauthentication
20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
10 pause reauthentication
20 authorize
30 class DOT1X_NO_RESP do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
40 class MAB_FAILED do-until-failure
10 terminate mab
20 authentication-restart 60
60 class always do-until-failure
10 terminate dot1x
20 terminate mab
30 authentication-restart 60
event agent-found match-all
10 class always do-until-failure
10 terminate mab
20 authenticate using dot1x retries 2 retry-time 0 priority 10
event aaa-available match-all
10 class IN_CRITICAL_AUTH do-until-failure
10 clear-session
20 class NOT_IN_CRITICAL_AUTH do-until-failure
10 resume reauthentication
event authentication-success match-all
10 class always do-until-failure
10 activate service-template AUTH_SUCCESS
event violation match-all
10 class always do-until-failure
10 restrict
On the interface:
dot1x timeout tx-period 10
dot1x max-reauth-req 3
I tried to get as much as I could from the Wired Access Prescriptive Deployment Guide and the older one, which I can't seem to find online any longer. However, there are some class configs such as:
class-map type control subscriber match-all DOT1X
class-map type control subscriber match-all DOT1X_MEDIUM_PRIO
class-map type control subscriber match-all MAB
class-map type control subscriber match-all DOT1X_TIMEOUT
which are not used in the policy-map (refer to the section "Configuring and Understanding the IBNS 2.0 Policy" in the above link). Are these required?
04-18-2019 04:04 PM
1st, if you're using ISE as your AAA server, Concurrent Authentication doesn't work, so having these two auth statements under event session-started doesn't help..
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x retries 2 retry-time 0 priority 10
20 authenticate using mab priority 20
2. 10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure..
For Low-Impact mode, you have a pre-auth ACL on the interface, so just activating the service templates for the Voice and Data VLANs doesn't help; you need to have a service template that pushes "permit ip any any"..
3. Refer to the below configuration..
ip access-list extended IPV4_CRITICAL_AUTH_ACL
permit ip any any
service-template DefaultCriticalAccess_SRV_TEMPLATE
access-group IPV4_CRITICAL_AUTH_ACL
service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
Vlan 100
service-template DefaultCriticalVoice_SRV_TEMPLATE
voice vlan
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
match authorization-status authorized
match result-type aaa-timeout
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
match authorization-status unauthorized
match result-type aaa-timeout
class-map type control subscriber match-all AUTHC_SUCCESS-AUTHZ_FAIL
match authorization-status unauthorized
match result-type success
class-map type control subscriber match-all DOT1X
match method dot1x
class-map type control subscriber match-all DOT1X_FAILED
match method dot1x
match result-type method dot1x authoritative
class-map type control subscriber match-all DOT1X_NO_RESP
match method dot1x
match result-type method dot1x agent-not-found
class-map type control subscriber match-all DOT1X_TIMEOUT
match method dot1x
match result-type method dot1x method-timeout
match result-type method-timeout
class-map type control subscriber match-any IN_CRITICAL_AUTH
match activated-service-template DefaultCriticalVoice_SRV_TEMPLATE
class-map type control subscriber match-any IN_CRITICAL_AUTH_CLOSED_MODE
match activated-service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
match activated-service-template DefaultCriticalVoice_SRV_TEMPLATE
class-map type control subscriber match-all MAB
match method mab
class-map type control subscriber match-all MAB_FAILED
match method mab
match result-type method mab authoritative
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
match activated-service-template DefaultCriticalVoice_SRV_TEMPLATE
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH_CLOSED_MODE
match activated-service-template DefaultCriticalAuthVlan_SRV_TEMPL
policy-map type control subscriber LowImpact-dot1X_MAB
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x retries 2 retry-time 0 priority 10
event authentication-failure match-first
5 class DOT1X_FAILED do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
10 activate service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
20 activate service-template DefaultCriticalVoice_SRV_TEMPLATE
25 activate service-template DefaultCriticalAccess_SRV_TEMPLATE
30 authorize
40 pause reauthentication
20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
10 pause reauthentication
20 authorize
30 class DOT1X_NO_RESP do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
40 class MAB_FAILED do-until-failure
10 terminate mab
20 authentication-restart 60
60 class always do-until-failure
10 terminate dot1x
20 terminate mab
30 authentication-restart 60
event aaa-available match-all
10 class IN_CRITICAL_AUTH do-until-failure
10 clear-session
20 class NOT_IN_CRITICAL_AUTH do-until-failure
10 resume reauthentication
event agent-found match-all
10 class always do-until-failure
10 terminate mab
20 authenticate using dot1x retries 2 retry-time 0 priority 10
event inactivity-timeout match-all
10 class always do-until-failure
10 clear-session
event authentication-success match-all
event violation match-all
10 class always do-until-failure
10 restrict
event authorization-failure match-all
10 class AUTHC_SUCCESS-AUTHZ_FAIL do-until-failure
10 authentication-restart 60
I hope this helps..
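The three issues raised in this thread (class-maps defined but never referenced by the policy-map, an AUTH_SUCCESS service-template that carries only a description, and a critical-auth branch that, in low-impact mode, activates no service-template with an access-group to lift the pre-auth ACL) can be checked mechanically before the config goes on a switch. The script below is an added example, not part of this thread and not Cisco tooling; it parses a constructed IOS excerpt modelled on the configs above (template, class and ACL names are taken from the posts) and reports those conditions. It understands only the IBNS 2.0 constructs shown here: service-templates, control subscriber class-maps, and "activate service-template" actions in a policy-map.

```python
# Added example: a small lint for IBNS 2.0 low-impact policies (not Cisco tooling).
# Constructed sample: the question's config plus the answer's ACL and template.
SAMPLE_CONFIG = """
ip access-list extended IPV4_CRITICAL_AUTH_ACL
 permit ip any any
!
service-template DefaultCriticalAccess_SRV_TEMPLATE
 access-group IPV4_CRITICAL_AUTH_ACL
!
service-template CRITICAL_AUTH_ACCESS
 vlan 100
!
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan
!
service-template AUTH_SUCCESS
 description Successful authentication
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
!
class-map type control subscriber match-all DOT1X_TIMEOUT
 match method dot1x
!
policy-map type control subscriber DOT1X
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL_AUTH_ACCESS
   20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   30 authorize
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template AUTH_SUCCESS
"""
# Same config with the answer's fix: also activate the permit-any template in critical auth.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "30 authorize",
    "25 activate service-template DefaultCriticalAccess_SRV_TEMPLATE\n   30 authorize")


def parse_ibns_config(text):
    """Return (templates, class_maps, activations):
    templates   -> {name: [first keyword of each body line]}
    class_maps  -> set of class-map names defined
    activations -> {class named in the policy-map: [service-templates it activates]}"""
    templates, class_maps, activations = {}, set(), {}
    section, current_class = None, None        # section = (kind, name) of current block
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == '!':
            continue
        if words[0] == 'service-template':
            section, templates[words[1]] = ('template', words[1]), []
        elif words[0] == 'class-map' and 'subscriber' in words:
            section = ('class-map', words[-1])
            class_maps.add(words[-1])
        elif words[0] == 'policy-map' and 'subscriber' in words:
            section, current_class = ('policy', words[-1]), None
        elif words[:2] == ['ip', 'access-list']:
            section = ('acl', words[-1])
        elif section and section[0] == 'template':
            templates[section[1]].append(words[0])   # e.g. vlan, voice, access-group, description
        elif section and section[0] == 'policy':
            if words[0] == 'event':
                current_class = None
            elif len(words) >= 3 and words[1] == 'class':      # "10 class NAME do-until-failure"
                current_class = words[2]
                activations.setdefault(current_class, [])
            elif current_class and len(words) >= 4 and words[1:3] == ['activate', 'service-template']:
                activations[current_class].append(words[3])
    return templates, class_maps, activations


def lint_low_impact(text):
    """List the problems discussed in the thread as human-readable findings."""
    templates, class_maps, activations = parse_ibns_config(text)
    findings = []
    for name in sorted(class_maps - set(activations)):
        findings.append(f"class-map {name} is defined but never referenced by the policy-map")
    for cls, tmpls in activations.items():
        for t in tmpls:
            if t not in templates:
                findings.append(f"class {cls} activates undefined service-template {t}")
            elif all(attr == 'description' for attr in templates[t]):
                findings.append(f"class {cls} activates {t}, which sets nothing but a description")
    # Low-impact mode keeps the pre-auth ACL on the port, so the critical-auth branch must
    # activate a template carrying an access-group; otherwise the ACL stays in force.
    crit = activations.get('AAA_SVR_DOWN_UNAUTHD_HOST', [])
    if crit and not any('access-group' in templates.get(t, []) for t in crit):
        findings.append("AAA_SVR_DOWN_UNAUTHD_HOST activates no service-template with an "
                        "access-group; the pre-auth ACL remains during critical auth")
    return findings
```

Running lint_low_impact(SAMPLE_CONFIG) reports the unused DOT1X_TIMEOUT class-map, the description-only AUTH_SUCCESS template and the missing access-group in the critical-auth branch; lint_low_impact(FIXED_CONFIG) drops the last finding once DefaultCriticalAccess_SRV_TEMPLATE is activated. Paste a real "show running-config" excerpt in place of the constructed sample to check a switch's own policy.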
04-15-2019 05:08 AM
Hi,
You need to have the following global configurations:
dot1x system-auth-control
dot1x critical eapol
aaa group server radius ISE
 server name ISE01
 server name ISE02
 ip radius source-interface Vlan254
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting Identity default start-stop group ISE
aaa accounting update newinfo periodic 2880
Change the source-interface VLAN as necessary. You can also change the group name if you like.
As for the interface configurations, you'll need these in addition to what you've shared:
authentication periodic
authentication timer reauthenticate server
(or: authentication timer reauthenticate <seconds>)
access-session port-control auto
Any class-maps not used by IBNS are unnecessary. Sometimes there are some class-maps that can't be deleted, if that's the case then they are harmless.
04-15-2019 07:12 AM
Hi Nadav,
Thanks for the response. I have the rest of the config which should be fine. I was in particular interested in the class-maps and policy-map config.
What about service-template AUTH_SUCCESS, does something need to be configured in it?
04-17-2019 12:07 AM
Well, if you only leave it as a description it won't do anything. Unless you plan on using it for easier readability in debugging.
04-17-2019 06:34 AM
I'm not sure why you put it in there to begin with, if you're interested in working according to the prescriptive deployment guide you linked then you should be consistent.
There is an example of a policy-map there for port authentication, it didn't use any such service template.
The policy-map ended with:
event inactivity-timeout match-all
 10 class always do-until-failure
  10 clear-session
event authentication-success match-all
event violation match-all
 10 class always do-until-failure
  10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
You can change the policy-map to suit your needs. No need to add class-maps and service templates you have no intention of using.
04-17-2019 07:55 AM
The prescriptive guide has that service template under event authentication-success; it's called "DEFAULT_LINKSEC_POLICY_SHOULD_SECURE", but there are no details on this service-template. And I could not find any reference in Cisco or other documentation to what is meant to be configured in this service-template. The comment next to it in the prescriptive guide just says "with successful authentication, activate service-template with full access". I have a pre-auth ACL on my dot1x interfaces and access depends on what type of device has authenticated, where a dACL is pushed down or a VLAN change is done. Hence it's confusing what the authentication-success event and its service-template (DEFAULT_LINKSEC_POLICY_SHOULD_SECURE) are meant to do?
The service-template on my config is just called a different name (AUTH_SUCCESS) instead of DEFAULT_LINKSEC_POLICY_SHOULD_SECURE.
11-05-2019 07:16 PM
@mnagired wrote: 1st, if you're using ISE as your AAA server, Concurrent Authentication doesn't work, so having these two auth statements under event session-started doesn't help..
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x retries 2 retry-time 0 priority 10
20 authenticate using mab priority 20
This is not correct. We are using ISE 2.4 with IBNS2 policy and have been using concurrent authentication for several years. Most desktop PCs will pass authentication for MAB immediately, with dot1x sometimes taking a few seconds longer. Given dot1x has a higher priority, it will override the MAB auth.