ISE v2.3 Location base MAB Authentication

Jason Weids
Level 1

Hi,

We are having difficulty setting a policy to authenticate known devices based on location & MAC address in ISE v2.3.

I have created a network device group called "test" which I have my test 3650 switch in & an endpoint identity group called computing which has a few MAC addresses added for testing.

My policy set condition is set to use device location "test group" & radius flow type = WiredMAB with the default authentication policy set to use internal endpoints.

Here is my interface config:

interface GigabitEthernet1/0/2
switchport access vlan 400
switchport mode access
switchport voice vlan 108
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 2
spanning-tree portfast
end

Below is the AAA config:

aaa new-model
!
!
aaa group server radius ISE-RADIUS
server name NPLNX-ISE1
deadtime 15
!
aaa group server tacacs+ ISE-SERVERS
server name NPLNX-ISE1
!
aaa authentication login CON group ISE-SERVERS local
aaa authentication login VTY group ISE-SERVERS local
aaa authentication enable default group ISE-SERVERS enable
aaa authentication dot1x default group ISE-RADIUS
aaa authorization console
aaa authorization config-commands
aaa authorization exec CON none
aaa authorization exec VTY group ISE-SERVERS local if-authenticated
aaa authorization commands 1 VTY group ISE-SERVERS local if-authenticated
aaa authorization commands 15 VTY group ISE-SERVERS local if-authenticated
aaa authorization network default group ISE-RADIUS
aaa authorization network auth-list group ISE-RADIUS
aaa accounting update periodic 10
aaa accounting dot1x default start-stop group ISE-RADIUS
aaa accounting exec default start-stop group ISE-SERVERS
aaa accounting commands 1 default start-stop group ISE-SERVERS
aaa accounting commands 15 default start-stop group ISE-SERVERS
aaa accounting system default start-stop group ISE-RADIUS
!

Authentication is not matching the policy or authorising the devices.

NPSYG01-A-3#sh authentication sessions
Interface    MAC Address      Method  Domain   Status   Fg  Session ID
--------------------------------------------------------------------------------------------
Gi1/0/2      7486.7a2c.5342   N/A     UNKNOWN  Unauth       00000000000000725E807E2B

Session count = 1

Key to Session Events Blocked Status Flags:

A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker

NPSYG01-A-3#

Any help appreciated.

9 Replies

Hi,
Can you provide a screenshot of the ISE logs when authentication/authorization fails please?

Hi,

We are not getting any authentication fail logs in ISE, I am not sure if the switch & interface config is set right but there is no data in the logs.

thanks

Ok, can you screenshot a successful authentication/authorization just so I can have a look and see what it does match please?

With an endpoint authenticated can you upload the output of "show authentication sessions interface gig 1/0/2" < or whatever interface you are using.

Can you screenshot the authorization policy, only saw the authentication policy section previously.

ta

Hi, we have no successful authentication/authorisations in the logs at all except for TACACS. There is nothing in the RADIUS logs.

NPSYG01-A-3#sh authentication sessions
Interface    MAC Address      Method  Domain   Status   Fg  Session ID
--------------------------------------------------------------------------------------------
Gi1/0/2      7486.7a2c.5342   N/A     UNKNOWN  Unauth       00000000000000A45EB4FCC9

Session count = 1

I should add we have no working policies yet as we are working in a test environment & have not deployed across campus yet.

Ok, so you've not yet got any authentications working?

Can you show the output for "show aaa servers"?
Is dot1x enabled globally ("dot1x system-auth-control")?
Have you defined in ISE the NAD (the switch ip address) with the RADIUS shared secret?

I'm getting no output from the show aaa servers.

dot1x system-auth-control is configured globally. The RADIUS shared secret is defined in the network device in ISE.

In that case what is the configuration of NPLNX-ISE1?

Thanks for that. I was missing the radius global config. It is now authenticating, matching the policy set & reassigning the VLAN based on the authorisation profile.
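For anyone hitting the same symptom (session stuck at Method N/A / Status Unauth, empty "show aaa servers", nothing in the ISE RADIUS live logs), the piece the thread found missing is the global definition that the "server name NPLNX-ISE1" lines in the AAA group point at. The block below is an added example, not the original poster's configuration; <ISE_IP>, <SHARED_SECRET> and <MGMT_VLAN> are placeholders that must match the NAD entry created in ISE.

```cisco
! Added example (not the poster's config): the global RADIUS server object
! referenced by "server name NPLNX-ISE1" under "aaa group server radius ISE-RADIUS".
! Without it the group has no reachable member, so no Access-Request ever leaves
! the switch and ISE shows no RADIUS activity at all.
radius server NPLNX-ISE1
 address ipv4 <ISE_IP> auth-port 1812 acct-port 1813
 key <SHARED_SECRET>
!
! Source RADIUS from the interface whose address is registered as the NAD in ISE,
! otherwise ISE drops the request as coming from an unknown network device.
ip radius source-interface Vlan<MGMT_VLAN>
!
! Let ISE send Change of Authorization (needed for re-auth / VLAN reassignment pushes).
aaa server radius dynamic-author
 client <ISE_IP> server-key <SHARED_SECRET>
!
! Send the attributes ISE uses to classify the flow as Wired MAB / Wired 802.1X.
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send authentication
radius-server vsa send accounting
!
! Verification after the change:
!   show aaa servers                       -> the server is listed, with request/response counters
!   show authentication sessions interface GigabitEthernet1/0/2 details
!                                          -> Method mab, Status Auth, VLAN from the authorisation profile
```

If "show aaa servers" still returns nothing, check that the group name under "aaa authentication dot1x default group ..." matches the group that contains the server.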
