ISE v2.3 Location base MAB Authentication

Jason Weids
Level 1
Hi,

We are having difficulty setting a policy to authenticate known devices based on location & MAC address in ISE v2.3.

I have created a network device group called "test", which contains my test 3650 switch, and an endpoint identity group called "computing", which has a few MAC addresses added for testing.


My policy set condition is set to use device location "test group" & radius flow type = WiredMAB with the default authentication policy set to use internal endpoints.


Here is my interface config:

interface GigabitEthernet1/0/2
 switchport access vlan 400
 switchport mode access
 switchport voice vlan 108
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 2
 spanning-tree portfast
end

Below is the AAA config:

aaa new-model
!
!
aaa group server radius ISE-RADIUS
 server name NPLNX-ISE1
 deadtime 15
!
aaa group server tacacs+ ISE-SERVERS
 server name NPLNX-ISE1
!
aaa authentication login CON group ISE-SERVERS local
aaa authentication login VTY group ISE-SERVERS local
aaa authentication enable default group ISE-SERVERS enable
aaa authentication dot1x default group ISE-RADIUS
aaa authorization console
aaa authorization config-commands
aaa authorization exec CON none
aaa authorization exec VTY group ISE-SERVERS local if-authenticated
aaa authorization commands 1 VTY group ISE-SERVERS local if-authenticated
aaa authorization commands 15 VTY group ISE-SERVERS local if-authenticated
aaa authorization network default group ISE-RADIUS
aaa authorization network auth-list group ISE-RADIUS
aaa accounting update periodic 10
aaa accounting dot1x default start-stop group ISE-RADIUS
aaa accounting exec default start-stop group ISE-SERVERS
aaa accounting commands 1 default start-stop group ISE-SERVERS
aaa accounting commands 15 default start-stop group ISE-SERVERS
aaa accounting system default start-stop group ISE-RADIUS
!


Authentication is not matching the policy or authorising the devices.


NPSYG01-A-3#sh authentication sessions
Interface MAC Address Method Domain Status Fg Session ID
--------------------------------------------------------------------------------------------
Gi1/0/2 7486.7a2c.5342 N/A UNKNOWN Unauth 00000000000000725E807E2B

Session count = 1

Key to Session Events Blocked Status Flags:

A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker

NPSYG01-A-3#


Any help appreciated.

9 Replies

Hi,
Can you provide a screenshot of the ISE logs when authentication/authorization fails please?

Hi,

We are not getting any authentication fail logs in ISE. I am not sure if the switch and interface config is set right, but there is no data in the logs.

Thanks

Ok, can you screenshot a successful authentication/authorization just so I can have a look and see what it does match please?

With an endpoint authenticated, can you upload the output of "show authentication sessions interface gig 1/0/2" (or whatever interface you are using)?

Can you screenshot the authorization policy? I only saw the authentication policy section previously.

ta

Hi, we have no successful authentication/authorisations in the logs at all except for TACACS. There is nothing in the RADIUS logs.

NPSYG01-A-3#sh authentication sessions
Interface MAC Address Method Domain Status Fg Session ID
--------------------------------------------------------------------------------------------
Gi1/0/2 7486.7a2c.5342 N/A UNKNOWN Unauth 00000000000000A45EB4FCC9

Session count = 1

I should add that we have no working policies yet, as we are working in a test environment and have not deployed across campus yet.

Ok, so you've not yet got any authentications working?

Can you show the output for "show aaa servers"?
Is dot1x enabled globally ("dot1x system-auth-control")?
Have you defined the NAD (the switch IP address) in ISE with the RADIUS shared secret?

I'm getting no output from "show aaa servers".

dot1x system-auth-control is configured globally. The RADIUS shared secret is defined in the network device in ISE.

In that case what is the configuration of NPLNX-ISE1?

Thanks for that. I was missing the radius global config. It is now authenticating, matching the policy set & reassigning the VLAN based on the authorisation profile.
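The root cause in this thread is easy to miss when reading a config by eye: the `aaa group server radius ISE-RADIUS` block names `NPLNX-ISE1`, but the posted config has no global `radius server NPLNX-ISE1` definition, so the switch had nowhere to send RADIUS, ISE logged nothing, and the session sat in Unauth with Method N/A. The Python linter below is an added example, not code from the thread or from Cisco. It parses a pasted IOS AAA config and reports every group member that has no matching `radius server` / `tacacs server` block, or whose block lacks an address or a key. The sample configs are constructed from the AAA lines posted above; the address 192.0.2.10 and the key placeholders are assumptions, and the `tacacs server` block is assumed to have existed (TACACS was working) even though it was not in the paste.

```python
"""Lint a pasted Cisco IOS AAA config for the fault found in this thread: an
'aaa group server radius' block naming a server that is never defined with a
global 'radius server <name>' block. Without that definition the switch has
nowhere to send RADIUS, so ISE logs nothing and sessions sit in Unauth / N/A.
Added example, not code from the thread or from Cisco; the legacy
'radius-server host' syntax is not handled."""
import re
from typing import Dict, List, Set, Tuple

GROUP_RE = re.compile(r"^aaa group server (radius|tacacs\+) (\S+)$")
SERVER_RE = re.compile(r"^(radius|tacacs) server (\S+)$")
MEMBER_RE = re.compile(r"^server name (\S+)$")
GROUP_SUB = ("deadtime", "ip ", "load-balance", "server-private")
SERVER_SUB = ("address ", "key ", "timeout", "retransmit", "automate-tester")

Groups = Dict[Tuple[str, str], List[str]]   # (proto, group) -> member server names
Servers = Dict[Tuple[str, str], Set[str]]   # (proto, server) -> sub-commands seen


def parse(config: str) -> Tuple[Groups, Servers]:
    """Collect server groups and global server definitions. Lines are stripped
    first, since configs pasted into forums usually lose IOS's indentation."""
    groups: Groups = {}
    servers: Servers = {}
    ctx = None  # ("group", key) or ("server", key) while inside a block
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            ctx = None
            continue
        if m := GROUP_RE.match(line):
            key = (m.group(1).rstrip("+"), m.group(2))
            groups[key], ctx = [], ("group", key)
        elif m := SERVER_RE.match(line):
            key = (m.group(1), m.group(2))
            servers[key], ctx = set(), ("server", key)
        elif ctx and ctx[0] == "group":
            if m := MEMBER_RE.match(line):
                groups[ctx[1]].append(m.group(1))
            elif not line.startswith(GROUP_SUB):
                ctx = None  # an unrelated top-level command closes the block
        elif ctx and ctx[0] == "server":
            if line.startswith(SERVER_SUB):
                servers[ctx[1]].add(line.split()[0])
            else:
                ctx = None
    return groups, servers


def find_issues(config: str) -> List[str]:
    """One finding per dangling or incomplete server reference; [] when clean."""
    groups, servers = parse(config)
    issues: List[str] = []
    for (proto, gname), members in groups.items():
        if not members:
            issues.append(f"{proto} group {gname} has no member servers")
        for name in members:
            seen = servers.get((proto, name))
            if seen is None:
                issues.append(f"{proto} group {gname} references '{name}' but no "
                              f"'{proto} server {name}' block is defined")
                continue
            if "address" not in seen:
                issues.append(f"{proto} server {name} has no address")
            if "key" not in seen:
                issues.append(f"{proto} server {name} has no shared-secret key")
    return issues


# Constructed sample built from the AAA lines posted in the thread. The
# 'tacacs server' block is assumed (TACACS was working); address and key
# values are placeholders, not values from the thread.
BROKEN_CONFIG = """\
aaa new-model
!
aaa group server radius ISE-RADIUS
 server name NPLNX-ISE1
 deadtime 15
!
aaa group server tacacs+ ISE-SERVERS
 server name NPLNX-ISE1
!
aaa authentication dot1x default group ISE-RADIUS
aaa authorization network default group ISE-RADIUS
!
tacacs server NPLNX-ISE1
 address ipv4 192.0.2.10
 key <TACACS-SECRET-PLACEHOLDER>
!
dot1x system-auth-control
"""

# The fix the poster found: the missing global 'radius server' definition.
FIXED_CONFIG = BROKEN_CONFIG + """\
radius server NPLNX-ISE1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <RADIUS-SECRET-PLACEHOLDER>
!
"""

if __name__ == "__main__":
    for label, cfg in (("before", BROKEN_CONFIG), ("after", FIXED_CONFIG)):
        print(f"{label}: {find_issues(cfg) or ['no issues']}")
```

Run against the "before" config it reports the single dangling `radius` reference that caused the empty ISE logs; against the "after" config it reports nothing. Checking the tacacs+ group the same way is why the working TACACS logins in the thread did not point at the problem: that group's server definition existed, only the RADIUS one was missing.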