cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
725
Views
5
Helpful
9
Replies

ISE v2.3 Location base MAB Authentication

Jason Weids
Beginner
Beginner

Hi,

 

We are having difficulty setting a policy to authenticate known devices based on location & MAC address in ISE v2.3.

I have created a network device group called "test" which I have my test 3650 switch in & an endpoint identity group called computing which has a few MAC addresses added for testing.

 

My policy set condition is set to use device location "test group" & radius flow type = WiredMAB with the default authentication policy set to use internal endpoints.

 

Here is my interface config;

 

interface GigabitEthernet1/0/2
switchport access vlan 400
switchport mode access
switchport voice vlan 108
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 2
spanning-tree portfast
end

 

 

Below is the AAA config;

 

aaa new-model
!
!
aaa group server radius ISE-RADIUS
server name NPLNX-ISE1
deadtime 15
!
aaa group server tacacs+ ISE-SERVERS
server name NPLNX-ISE1
!
aaa authentication login CON group ISE-SERVERS local
aaa authentication login VTY group ISE-SERVERS local
aaa authentication enable default group ISE-SERVERS enable
aaa authentication dot1x default group ISE-RADIUS
aaa authorization console
aaa authorization config-commands
aaa authorization exec CON none
aaa authorization exec VTY group ISE-SERVERS local if-authenticated
aaa authorization commands 1 VTY group ISE-SERVERS local if-authenticated
aaa authorization commands 15 VTY group ISE-SERVERS local if-authenticated
aaa authorization network default group ISE-RADIUS
aaa authorization network auth-list group ISE-RADIUS
aaa accounting update periodic 10
aaa accounting dot1x default start-stop group ISE-RADIUS
aaa accounting exec default start-stop group ISE-SERVERS
aaa accounting commands 1 default start-stop group ISE-SERVERS
aaa accounting commands 15 default start-stop group ISE-SERVERS
aaa accounting system default start-stop group ISE-RADIUS
!

 

Authentication is not matching the policy or authorising the devices.

 

NPSYG01-A-3#sh authentication sessions
Interface MAC Address Method Domain Status Fg Session ID
--------------------------------------------------------------------------------------------
Gi1/0/2 7486.7a2c.5342 N/A UNKNOWN Unauth 00000000000000725E807E2B

Session count = 1

Key to Session Events Blocked Status Flags:

A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker

NPSYG01-A-3#

 

Any help appreciated.

 

 

 

9 REPLIES 9

Rob Ingram
VIP Expert VIP Expert
VIP Expert
Hi,
Can you provide a screenshot of the ISE logs when authentication/authorization fails please?

Hi,

 

We are not getting any authentication fail logs in ISE, I am not sure if the switch & interface config is set right but there is no data in the logs.

 

thanks

Ok, can you screenshot a successful authentication/authorization just so I can have a look and see what it does match please?

With an endpoint authenticated can you upload the output of "show authentication sessions interface gig 1/0/2" < or whatever interface you are using.

Can you screenshot the authorization policy, only saw the authentication policy section previously.

ta

Hi, we have no successful authentication/authorisations in the logs at all accept for TACACS. There is nothing in the RADIUS logs. 

 

NPSYG01-A-3#sh authentication sessions
Interface MAC Address Method Domain Status Fg Session ID
--------------------------------------------------------------------------------------------
Gi1/0/2 7486.7a2c.5342 N/A UNKNOWN Unauth 00000000000000A45EB4FCC9

Session count = 1

I should add we have no working policies yet as we are working in a test environment & have not deployed across campus yet.

Ok, so you've not yet got any authentications working?

Can you show the output for "show aaa servers"?
Is dot1x enabled globally "dot1x system-auth-control"
Have you defined in ISE the NAD (the switch ip address) with the RADIUS shared secret?

I'm getting no output from the show aaa servers.

 

dot1x system-auth-control is configured globally. The RADIUS shared secret is defined in the network device in ISE.

In that case what is the configuration of NPLNX-ISE1?

Thanks for that. I was missing the radius global config. It is now authenticating, matching the policy set & reassigning the VLAN based on the authorisation profile.

 

 

 

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: