ISE Wired Guest Fallback Authorization for Non-domain Machines

TerenceLockette
Level 1

Hello all,

I have implemented EAP chaining using the AnyConnect NAM module for domain-joined machines, which is working as expected. What is not working is when I attempt to connect a non-domain computer to a port configured for dot1x and mab. The machine never connects and I don't even see the attempts in the logs. The non-domain machine does not have AnyConnect installed and would be equivalent to an employee bringing a personal machine into the office and connecting it to the wired network (i.e. no AnyConnect or internal certs). I feel like I'm missing something but can't figure it out. Here are some screenshots of my policy set:

[Screenshot 1: policy set]

[Screenshot 2: policy set]

Here is the switchport configuration:

interface GigabitEthernet1/0/1
 switchport mode access
 switchport nonegotiate
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast edge
 spanning-tree bpduguard enable


I have played around with the config in ISE and on the switch port by changing some settings to see if I can get it to work, but all have failed. For instance, in ISE, I've tried changing the order of the AuthC and AuthZ rules. On the switch, I've changed the authentication order and priority parameters around, but to no avail. Any assistance in the right direction would be greatly appreciated. Feel free to ask for any additional information.

Thanks!

Accepted Solution

Greg Gibbs
Cisco Employee

On your AuthC rule for MAB, you need to ensure that ISE allows the session to 'fall through' to the AuthZ process if the MAC address is not already in the endpoint database. This is done by setting the option 'If User not found = CONTINUE'.

[Screenshot: MAB authentication rule options, 'If User not found' set to CONTINUE]

In your AuthZ Policy, there is little value in having a separate rule for MAB since anything that is not matching your 802.1X rules is going to hit the default. When the Wired Guest use case is deployed, it's common to just set your Guest redirect rule as the result for the Default rule. You would then need an AuthZ rule above it that matches on the Guest flow (and optionally the Remember Me flow) and provides the resulting authorization.

See the ISE Guest Access Prescriptive Deployment Guide for more information on how the Guest flow works and example policies.
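To make the fall-through behaviour described in this answer concrete, here is an added example (not from the thread or from Cisco) that models how an ISE policy set evaluates an unknown MAC under each 'If User not found' setting, with a simplified AuthZ rule order of 802.1X EAP chaining, Guest flow, then Default = guest redirect. The endpoint database contents, rule names and the Session fields are assumptions.

```python
from dataclasses import dataclass

# Constructed endpoint database: only this MAC is a "known" endpoint in ISE.
KNOWN_MACS = {"00:11:22:33:44:55"}


@dataclass
class Session:
    method: str              # "dot1x" or "mab" (the switch's auth order)
    mac: str
    eap_chained: bool = False  # NAM EAP chaining succeeded (domain machine)
    guest_flow: bool = False   # endpoint already passed the Guest portal


def authc_mab(session, if_user_not_found):
    """MAB AuthC rule against the Internal Endpoints store.

    Returns 'AUTHZ' when the session may proceed to authorization,
    otherwise the configured failure action ('REJECT' or 'DROP').
    """
    if session.mac in KNOWN_MACS:
        return "AUTHZ"
    # Unknown MAC: CONTINUE is what lets a personal, non-domain machine
    # fall through to the AuthZ policy and reach the guest redirect.
    return "AUTHZ" if if_user_not_found == "CONTINUE" else if_user_not_found


def authz(session):
    """AuthZ rules evaluated top-down, first match wins (assumed order)."""
    if session.method == "dot1x" and session.eap_chained:
        return "PermitAccess"          # domain-joined machine + user
    if session.guest_flow:
        return "Guest_Permit"          # post-portal (or Remember Me) access
    return "Guest_Redirect"            # Default rule = web-auth redirect


def evaluate(session, if_user_not_found="REJECT"):
    """Run AuthC then AuthZ and return the final result for the session."""
    if session.method == "mab":
        outcome = authc_mab(session, if_user_not_found)
        if outcome != "AUTHZ":
            return outcome             # never reaches the AuthZ policy
    return authz(session)


if __name__ == "__main__":
    unknown = Session(method="mab", mac="de:ad:be:ef:00:01")
    print(evaluate(unknown, "REJECT"))    # REJECT: no fall-through
    print(evaluate(unknown, "CONTINUE"))  # Guest_Redirect: hits Default
```

Running it shows the same unknown MAC being rejected outright under REJECT but landing on the Default guest-redirect rule under CONTINUE.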

