cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
970
Views
0
Helpful
4
Replies

Issue Handling Dot1x Failures with CPL

paul
Level 10
Level 10

I am having a strange issue that I can't explain why CPL is not handling correctly.  We are rolling out ISE in closed mode with CPL.  If the devices happens to have the Wired Auth service enabled the device will briefly get let on with my MAB catch all rule, but then Dot1x will fail and the device will get blocked.  The client is not trusting the ISE server which is expected as we haven't rolled out any GPO policies yet.

So the client sees this:

Windows Cert Prompt.png

If the client hits "Connect" the switch will stop Dot1x as expected and the device will stay on the network via my MAB catch all rule. 

If the client hits "Don't connect", hits the X to close out the window or doesn't respond the prompt the switch auth will initially look like this:

SC-A29-A116#show access-session int gig 2/13 det

            Interface:  GigabitEthernet2/13

          MAC Address:  a44c.c8e9.33b8

         IPv6 Address:  Unknown

         IPv4 Address:  10.12.29.107

            User-Name:  A4-4C-C8-E9-33-B8

               Status:  Authorized

               Domain:  DATA

       Oper host mode:  multi-auth

     Oper control dir:  in

      Session timeout:  65000s (server), Remaining: 64970s

       Timeout action:  Reauthenticate

      Restart timeout:  N/A

Periodic Acct timeout:  N/A

    Common Session ID:  0A0C0074000003C952FB4EAC

      Acct Session ID:  0x0000B761

               Handle:  0x310002CA

       Current Policy:  ISE_AUTH


Local Policies:


Server Policies:

              ACS ACL:  xACSACLx-IP-Wired_Monitor_Hostname_Exists_In_AD-5adf88eb



Method status list:

       Method           State


       dot1x            Running

       mab              Stopped


The MAB rule is still in effect and I can ping the device. Eventually the Dot1x will fail and it goes to this:


            Interface:  GigabitEthernet2/13

          MAC Address:  a44c.c8e9.33b8

         IPv6 Address:  Unknown

         IPv4 Address:  10.12.29.107

            User-Name:  host/xyx.company.com

               Status:  Unauthorized

               Domain:  DATA

       Oper host mode:  multi-auth

     Oper control dir:  in

      Session timeout:  N/A

      Restart timeout:  N/A

Periodic Acct timeout:  N/A

    Common Session ID:  0A0C0074000003C752F8FE5C

      Acct Session ID:  0x0000B749

               Handle:  0x270002C8

       Current Policy:  ISE_AUTH



Local Policies:


Method status list:

       Method           State


       dot1x            Authc Failed

       mab              Stopped

At this point the user has no access to the network because we are in closed mode.    The switch correctly logs the Auth fail:

May 18 14:08:24.380 EDT: %DOT1X-5-FAIL: Authentication failed for client (a44c.c8e9.33b8) on Interface Gi2/13 AuditSessionID 0A0C0074000003C752F8FE5C

My CPL accounts for Dot1x fail but it doesn't seem to be kicking in after this type of Dot1x fail:

!

!***CPL***

!

ip access-list extended PERMIT_ANY

  permit ip any any

!

service-template CRITICAL_ACCESS

  description Apply when ISE is unavailable to permit traffic and allow voice vlan

  access-group PERMIT_ANY

  voice vlan

!

class-map type control subscriber match-all AAA_DOWN_UNAUTHD_HOST

  match result-type aaa-timeout

  match authorization-status unauthorized

!

class-map type control subscriber match-all AAA_DOWN_AUTHD_HOST

  match result-type aaa-timeout

  match authorization-status authorized

!

class-map type control subscriber match-all DOT1X_FAILED

  match method dot1x

  match result-type method dot1x authoritative

!

class-map type control subscriber match-any IN_CRITICAL_AUTH

  match activated-service-template CRITICAL_ACCESS

!

class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH

  match activated-service-template CRITICAL-ACCESS

!

policy-map type control subscriber ISE_AUTH

  event session-started match-all

    10 class always do-all

      10 authenticate using dot1x priority 10

      20 authenticate using mab priority 20

  event violation match-all

    10 class always do-all

      10 restrict

  event agent-found match-all

    10 class always do-all

  10 terminate mab

      20 authenticate using dot1x priority 10

  event authentication-failure match-first

    10 class AAA_DOWN_UNAUTHD_HOST do-until-failure

  10 activate service-template CRITICAL_ACCESS

  20 authorize

  30 pause reauthentication

  40 terminate dot1x

  50 terminate mab

20 class AAA_DOWN_AUTHD_HOST do-until-failure

  10 pause reauthentication

  20 authorize

    30 class DOT1X_FAILED do-all

  10 terminate dot1x

      20 authenticate using mab priority 20

  event aaa-available match-all

10 class IN_CRITICAL_AUTH do-until-failure

  10 clear-session

20 class NOT_IN_CRITICAL_AUTH do-until-failure

  10 resume reauthentication

The Dot1x fail definitely works if the client is not running Dot1x at all, but doesn't seem to work in this case.

Is this working as designed?  The legacy ISE template doesn't have this issue.

I am probably going to open a TAC case, but wanted to post here as well.

4 Replies 4

kvenkata1
Cisco Employee
Cisco Employee

Hi Paul,

On the switch C3PL configuration - Did you configure it from scratch or converted from a working IBNS 1.0 configuration? If it is the former, I would try the conversion option as documented in page 2.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ibns/configuration/xe-3se/3850/ibns-xe-3se-3850-book/san-cntrl-pol.pdf

If you have already tried the conversion option please work with TAC for a resolution.

- Krish

It is from scratch starting with the original 3850 CPL document and adding in components of IBNS 2.0. These are all fresh installs that we converted to new-style before any configuration was applied.

Ahh I think I figured it out and probably something that should be added to the IBNS template. The switch was treating it as a dot1x timeout and not triggering the failure. I had to add this:

class-map type control subscriber match-all DOT1X_TIMEOUT

match method dot1x

match result-type method-timeout

!

policy-map type control subscriber ISE_AUTH

event session-started match-all

10 class always do-all

10 authenticate using dot1x priority 10

20 authenticate using mab priority 20

event violation match-all

10 class always do-all

10 restrict

event agent-found match-all

10 class always do-all

10 terminate mab

20 authenticate using dot1x priority 10

event authentication-failure match-first

10 class AAA_DOWN_UNAUTHD_HOST do-until-failure

10 activate service-template CRITICAL_ACCESS

20 authorize

30 pause reauthentication

40 terminate mab

50 terminate dot1x

20 class AAA_DOWN_AUTHD_HOST do-until-failure

10 pause reauthentication

20 authorize

30 class DOT1X_FAILED do-all

10 terminate dot1x

20 authenticate using mab priority 20

40 class DOT1X_TIMEOUT do-all

10 terminate dot1x

20 authenticate using mab priority 20

I am going to do more testing but that seemed to work nicely.

Great! I am glad it worked out. Please reach to TAC if you need any further assistance.

- Krish