05-18-2018 11:19 AM
I am having a strange issue that I can't explain why CPL is not handling correctly. We are rolling out ISE in closed mode with CPL. If the devices happens to have the Wired Auth service enabled the device will briefly get let on with my MAB catch all rule, but then Dot1x will fail and the device will get blocked. The client is not trusting the ISE server which is expected as we haven't rolled out any GPO policies yet.
So the client sees this:
If the client hits "Connect" the switch will stop Dot1x as expected and the device will stay on the network via my MAB catch all rule.
If the client hits "Don't connect", hits the X to close out the window or doesn't respond the prompt the switch auth will initially look like this:
SC-A29-A116#show access-session int gig 2/13 det
Interface: GigabitEthernet2/13
MAC Address: a44c.c8e9.33b8
IPv6 Address: Unknown
IPv4 Address: 10.12.29.107
User-Name: A4-4C-C8-E9-33-B8
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: in
Session timeout: 65000s (server), Remaining: 64970s
Timeout action: Reauthenticate
Restart timeout: N/A
Periodic Acct timeout: N/A
Common Session ID: 0A0C0074000003C952FB4EAC
Acct Session ID: 0x0000B761
Handle: 0x310002CA
Current Policy: ISE_AUTH
Local Policies:
Server Policies:
ACS ACL: xACSACLx-IP-Wired_Monitor_Hostname_Exists_In_AD-5adf88eb
Method status list:
Method State
dot1x Running
mab Stopped
The MAB rule is still in effect and I can ping the device. Eventually the Dot1x will fail and it goes to this:
Interface: GigabitEthernet2/13
MAC Address: a44c.c8e9.33b8
IPv6 Address: Unknown
IPv4 Address: 10.12.29.107
User-Name: host/xyx.company.com
Status: Unauthorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: in
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: N/A
Common Session ID: 0A0C0074000003C752F8FE5C
Acct Session ID: 0x0000B749
Handle: 0x270002C8
Current Policy: ISE_AUTH
Local Policies:
Method status list:
Method State
dot1x Authc Failed
mab Stopped
At this point the user has no access to the network because we are in closed mode. The switch correctly logs the Auth fail:
May 18 14:08:24.380 EDT: %DOT1X-5-FAIL: Authentication failed for client (a44c.c8e9.33b8) on Interface Gi2/13 AuditSessionID 0A0C0074000003C752F8FE5C
My CPL accounts for Dot1x fail but it doesn't seem to be kicking in after this type of Dot1x fail:
!
!***CPL***
!
ip access-list extended PERMIT_ANY
permit ip any any
!
service-template CRITICAL_ACCESS
description Apply when ISE is unavailable to permit traffic and allow voice vlan
access-group PERMIT_ANY
voice vlan
!
class-map type control subscriber match-all AAA_DOWN_UNAUTHD_HOST
match result-type aaa-timeout
match authorization-status unauthorized
!
class-map type control subscriber match-all AAA_DOWN_AUTHD_HOST
match result-type aaa-timeout
match authorization-status authorized
!
class-map type control subscriber match-all DOT1X_FAILED
match method dot1x
match result-type method dot1x authoritative
!
class-map type control subscriber match-any IN_CRITICAL_AUTH
match activated-service-template CRITICAL_ACCESS
!
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
match activated-service-template CRITICAL-ACCESS
!
policy-map type control subscriber ISE_AUTH
event session-started match-all
10 class always do-all
10 authenticate using dot1x priority 10
20 authenticate using mab priority 20
event violation match-all
10 class always do-all
10 restrict
event agent-found match-all
10 class always do-all
10 terminate mab
20 authenticate using dot1x priority 10
event authentication-failure match-first
10 class AAA_DOWN_UNAUTHD_HOST do-until-failure
10 activate service-template CRITICAL_ACCESS
20 authorize
30 pause reauthentication
40 terminate dot1x
50 terminate mab
20 class AAA_DOWN_AUTHD_HOST do-until-failure
10 pause reauthentication
20 authorize
30 class DOT1X_FAILED do-all
10 terminate dot1x
20 authenticate using mab priority 20
event aaa-available match-all
10 class IN_CRITICAL_AUTH do-until-failure
10 clear-session
20 class NOT_IN_CRITICAL_AUTH do-until-failure
10 resume reauthentication
The Dot1x fail definitely works if the client is not running Dot1x at all, but doesn't seem to work in this case.
Is this working as designed? The legacy ISE template doesn't have this issue.
I am probably going to open a TAC case, but wanted to post here as well.
05-18-2018 02:41 PM
Hi Paul,
On the switch C3PL configuration - Did you configure it from scratch or converted from a working IBNS 1.0 configuration? If it is the former, I would try the conversion option as documented in page 2.
If you have already tried the conversion option please work with TAC for a resolution.
- Krish
05-18-2018 03:20 PM
It is from scratch starting with the original 3850 CPL document and adding in components of IBNS 2.0. These are all fresh installs that we converted to new-style before any configuration was applied.
05-18-2018 03:54 PM
Ahh I think I figured it out and probably something that should be added to the IBNS template. The switch was treating it as a dot1x timeout and not triggering the failure. I had to add this:
class-map type control subscriber match-all DOT1X_TIMEOUT
match method dot1x
match result-type method-timeout
!
policy-map type control subscriber ISE_AUTH
event session-started match-all
10 class always do-all
10 authenticate using dot1x priority 10
20 authenticate using mab priority 20
event violation match-all
10 class always do-all
10 restrict
event agent-found match-all
10 class always do-all
10 terminate mab
20 authenticate using dot1x priority 10
event authentication-failure match-first
10 class AAA_DOWN_UNAUTHD_HOST do-until-failure
10 activate service-template CRITICAL_ACCESS
20 authorize
30 pause reauthentication
40 terminate mab
50 terminate dot1x
20 class AAA_DOWN_AUTHD_HOST do-until-failure
10 pause reauthentication
20 authorize
30 class DOT1X_FAILED do-all
10 terminate dot1x
20 authenticate using mab priority 20
40 class DOT1X_TIMEOUT do-all
10 terminate dot1x
20 authenticate using mab priority 20
I am going to do more testing but that seemed to work nicely.
05-21-2018 09:00 AM
Great! I am glad it worked out. Please reach to TAC if you need any further assistance.
- Krish
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide