7296 Views, 10 Helpful, 13 Replies

Monitor mode pre-requisite in ISE and switch. Will configuring monitor mode in switch block traffic?

getaway51 (Level 2)

Hi all,

I am trying to implement pilot 802.1X or monitor mode. May I know where in the ISE policy & settings I need to configure to ensure "monitor mode" is successful? I wonder where & why ISE will block even if the switch is configured in "monitor mode".

Thanks a lot!!

1 Accepted Solution: the reply below beginning "Not true. If a switchport is in "monitor mode" with the "authentication open" command ..." (quoted in full in the thread).

13 Replies

Francesco Molino (VIP Alumni)
Hi

Instead of writing a "long" post with explanations, take a look at this Cisco Live doc:
https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2018/pdf/BRKSEC-2464.pdf

On the switch, the commands written in this doc start with authentication. Depending on the model of switch (and/or IOS version) you can use access-session instead.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Colby LeMaire (VIP Alumni)

As you look around different documentation, you will see some people say you can do "Monitor Mode" using ISE only by having a default rule with permit access.  However, I do not recommend that option at all.  Stick with using "Monitor Mode" on the switches and interfaces.  This would be the "authentication open" command on each interface.  IBNS 2.0 is a little different so check the documents recommended by Francesco.

The reason I don't like using ISE only for "Monitor Mode" is there are other things that can go wrong and if the switch can't talk to ISE, the port is blocked/enforced.  But with "authentication open" on the interface, the user will never be impacted unless you apply a pre-auth ACL, which I don't recommend for monitoring.

May I check with you: even with switches in "monitor mode", will ISE still block the traffic? I heard people saying that in monitor mode, ISE will let the switch bypass authentication but ISE will still check the authorization policy before it allows the traffic?

Is it true?

If so, what types of traffic will be affected if it passes authentication BUT doesn't pass through the authorization policy in ISE?

Those wireless APs, printers, door access, vending machines, etc.?

Does this mean all MAC addresses of the devices must be ALLOWED in the ISE authorization policy, even when it is authentication-open/monitor mode?

Not true.  If a switchport is in "monitor mode" with the "authentication open" command, then even if ISE sends back a deny or "Access-Reject", the switch will ignore that and still allow traffic to pass.  The whole point of "monitor mode" is to see what ISE would allow and not allow.  So you can continue to fine-tune your ISE policies.  So in ISE, you would see a red deny in the Radius Live Logs, but the switch would not block any traffic for that device.  The user or device would not be impacted at all!  Then once you are comfortable that ISE is doing what it is supposed to, then you can remove the "authentication open" command from the switchports.  Only then will the switch enforce what ISE says.

You can put all of your switchports in "monitor mode" right now and deploy ISE with only a deny rule and nothing would be impacted.  That is why I recommend doing "monitor mode" on the switch instead of trying to do it within the ISE policies.
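The reply above describes the switch side of "monitor mode" in words. The configuration below is an added example, written for this thread and not taken from the linked Cisco Live deck or from any poster: it shows the legacy "authentication open" port, the IBNS 2.0 "no access-session closed" equivalent, and the one-line change that later turns enforcement on. Interface numbers, VLAN 10, the RADIUS server address and the policy-map name PMAP_MONITOR are placeholders; the global AAA lines are the usual prerequisites and are not specific to this thread.

```cisco
! Added example, not from this thread. Placeholders: interfaces, VLAN 10,
! the ISE address 192.0.2.10, the key, and the policy-map name PMAP_MONITOR.

! --- Global prerequisites (switch must be able to talk RADIUS to ISE) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
radius server ISE-PSN-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key PLACEHOLDER_SHARED_SECRET

! --- Legacy (IBNS 1.0) syntax: the "authentication ..." commands ---
interface GigabitEthernet1/0/1
 description Monitor-mode pilot port (legacy syntax)
 switchport mode access
 switchport access vlan 10
 ! multi-auth: every MAC behind the port gets its own session,
 ! so a hidden hub/mini-switch downstream is still fully visible
 authentication host-mode multi-auth
 ! "open" is monitor mode: the port forwards even if ISE returns Access-Reject
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! restrict: extra MACs are logged as violations, the port is never err-disabled
 authentication violation restrict
 mab
 dot1x pae authenticator
 ! Deliberately no "ip access-group ... in" here: a pre-auth ACL would
 ! restrict traffic before authentication even though the port is "open".

! --- IBNS 2.0 (new-style) equivalent: the "access-session ..." commands ---
policy-map type control subscriber PMAP_MONITOR
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
 event authentication-failure match-first
  10 class always do-until-failure
   10 authenticate using mab priority 20

interface GigabitEthernet1/0/2
 description Monitor-mode pilot port (IBNS 2.0 syntax)
 switchport mode access
 switchport access vlan 10
 access-session host-mode multi-auth
 ! same effect as "authentication open"
 no access-session closed
 access-session port-control auto
 mab
 dot1x pae authenticator
 service-policy type control subscriber PMAP_MONITOR

! --- Later, to enforce ISE decisions, remove only the "open" line per port ---
! interface GigabitEthernet1/0/1
!  no authentication open
! interface GigabitEthernet1/0/2
!  access-session closed
```

Nothing in the ISE policy set changes between the pilot and enforcement: the same Access-Accept or Access-Reject is returned either way, and the single "open"/"closed" keyword on the port decides whether a reject actually stops traffic. A dACL or VLAN returned in an Access-Accept is still applied in open mode, which is the exception the thread mentions below.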

Hi,

Many many thanks for your kind explanation.

May I check whether the switch not blocking during monitor mode (no access-session closed) has anything to do with the ISE Plus license and those posture compliance, etc. features?

OR will "no access-session closed" configured on every interface put the port in monitor mode (confirm no blocking) regardless of any other switch/ISE config?

Hi,

 

To be more specific, there is authentication & authorization policy in ISE.

Can I say that authentication policy will be ignored when switches set monitor mode, but authorization policy still applies?

It doesn’t matter either way. No matter what happens with authentication or authorization, the switch will not block traffic. Unless there is an authorization rule that it matches and applies a dACL that restricts some traffic. Other than that, a failure would not impact traffic or anything.

Hi,

Many thanks for your reply. May I know if there is any Cisco article talking about this non-blocking behaviour when in monitor mode regardless of authentication & authorization?

FYI, there is no dACL that denies/blocks traffic that I am using. Many thanks again for your help!

Although "authentication open" allows traffic to pass, adding dot1x or mab authentication commands under a switch port/interface will add new CPU processes on top of the running ones, which might cause severe damage to the switch.

My advice:

  1. Review the CPU usage, then keep an open eye on CPU when adding authentication commands.
  2. "authentication host-mode multi-auth" should be used so that you have visibility of everything behind the switchport, as there might be a small/hidden switch connected to that port that you are not aware of.
  3. "authentication violation restrict" should be used so that the port won't go into the error-disabled state.

How can I check the config to see if it is configured with "authentication host-mode multi-auth"?

I can't find the multi-auth config; is it the default?

"authentication violation restrict": how can I check this command in the config?

The default host-mode depends on the hardware/software version of the switch. Most newer versions use a default host-mode of multi-auth.

You can find the default settings using the 'show run all' command.
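The commands below are an added verification checklist for the questions above (default host-mode, violation mode, and whether anything could still restrict traffic on an "open" port); they are not from the thread or from Cisco documentation. Interface names are placeholders; the commands themselves are standard IOS show commands.

```cisco
! Added example, not from this thread. Interface names are placeholders.

! 1. Defaults are hidden from plain "show run"; "show running-config all" prints
!    them. In the interface section look for "authentication host-mode ...",
!    "authentication violation ..." and "authentication open"
!    (or the access-session equivalents on IBNS 2.0 switches).
show running-config all | section GigabitEthernet1/0/1$

! 2. Per-port session state: method, result and the attributes ISE returned.
!    A failed result is still recorded here, but on an "open" port the data
!    plane keeps forwarding regardless of that result.
show authentication sessions interface GigabitEthernet1/0/1 details
! IBNS 2.0 equivalent:
show access-session interface GigabitEthernet1/0/2 details

! 3. The only things that can restrict traffic while a port is "open":
!    a dACL returned by an ISE authorization rule, or a static pre-auth ACL.
!    Downloaded ACLs appear with an xACSACLx- prefix; a pre-auth ACL shows
!    as "ip access-group ... in" under the interface.
show ip access-lists
show running-config interface GigabitEthernet1/0/1 | include access-group

! 4. Control-plane load while ports are being added to the pilot
!    (the CPU concern raised earlier in the thread).
show processes cpu sorted | exclude 0.00
```

If step 1 shows "authentication host-mode multi-auth" and "authentication violation restrict" without them being in the plain running-config, they are the platform defaults and nothing needs to be added; if it shows single-host or shutdown instead, the explicit commands from the advice above are needed.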

But with "authentication open" on the interface, the user will never be impacted unless you apply a pre-auth ACL, which I don't recommend for monitoring.

 

Does the "authentication open" above refer to the monitor-mode CLI "no access-session closed"?

That is correct.  "no access-session closed" is the same as "authentication open".