09-30-2019 05:01 PM
Hi all,
I am trying to implement a pilot 802.1x deployment, i.e. monitor mode. May I know where in the ISE policy & settings I need to configure to ensure "monitor mode" is successful? I wonder where & why ISE will block even if the switch is configured in "monitor mode".
Thanks a lot!!
09-30-2019 08:22 PM
10-01-2019 05:40 AM
As you look around different documentation, you will see some people say you can do "Monitor Mode" using ISE only by having a default rule with permit access. However, I do not recommend that option at all. Stick with using "Monitor Mode" on the switches and interfaces. This would be the "authentication open" command on each interface. IBNS 2.0 is a little different so check the documents recommended by Francisco.
The reason I don't like using ISE only for "Monitor Mode" is there are other things that can go wrong and if the switch can't talk to ISE, the port is blocked/enforced. But with "authentication open" on the interface, the user will never be impacted unless you apply a pre-auth ACL, which I don't recommend for monitoring.
10-02-2019 09:48 PM
May I check with you: even with switches in "monitor mode", will ISE still block the traffic? I heard people saying that in monitor mode, ISE will let the switch bypass authentication but ISE will still check the authorization policy before it allows the traffic?
Is it true?
If so, what types of traffic will be affected if it passes authentication BUT doesn't pass through the authorization policy in ISE?
Those wireless APs, printers, door access, vending machines, etc.?
Does this mean all MAC addresses of the devices must be ALLOWED in the ISE authorization policy, even when it is authentication-open/monitor mode?
10-03-2019 08:32 AM
Not true. If a switchport is in "monitor mode" with the "authentication open" command, then even if ISE sends back a deny or "Access-Reject", the switch will ignore that and still allow traffic to pass. The whole point of "monitor mode" is to see what ISE would allow and not allow. So you can continue to fine-tune your ISE policies. So in ISE, you would see a red deny in the Radius Live Logs, but the switch would not block any traffic for that device. The user or device would not be impacted at all! Then once you are comfortable that ISE is doing what it is supposed to, then you can remove the "authentication open" command from the switchports. Only then will the switch enforce what ISE says.
You can put all of your switchports in "monitor mode" right now and deploy ISE with only a deny rule and nothing would be impacted. That is why I recommend doing "monitor mode" on the switch instead of trying to do it within the ISE policies.
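As an added illustration (not configuration from any post in this thread), here are the two interface styles the replies refer to, with the monitor-mode port beside its enforcing form and the checks for defaults; interface names, the VLAN and the control policy-map name are placeholders:

```text
! --- Legacy (IBNS 1.0) style: monitor mode ---
! "authentication open" is what the replies above rely on: the port
! forwards traffic before, and even after, an Access-Reject, while ISE
! still records the would-be decision in RADIUS Live Logs.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication open
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 ! do NOT add "ip access-group PRE-AUTH in" here: a pre-auth ACL
 ! restricts traffic even in open mode (see the reply above)
!
! --- Same port in enforcing (closed) mode: only "authentication open" removed ---
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
!
! --- New-style (IBNS 2.0) equivalent of the monitor-mode port ---
! "no access-session closed" is the equivalent of "authentication open";
! POLICY-DOT1X-MAB is a placeholder for your control policy-map name.
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
 no access-session closed
 access-session host-mode multi-auth
 access-session port-control auto
 mab
 dot1x pae authenticator
 service-policy type control subscriber POLICY-DOT1X-MAB
!
! --- Checks ---
! Defaults such as host-mode are hidden in "show run"; "show run all" prints them:
!   show running-config all | section GigabitEthernet1/0/1
! Per-session view of what the switch actually applied to a client:
!   show authentication sessions interface GigabitEthernet1/0/1 details
!   show access-session interface GigabitEthernet1/0/3 details
```

In the session output, a client that ISE rejected still shows as connected on the open-mode port, which is the behaviour the accepted answer describes.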
10-08-2019 08:18 PM
Hi,
Many many thanks for your kind explanation.
May I check: does the switch not blocking during monitor mode (no access-session closed) have anything to do with the ISE Plus license and those posture compliance, etc. features?
OR does having "no access-session closed" configured on every interface put the port in monitor mode (confirming no blocking) regardless of any other switch/ISE config?
10-12-2019 06:42 PM
Hi,
To be more specific, there is authentication & authorization policy in ISE.
Can I say that authentication policy will be ignored when switches set monitor mode, but authorization policy still applies?
10-12-2019 07:20 PM
10-13-2019 07:30 AM
06-19-2020 09:58 AM
Although "authentication open" allows traffic to pass, adding dot1x or mab authentication commands under a switch port/interface will add new CPU processes on top of the running ones, which might cause severe damage to the switch.
My advice:
07-03-2020 09:38 PM
How can I check in the config whether it is configured with “authentication host-mode multi-auth”?
I can't find the multi-auth config; is it by default?
“authentication violation restrict”: how can I check this command in the config?
07-07-2020 10:11 PM
The default host-mode depends on the hardware/software version of the switch. Most newer versions use a default host-mode of multi-auth.
You can find the default settings using the 'show run all' command.
10-08-2019 11:33 PM
But with "authentication open" on the interface, the user will never be impacted unless you apply a pre-auth ACL, which I don't recommend for monitoring.
Does the "authentication open" above refer to monitor mode, i.e. the CLI "no access-session closed"?
10-09-2019 06:58 AM
That is correct. "no access-session closed" is the same as "authentication open".