Monitor mode still applies a VLAN assignement

MICHAEL HORNE
Level 1

Hello All,

My understanding of Monitor Mode is that the switch (in our case) makes the authentication request to the Cisco ISE, but it ignores the result and provides access to the network.

We had the experience that when a policy was created that returned a REQUEST-ACCEPT that also assigned a VLAN, even in monitor mode the port was changed to the VLAN that was assigned in the response. This was unexpected, as we assumed that Monitor Mode would ignore the response from the Cisco ISE.

Is it the expected behaviour in Monitor Mode that the VLAN assignment is still done?

Many thanks,

Michael

Accepted Solution

Arne Bier
VIP

Yes absolutely. Monitor Mode just means that the minimum that is required to get the Session Authorized is an Access-Accept. So that is the normal way that people do Monitor Mode - the ISE Authorization profiles are super simple - just return Access-Accept.

But here's the kicker. In addition to the above, you can optionally return additional attributes, and the switch will honour them (as you discovered). This is correct and expected behaviour. I always return a dACL (permit ip any any) even in Monitor Mode, as a CYA manoeuvre - imagine someone accidentally configures a pre-auth ACL on the interface on a switch that is meant for Monitor Mode? Don't laugh ... it happens. Then no worries, because the dACL that I return in my ISE Authorization for Monitor Mode kills that pre-auth ACL and installs the dACL. It's a bit of extreme caution, but it's how I like to roll.

Assigning VLANs dynamically via ISE is no different. And you can also set session timeout etc. in Monitor Mode to see how they behave. More often than not, you would NOT do these things, because Monitor Mode is meant as a happy exploration phase of your endpoints - and you don't want to upset any users.

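The accepted answer's point is that Monitor Mode only relaxes what the switch does with a failure; whatever attributes ride along in the Access-Accept (VLAN, dACL, Session-Timeout) are still applied. The following is an added example, not code from this thread, from Cisco or from ISE: a small Python decoder for a RADIUS Access-Accept that lists the attributes a switch would act on, which is a useful check when reviewing a Monitor Mode authorization profile. Attribute numbers follow RFC 2865/2868 and the Cisco VSA layout (vendor ID 9, av-pair sub-type 1); the sample packet is constructed inline with a zeroed authenticator, and the `ip:inacl#` av-pair in it is a constructed per-user ACL, not the named-dACL reference that ISE itself returns.

```python
"""Decode a RADIUS Access-Accept and report what a switch would apply to the port.

Added example: constructed packets, no real ISE or switch traffic involved.
"""
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26            # RFC 2865
ATTR_SESSION_TIMEOUT = 27            # RFC 2865, integer seconds
ATTR_TUNNEL_TYPE = 64                # RFC 2868, 13 = VLAN
ATTR_TUNNEL_MEDIUM_TYPE = 65         # RFC 2868, 6 = IEEE-802
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81    # RFC 2868, the VLAN id or name
VENDOR_CISCO = 9
CISCO_AVPAIR = 1


def attr(atype, value):
    """Encode one RADIUS TLV: type, length (including the 2-byte header), value."""
    return bytes([atype, len(value) + 2]) + value


def build_access_accept(ident, vlan=None, session_timeout=None, avpairs=()):
    """Build a constructed Access-Accept. The 16-byte Response Authenticator is
    zeroed here; a real one is an MD5 over the packet and the shared secret."""
    body = b""
    if vlan is not None:
        tag = b"\x01"  # RFC 2868 tag byte shared by the three tunnel attributes
        body += attr(ATTR_TUNNEL_TYPE, tag + b"\x00\x00\x0d")
        body += attr(ATTR_TUNNEL_MEDIUM_TYPE, tag + b"\x00\x00\x06")
        body += attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, tag + vlan.encode())
    if session_timeout is not None:
        body += attr(ATTR_SESSION_TIMEOUT, struct.pack("!I", session_timeout))
    for pair in avpairs:
        encoded = pair.encode()
        vsa = struct.pack("!I", VENDOR_CISCO) + bytes([CISCO_AVPAIR, len(encoded) + 2]) + encoded
        body += attr(ATTR_VENDOR_SPECIFIC, vsa)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + bytes(16) + body


def parse_attributes(payload):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def strip_tag(value):
    """Tunnel attributes may start with a tag byte in 0x00..0x1F; drop it if present."""
    return value[1:] if value and value[0] <= 0x1F else value


def parse_cisco_avpairs(value):
    """Return the cisco-av-pair strings inside one Vendor-Specific attribute."""
    if len(value) < 4 or struct.unpack("!I", value[:4])[0] != VENDOR_CISCO:
        return []
    pairs, i = [], 4
    while i < len(value):
        vtype, vlen = value[i], value[i + 1]
        if vlen < 2 or i + vlen > len(value):
            raise ValueError("bad vendor attribute length")
        if vtype == CISCO_AVPAIR:
            pairs.append(value[i + 2:i + vlen].decode())
        i += vlen
    return pairs


def decode_access_accept(packet):
    """Decode header and attributes; returns the fields a switch acts on."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    if length < 20 or length != len(packet):
        raise ValueError("length field does not match packet")
    result = {"vlan": None, "session_timeout": None, "avpairs": []}
    for atype, val in parse_attributes(packet[20:length]):
        if atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            result["vlan"] = strip_tag(val).decode()
        elif atype == ATTR_SESSION_TIMEOUT:
            result["session_timeout"] = struct.unpack("!I", val)[0]
        elif atype == ATTR_VENDOR_SPECIFIC:
            result["avpairs"].extend(parse_cisco_avpairs(val))
    return result


def port_affecting_attributes(decoded):
    """List the side effects the switch applies regardless of Monitor Mode."""
    effects = []
    if decoded["vlan"] is not None:
        effects.append(f"VLAN change to {decoded['vlan']}")
    if decoded["session_timeout"] is not None:
        effects.append(f"reauthentication after {decoded['session_timeout']}s")
    for pair in decoded["avpairs"]:
        if pair.startswith("ip:inacl#") or pair.startswith("ACS:CiscoSecure-Defined-ACL"):
            effects.append(f"ACL applied: {pair}")
        else:
            effects.append(f"other av-pair: {pair}")
    return effects


def is_minimal_monitor_mode_accept(packet):
    """True when the Access-Accept carries nothing that would change the port."""
    return port_affecting_attributes(decode_access_accept(packet)) == []


if __name__ == "__main__":
    # Constructed profile that returns VLAN 20, a 1h timeout and a permit-all ACL.
    sample = build_access_accept(7, vlan="20", session_timeout=3600,
                                 avpairs=["ip:inacl#1=permit ip any any"])
    for effect in port_affecting_attributes(decode_access_accept(sample)):
        print("switch will apply:", effect)
    print("bare Access-Accept is minimal:", is_minimal_monitor_mode_accept(build_access_accept(8)))
```

The decoder deliberately ignores Tunnel-Type and Tunnel-Medium-Type and keys only on Tunnel-Private-Group-ID, because that is the attribute that names the VLAN the port is moved to; the other two just qualify it. Running it against a profile intended for Monitor Mode should yield an empty list (or only the permit-all ACL, if you follow the reply's dACL practice).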

2 Replies


I agree with @Arne Bier. Think about monitor mode as a phase that would allow you to have visibility of what's going on with the endpoints that would authenticate against ISE, whether doing dot1x or MAB. If there are endpoints that are misconfigured then they wouldn't match any of the more specific rules and they would be allowed access to the network. However, if any of those endpoints should match an authorization rule, then the authorization profile applied to that rule will be applied to those sessions.