2390 Views | 0 Helpful | 3 Replies

NAC open authentication query

craiglebutt
Level 4

Hi

 

Started looking at NAC again.

I've dropped the config onto a switch which is used in my lab.

This has an Openspace IP Phone plugged into it.

I drop the config onto the port with open authentication; I can see in the log that the phone connects to the voice VLAN, and this is confirmed in the ISE log.

 

If this is in open auth it should connect the same as it did in switchport mode before the config was dropped on. The ISE Auth Policy is set to permit all while I configure a policy for it?

 

But the phone gets an IP and doesn't talk to the servers.

 

Unfortunately I'm working from a distance on this, and have to rely on the goodwill of someone onsite to keep checking.

Any help much appreciated.

Accepted Solution

Colby LeMaire
VIP Alumni

At a quick glance, your configuration looks fine. With "authentication open", the only thing that could possibly be restricting traffic flow is if there is a default/pre-auth ACL configured on the port or if ISE is pushing down a dACL that restricts traffic. Sometimes ISE will show a good authentication but the switch is not able to apply the policy and will keep the port as not authorized. This can happen if you are pushing a VLAN assignment but the VLAN doesn't exist on the switch, or if your dACL has errors in it that the switch doesn't like. So to be sure, you need to do a "show auth sessions int gx/y detail" and verify the output. It should show "Authorized" and whether any dACLs are applied. If you are using a dACL (even a permit all), then IP Device Tracking will need to know the client's IP address, so verify that the IP address shows up in the show output as well. And for true monitor mode, don't use a default/pre-auth ACL unless it is a permit ip any any.

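As an added example (not part of the thread and not Cisco or ISE code), here is a small Python checker that applies the checklist from the accepted answer to pasted "show authentication sessions interface gx/y details" output: is the session Authorized, is a dACL applied without an IP address for IP Device Tracking to bind it to, and does an assigned VLAN exist on the switch. The sample session output is constructed; the field labels it relies on ("Status", "IPv4 Address" / "IP Address", "ACS ACL", "Vlan Policy") and the "Authorized" / "Authz Success" spellings are assumptions about the IOS / IOS-XE layout and vary between releases, so adjust them for your platform. The pre-auth ACL check only sees ACE strings you hand it, for instance copied from the running config.

```python
import re

# Constructed sample output (not from the thread). One healthy voice
# session and one that ISE accepted but the switch could not apply:
# no IPv4 address for the dACL and a VLAN the switch does not have.
HEALTHY = """\
            Interface:  GigabitEthernet1/0/10
          MAC Address:  0011.2233.4455
         IPv4 Address:  10.20.30.40
            User-Name:  00-11-22-33-44-55
               Status:  Authorized
               Domain:  VOICE
       Oper host mode:  multi-auth
Server Policies:
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-5e8c1a2b
Method status list:
       Method           State
       mab              Authc Success
"""

BROKEN = """\
            Interface:  GigabitEthernet1/0/11
          MAC Address:  0011.2233.4466
         IPv4 Address:  Unknown
            User-Name:  00-11-22-33-44-66
               Status:  Unauthorized
               Domain:  VOICE
       Oper host mode:  multi-auth
Server Policies:
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-5e8c1a2b
          Vlan Policy:  VOICE_VLAN_999
Method status list:
       Method           State
       mab              Authc Success
"""

# "Key:  value" lines; section headers like "Server Policies:" have no
# value and are skipped. Method rows ("mab   Authc Success") have no colon.
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9 /-]*?):\s+(\S.*?)\s*$")
METHOD_RE = re.compile(r"^\s*(dot1x|mab)\s+(\S.*?)\s*$")
AUTHORIZED = {"Authorized", "Authz Success"}  # IOS-XE and older IOS spellings (assumed)


def parse_session(text):
    """Return (fields, methods) dicts from one session's detail output."""
    fields, methods = {}, {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
            continue
        m = METHOD_RE.match(line)
        if m:
            methods[m.group(1)] = m.group(2)
    return fields, methods


def check_session(text, switch_vlans=None):
    """Apply the accepted answer's checklist; return a list of findings."""
    fields, methods = parse_session(text)
    findings = []
    status = fields.get("Status", "<missing>")
    if status not in AUTHORIZED:
        findings.append(f"Status is '{status}': ISE may have accepted, but the switch did not apply the result")
    dacl = fields.get("ACS ACL")
    ip = fields.get("IPv4 Address") or fields.get("IP Address") or "Unknown"
    if dacl and ip.lower() == "unknown":
        findings.append(f"dACL {dacl} is applied but no IPv4 address was learned; IP Device Tracking cannot bind it")
    vlan = fields.get("Vlan Policy")
    if vlan and vlan != "N/A" and switch_vlans is not None and vlan not in switch_vlans:
        findings.append(f"assigned VLAN '{vlan}' does not exist on the switch")
    if methods and not any("Success" in state for state in methods.values()):
        findings.append("no authentication method reached Authc Success: " + ", ".join(f"{m}={s}" for m, s in methods.items()))
    return findings


def preauth_acl_is_open(aces):
    """True only if a default/pre-auth ACL is effectively 'permit ip any any'
    (no deny before it). Leading sequence numbers and remarks are ignored."""
    for ace in aces:
        rule = re.sub(r"^\d+\s+", "", ace.strip().lower())
        if not rule or rule.startswith("remark"):
            continue
        if rule.startswith("deny"):
            return False
        if rule == "permit ip any any":
            return True
    return False


if __name__ == "__main__":
    vlans_on_switch = {"1", "200"}  # constructed: output of 'show vlan brief'
    for port, text in (("Gi1/0/10", HEALTHY), ("Gi1/0/11", BROKEN)):
        print(port, check_session(text, vlans_on_switch) or "OK")
    print("pre-auth ACL open:", preauth_acl_is_open(["remark monitor mode", "10 permit ip any any"]))
```

The VLAN check is only as good as the set you feed it from "show vlan brief"; the script has no way to see the switch's VLAN table from the session output alone. When a finding fires for the dACL with no IP, the usual next step is to confirm IP Device Tracking is enabled on the port, since a permit-all dACL that cannot be bound behaves exactly like the symptom in the original post: the phone authenticates on ISE, gets an address, and still passes no traffic.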

3 Replies

thomas
Cisco Employee

Review the section Monitoring Authentications with Open Access in the ISE Secure Wired Access Prescriptive Deployment Guide including Monitoring Authentication Sessions to see what ISE is authorizing.

Then confirm the authorized state on the switch with

show authentication session interface Gig x/y/z details 

This should not be an issue in this scenario, but our best-practice timer values are very different from yours:

 dot1x timeout tx-period 7
 dot1x max-reauth-req 3

 

craiglebutt
Level 4

Thank you for your replies, very useful.

 

Cheers