09-15-2016 12:08 AM
Hello,
my customer would like to offload a dot1x request to an external RADIUS, but only after checking that the client is in a specific group of known MAC addresses on the local server.
This is not easily implemented, as the proxy is configured in the authentication policy, before I can actually perform a check on the local database.
I was wondering if anyone has any creative idea on how it would be possible to satisfy the request.
Thanks
09-16-2016 12:05 PM
Per internal discussion, this is not possible using proxy. We cannot authenticate via ISE using MAB and then proxy the same request to another RADIUS server for a secondary 802.1X auth. I recommend using RADIUS Token to authenticate the user in ISE and then use the external RADIUS server for authorization only.
To use proxy, you can leverage RADIUS, VSAs, Network Access and Device attributes to determine whether to proxy or to which server to proxy the request. You can then process the response through local ISE policy for authorization (for example, match on local profile or endpoint ID group). However, you cannot authorize first and then send to proxy.
Craig
09-16-2016 01:57 PM
You may explore IBNS 2.0 for this. ISE can authorize the MAB request with a service template name, and the switch can then clear the session and initiate a new 802.1X session (with a different RADIUS server) on the service-template active status. Haven’t validated this, but a policy something like this could do the trick:
aaa new-model
!
! Two server groups: ISE handles MAB, the non-ISE server handles the follow-on 802.1X.
aaa group server radius mab-servers
 server name ise
aaa group server radius 1x-servers
 server name non-ise
!
aaa authentication login default group radius
aaa authentication login console none
aaa authentication dot1x default group radius
aaa authentication dot1x mab-servers group mab-servers
aaa authentication dot1x 1x-servers group 1x-servers
aaa authorization exec default local
aaa authorization network default group radius
aaa authorization network 1x-servers group 1x-servers
aaa authorization network mab-servers group mab-servers
aaa authorization auth-proxy default group radius
aaa accounting identity default start-stop group radius
aaa session-id common
!
radius-server dead-criteria time 15 tries 3
!
radius server ise
 address ipv4 172.20.254.4 auth-port 1645 acct-port 1646
 automate-tester username dummy
 key xxxxxx
!
radius server non-ise
 address ipv4 172.20.254.8 auth-port 1645 acct-port 1646
 automate-tester username dummy
 key xxxxxx
!
! Control policy: MAB against ISE (mab-servers) first. When ISE's Access-Accept
! activates the service template, tear down the MAB session and start 802.1X
! against the non-ISE group (1x-servers).
policy-map type control subscriber ent-access-pol
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab aaa authc-list mab-servers authz-list mab-servers
 event template-activated match-all
  10 class mab-classified do-all
   10 terminate mab
   20 authenticate using dot1x aaa authc-list 1x-servers authz-list 1x-servers
   30 deactivate service-template mab-classified
 event authentication-failure match-first
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
  20 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  30 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
!
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative
!
! Matches once ISE has pushed the service template named below.
class-map type control subscriber match-all mab-classified
 match service-template mab-classified
!
service-template mab-classified
 description dummy template
 tag dummy
!
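A review check for a draft policy like this one (added example, not part of Hari's post): a small Python linter that flags authc-list, authz-list, server-group, RADIUS server and service-template names that a control policy references but the configuration never defines. The configuration inside it is constructed for the example and deliberately references a method list called non-ise that is never defined, an easy slip when server names and method-list names look alike.

```python
import re

# Constructed sample (not the config from the thread): a trimmed IBNS 2.0 policy
# whose template-activated step references a method list that was never defined.
SAMPLE_CONFIG = """\
aaa group server radius mab-servers
 server name ise
aaa group server radius 1x-servers
 server name non-ise
aaa authentication dot1x mab-servers group mab-servers
aaa authentication dot1x 1x-servers group 1x-servers
aaa authorization network mab-servers group mab-servers
aaa authorization network 1x-servers group 1x-servers
radius server ise
radius server non-ise
policy-map type control subscriber ent-access-pol
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab aaa authc-list mab-servers authz-list mab-servers
 event template-activated match-all
  10 class mab-classified do-all
   20 authenticate using dot1x aaa authc-list non-ise authz-list non-ise
   30 deactivate service-template mab-classified
service-template mab-classified
"""

def lint_ibns(config):
    """Return sorted (kind, name) pairs that the AAA section or control policy
    references but the config never defines.  The CLI does not cross-check
    these names for you, so a mistyped list name is easy to miss in review."""
    authc = set(re.findall(r"^aaa authentication dot1x (\S+) ", config, re.M))
    authz = set(re.findall(r"^aaa authorization network (\S+) ", config, re.M))
    groups = set(re.findall(r"^aaa group server radius (\S+)", config, re.M)) | {"radius"}
    servers = set(re.findall(r"^radius server (\S+)", config, re.M))
    templates = set(re.findall(r"^service-template (\S+)", config, re.M))
    checks = [
        ("authc-list", r"authc-list (\S+)", authc),
        ("authz-list", r"authz-list (\S+)", authz),
        ("server-group", r"^aaa \S+ \S+ \S+ group (\S+)", groups),
        ("radius-server", r"^ server name (\S+)", servers),
        ("service-template", r"service-template (\S+)", templates),
    ]
    problems = set()
    for kind, pattern, known in checks:
        for name in re.findall(pattern, config, re.M):
            if name not in known:
                problems.add((kind, name))
    return sorted(problems)
```

Running `lint_ibns(SAMPLE_CONFIG)` reports the two dangling non-ise references; once they are renamed to the defined 1x-servers list the result is empty.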
09-19-2016 12:07 AM
Great, thanks Hari, I will give it a try
Francesca
Francesca Martucci – CISSP # 481718
Consulting Systems Engineer, Security Sales
UKI