proxy dot1x request to third party RADIUS

martucci
Cisco Employee

Hello,

my customer would like to offload a dot1x request to an external RADIUS, but only after checking that the client is in a specific group of known MAC addresses on the local server.

This is not easily implemented as the proxy is configured in the authentication policy, before I can actually perform a check on the local database.

I was wondering if anyone has any creative idea on how it would be possible to satisfy the request

Thanks

1 Accepted Solution

Accepted Solutions

Craig Hyps
Level 10

Per internal discussion, this is not possible using proxy. We cannot authenticate via ISE using MAB and then proxy same request to another RADIUS server for a secondary 802.1X auth. I recommend using RADIUS Token to authenticate user in ISE and then use external RADIUS server for authorization only.

To use proxy, you can leverage RADIUS, VSAs, Network Access and Device attributes to determine whether to proxy or to which server to proxy request. You can then process response through local ISE policy for authorization (for example, match on local profile or endpoint ID group). However, you cannot authorize first, and then send to proxy.

Craig

3 Replies

You may explore IBNS 2.0 for this. ISE can authorize the MAB request with a service template name, and the switch can then clear the session and initiate a new 802.1X session (with a different RADIUS server) on the service-template active status. Haven’t validated this, but a policy something like this could do the trick:

aaa new-model
aaa group server radius mab-servers
 server name ise
aaa group server radius 1x-servers
 server name non-ise
!
aaa authentication login default group radius
aaa authentication login console none
aaa authentication dot1x default group radius
aaa authentication dot1x mab-servers group mab-servers
aaa authentication dot1x 1x-servers group 1x-servers
aaa authorization exec default local
aaa authorization network default group radius
aaa authorization network 1x-servers group 1x-servers
aaa authorization network mab-servers group mab-servers
aaa authorization auth-proxy default group radius
aaa accounting identity default start-stop group radius
aaa session-id common
!
radius-server dead-criteria time 15 tries 3
!
radius server ise
 address ipv4 172.20.254.4 auth-port 1645 acct-port 1646
 automate-tester username dummy
 key xxxxxx
!
radius server non-ise
 address ipv4 172.20.254.8 auth-port 1645 acct-port 1646
 automate-tester username dummy
 key xxxxxx
!
policy-map type control subscriber ent-access-pol
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab aaa authc-list 1x-servers authz-list mab-servers
 event template-activated match-all
  10 class mab-classified do-all
   10 terminate mab
   ! the 802.1X hand-off must name the method lists defined above (1x-servers);
   ! "non-ise" is only a radius server name, not an authentication/authorization list
   20 authenticate using dot1x aaa authc-list 1x-servers authz-list 1x-servers
   30 deactivate service-template mab-classified
 event authentication-failure match-first
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
  20 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  30 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
!
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative
!
class-map type control subscriber match-all mab-classified
 match service-template mab-classified
!
service-template mab-classified
 description dummy template
 tag dummy
!
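An IBNS 2.0 policy like the one above hands each authentication step to a named AAA method list, and a list name that exists only as a `radius server` definition (not as an `aaa authentication dot1x` / `aaa authorization network` list) means the 802.1X hand-off to the external server never reaches it. The script below is an added example, not code from this thread or from Cisco: it parses an IOS-style configuration and reports every `authc-list`/`authz-list` reference, server-group reference and `server name` member that has no matching definition. The embedded configuration is a constructed, trimmed fragment in the style of the posted policy, using documentation addresses; its dot1x action under `template-activated` deliberately points at `non-ise`, which is a server name rather than a method list, so the check has something to find.

```python
"""Dangling-reference check for IOS AAA method lists and IBNS 2.0 policy actions.

Added example (not from the thread): cross-references the names used by
'authenticate using ... aaa authc-list X authz-list Y' actions, 'aaa ... group G'
method lists and 'server name S' group members against their definitions.
"""
import re
from typing import List, Set, Tuple

# Constructed sample in the style of the posted policy. Line 20 references
# "non-ise", which is defined as a radius server but never as a method list.
SAMPLE_CONFIG = """\
aaa group server radius mab-servers
 server name ise
aaa group server radius 1x-servers
 server name non-ise
aaa authentication dot1x mab-servers group mab-servers
aaa authentication dot1x 1x-servers group 1x-servers
aaa authorization network 1x-servers group 1x-servers
aaa authorization network mab-servers group mab-servers
radius server ise
 address ipv4 192.0.2.4 auth-port 1645 acct-port 1646
radius server non-ise
 address ipv4 192.0.2.8 auth-port 1645 acct-port 1646
policy-map type control subscriber ent-access-pol
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab aaa authc-list mab-servers authz-list mab-servers
 event template-activated match-all
  10 class mab-classified do-all
   10 terminate mab
   20 authenticate using dot1x aaa authc-list non-ise authz-list non-ise
"""

AUTHC_RE = re.compile(r"^aaa authentication dot1x (\S+) group (\S+)")
AUTHZ_RE = re.compile(r"^aaa authorization network (\S+) group (\S+)")
GROUP_RE = re.compile(r"^aaa group server radius (\S+)")
SERVER_RE = re.compile(r"^radius server (\S+)")
MEMBER_RE = re.compile(r"^\s+server name (\S+)")
ACTION_RE = re.compile(r"^\s+\d+ authenticate using (?:mab|dot1x) aaa (.*)$")
LIST_REF_RE = re.compile(r"(authc-list|authz-list) (\S+)")
BUILTIN_GROUPS = {"radius", "tacacs+"}  # implicit "all servers" groups


def check_config(config: str) -> List[str]:
    """Return one message per dangling reference; an empty list means clean."""
    authc: Set[str] = set()
    authz: Set[str] = set()
    groups: Set[str] = set()
    servers: Set[str] = set()
    list_groups: List[Tuple[int, str, str]] = []  # (line, list name, group)
    members: List[Tuple[int, str, str]] = []      # (line, group, server name)
    refs: List[Tuple[int, str, str]] = []         # (line, authc-list|authz-list, name)
    current_group = None

    for n, line in enumerate(config.splitlines(), start=1):
        if not line.startswith(" "):
            current_group = None  # an unindented line ends a server-group block
        if m := AUTHC_RE.match(line):
            authc.add(m.group(1))
            list_groups.append((n, m.group(1), m.group(2)))
        elif m := AUTHZ_RE.match(line):
            authz.add(m.group(1))
            list_groups.append((n, m.group(1), m.group(2)))
        elif m := GROUP_RE.match(line):
            groups.add(m.group(1))
            current_group = m.group(1)
        elif m := SERVER_RE.match(line):
            servers.add(m.group(1))
        elif current_group and (m := MEMBER_RE.match(line)):
            members.append((n, current_group, m.group(1)))
        elif m := ACTION_RE.match(line):
            refs.extend((n, kind, name) for kind, name in LIST_REF_RE.findall(m.group(1)))

    issues: List[str] = []
    for n, lst, grp in list_groups:
        if grp not in groups and grp not in BUILTIN_GROUPS:
            issues.append(f"line {n}: method list '{lst}' uses undefined server group '{grp}'")
    for n, grp, srv in members:
        if srv not in servers:
            issues.append(f"line {n}: group '{grp}' names undefined radius server '{srv}'")
    for n, kind, name in refs:
        defined = authc if kind == "authc-list" else authz
        if name not in defined:
            issues.append(f"line {n}: {kind} '{name}' is not a defined method list")
    return issues


if __name__ == "__main__":
    for issue in check_config(SAMPLE_CONFIG):
        print(issue)
```

Run it against a `show running-config` capture before pushing a policy to a switch; it only knows the four definition forms used above, so extend the regexes if your configuration uses `aaa authentication dot1x` lists with `local` fallbacks or TACACS+ groups.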

Great, thanks Hari, I will give it a try

Francesca

==========================================================

Francesca Martucci – CISSP # 481718

CONSULTING SYSTEMS ENGINEER.SECURITY SALES

UKI

==========================================================