
Redirect Posture Cisco ISE

Cisco ISE 1.3.

Problem:


Some workstations are not doing posture. After observation, I noticed that the switches are redirecting to the standalone ISE (Secondary), but the primary is active.

At this time, I turn off the secondary to return to normal operation.

Does anyone have any idea about this problem?

Port configuration

interface GigabitEthernet X/0/60
 switchport access vlan 111
 switchport mode access
 switchport voice vlan 222
 power inline auto max 15400
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!

See attached.

6 Replies

nspasov
Cisco Employee

Can you post your aaa and radius configs and also post the posture ACL config.

Thank you for rating helpful posts!

Switch Radius

aaa group server radius ISE
 server name ISE1
 server name ISE2
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa authorization network auth-list group ISE
aaa authorization auth-proxy default group ISE
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group ISE
aaa accounting dot1x default start-stop group ISE
aaa accounting network default start-stop group ISE
!
aaa server radius dynamic-author
 client 1.1.1.166 server-key 7 143x012E3x3B953Agt32763
 client 10.0.0.4 server-key 7 0726x2697Dx6002Bgt45
!
aaa session-id common
clock timezone
Switch RACL

ip access-list extended RACL-POSTURE
 deny   icmp any any
 deny   udp any any eq domain
 deny   udp any eq bootpc any eq bootps
 deny   tcp any eq 3389 any
 deny   tcp any eq 6129 any
 remark ISE
 deny   ip any host 1.1.1.166
 deny   ip any host 10.0.0.4
ip access-list extended RACL-WEBAUTH
 remark DHCP e DNS
 deny   udp any any eq domain
 deny   udp any eq bootpc any eq bootps
 remark Cisco ISE
 deny   ip any host 1.1.1.166
 deny   ip any host 10.0.0.4
 permit ip any any


In Cisco ISE I have a "Downloadable ACL":

permit ip any any


Can you also post some screen shots of your authorization profiles?

Also, which ACL do you use for the posture redirection?

I used 802.1X and checked some switches with a RADIUS problem.


Jan 14 11:39:58.343 BRV: %RADIUS-4-RADIUS_DEAD: RADIUS server 1.1.1.166:1812,1813 is not responding.

Jan 14 11:40:03.843 BRV: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.0.0.4:1812,1813 is not responding.

Jan 14 11:40:07.545 BRV: %RADIUS-4-RADIUS_ALIVE: RADIUS server 1.1.1.166:1812,1813 is being marked alive.

Jan 14 12:10:03.930 BRV: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.0.0.4:1812,1813 is being marked alive.
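The four syslog lines above show both ISE servers marked dead within seconds of each other, one of them for half an hour. While a server is dead, the posted port configuration's `authentication event server dead action authorize` authorizes the port locally, without an ISE authorization result, so those sessions never receive the posture redirect. The following is an added example (not from this thread, not Cisco code) that parses such `%RADIUS-4-RADIUS_DEAD` / `RADIUS_ALIVE` lines, computes how long each server stayed dead and flags servers that flap or stay dead too long; the sample log is the four lines posted above, and the regex assumes the timestamp layout exactly as posted (no year, optional milliseconds, a timezone token before the colon).

```python
import re
from datetime import datetime

# Constructed sample: the four RADIUS_DEAD/RADIUS_ALIVE lines posted in this thread.
SAMPLE_LOG = """\
Jan 14 11:39:58.343 BRV: %RADIUS-4-RADIUS_DEAD: RADIUS server 1.1.1.166:1812,1813 is not responding.
Jan 14 11:40:03.843 BRV: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.0.0.4:1812,1813 is not responding.
Jan 14 11:40:07.545 BRV: %RADIUS-4-RADIUS_ALIVE: RADIUS server 1.1.1.166:1812,1813 is being marked alive.
Jan 14 12:10:03.930 BRV: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.0.0.4:1812,1813 is being marked alive.
"""

# "<Mon> <day> <hh:mm:ss[.ms]> <tz>: %RADIUS-4-RADIUS_DEAD|ALIVE: RADIUS server <ip>:<auth>,<acct> ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{1,6})?) \S+: "
    r"%RADIUS-4-RADIUS_(?P<state>DEAD|ALIVE): RADIUS server "
    r"(?P<server>\d{1,3}(?:\.\d{1,3}){3}):\d+,\d+"
)


def parse_events(text):
    """Return [(timestamp, server_ip, 'DEAD'|'ALIVE')] for matching lines; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = m.group("ts")
        fmt = "%b %d %H:%M:%S.%f" if "." in ts else "%b %d %H:%M:%S"
        # The syslog timestamp carries no year; strptime defaults to 1900, fine for durations.
        events.append((datetime.strptime(ts, fmt), m.group("server"), m.group("state")))
    return events


def summarize(events, now=None):
    """Per server: number of DEAD events, total seconds spent dead, and whether it is still dead.
    A DEAD with no later ALIVE is an open outage measured up to `now` (default: last event seen)."""
    summary, dead_since = {}, {}
    for ts, server, state in sorted(events, key=lambda e: e[0]):
        s = summary.setdefault(server, {"dead_count": 0, "down_seconds": 0.0, "currently_dead": False})
        if state == "DEAD":
            if server not in dead_since:            # ignore a repeated DEAD before any ALIVE
                dead_since[server] = ts
                s["dead_count"] += 1
                s["currently_dead"] = True
        elif server in dead_since:
            s["down_seconds"] += (ts - dead_since.pop(server)).total_seconds()
            s["currently_dead"] = False
    end = now or (max(e[0] for e in events) if events else None)
    for server, since in dead_since.items():
        summary[server]["down_seconds"] += (end - since).total_seconds()
    return summary


def suspicious(summary, min_dead_events=2, max_down_seconds=60):
    """Servers that flapped (>= min_dead_events) or stayed dead longer than max_down_seconds."""
    return sorted(
        s for s, v in summary.items()
        if v["dead_count"] >= min_dead_events or v["down_seconds"] > max_down_seconds
    )


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_LOG))
    for server, v in summary.items():
        print(f"{server}: dead {v['dead_count']}x, {v['down_seconds']:.3f}s down, still dead={v['currently_dead']}")
    print("suspicious:", suspicious(summary))
```

Run against the lines above it reports 1.1.1.166 down for about 9 seconds and 10.0.0.4 down for 1800 seconds, so only 10.0.0.4 is flagged with the default thresholds; feeding it a longer syslog export from the switch is the quickest way to see whether the dead/alive cycle in this thread repeats.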

It looks like your servers are bouncing... perhaps you are losing connectivity between the switches and the ISE servers. Also, one of your servers' IPs is 1.1.1.166? Is that correct?

Also, in your config I see that you have defined your ISE servers:

aaa group server radius ISE
 server name ISE1
 server name ISE2

But I don't see any configurations with regards to what ISE1 and ISE2 actually are. You should have something like this:

radius server ISE_server_1_name
 address ipv4 ISE_server_1_ip auth-port 1812 acct-port 1813
 automate-tester username ise-test idle-time 10
 key Aaa_shared_key

radius server ISE_server_2_name
 address ipv4 ISE_server_2_ip auth-port 1812 acct-port 1813
 automate-tester username ise-test idle-time 10
 key Aaa_shared_key
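The point of the reply above is that every `server name X` under `aaa group server radius` must be backed by a `radius server X` block carrying the address and shared key, and that `automate-tester` lets the switch probe the server instead of learning its state only from real authentications. As an added example (not from this thread, not Cisco code), here is a small checker that walks a saved `show run` and reports group members with no matching `radius server` block, blocks missing `address ipv4` or `key`, and blocks without `automate-tester`. The two sample configs are trimmed from the configs posted in this thread, with the keys redacted as they were in the thread; the block-walker assumes the IOS convention that child lines are indented by one space and `!` ends a block.

```python
import re

# Constructed sample: trimmed from the first config posted in this thread (no 'radius server' blocks).
CONFIG_FIRST_POST = """\
aaa group server radius ISE
 server name ISE1
 server name ISE2
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa server radius dynamic-author
 client 1.1.1.166 server-key 7 XXXX
 client 10.0.0.4 server-key 7 XXXX
!
"""

# Same, plus the 'radius server' definitions from the later "show run" (still no automate-tester).
CONFIG_SHOW_RUN = CONFIG_FIRST_POST + """\
radius-server dead-criteria time 5 tries 3
radius-server deadtime 30
!
radius server ISE1
 address ipv4 1.1.1.166 auth-port 1812 acct-port 1813
 key 7 XXXX
!
radius server ISE2
 address ipv4 10.0.0.4 auth-port 1812 acct-port 1813
 key 7 XXXX
"""


def _blocks(config, header_re):
    """Yield (name, [stripped child lines]) for each top-level line matching header_re.
    A child line starts with a space; '!' or any other top-level line closes the block."""
    name, children = None, []
    for line in config.splitlines():
        m = re.match(header_re, line)
        if m:
            if name is not None:
                yield name, children
            name, children = m.group(1), []
        elif name is not None and line.startswith(" "):
            children.append(line.strip())
        elif name is not None:
            yield name, children
            name, children = None, []
    if name is not None:
        yield name, children


def radius_groups(config):
    """{group_name: [server names referenced with 'server name ...']}"""
    return {
        g: [c.split()[2] for c in kids if c.startswith("server name ")]
        for g, kids in _blocks(config, r"^aaa group server radius (\S+)")
    }


def radius_servers(config):
    """{server_name: {'address': ip or None, 'key': bool, 'automate_tester': bool}}"""
    out = {}
    for name, kids in _blocks(config, r"^radius server (\S+)"):
        out[name] = {
            "address": next((c.split()[2] for c in kids if c.startswith("address ipv4 ")), None),
            "key": any(c.startswith("key ") for c in kids),
            "automate_tester": any(c.startswith("automate-tester ") for c in kids),
        }
    return out


def check_config(config):
    """Findings as strings: group members never defined, and incomplete 'radius server' blocks."""
    findings = []
    servers = radius_servers(config)
    for group, names in radius_groups(config).items():
        for name in names:
            if name not in servers:
                findings.append(f"group {group}: 'server name {name}' has no matching 'radius server {name}' block")
                continue
            s = servers[name]
            if s["address"] is None:
                findings.append(f"radius server {name}: no 'address ipv4' configured")
            if not s["key"]:
                findings.append(f"radius server {name}: no shared 'key' configured")
            if not s["automate_tester"]:
                findings.append(f"radius server {name}: no 'automate-tester', switch cannot probe server liveness")
    return findings


if __name__ == "__main__":
    for label, cfg in (("first post", CONFIG_FIRST_POST), ("show run", CONFIG_SHOW_RUN)):
        print(f"== {label} ==")
        for finding in check_config(cfg) or ["no findings"]:
            print(" -", finding)
```

On the first snippet it reports ISE1 and ISE2 as referenced but undefined; on the later `show run` the two blocks exist with address and key, and the only remaining findings are the missing `automate-tester` lines the reply above recommends.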

IP Example: 1.1.1.166 (Fake IP)

Show run on my switch:

aaa group server radius ISE
 server name ISE1
 server name ISE2
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa authorization network auth-list group ISE
aaa authorization auth-proxy default group ISE
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group ISE
aaa accounting dot1x default start-stop group ISE
aaa accounting network default start-stop group ISE
!
aaa server radius dynamic-author
 client 1.1.1.166 server-key 7 XXXXXXXXXXXXXXXXXXXXXXXX
 client 10.0.0.4 server-key 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
!
aaa session-id common

!
interface GigabitEthernet X/0/X
 switchport access vlan 111
 switchport mode access
 switchport voice vlan 222
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable


ip access-list extended RACL-POSTURE
 deny   icmp any any
 deny   udp any any eq domain
 deny   udp any eq bootpc any eq bootps
 deny   tcp any eq 3389 any
 deny   tcp any eq 6129 any
 remark ISE
 deny   ip any host 1.1.1.166
 deny   ip any host 10.0.0.4
 permit ip any any
ip access-list extended RACL-WEBAUTH
 remark DHCP e DNS
 deny   udp any any eq domain
 deny   udp any eq bootpc any eq bootps
 remark Cisco ISE
 deny   ip any host 1.1.1.166
 deny   ip any host 10.0.0.4
 permit ip any any
logging trap warnings
logging origin-id ip
logging source-interface Vlan465
logging host 1.1.1.166 transport udp port 20514
logging host 10.0.0.4 transport udp port 20514

!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server deadtime 30
!
radius server ISE1
 address ipv4 1.1.1.166 auth-port 1812 acct-port 1813
 key 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
!
radius server ISE2
 address ipv4 10.0.0.4 auth-port 1812 acct-port 1813
 key 7 1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX