cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3116
Views
25
Helpful
11
Replies

Use authentication violation shutdown but not shutting down the port

albertofdez
Level 1
Level 1

Hi,

I am using MAB on a port together with the authentication violation shutdown command, but when I connect a device with a MAC that does not belong to any group, Cisco ISE denies access, but the port on the switch remains connected.

If I do a show interfaces status on the switch the port should be err-disabled, but it is still connected.

Shouldn't it work the same way as the switchport port-security violation shutdown command and set the port to err-disabled?

Thanks.

2 Accepted Solutions

Accepted Solutions

Arne Bier
VIP
VIP

I don't have the authoritative answer on this, but a failed authentication is not a violation - and therefore the "violation" logic would not be executed. I would like someone to correct me if I am wrong, but a session violation is an event where the maximum number of allowed MAC addresses has been authorized on a port, thus causing either a notification, or a shutdown.  

In my experience of using mult-domain host mode, the port will automatically err-disable if there is more then 2 MAC addresses in the DATA domain (no C3PL or legacy "authentication violation .." logic required).

If anyone has more information on what exactly a session violation is, please share here.

View solution in original post

Hi @albertofdez and @Arne Bier 

 take the following example:

interface FastEthernet0/1
switchport access vlan 10
switchport mode access
authentication control-direction in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 10
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 7
spanning-tree portfast
end

 if I connect a TIP and a Notebook on Fa0/1:

#show authentication interface Fa0/1
Client list:
Interface MAC Address Method Domain Status Session ID
Fa0/1 1111.1111.1111 mab DATA Authz Success 000000000000000000000001
Fa0/1 2222.2222.2222 dot1x DATA Authz Success 000000000000000000000002
Available methods list:
Handle Priority Name
3 0 dot1x
2 1 mab
Runnable methods list:
Handle Priority Name
3 0 dot1x
2 1 mab

but now, I will change my configuration to:

interface FastEthernet0/1
authentication host-mode multi-domain

in other words, one Voice and one Data (only):

#show authentication interface Fa0/1
Security violation caused by 2222.2222.2222: Port is restricted
Client list:
Interface MAC Address Method Domain Status Session ID
Fa0/1 2222.2222.2222 dot1x UNKNOWN Running 000000000000000000000003
Fa0/1 1111.1111.1111 mab DATA Authz Success 000000000000000000000004

if I change again my configuration to:

interface FastEthernet0/1
authentication violation shutdown

then

#show authentication interface Fa0/1
Security violation caused by 2222.2222.2222: Port is shutdown
Client list: empty

Available methods list:
Handle Priority Name
3 0 dot1x
2 1 mab
Runnable methods list:
Handle Priority Name
3 0 dot1x
2 1 mab

#show interfaces Fa0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)
...

 

Hope this helps !!!

View solution in original post

11 Replies 11

Arne Bier
VIP
VIP

I don't have the authoritative answer on this, but a failed authentication is not a violation - and therefore the "violation" logic would not be executed. I would like someone to correct me if I am wrong, but a session violation is an event where the maximum number of allowed MAC addresses has been authorized on a port, thus causing either a notification, or a shutdown.  

In my experience of using mult-domain host mode, the port will automatically err-disable if there is more then 2 MAC addresses in the DATA domain (no C3PL or legacy "authentication violation .." logic required).

If anyone has more information on what exactly a session violation is, please share here.

michael.burke
Level 1
Level 1

Would you post the interface configuration and possibly show auth session interface if possible.  Is this deployment in closed mode or maybe low impact open with a pre auth acl?

Hi @albertofdez and @Arne Bier 

 take the following example:

interface FastEthernet0/1
switchport access vlan 10
switchport mode access
authentication control-direction in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 10
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 7
spanning-tree portfast
end

 if I connect a TIP and a Notebook on Fa0/1:

#show authentication interface Fa0/1
Client list:
Interface MAC Address Method Domain Status Session ID
Fa0/1 1111.1111.1111 mab DATA Authz Success 000000000000000000000001
Fa0/1 2222.2222.2222 dot1x DATA Authz Success 000000000000000000000002
Available methods list:
Handle Priority Name
3 0 dot1x
2 1 mab
Runnable methods list:
Handle Priority Name
3 0 dot1x
2 1 mab

but now, I will change my configuration to:

interface FastEthernet0/1
authentication host-mode multi-domain

in other words, one Voice and one Data (only):

#show authentication interface Fa0/1
Security violation caused by 2222.2222.2222: Port is restricted
Client list:
Interface MAC Address Method Domain Status Session ID
Fa0/1 2222.2222.2222 dot1x UNKNOWN Running 000000000000000000000003
Fa0/1 1111.1111.1111 mab DATA Authz Success 000000000000000000000004

if I change again my configuration to:

interface FastEthernet0/1
authentication violation shutdown

then

#show authentication interface Fa0/1
Security violation caused by 2222.2222.2222: Port is shutdown
Client list: empty

Available methods list:
Handle Priority Name
3 0 dot1x
2 1 mab
Runnable methods list:
Handle Priority Name
3 0 dot1x
2 1 mab

#show interfaces Fa0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)
...

 

Hope this helps !!!

thanks @Marcelo Morais - the explanation was very clear. As mentioned in my earlier response, I have experienced this behaviour in my IBNS 2.0 configs where the violation logic is expressed in C3PL language - but what I found strange is that when I tested multi-domain and caused an intentional violation, I got the err-disable by default, and I did not need to specify any C3PL commands - it seems that the default action in IBNS 2.0 for violation is "shutdown". I will retest one of these days to confirm.

 

I guess the overall point to @albertofdez is that a violation is not caused when authentication fails. A violation is something that happens when you break the rules about how many MAC addresses are allowed to be authenticated. In multi-domain this is obvious (1 voice, 1 data) - @Marcelo Morais in multi-host, do you know how to configure the switch port to set an arbitrary limit to say, 3 MAC addresses to cause the violation?

Hi @Arne Bier and @albertofdez ,

 I tried the multi-host option, after the following change:

interface FastEthernet0/1
 authentication host-mode multi-host

then

#show authentication interface Fa0/1
Client list:
Interface MAC Address Method Domain Status Session ID
Fa0/1 2222.2222.2222 dot1x DATA Authz Success 000000000000000000000005
Available methods list:
Handle Priority Name
3 0 dot1x
2 1 mab
Runnable methods list:
Handle Priority Name
3 0 dot1x
2 1 mab

#show ip device tracking interface Fa0/1
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
IP Device Tracking Probe Delay Interval = 10
-----------------------------------------------------------------------
IP Address MAC Address Vlan Interface STATE
-----------------------------------------------------------------------
10.10.10.1 1111.1111.1111 10 FastEthernet0/5 ACTIVE
10.10.10.2 2222.2222.2222 10 FastEthernet0/5 ACTIVE

Total number interfaces enabled: 10
Enabled interfaces:
Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8,
Fa0/9, Fa0/10, Fa0/11

#show mac address-table | inc Fa0/1
10 1111.1111.1111 DYNAMIC Fa0/1
10 2222.2222.2222 STATIC Fa0/1

in other words, since I am only able to check one MAC on the Authentication command (even though the Device Tracking and MAC Address-Table command have two MACs), I am not able to generate an err-disable/violation.

 

Note: for "desperate times" : ) ... use:

interface FastEthernet0/1
 switchport port-security
 switchport port-security maximum 1

Apr 27 14:48:03: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state

 

Regards

thanks for checking this out - I thought perhaps the command 

switchport port-security maximum 1

could be added to the NAC enabled multi-host port? We always say that the traditional switch port security and NAC are mutually exclusive - but in this case perhaps you need that command to trigger the violation while the port is in NAC mode. I have not seen any IBNS commands to set these limits. 

albertofdez
Level 1
Level 1

Thank you very much Arne and Marcelo for your help and information, I was clear about the multi-auth and multi-domain behavior, but I thought that in any case an authentication failure was also considered as a violation and therefore the port would be set to err-disabled.

Do you know if there is any port level command or configuration in Cisco ISE to set the port to shutdown if there is an authentication failure on the port?

Hi @albertofdez ,

 I dind't recall any Port Level command or configuration on ISE to set the Port Shutdown if there is an Authentication Failure.

 At Context Visibility > Endpoints, you are able to choose an Endpoint and select Change Authorization > CoA Session Terminate with Port Shutdown, but this is only possible if you have a Session (Authentication and Authorization Success). 

 

Hope this helps !!!

Arne Bier
VIP
VIP

I agree with @Marcelo Morais - there might be some potential to use an EEM (Embedded Event Manager) script on the switch to trigger a shutdown when it detects the Access-Reject for the port(s) in question. It's been a while since I used EEM, but if you can find a SYSLOG event to trigger on then you might have a solution.

albertofdez
Level 1
Level 1

Thank you very much for your help.

I have tried the option CoA Session Terminate with Port Shutdown and it works perfectly, but as you say it only works if the endpoint has a Session (Authentication and Authorization Success).

I have thought about creating an authorization profile and put it in the last line, with this options

Captura.JPG

 

 

 

 

 

I have about 15 rules and in this way if a new endpoint does not match any condition already created, it allows access and then disabled the port.

Could it work?

Hi @albertofdez ,

 although the Attribute Detail has a disable-host-port command, the Session did not exist on that particular time, it probably will not work !!!

 It's possible to use ANC and API for that (take a look at Setup Adaptive Network Control, special attention to Figure 2. ANC Shutdown Flow)

 

Hope this helps !!!