Use authentication violation shutdown but not shutting down the port

albertofdez
Level 1

Hi,

I am using MAB on a port together with the authentication violation shutdown command, but when I connect a device with a MAC that does not belong to any group, Cisco ISE denies access, but the port on the switch remains connected.

If I do a show interfaces status on the switch the port should be err-disabled, but it is still connected.

Shouldn't it work the same way as the switchport port-security violation shutdown command and set the port to err-disabled?

Thanks.


11 Replies

Arne Bier
VIP

I don't have the authoritative answer on this, but a failed authentication is not a violation - and therefore the "violation" logic would not be executed. I would like someone to correct me if I am wrong, but a session violation is an event where the maximum number of allowed MAC addresses has been authorized on a port, thus causing either a notification, or a shutdown.  

In my experience of using multi-domain host mode, the port will automatically err-disable if there are more than 2 MAC addresses in the DATA domain (no C3PL or legacy "authentication violation .." logic required).

If anyone has more information on what exactly a session violation is, please share here.

michael.burke
Level 1

Would you post the interface configuration and possibly show auth session interface if possible? Is this deployment in closed mode, or maybe low-impact open with a pre-auth ACL?

Hi @albertofdez and @Arne Bier 

Take the following example:

interface FastEthernet0/1
switchport access vlan 10
switchport mode access
authentication control-direction in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 10
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 7
spanning-tree portfast
end

If I connect a TIP and a Notebook on Fa0/1:

#show authentication interface Fa0/1
Client list:
Interface MAC Address Method Domain Status Session ID
Fa0/1 1111.1111.1111 mab DATA Authz Success 000000000000000000000001
Fa0/1 2222.2222.2222 dot1x DATA Authz Success 000000000000000000000002
Available methods list:
Handle Priority Name
3 0 dot1x
2 1 mab
Runnable methods list:
Handle Priority Name
3 0 dot1x
2 1 mab

but now, I will change my configuration to:

interface FastEthernet0/1
authentication host-mode multi-domain

in other words, one Voice and one Data (only):

#show authentication interface Fa0/1
Security violation caused by 2222.2222.2222: Port is restricted
Client list:
Interface MAC Address Method Domain Status Session ID
Fa0/1 2222.2222.2222 dot1x UNKNOWN Running 000000000000000000000003
Fa0/1 1111.1111.1111 mab DATA Authz Success 000000000000000000000004

if I change again my configuration to:

interface FastEthernet0/1
authentication violation shutdown

then

#show authentication interface Fa0/1
Security violation caused by 2222.2222.2222: Port is shutdown
Client list: empty

Available methods list:
Handle Priority Name
3 0 dot1x
2 1 mab
Runnable methods list:
Handle Priority Name
3 0 dot1x
2 1 mab

#show interfaces Fa0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)
...

 

Hope this helps !!!

thanks @Marcelo Morais - the explanation was very clear. As mentioned in my earlier response, I have experienced this behaviour in my IBNS 2.0 configs where the violation logic is expressed in C3PL language - but what I found strange is that when I tested multi-domain and caused an intentional violation, I got the err-disable by default, and I did not need to specify any C3PL commands - it seems that the default action in IBNS 2.0 for violation is "shutdown". I will retest one of these days to confirm.

 

I guess the overall point to @albertofdez is that a violation is not caused when authentication fails. A violation is something that happens when you break the rules about how many MAC addresses are allowed to be authenticated. In multi-domain this is obvious (1 voice, 1 data) - @Marcelo Morais in multi-host, do you know how to configure the switch port to set an arbitrary limit to say, 3 MAC addresses to cause the violation?

Hi @Arne Bier and @albertofdez ,

 I tried the multi-host option, after the following change:

interface FastEthernet0/1
 authentication host-mode multi-host

then

#show authentication interface Fa0/1
Client list:
Interface MAC Address Method Domain Status Session ID
Fa0/1 2222.2222.2222 dot1x DATA Authz Success 000000000000000000000005
Available methods list:
Handle Priority Name
3 0 dot1x
2 1 mab
Runnable methods list:
Handle Priority Name
3 0 dot1x
2 1 mab

#show ip device tracking interface Fa0/1
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
IP Device Tracking Probe Delay Interval = 10
-----------------------------------------------------------------------
IP Address MAC Address Vlan Interface STATE
-----------------------------------------------------------------------
10.10.10.1 1111.1111.1111 10 FastEthernet0/5 ACTIVE
10.10.10.2 2222.2222.2222 10 FastEthernet0/5 ACTIVE

Total number interfaces enabled: 10
Enabled interfaces:
Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8,
Fa0/9, Fa0/10, Fa0/11

#show mac address-table | inc Fa0/1
10 1111.1111.1111 DYNAMIC Fa0/1
10 2222.2222.2222 STATIC Fa0/1

in other words, since I am only able to check one MAC on the Authentication command (even though the Device Tracking and MAC Address-Table command have two MACs), I am not able to generate an err-disable/violation.

 

Note: for "desperate times" : ) ... use:

interface FastEthernet0/1
 switchport port-security
 switchport port-security maximum 1

Apr 27 14:48:03: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state

 

Regards

thanks for checking this out - I thought perhaps the command 

switchport port-security maximum 1

could be added to the NAC enabled multi-host port? We always say that the traditional switch port security and NAC are mutually exclusive - but in this case perhaps you need that command to trigger the violation while the port is in NAC mode. I have not seen any IBNS commands to set these limits. 

albertofdez
Level 1

Thank you very much Arne and Marcelo for your help and information, I was clear about the multi-auth and multi-domain behavior, but I thought that in any case an authentication failure was also considered as a violation and therefore the port would be set to err-disabled.

Do you know if there is any port level command or configuration in Cisco ISE to set the port to shutdown if there is an authentication failure on the port?

Hi @albertofdez ,

 I didn't recall any Port Level command or configuration on ISE to set the Port Shutdown if there is an Authentication Failure.

 At Context Visibility > Endpoints, you are able to choose an Endpoint and select Change Authorization > CoA Session Terminate with Port Shutdown, but this is only possible if you have a Session (Authentication and Authorization Success). 

 

Hope this helps !!!

Arne Bier
VIP

I agree with @Marcelo Morais - there might be some potential to use an EEM (Embedded Event Manager) script on the switch to trigger a shutdown when it detects the Access-Reject for the port(s) in question. It's been a while since I used EEM, but if you can find a SYSLOG event to trigger on then you might have a solution.
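As an added illustration of the EEM approach suggested in the post above (this applet is not configuration from the thread, from Cisco documentation, or from any of the posters): a classic-IOS applet that watches for the MAB failure syslog and administratively shuts the port named in it. The `%MAB-5-FAIL` identifier, the message wording matched by `event syslog pattern`, and the interface-name regex are assumptions about the platform's log format; confirm the exact text with `show logging` on the actual switch and adjust the pattern before deploying.

```ios
! Added example (not from the thread): shut a port after a MAB authentication failure.
! ASSUMPTION: the failure message reads
!   "%MAB-5-FAIL: Authentication failed for client (xxxx.xxxx.xxxx) on Interface Fa0/1 AuditSessionID ..."
! Verify with "show logging" on your platform and adjust the pattern and regex if it differs.
event manager applet SHUT-PORT-ON-MAB-FAIL
 ! Trigger only on MAB failures. With "authentication order dot1x mab" and
 ! "authentication event fail action next-method" (as in the config above), a
 ! dot1x failure is expected before MAB even runs, so do not trigger on %DOT1X-5-FAIL.
 event syslog pattern "%MAB-5-FAIL: Authentication failed for client .* on Interface"
 ! Extract the interface name from the syslog text into $intf
 action 010 regexp "on Interface ([A-Za-z]+[0-9/]+)" "$_syslog_msg" match intf
 action 020 if $_regexp_result eq 1
 action 030  cli command "enable"
 action 040  cli command "configure terminal"
 action 050  cli command "interface $intf"
 action 060  cli command "shutdown"
 action 070  cli command "end"
 action 080  syslog msg "EEM: $intf administratively shut down after MAB authentication failure"
 action 090 end
```

Two properties of this design matter for operations. First, an administrative `shutdown` is not an err-disable, so `errdisable recovery` will not bring the port back; an operator has to issue `no shutdown` after investigating. Second, because the trigger is an authentication failure rather than a host-count violation, any device with an unknown MAC takes the port out of service for everyone on it, including a phone sharing it; this trades availability for containment and is best limited to ports where that is acceptable (for example by narrowing the `event syslog pattern` to specific interface names).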

albertofdez
Level 1

Thank you very much for your help.

I have tried the option CoA Session Terminate with Port Shutdown and it works perfectly, but as you say it only works if the endpoint has a Session (Authentication and Authorization Success).

I have thought about creating an authorization profile and put it in the last line, with this options

[Screenshot: Captura.JPG]

I have about 15 rules and in this way if a new endpoint does not match any condition already created, it allows access and then disables the port.

Could it work?

Hi @albertofdez ,

 although the Attribute Detail has a disable-host-port command, the Session did not exist at that particular time, so it probably will not work !!!

 It's possible to use ANC and API for that (take a look at Setup Adaptive Network Control, special attention to Figure 2. ANC Shutdown Flow)

 

Hope this helps !!!