User access-list with easyconect configurationin in ISE

tlamallem
Level 1

Hi,

I configured our ISE with Easy Connect. I set up a policy for Wired_MAB and gave the default authorization HostLookUp to authorize the machines to contact the domain controller and DHCP server. When I connect the machine, ISE responds with the default access-list, but after I connect the user, nothing happens: I can see the user's session in the live logs for PassiveID, but ISE didn't send the access-list that matched the user.

Help pls!!!

Here is the switch configuration:

aaa new-mo
!Global Configuration
!
radius server ISE-1
address ipv4 172.16.212.30 auth-port 1812 acct-port 1813
key 1417
!
aaa group server radius dot1x_auth
server name ISE-1
!
aaa authentication dot1x default group dot1x_auth
aaa authorization network default group dot1x_auth
aaa accounting update newinfo
aaa accounting dot1x default start-stop group dot1x_auth
!
aaa server radius dynamic-author
client 172.16.212.30 server-key 1417
!
dot1x system-auth-control
dot1x critical eapol
!
ip access-list extended PREAUTH
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit udp any any eq tftp
deny ip any any log
!
ip device tracking probe delay 10
mab request format attribute 32 vlan access-vlan
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria tries 2
radius-server key 1417
radius-server vsa send authentication
radius-server vsa send accounting
!

###Interface configuration

switchport access vlan 22
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan 22
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast


5 Replies

Rodrigo Diaz
Cisco Employee

Hi @tlamallem, please check that the authorization profile you are using while connecting the computer has the feature called Passive Identity Tracking enabled, as shown in the following screenshot.

[screenshot: RodrigoDiaz_0-1675360831924.png]

If you already have this, and you are seeing the events related to the PassiveID connector, I would check whether ISE and the NAD are issuing the CoA correctly.

Let me know if that helped you.

Thank you for the reply. I already activated the tracking. For the CoA, I tried EAP-TLS authentication and everything is OK.

But while I was configuring the switch, the command below didn't work:

ip device tracking probe delay 10

Is it necessary for PassiveID?

Another thing: I'm using an agent and not WMI to configure my provider (AD), because WMI didn't work.

Hi @tlamallem, in the scenario you are describing, IP device tracking is important because it is what maps the authentication session to an IP address. If you run the command "show authentication session interface <type> details", you should be able to see whether the mapping was done correctly, as it will display the supplicant IP.

The PassiveID agent, on the other hand, is the recommended provider for the feature, so you should be good on that other point you mention.

Let me know if that helped you.
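As an added example (not code from this thread or from Cisco), a small Python check that scans a saved IOS running-config for the prerequisites the replies above point at: IP device tracking for the session-to-IP mapping, a dynamic-author client so ISE can send CoA, and MAB with open authentication on the port. The rule list, the interface name and the accounting rule are my assumptions; the sample config is constructed with "ip device tracking" left out on purpose.

```python
import re

# Constructed excerpt in the style of the switch config posted above, with
# "ip device tracking" deliberately left out to show what the check reports.
SAMPLE_CONFIG = """\
aaa authentication dot1x default group dot1x_auth
aaa accounting dot1x default start-stop group dot1x_auth
aaa server radius dynamic-author
 client 172.16.212.30 server-key 1417
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication port-control auto
 mab
"""

# Prerequisites named in the thread: session-to-IP mapping, a CoA client, MAB with
# open auth on the port; accounting is my assumption (it carries the learned IP to
# ISE). Legacy "ip device tracking" or newer "device-tracking" both satisfy rule 1.
GLOBAL_RULES = {
    "ip device tracking / device-tracking (session-to-IP mapping for PassiveID)":
        re.compile(r"^(ip device tracking|device-tracking)\b"),
    "aaa server radius dynamic-author (CoA client for ISE)":
        re.compile(r"^aaa server radius dynamic-author$"),
    "dot1x system-auth-control": re.compile(r"^dot1x system-auth-control$"),
    "aaa accounting dot1x default start-stop (assumption)":
        re.compile(r"^aaa accounting dot1x default start-stop"),
}
INTERFACE_RULES = {
    "mab": re.compile(r"^mab$"),
    "authentication open": re.compile(r"^authentication open$"),
    "authentication port-control auto": re.compile(r"^authentication port-control auto$"),
}

def check_config(config: str) -> list[str]:
    """Return the names of prerequisites that no config line satisfies."""
    lines = [s for s in (ln.strip() for ln in config.splitlines()) if s and not s.startswith("!")]
    missing = []
    for rules in (GLOBAL_RULES, INTERFACE_RULES):
        for name, rx in rules.items():
            if not any(rx.match(ln) for ln in lines):
                missing.append(name)
    return missing

if __name__ == "__main__":
    for item in check_config(SAMPLE_CONFIG):
        print("MISSING:", item)
```

Run it against "show running-config" output saved to a file; a non-empty list is where to look first when the user session shows up in the PassiveID live logs but no per-user ACL follows.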

@tlamallem WMI is the only type of PassiveID provider that supports Easy Connect today. We are evaluating enabling PIC agents in future releases.

hslai
Cisco Employee

@tlamallem Also check this KB -- ISE Easy Connect