08-06-2017 02:11 PM
Hi Cisco ISE Community,
I would like to know if anyone has any suggestions on the following scenario:
Guests can connect to the corporate network through wired access in order to browse on the Internet.
Actually I have configured the following on the ISE side:
On the switch side the "guest" switch port is configured as follows:
The issue here is that when the VLAN change CoA is sent to the switch (including the port-bounce command) the client does not proceed with the new DHCP request (the port VLAN changes from 128 to 116). Actually I didn't figure out if the port-bounce is working correctly, because in the switch configuration, when I type "no authentication command port-bounce ignore", it still appears in the configuration.
Looking forward to knowing your opinion.
Thanks.
M.
Below you can find the technical details:
####### SW CONFIG
SW03N#sh run all | i bounce
authentication command bounce-port ignore
SW03N#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW03N(config)#no authentication command bounce-port ignore
SW03N(config)#end
SW03N#sh run all | i bounce
authentication command bounce-port ignore
####### SW INFO
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 52 WS-C2960X-48TS-L 15.0(2)EX5 C2960X-UNIVERSALK9-M
2 52 WS-C2960S-48TS-L 15.0(2)EX5 C2960S-UNIVERSALK9-M
####### AUTHORIZATION PROFILE ATTRIBUTES:
Access Type = ACCESS_ACCEPT
Tunnel-Private-Group-ID = 1:116
Tunnel-Type = 1:13
Tunnel-Medium-Type = 1:6
cisco-av-pair = subscriber:command=bounce-host-port
####### SW switch port facing the client:
interface GigabitEthernet2/0/25
description VLAN Client
switchport access vlan 128
switchport mode access
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
speed 100
duplex full
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 3
spanning-tree portfast
spanning-tree bpduguard enable
end
####### SW MAB + CoA RADIUS:
Aug 4 16:21:01: RADIUS(00043565): Send Access-Request to 172.17.16.77:1812 id 1645/80,len 268
Aug 4 16:21:01: RADIUS: authenticator 60 25 BE 92 1E 26 E0 B8 - B1 A2 2F 63 3E 8B 9F 73
Aug 4 16:21:01: RADIUS: User-Name [1] 14 "002655f4f36d"
Aug 4 16:21:01: RADIUS: User-Password [2] 18 *
Aug 4 16:21:01: RADIUS: Service-Type [6] 6 Call Check [10]
Aug 4 16:21:01: RADIUS: Vendor, Cisco [26] 31
Aug 4 16:21:01: RADIUS: Cisco AVpair [1] 25 "service-type=Call Check"
Aug 4 16:21:01: RADIUS: Framed-IP-Address [8] 6 172.17.129.150
Aug 4 16:21:01: RADIUS: Framed-MTU [12] 6 1500
Aug 4 16:21:01: RADIUS: Called-Station-Id [30] 19 "70-10-5C-72-2A-99"
Aug 4 16:21:01: RADIUS: Calling-Station-Id [31] 19 "00-26-55-F4-F3-6D"
Aug 4 16:21:01: RADIUS: Message-Authenticato[80] 18
Aug 4 16:21:01: RADIUS: 9B 68 D6 BF 17 67 CA FB 38 47 D5 4B 5B A7 E6 0D [ hg8GK[]
Aug 4 16:21:01: RADIUS: EAP-Key-Name [102] 2 *
Aug 4 16:21:01: RADIUS: Vendor, Cisco [26] 49
Aug 4 16:21:01: RADIUS: Cisco AVpair [1] 43 "audit-session-id=AC1110300004343E10AF1DF4"
Aug 4 16:21:01: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Aug 4 16:21:01: RADIUS: NAS-Port [5] 6 50225
Aug 4 16:21:01: RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet2/0/25"
Aug 4 16:21:01: RADIUS: Called-Station-Id [30] 19 "70-10-5C-72-2A-99"
Aug 4 16:21:01: RADIUS: NAS-IP-Address [4] 6 172.17.16.48
Aug 4 16:21:01: RADIUS(00043565): Started 5 sec timeout
Aug 4 16:21:01: RADIUS: Received from id 1645/80 172.17.16.77:1812, Access-Accept, len 245
Aug 4 16:21:01: RADIUS: authenticator 32 4F BD 12 EF 5A 4B AD - 71 DB 2E C5 9B 68 DA EA
Aug 4 16:21:01: RADIUS: User-Name [1] 10 "test1234"
Aug 4 16:21:01: RADIUS: State [24] 40
Aug 4 16:21:01: RADIUS: 52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 41 43 [ReauthSession:AC]
Aug 4 16:21:01: RADIUS: 31 31 31 30 33 30 30 30 30 34 33 34 33 45 31 30 [1110300004343E10]
Aug 4 16:21:01: RADIUS: 41 46 31 44 46 34 [ AF1DF4]
Aug 4 16:21:01: RADIUS: Class [25] 54
Aug 4 16:21:01: RADIUS: 43 41 43 53 3A 41 43 31 31 31 30 33 30 30 30 30 [CACS:AC111030000]
Aug 4 16:21:01: RADIUS: 34 33 34 33 45 31 30 41 46 31 44 46 34 3A 67 61 [4343E10AF1DF4:ga]
Aug 4 16:21:01: RADIUS: 2D 69 73 65 2F 32 39 31 31 32 39 32 34 31 2F 31 [-ise/291129241/1]
Aug 4 16:21:01: RADIUS: 38 33 34 38 [ 8348]
Aug 4 16:21:01: RADIUS: Session-Timeout [27] 6 59887
Aug 4 16:21:01: RADIUS: Termination-Action [29] 6 0
Aug 4 16:21:01: RADIUS: Tunnel-Type [64] 6 01:VLAN [13]
Aug 4 16:21:01: RADIUS: Tunnel-Medium-Type [65] 6 01:ALL_802 [6]
Aug 4 16:21:01: RADIUS: Message-Authenticato[80] 18
Aug 4 16:21:01: RADIUS: B3 61 E1 9F CD B9 61 81 D5 FD 8F 04 76 FE D2 9C [ aav]
Aug 4 16:21:01: RADIUS: Tunnel-Private-Group[81] 6 01:"116"
Aug 4 16:21:01: RADIUS: Vendor, Cisco [26] 43
Aug 4 16:21:01: RADIUS: Cisco AVpair [1] 37 "subscriber:command=bounce-host-port"
Aug 4 16:21:01: RADIUS: Vendor, Cisco [26] 30
Aug 4 16:21:01: RADIUS: Cisco AVpair [1] 24 "profile-name=HP-Device"
Aug 4 16:21:01: RADIUS(00043565): Received from id 1645/80
Aug 4 16:21:01: RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNORE
Aug 4 16:21:01: %MAB-5-SUCCESS: Authentication successful for client (0026.55f4.f36d) on Interface Gi2/0/25 AuditSessionID AC1110300004343E10AF1DF4
Aug 4 16:21:01: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0026.55f4.f36d) on Interface Gi2/0/25 AuditSessionID AC1110300004343E10AF1DF4
Aug 4 16:21:01: %AUTHMGR-5-VLANASSIGN: VLAN 116 assigned to Interface Gi2/0/25 AuditSessionID AC1110300004343E10AF1DF4
Aug 4 16:21:02: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.55f4.f36d) on Interface Gi2/0/25 AuditSessionID AC1110300004343E10AF1DF4
####### SW AUTH SESSION DETAILS
SW03N#show authentication sessions interface gigabitEthernet 2/0/25
Interface: GigabitEthernet2/0/25
MAC Address: 0026.55f4.f36d
IP Address: 172.17.129.150
User-Name: test1234
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 116
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC1110300004343E10AF1DF4
Acct Session ID: 0x0004355B
Handle: 0x49000DF1
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
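As an added example (not from the post, nor Cisco or ISE code), here is a Python parser for the IOS `debug radius` Access-Accept dump shown above: it extracts the decoded attributes, validates that the RFC 3580 VLAN triple (Tunnel-Type 13, Tunnel-Medium-Type 6 and Tunnel-Private-Group-ID sharing one tag) is consistent, and reports whether the `subscriber:command=bounce-host-port` VSA actually reached the switch. The sample lines are constructed from the post's output.

```python
import re

# Constructed sample, modelled on the `debug radius` Access-Accept in the post above.
SAMPLE_ACCEPT = """\
Aug 4 16:21:01: RADIUS: Received from id 1645/80 172.17.16.77:1812, Access-Accept, len 245
Aug 4 16:21:01: RADIUS: User-Name [1] 10 "test1234"
Aug 4 16:21:01: RADIUS: Tunnel-Type [64] 6 01:VLAN [13]
Aug 4 16:21:01: RADIUS: Tunnel-Medium-Type [65] 6 01:ALL_802 [6]
Aug 4 16:21:01: RADIUS: Tunnel-Private-Group[81] 6 01:"116"
Aug 4 16:21:01: RADIUS: Cisco AVpair [1] 37 "subscriber:command=bounce-host-port"
Aug 4 16:21:01: RADIUS: Cisco AVpair [1] 24 "profile-name=HP-Device"
"""

# "name [type] length value"; the name may run into the bracket (Tunnel-Private-Group[81]).
ATTR_RE = re.compile(r'RADIUS:\s+(?P<name>[A-Za-z][\w-]*(?: [\w-]+)*)\s*\[\d+\]\s+\d+\s+(?P<raw>.+)$')
TAGGED_RE = re.compile(r'^(?P<tag>\d{2}):(?P<val>.*)$')   # tunnel attributes carry a tag byte
ENUM_RE = re.compile(r'\[(?P<num>\d+)\]\s*$')              # "VLAN [13]" -> 13

def parse_accept(text):
    """Return [(name, tag_or_None, value)] for every decoded attribute in the dump."""
    attrs = []
    for line in text.splitlines():
        m = ATTR_RE.search(line)
        if not m:                      # packet header, hex continuation or length-only line
            continue
        raw, tag = m['raw'].strip(), None
        t = TAGGED_RE.match(raw)
        if t:
            tag, raw = int(t['tag']), t['val']
        e = ENUM_RE.search(raw)
        attrs.append((m['name'], tag, int(e['num']) if e else raw.strip('"')))
    return attrs

def check_vlan_authorization(attrs):
    """Validate the RFC 3580 VLAN triple and report which CoA command the NAD was given."""
    by_name = {}
    for name, tag, value in attrs:
        by_name.setdefault(name, []).append((tag, value))
    tunnel = {k: by_name.get(k, [(None, None)])[0]
              for k in ('Tunnel-Type', 'Tunnel-Medium-Type', 'Tunnel-Private-Group')}
    tags = {tag for tag, _ in tunnel.values()}
    avpairs = dict(v.split('=', 1) for _, v in by_name.get('Cisco AVpair', []) if '=' in v)
    return {
        'vlan': tunnel['Tunnel-Private-Group'][1],
        # 13 = VLAN, 6 = IEEE 802; all three attributes must be present with the same tag
        'vlan_triple_ok': (tunnel['Tunnel-Type'][1] == 13 and tunnel['Tunnel-Medium-Type'][1] == 6
                           and len(tags) == 1 and None not in tags),
        'bounce_requested': avpairs.get('subscriber:command') == 'bounce-host-port',
        'avpairs': avpairs,
    }

if __name__ == '__main__':
    print(check_vlan_authorization(parse_accept(SAMPLE_ACCEPT)))
```

Feed it the full `debug radius` output to confirm the VLAN attributes and the bounce VSA are in the Access-Accept before looking at the switch side; if `bounce_requested` is true and the port still does not bounce, the problem is the NAD ignoring the command, not the ISE authorization profile.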
08-07-2017 07:51 AM
Hi Matteo,
How are you sending CoA Port-Bounce for CWA? I tried sending CoA Port-Bounce for the same use case but still could not make it work on 3850.
Our customer also wanted to have a change of VLAN for guests, and we came up with a solution using macros for 3850.
Please see this link: https://communities.cisco.com/thread/81859
However this solution might not work well in a multi-auth environment behind an IP Phone as we are disabling dot1x on ports where guests are connected.
08-07-2017 04:26 AM
In general, VLAN change is not a good idea for guest users, since the connection is MAB, CoA for CWA is a reauth, and the client will not detect the VLAN change and thus retains its original IP. Consider SGTs, or device registration with terminate CoA; otherwise a workaround could be configuring the NAD profile as non-Cisco and disabling the reauth CoA option.