01-04-2018 03:40 AM - edited 02-21-2020 10:43 AM
Hi,
In my lab I am trying to authenticate a non-domain-joined PC with a policy-map, but I am having a hard time achieving this. Any help would be greatly appreciated, or if you can point me in the right direction I would be very glad.
Short story of my lab:
Domain-joined PC, port-based authentication: can access the network
MAB authentication: works fine
Policy-map configuration example:
sw01#show policy-map type control subscriber DOT1X_POLICY
DOT1X_POLICY
  event session-started match-all
    10 class always do-until-failure
      10 authenticate using dot1x priority 10
  event authentication-failure match-first
    10 class always do-until-failure
      10 terminate dot1x
      20 authentication-restart 60
  event agent-found match-all
    10 class always do-until-failure
      10 authenticate using dot1x priority 10
  event authentication-success match-all
    10 class always do-until-failure
      10 activate service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
sw01#show policy-map type control subscriber MAB_POLICY
MAB_POLICY
  event session-started match-all
    10 class always do-until-failure
      10 authenticate using mab priority 10
  event authentication-failure match-first
    10 class always do-until-failure
      10 terminate mab
      20 authentication-restart 60
  event authentication-success match-all
    10 class always do-until-failure
      10 activate service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
Port configuration examples:
interface GigabitEthernet1/0/15
 description DOT1X
 switchport access vlan 3180
 switchport mode access
 access-session closed
 access-session port-control auto
 dot1x pae authenticator
 no cdp enable
 spanning-tree portfast
 service-policy type control subscriber DOT1X_POLICY
interface GigabitEthernet1/0/14
 description MAB
 switchport access vlan 3180
 switchport mode access
 access-session closed
 access-session port-control auto
 mab
 dot1x pae authenticator
 no cdp enable
 spanning-tree portfast
 service-policy type control subscriber MAB_POLICY
What I am trying to achieve is that if the PC is not found in the domain, it should only be able to access the internet, not the internal servers, i.e. VLAN 20, which is the surf VLAN. Can I achieve this with a policy-map? I mostly followed this guide, but I am stuck now: https://communities.cisco.com/docs/DOC-64012
Thanks for stopping by and helping a fellow networker.
PS: Why am I getting these? I was able to do this a couple of weeks ago.
sw01(config-if)#authentication event fail action authorize vlan 20
Command deprecated (authentication event fail action authorize vlan 20) - use cpl config
sw01(config)#dot1x guest-vlan supplicant
Command deprecated ('dot1x guest-vlan supplicant') - use cpl config instead
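For reference, the "use cpl config" hint in those two messages means the legacy per-interface fail/guest VLAN commands have to be expressed as policy-map actions instead. The following is an added example of that translation, not configuration from the poster, the replies, or the linked Cisco guide: a single IBNS 2.0 policy that runs dot1x first, falls back to MAB when the supplicant fails or never answers, and drops a host that fails both into a guest VLAN via a service-template. The policy and template names, and VLAN 20 as the surf VLAN, are assumptions; the three class-maps are the standard ones the converted default policy relies on (the poster mentions having deleted them, so they are defined here explicitly).

```cisco
! Added example (not the poster's config): IBNS 2.0 equivalent of
!   authentication event fail action authorize vlan 20
!   dot1x guest-vlan supplicant
! Names below (GUEST_VLAN_20, DOT1X_MAB_GUEST_POLICY) are assumed.

! Authorization result applied to hosts that fail or have no supplicant.
service-template GUEST_VLAN_20
 description Assumed surf-only VLAN for guests and non-domain-joined PCs
 vlan 20

! Result classes the policy branches on (the same three the default
! converted policy uses; they must exist or the policy will not compile).
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative

policy-map type control subscriber DOT1X_MAB_GUEST_POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
 event authentication-failure match-first
  ! Supplicant present but rejected (e.g. PC not in the domain): try MAB
  10 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  ! No supplicant at all (printer, camera, guest laptop): try MAB
  20 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  ! MAC unknown to ISE as well: authorize into the guest VLAN locally.
  ! This replaces "authentication event fail action authorize vlan 20".
  30 class MAB_FAILED do-until-failure
   10 terminate mab
   20 activate service-template GUEST_VLAN_20
   30 authorize
  ! Anything else: start over after a minute
  40 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 ! A supplicant that appears later re-runs dot1x; this is the
 ! "dot1x guest-vlan supplicant" behaviour.
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE

! The port needs "mab" enabled or the "authenticate using mab" actions
! have nothing to run.
interface GigabitEthernet1/0/15
 description DOT1X + MAB + local guest VLAN
 switchport mode access
 switchport access vlan 3180
 access-session closed
 access-session port-control auto
 mab
 dot1x pae authenticator
 no cdp enable
 spanning-tree portfast
 service-policy type control subscriber DOT1X_MAB_GUEST_POLICY
```

Two things to check when testing this: VLAN 20 membership only isolates the host at layer 2, so "internet only" still has to be enforced by an ACL on the VLAN 20 SVI or the upstream firewall; and with `access-session closed` the guest gets no DHCP until the dot1x timeouts expire and MAB has been tried, so a long `dot1x timeout tx-period` shows up as a client that "has no network" for a while. Moving the VLAN or dACL decision into ISE, as the reply below suggests, removes the local service-template but not the upstream ACL requirement.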
01-05-2018 07:57 AM
Are you set on using policy-maps? There should be an easier way to send non-domain devices into the guest VLAN.
I would much rather have ISE doing all the policy work instead of having the switches with bloated configs for policy maps.
I would have normal 802.1x/MAB auth and add conditions to those policies in ISE so that if a user is not part of the domain or fails MAB, they are sent to the guest VLAN. That way you can clean up the config on the switches, basically keeping just the required config for 802.1x/MAB, and create the guest VLAN on the switch itself.
Depending on how you want to set this up the default deny policy in ISE could be changed to send anyone to the guest VLAN who is unable to authenticate too.
01-07-2018 12:29 PM - edited 01-07-2018 12:31 PM
Honestly, these policies were created by default. I was able to use the authentication command in interface mode, but not anymore. I would rather use ISE to do everything instead of having loads of commands in my switch.
Today both dot1x and MAB work fine, but if I remove the service-policy command from the interface everything stops working, which is why I have these policy-map commands. As I said, I'd rather remove these policies from my switch and configure ISE to do this job instead. The one thing that I still can't figure out with the policy-map is how to give non-domain-joined and guest PCs access to VLAN X for web surfing only.
Any recommendations on how to achieve this? I am not so familiar with ISE, but the more I use it the more I start to understand it; unfortunately the policy sets are still very tricky.
This is what I am trying to do:
1. Dot1x
2. MAB
3. Redirection of guests and non-domain-joined PCs to webauth.
-W
01-09-2018 04:58 AM - edited 01-09-2018 04:59 AM
Hi Walwar,
Non-802.1x-authenticated hosts can be MAB :)
The old-style config in which the switch uses LWA or a failed VLAN or a guest VLAN or whatever is kind of legacy :)
You can configure ISE so that when a MAB request for an unknown MAC arrives, the device is placed into a 'guest' VLAN or is presented with a web-auth portal (from ISE).
The config you're using is IBNS 2.0 (policy-map oriented), which can be deactivated so that you can use the old-style syntax (dot1x authentication, etc.).
Thanks,
Octavian
01-09-2018 05:29 AM
Hello,
I probably should have pointed this out: my dot1X is only for wired domain-joined PCs.
MAB is used for printers, security cams, and non-domain-joined PCs, i.e. guests, which are redirected to authenticate through a webpage.
Now, after many long nights in my basement, I have kind of solved the webauth, but not 100%. The only thing that is not working in my lab is that my guest PC is not getting access to the Internet, even though when I look at the port it has an assigned IP and I even see the dACL, the PC is not connecting. When I copy the dACL from the port and use it from another PC I get to the self-registration page and can register successfully, and only then is my guest PC able to surf the internet.
How do I deactivate this policy-map-based config? It is starting to get too complex and I could lose track of everything soon, hehe.
What do you think of using policy-map vs old style syntax?
-walwar
01-09-2018 07:27 AM
Hi,
IBNS 2.0 is rather new (or at least not often implemented) and is not available on every existing Catalyst platform.
Cisco's documentation states that you cannot revert to the old-style configuration mode for 802.1x if you saved the config and reloaded the device. I have my doubts about that, and I suspect that the correct sentence would be that you cannot revert to the old style and keep your entire config.
I suspect that a write erase and reload would allow you to revert to the old-style config.
There are some advantages to using the policy-map model, like running both MAB and dot1x simultaneously on the switch (old style/auth manager cannot do it), but overall it's not as user friendly as auth manager.
Thanks,
Octavian
01-09-2018 07:35 AM
Hello,
Yeah, I saw that, and unfortunately I had already saved and rebooted my switch, and I won't bother troubleshooting whether write erase will revert back to the legacy style. I will continue using policy-maps, though I need to clean them up and add back the class-maps I removed, not knowing that the policies might be useful.
Do you have any experience with wired guest authentication? I am still having trouble figuring it out.
Thanks for taking time and helping out, much appreciated!
-walwar