Wired Non Domain Users/Computers automatic VLAN Assignment from ISE

laurathaqi
Level 3

Hi all, 

I have a use case where the customer wants to place non-domain users/machines into an isolated VLAN when they connect to the switch port. I have created the VLAN on the switch with a name, e.g. VLAN 5, and also created a profile in ISE that points to VLAN 5. In the AuthC and AuthZ rules I have done the following:

AuthC: Not Defined yet.

AuthZ: if the user is not part of Domain Users and Domain Computers and the machine is wired, then use the VLAN 5 profile to assign it to the port session.

Switch interface config: switchport access, with initial VLAN X assigned; after a machine connects to the port, it should automatically change to VLAN 5.

Do you have any idea what logic I should add to the AuthC in order to achieve my goal of automatically placing the machine into VLAN 5 after a non-domain user connects to the switch port? Any other, better suggestions for the overall logic of the wired non-domain user use case would be highly appreciated.

The VLAN assignment examples I have seen configured online so far are all related to AD groups. However, this use case has no communication with AD, since these are going to be non-domain users.

 

Any suggestion or thoughts would be highly appreciated.

 

Thank you,

Laura

10 Replies

balaji.bandi
Hall of Fame

Your use case looks most like BYOD; if the user is not logged in, how do you identify the device?

You need a user portal or MAB authentication for the user to get non-authenticated access and be assigned a VLAN.

 

BB


Hi @balaji.bandi 

 

Yes, I have thought of this, but the issue is that the switch does not support URL redirection for CWA, which makes it impossible to implement wired BYOD. Thus the idea was to go only with VLAN assignment isolation.

 

Thank you for your feedback. 

 

Best regards,

Laura

Hi @laurathaqi 

You can use the common task "VLAN" in the authorisation profile and apply it to any users who aren't members of the domain. Refer to this guide for more information on dynamic VLAN authorisation.

Another option is to just apply a DACL to these users to restrict their access; this means you don't need to create additional VLANs and DHCP scopes.

Hi @Rob Ingram 

 

I will test with the information in the guide you provided and inform you of the outcome tomorrow.

 

Thank you for the feedback. 

 

Best wishes,

Laura  

Hi @Rob Ingram ,

 

I tried the configurations you suggested, but for some reason the non-domain machine's VLAN does not get updated from the VLAN pushed in the AuthZ profile. The existing configurations are as follows:

Interface g1: switchport access VLAN 10; the interface gets an IP. However, I want the logic to be as follows: when going through the policy set, the flow will fail from MAB to dot1x, and it will go through the AuthC MAB rule and the AuthZ MAB rule, thus changing to VLAN 15, since this VLAN is isolated and used for non-domain computers and users.

 

However, for some reason the interface is stuck with the same IP address that is assigned manually on the switch port via switchport access VLAN 10, and the IP address does not change to the new VLAN's broadcast domain. This is even though the flow goes into the AuthC and AuthZ rules I configured and the profile with the VLAN ID is pushed.

Do you have any idea why the VLAN does not change, even though the profile with the dynamic VLAN is pushed?

 

Please keep in mind that the VLAN in the AuthZ profile is configured with the same name on the switch. DHCP for this VLAN is also configured and works correctly when manually assigned to a port with "Switchport access 35".

 

Looking forward to hearing from you. 

 

Thank you,

Laura

@laurathaqi 

The computer should not receive an IP address until ISE has processed the authc/authz request.

At what point does the computer receive an IP address in VLAN10?

Is the user on the non-domain PC actually authorised using MAB initially?

Can you turn on debugs ("debug radius") and provide the output? Also provide the output of "show authentication session int gi10/1".

 

 

Hi Rob, 

 

Please find answers in italics below:

 

The computer should not receive an IP address until ISE has processed the authc/authz request. 

Answer: The reason the computer gets the IP is the manual switch interface VLAN that we have configured, which we think would change dynamically after it realises it is a wired MAB non-domain user/computer. What I mean by the manual switch interface VLAN configuration is the following:

!
interface gi10/1
  switchport mode access
  switchport access vlan 10
  ....dot1x and mab configs....
end
!

At what point does the computer receive an IP address in VLAN10?

Answer: The computer seems to receive the IP address the moment it connects to the network, thus getting an IP in the broadcast domain of VLAN 10. Only after that does it read the other dot1x configs in order. Since switchport access vlan 10 is the first command in the port configuration, it gets read first, so the computer gets an IP in that VLAN, and only after that does it proceed to read the other port configuration.

 

Is the user on the non-domain PC actually authorised using MAB initially?

Answer: I'm not sure I understand your question, but the following behaviour is present:

The user connects to the switch port, gets an IP, and the switch proceeds to read the other configuration commands, which send it to ISE. In ISE (based on live logs) it goes through the MAB rule, which has the Continue option configured, then proceeds to the AuthZ rule, which checks the following: if it is a MAB rule, go to profile XYZ, and profile XYZ has an AuthZ profile with a VLAN configured on it. This VLAN should be dynamically assigned to the port if the flow goes through the mentioned rules.

However, for some reason the interface is stuck on the primary VLAN that was assigned via the "switchport access vlan 10" command, and even though the new profile is read according to the live logs, the VLAN does not change to the new one we want to assign.

 

The "show authentication session int gi10/1" output shows MAB success on the interface, after failing 802.1X first. And it gets the IP of the VLAN that is manually assigned in the switch port configuration, as follows:

interface gi10/1
  switchport mode access
  switchport access vlan 10

 

Note: CoA is enabled on both the switch and ISE. However, I am not sure how to confirm whether CoA is happening when the switch port needs to change its VLAN to the new one.

I will proceed with the RADIUS debug and provide the information to you.

 

Looking forward to hearing back from you. 

 

Thank you,

Laura 

@laurathaqi 

...but does the output of show authentication session int gi10/1 indicate Vlan Policy = vlan 15? If not, that would indicate that the switch did not receive the settings from ISE, so the client remains in the VLAN specified under the interface.

 

The client would be denied access to the network before authentication, that includes DHCP, only EAPoL is allowed.

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.html

 

 

 

Hi @Rob Ingram 

 

With further analysis, the show authentication session int gi10/1 VLAN Policy shows empty. Meanwhile, in the active sessions of the port in ISE, when I do "reauthenticate session" from the CoA column, I get the error: Dynamic Authorization Failed; Check the connectivity between ISE and Network Access Device. Ensure that ISE is defined as Dynamic Authorization Client on Network Access Device and that CoA is supported on device.

CoA is enabled on the switch with "aaa server radius dynamic-author", as follows:

aaa server radius dynamic-author
 example: client 10.0.0.3 server-key testExampleKey
 example: client 10.0.0.4 server-key testExampleKey

 

Meanwhile, in ISE I have CoA enabled with the Reauth action.

The flow I am testing with is:

   AuthC: if Wired_MAB, check the internal endpoints DB; if the user is not found -> Continue.
   AuthZ: if Wired_MAB, assign the AuthZ profile with VLAN ID 15.

Please keep in mind that the 802.1X EAP-TLS and PEAP flows are working successfully; this is only the MAB one.

I did not configure a pre-auth ACL on the port.

 

Full interface config is as follows:

switchport access vlan 10
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan 10
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
!

Note: other devices in the network are authenticating successfully with ISE via 802.1X.

Any thoughts on how to check and validate CoA communication between the NAD and ISE?

Actions done so far:

- Validated via Wireshark that port 1700 is being used from the ISE side for CoA.

- The supplicant's Windows firewall is turned off.

- There is no other firewall between these two networks and devices, nor between the VLANs.

- Ping is working, and 802.1X EAP-TLS and PEAP AuthC and AuthZ are successful.

- The switch model is a 2960, and the CoA commands were accepted on the CLI.

 

Any thoughts on how to troubleshoot further?

Also, if you have a better suggestion for the implementation logic of wired non-domain user authentication and authorization, please let me know, as long as it's not BYOD, due to the URL redirection limitations.

 

Thank you for your feedback. Looking forward to hearing from you. 

 

Best,

Laura 

Hi @Rob Ingram 

 

Found the solution. It seems that CoA is not supported on Cisco switch versions lower than 12.2(53). Mine was 12.2(50). I tested it on a switch with version 15.2 which I had available, and the VLAN Policy works like a charm.

Found the info on the following link: https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.html#wp1043599

 

Thank you once again for the feedback and support. You make this community awesome. 

 

Best regards,

Laura
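The two checks this thread converged on, Rob's "does show authentication session show a Vlan Policy?" and Laura's 12.2(53) minimum IOS for CoA, as a small added troubleshooting script. This is example code written for this page, not anything from the thread or from Cisco; the session output is a constructed sample (the MAC, session ID and field subset are made up), and the version comparison is a coarse numeric check that ignores IOS train letters.

```python
import re

# Constructed sample of "show authentication sessions interface gi10/1" output,
# not captured from the thread's switch; "Vlan Policy" shows N/A to mirror the
# symptom in the thread (MAB succeeded, but no VLAN arrived from ISE).
SAMPLE_SESSION = """\
            Interface:  GigabitEthernet10/1
            User-Name:  00-11-22-33-44-55
               Status:  Authz Success
        Authorized By:  Authentication Server
          Vlan Policy:  N/A

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
"""

# Threshold quoted in the thread's final post; tuple comparison ignores train letters (assumption).
COA_MIN_IOS = (12, 2, 53)


def parse_session(text):
    """Turn the 'Key:  Value' lines and the method table into a dict."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z -]*?):\s*(.*)$", line)
        if m:
            info[m.group(1).strip()] = m.group(2).strip()
    info["methods"] = dict(re.findall(r"^\s+(dot1x|mab)\s+(.+?)\s*$", text, re.M))
    return info


def ios_version_tuple(version):
    """'12.2(50)SE' -> (12, 2, 50); '15.2(4)E' -> (15, 2, 4)."""
    m = re.match(r"(\d+)\.(\d+)\((\d+)\)", version)
    if not m:
        raise ValueError(f"unrecognised IOS version: {version}")
    return tuple(int(x) for x in m.groups())


def coa_supported(version):
    return ios_version_tuple(version) >= COA_MIN_IOS


def diagnose(session_text, ios_version):
    """List the reasons a VLAN pushed by ISE would not show up on the port."""
    s = parse_session(session_text)
    findings = []
    if s["methods"].get("mab") == "Authc Success" and s.get("Vlan Policy", "") in ("", "N/A"):
        findings.append("MAB succeeded but Vlan Policy is empty: switch applied no VLAN from ISE")
    if not coa_supported(ios_version):
        findings.append(f"IOS {ios_version} is older than 12.2(53): CoA/dynamic authorization unsupported")
    return findings
```

Running diagnose(SAMPLE_SESSION, "12.2(50)SE") reports both the missing Vlan Policy and the too-old IOS, which is exactly the combination Laura hit before moving to the 15.2 switch.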