Cisco 3850 802.1x Port Based Authentication (ACS/RADIUS) - Guest/Restricted Access Problem

michael.lorincz
Level 4

Hi Guys,

This isn't my area of expertise, so please bear with me. We had this setup working but had to change a few things, and now the Access-Failed ports are not being placed into the correct 'guest/restricted' VLAN 998. Here's a cut-and-paste of the relevant sections from the config. I've also attached a partial log output.

The log shows an Access-Reject message from the ACS/RADIUS server being received on the switch. The class-map and policy-map look correct for activating service-template CRITICAL_AUTH_VLAN_998, but the ports never get changed to 998.

Any suggestions would be appreciated!

3850 Config:

!
aaa new-model
!
!
aaa group server radius ACS-SERVERS
 server name WEHO-ACS1
 server name WEHO-ACS2
 mac-delimiter colon
!
aaa authentication login LINE-CON local
aaa authentication dot1x default group ACS-SERVERS
aaa authorization network default group ACS-SERVERS
aaa authorization network auth-list group ACS-SERVERS
aaa authorization auth-proxy default group ACS-SERVERS
aaa accounting update periodic 5
aaa accounting identity default start-stop group ACS-SERVERS
aaa accounting network default start-stop group ACS-SERVERS
aaa accounting system default start-stop group ACS-SERVERS
!
!
aaa server radius dynamic-author
 client 192.168.10.190 server-key 7 XXXXXXXXX
 client 192.168.10.191 server-key 7 XXXXXXXXX
 auth-type any
!
aaa session-id common
access-session mac-move deny

ip device tracking probe count 10
ip device tracking probe use-svi
ip device tracking probe delay 10
ip device tracking
!
!
dot1x system-auth-control
!
!
fallback profile WEB_AUTH_PROFILE
!
service-template webauth-global-inactive
 inactivity-timer 3600
service-template webauth-IP_ADMIN_RULE
 inactivity-timer 3600
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan
service-template CRITICAL_AUTH_VLAN_650
 vlan 650
service-template CRITICAL_AUTH_VLAN_998
 vlan 998
!
!
parameter-map type webauth global
 custom-page login device flash:Login.html
 custom-page success device flash:Success.html
 custom-page failure device flash:Failed.html
 custom-page login expired device flash:Expired.html
!
!
parameter-map type webauth WEB_AUTH_PROFILE
 type webauth
!
!
parameter-map type webauth IP_ADMIN_RULE
 type webauth
!
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match result-type aaa-timeout
 match authorization-status authorized
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
!
class-map type control subscriber match-all DOT1X
 match method dot1x
!
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_MEDIUM_PRIO
 match authorizing-method-priority gt 20
!
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all DOT1X_TIMEOUT
 match method dot1x
 match result-type method dot1x method-timeout
!
class-map type control subscriber match-any IN_CRITICAL_VLAN
 match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 match activated-service-template CRITICAL_AUTH_VLAN_998
!
class-map type control subscriber match-all MAB
 match method mab
!
class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative
!
class-map type control subscriber match-none NOT_IN_CRITICAL_VLAN
 match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 match activated-service-template CRITICAL_AUTH_VLAN_998
!
!
policy-map type control subscriber ACS-PMAP-1
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL_AUTH_VLAN_998
   20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   30 authorize
   40 pause reauthentication
   50 clear-authenticated-data-hosts-on-port
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X_NO_RESP do-until-failure
   3 terminate dot1x
   6 authenticate using mab priority 20
   10 activate service-template CRITICAL_AUTH_VLAN_998
   20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   30 authorize
  40 class MAB_FAILED do-until-failure
   10 terminate mab
   15 activate service-template CRITICAL_AUTH_VLAN_998
   17 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   20 authentication-restart 60
  50 class DOT1X_FAILED do-until-failure
   3 terminate dot1x
   6 authenticate using mab priority 20
   10 activate service-template CRITICAL_AUTH_VLAN_998
   20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   30 authorize
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 event aaa-available match-all
  10 class IN_CRITICAL_VLAN do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_VLAN do-until-failure
   10 resume reauthentication
 event violation match-all
  10 class always do-until-failure
   10 restrict
!
policy-map port_child_policy
 class non-client-nrt-class
  bandwidth remaining ratio 10
!
 class class-default
  bandwidth remaining percent 25
  queue-buffers ratio 25

!!EXAMPLE INTERFACE!!
interface GigabitEthernet1/0/21
 switchport access vlan 650
 switchport mode access
 switchport voice vlan 111
 trust device cisco-phone
 access-session host-mode multi-domain
 access-session closed
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-req 1
 dot1x max-reauth-req 1
 auto qos voip cisco-phone
 spanning-tree portfast
 service-policy type control subscriber ACS-PMAP-1
!
ip access-list extended PRE_WEBAUTH_POLICY
 permit udp any any eq bootps
 permit udp any any eq domain
 deny ip any any
!
ip radius source-interface Vlan1
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server retransmit 2
radius-server timeout 3
radius-server deadtime 15
!
radius server WEHO-ACS1
 address ipv4 192.168.10.190 auth-port 1645 acct-port 1646
 key 7 XXXXXXXXX
!
radius server WEHO-ACS2
 address ipv4 192.168.10.191 auth-port 1645 acct-port 1646
 key 7 XXXXXXXXX
!
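As an added example that is not part of the original post: a small Python model of how an IBNS 2.0 control policy picks a class under "event authentication-failure match-first", run over the class-maps and policy-map from the config above (copied into the script as constructed input and trimmed to the classes that event references). It implements only the match keywords that appear in this config, plus the match-all/match-any/match-none class-map modes and the match-first/match-all event modes. The session attribute names it uses (method, result, authz, templates, priority) are the model's own shorthand, not IOS identifiers.

```python
# Constructed input: the class-maps and the authentication-failure event from
# the 3850 config in the post, trimmed to the classes that event references.
CONFIG = """
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match result-type aaa-timeout
 match authorization-status authorized
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative
policy-map type control subscriber ACS-PMAP-1
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL_AUTH_VLAN_998
   20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   30 authorize
   40 pause reauthentication
   50 clear-authenticated-data-hosts-on-port
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X_NO_RESP do-until-failure
   3 terminate dot1x
   6 authenticate using mab priority 20
   10 activate service-template CRITICAL_AUTH_VLAN_998
   20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   30 authorize
  40 class MAB_FAILED do-until-failure
   10 terminate mab
   15 activate service-template CRITICAL_AUTH_VLAN_998
   17 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   20 authentication-restart 60
  50 class DOT1X_FAILED do-until-failure
   3 terminate dot1x
   6 authenticate using mab priority 20
   10 activate service-template CRITICAL_AUTH_VLAN_998
   20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   30 authorize
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
"""


def parse(text):
    """Return ({class-map: (mode, [criteria])}, {event: (mode, [class entries])})."""
    cmaps, events, cm, ev, cls = {}, {}, None, None, None
    for t in (l.split() for l in text.splitlines() if l.split() and l.strip() != "!"):
        if t[0] == "class-map":                    # class-map type control subscriber <mode> <name>
            cm = cmaps[t[5]] = (t[4], [])
        elif t[0] == "match" and cm is not None:   # one criterion of the current class-map
            cm[1].append(t[1:])
        elif t[0] == "event":                      # event <name> match-first|match-all
            cm, ev = None, events.setdefault(t[1], (t[2], []))
        elif t[0].isdigit() and t[1] == "class":   # <seq> class <name> do-until-failure
            cls = {"name": t[2], "actions": []}
            ev[1].append(cls)
        elif t[0].isdigit():                       # <seq> <action ...>
            cls["actions"].append(" ".join(t[1:]))
    return cmaps, events


def criterion_holds(crit, s):
    """One 'match ...' line against session attributes s (keys are this model's own names)."""
    k, v = crit[0], crit[1:]
    if k == "method":                       # match method dot1x|mab
        return s.get("method") == v[0]
    if k == "result-type":                  # match result-type <r>  |  result-type method <m> <r>
        return s.get("result") == v[-1] and (v[0] != "method" or s.get("method") == v[1])
    if k == "authorization-status":
        return s.get("authz") == v[0]
    if k == "activated-service-template":
        return v[0] in s.get("templates", ())
    if k == "authorizing-method-priority" and v[0] == "gt":
        return s.get("priority", 0) > int(v[1])
    raise ValueError("unsupported criterion: " + " ".join(crit))


def class_matches(name, cmaps, s):
    if name == "always":                    # built-in class, always true
        return True
    mode, criteria = cmaps[name]
    hits = [criterion_holds(c, s) for c in criteria]
    return {"match-all": all(hits), "match-any": any(hits), "match-none": not any(hits)}[mode]


def evaluate(cmaps, event, s):
    """Class entries whose action lists run, in order; match-first stops at the first hit."""
    mode, entries = event
    chosen = [e for e in entries if class_matches(e["name"], cmaps, s)]
    return chosen[:1] if mode == "match-first" else chosen


def templates_activated(entry):
    return [a.split()[-1] for a in entry["actions"] if a.startswith("activate service-template")]


if __name__ == "__main__":
    cmaps, events = parse(CONFIG)
    scenarios = {"Access-Reject to dot1x": {"method": "dot1x", "result": "authoritative", "authz": "unauthorized"},
                 "RADIUS timeout, unauthorized": {"method": "dot1x", "result": "aaa-timeout", "authz": "unauthorized"},
                 "Access-Reject to MAB": {"method": "mab", "result": "authoritative", "authz": "unauthorized"}}
    for label, s in scenarios.items():
        for e in evaluate(cmaps, events["authentication-failure"], s):
            print(f"{label}: class {e['name']} -> {e['actions']}")
```

Run as-is, the model reports that a dot1x Access-Reject lands in class 50 DOT1X_FAILED (activate the 998 and voice templates, then authorize), a RADIUS timeout in class 10 AAA_SVR_DOWN_UNAUTHD_HOST, and a reject of the follow-on MAB attempt in class 40 MAB_FAILED, whose action list activates the same templates but ends with authentication-restart 60 and contains no authorize step. The model only shows which class the policy selects; compare it with what the switch reports for the port (show access-session interface GigabitEthernet1/0/21 details) to see which templates and VLAN are actually applied to the session.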
