Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
929
Views
0
Helpful
1
Replies

IBNS 2.0 complex policy

Garry Cross
Level 1
Level 1

‎11-22-2018 01:54 PM - edited ‎03-11-2019 01:52 AM

I thought I would see if the community may a policy that works for the following.

Configure concurrent mab and dot1x. So this is in the policy.

 event session-started match-all
    10 class always do-until-failure
      10 authenticate using dot1x priority 10
      20 authenticate using mab priority 20

I have a Scanjet 7000n that we can't figure out how to disable the dot1x client. It is using and invalid EAP method and the box is not longer supported by HP. Was thinking that if we had a policy that we could somehow configure under the agent-found event to ignore it if we are currently in the mab authenticated state.

Some how like the following, but it doesn't work. Can't even get to the mab success state. If I leave agent-found event out the state gets to "mab DATA Auth" Otherwise it is "N/A Unknown Unauth"

event agent-found match-first

10 class MAB_Success

  10 terminate dot1x

20 class always

  10 authenticate using dot1x priority 10

!

class-map type control subscribe match-all MAB_Success

 match result-type method mab success

 

I have watched the debug pre all output but nothing is obvious from it.

Now in an attempt figure out what some of the events are, I have added some events to the policy with no actions underneath them. Turns out now that I have id:21 Authorization Success it hits that and nothing further transpires.

So I have this, because I was trying different things to understand what is going on.

 

event agent-found match-first
    20 class always do-until-failure
      20 authenticate using dot1x priority 10

 

Here is the debug output.Every time the printer sends an EAPOL packet or the switch, not sure who goes first.

 

Nov 22 16:49:01: [PRE:RULE:EVENT:C2000018] Executing policy-map type control subscriber User_Test_AF
Nov 22 16:49:01: [PRE:RULE:EVENT:C2000018]   event (id:19 name:agent-found) match-first
Nov 22 16:49:01: [PRE:RULE:EVENT:C2000018]     class always do-until-failure policy instance 0xCD0000C4
Nov 22 16:49:01: [PRE:RULE:EVENT:C2000018] Evaluate: class-map type control match-any subscriber always
Nov 22 16:49:01: [PRE:RULE:EVENT:C2000018] evaluated class map: success
Nov 22 16:49:01: [PRE:RULE:EVENT:C2000018] Action authenticate using dot1x priority 10:sync:success
Nov 22 16:49:01: [PRE:RULE:EVENT:C2000018] executed action handlers and returning with status:1, result:0
Nov 22 16:49:01: [PRE:RULE:EVENT:C2000018] Executing policy-map type control subscriber User_Test_AF
Nov 22 16:49:01: [PRE:RULE:EVENT:C2000018]   event (id:21 name:authorization-success) match-all
Nov 22 16:49:01: [PRE:RULE:EVENT] eval_default_action: No Default action for this clid[2] and eventid[21]
Nov 22 16:49:01: [PRE:RULE:EVENT:C2000018] no class match found. nothing to run against in policy.
TrainingSwitch#
Nov 22 16:49:01: %DOT1X-5-FAIL: Authentication failed for client (001b.78f6.0aed) on Interface Gi1/0/1 AuditSessionID 0A3D011E00000044627FBF86

 

 

Thanks for any insight.

0 Helpful
1 Reply 1

hslai
Cisco Employee
Cisco Employee

‎12-22-2018 08:29 PM

This looks the same as your other post Re: IBNS 2.0 no-match result-type metho...

0 Helpful
Customers Also Viewed These Support Documents