ISE 1.3 issue with Catalyst 4500E (12.54)

Capricorn
Level 1

Hi!

I am new to ISE world.

I have different authorization policies based on computer and user. Once the computer starts, it is assigned to a VLAN based on its security group membership. If a user logs in to the same computer, then the second authorization kicks in and an IP is assigned from the VLAN based on the user's security group.

It works on a 2900 series switch, but the same thing doesn't work on a Catalyst 4500E (12.54). I have matched the dot1x config on both switches and they look fine.

The issue is that on the Catalyst 4500 the second authorization doesn't work. Only the first policy, the one for computer authentication, works.

Any suggestion on this?

Thanks

Capricorn

9 Replies

nspasov
Cisco Employee

Hello Capricorn-

My guess is that you are hitting a bug with the version of code that you are running on the 4500. Can you provide the following info?

- Exact chassis model (obtain from show ver)

- Exact code version (obtain from show ver)

- Output from the following command: show authentication sessions interface interface_name_number

- Configuration of the affected port

Thank you for rating helpful posts!

Thanks Neno for looking into this. Please see below.

WS-C4506-E

cat4500e-ipbasek9-mz.122-54.SG1.bin


description ISE
switchport access vlan 550
switchport mode access
switchport voice vlan 300
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 5
dot1x max-reauth-req 1
spanning-tree portfast
spanning-tree guard root

--------

show authentication sessions interface gigabitEthernet 3/31
Interface: GigabitEthernet3/31
MAC Address: a0b3.cc23.xxxx
IP Address: 10.2.7.227
User-Name: host/testcomputer.mydomain.com
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 109
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0AF4DC0C0000003D8153AA91
Acct Session ID: 0x00005255
Handle: 0xA300003E

Runnable methods list:
Method State
dot1x Authc Success
mab Not run

Hi again!

Anyone can look into this?

Thanks

Sorry about that. I thought I replied to the thread but I guess I missed it :/

So, based on what you have provided I see two things that look strange:

1. The username in the session is the name of a computer, not the actual user. Thus, it appears that the user auth is not even seen by the switch/ISE.

2. In the port config you have a pre-auth ACL (ACL-DEFAULT) but I don't see a dACL in the authorization policy. So my question here is: Are you returning a dACL with your authorization policy? If not, I would suggest doing that as you need a dACL to replace the pre-auth ACL. Otherwise, the pre-auth ACL remains on the port even after successful authentication/authorization. You can quickly test this by pushing a "permit ip any any" with both authorization profiles.

Thank you for rating helpful posts!
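An added helper (not from the thread or from Cisco) that applies the two checks made in this reply to a pasted "show authentication sessions interface" dump: is the session still carrying the machine identity (User-Name starting with host/), and is there no "ACS ACL:" line, meaning no dACL replaced the pre-auth ACL. The sample output is constructed from the session posted above.

```python
"""Audit a Catalyst 'show authentication sessions interface' dump for the
symptoms discussed in this thread. The sample is constructed from the
thread's output, not a live capture."""
import re

SAMPLE_SESSION = """\
Interface: GigabitEthernet3/31
MAC Address: a0b3.cc23.xxxx
IP Address: 10.2.7.227
User-Name: host/testcomputer.mydomain.com
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Authorized By: Authentication Server
Vlan Policy: 109
Common Session ID: 0AF4DC0C0000003D8153AA91
"""


def parse_session(text):
    """Turn the 'Key: value' lines into a dict, keys kept as IOS prints them."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z /-]*?):\s+(.*\S)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def audit_session(text):
    """Return the findings a reviewer of this output would raise (empty = clean)."""
    f = parse_session(text)
    findings = []
    # A 'host/...' identity after the user logged on means the user phase
    # never reached the switch/ISE; only the machine authorization applied.
    if f.get("User-Name", "").lower().startswith("host/"):
        findings.append("machine identity only: user authentication not seen by switch/ISE")
    # Without an 'ACS ACL:' entry no dACL was applied, so the pre-auth port
    # ACL (ACL-DEFAULT in the thread) is still what filters the session.
    if "ACS ACL" not in f:
        findings.append("no dACL applied: pre-auth port ACL still in effect")
    if f.get("Status") != "Authz Success":
        findings.append("authorization did not succeed: " + f.get("Status", "unknown"))
    return findings
```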

Hi!

Thanks for looking into it.

Everything works fine if I have a computer connected to a Catalyst 2960G (version 12.2(44)SE6), and it doesn't work if I connect the same computer to the WS-C4506-E.

To me it looks OK from ISE, as it works for the 2960G. What do you say?

Thanks

So the reason I suggest you try the dACL is that the behavior of the default pre-auth ACL changed between versions and switch families. I had a link that described this but cannot find it now.

I would definitely configure and push a dACL and see if that fixes the problem. 

Thank you for rating helpful posts!

Hi!

We are already pushing a dACL to it.

I can see the dACL is coming down to the switch.

Thanks

If you are pushing a dACL then I would expect to see "ACS ACL: your_dACL_name" in the output from "show authentication sessions ...". I did not see that in the output that you provided. To test this further, you can issue "show ip access-list interface interface_name" after the session has completed.

Thank you for rating helpful posts!

I get this:

show ip access-lists interface gigabitEthernet 3/31

permit ip any any (30 estimate matches)