ISE downloadable service-templates on Catalyst 3650s running 16.x

andrewswanson
Level 7

Hi

I'm looking at implementing a TrustSec SGT policy using IBNS 2.0 on some 3650 switches. The policy is intended to apply a "pre-authentication" SGT to clients until they have been authenticated successfully by ISE and have been assigned an SGT by ISE. I set up the following on switches running 03.07.05E.


1 When a session starts, the IBNS 2.0 control policy applies a "pre-authentication" SGT tag to the client's traffic. This was done with a locally configured service-template on the switch. Once the client had successfully authenticated, the service-template was deactivated and the client was assigned an SGT from ISE (2.3 patch 5).


policy-map type control subscriber TEST_POLICY
 event session-started match-all
  10 class always do-until-failure
   5 activate service-template PRE-AUTH
   10 authenticate using mab priority 10
   ...
 event authentication-success match-all
  10 class always do-until-failure
   10 deactivate service-template PRE-AUTH
   20 authorize


2 As the above worked well, I looked at moving the pre-authentication service-template onto ISE as a downloadable service-template. The ISE authorization profile ISE-PRE-AUTH was configured as a service-template with Access-Reject along with the attributes required to assign an SGT. This also worked as expected.


policy-map type control subscriber TEST_POLICY
 event session-started match-all
  10 class always do-until-failure
   5 activate service-template ISE-PRE-AUTH aaa-server ISE
   10 authenticate using mab priority 10
   ...
 event authentication-success match-all
  10 class always do-until-failure
   10 deactivate service-template ISE-PRE-AUTH
   20 authorize


3 The problem started when I tried to migrate this setup onto 16.x - I've tried this with 16.3.7 and 16.6.4a.

  • On 16.x, applying the "pre-authentication" SGT with locally configured service-templates works as expected. The problem occurs when I move to downloadable service-templates:
  • The downloadable service-template works as expected by applying the pre-authentication SGT. However, once the client has been authenticated successfully, the switch shows the client as unauthorized with no SGT tag - the client is tagged with neither the pre-authentication SGT nor the SGT assigned by ISE on successful authentication. A debug shows the message %SESSION_MGR-5-FAIL: Switch 1 R0/0: smd: Authorization failed or unapplied for client


Has anyone come across this issue with ISE downloadable service-templates on 16.x?

Thanks
Andy
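
As an added example (not from the original post or from Cisco), a small Python check over the control policy above and over a syslog excerpt: it parses the IBNS 2.0 policy-map, confirms that every service-template activated at session-started is deactivated again at authentication-success and that the success event runs authorize (otherwise the SGT returned by ISE is never applied), and picks out the SESSION_MGR authorization-failure message. The policy text and log lines are constructed from what the post shows.

```python
import re
from typing import Dict, List

# Constructed sample: the downloadable-template variant of the control policy from the post.
POLICY = """policy-map type control subscriber TEST_POLICY
 event session-started match-all
  10 class always do-until-failure
   5 activate service-template ISE-PRE-AUTH aaa-server ISE
   10 authenticate using mab priority 10
 event authentication-success match-all
  10 class always do-until-failure
   10 deactivate service-template ISE-PRE-AUTH
   20 authorize
"""

# Constructed log excerpt; the SESSION_MGR line is the message quoted in the post.
LOG = """Jan 1 00:00:01.000: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
Jan 1 00:00:02.000: %SESSION_MGR-5-FAIL: Switch 1 R0/0: smd: Authorization failed or unapplied for client
"""


def parse_policy(text: str) -> Dict[str, List[str]]:
    """Map each control-policy event to its ordered actions (sequence numbers stripped)."""
    events: Dict[str, List[str]] = {}
    current = ""
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("event "):
            current = line.split()[1]
            events[current] = []
        elif current and re.match(r"^\d+ (?!class )", line):  # skip the 'class' header line
            events[current].append(line.split(" ", 1)[1])
    return events


def check_pre_auth_templates(events: Dict[str, List[str]]) -> List[str]:
    """Flag a pre-auth template that is never deactivated on success, and a success
    event without 'authorize' (in which case the SGT returned by ISE is never applied)."""
    on_start = "\n".join(events.get("session-started", []))
    on_success = events.get("authentication-success", [])
    activated = re.findall(r"^activate service-template (\S+)", on_start, re.M)
    deactivated = set(re.findall(r"^deactivate service-template (\S+)", "\n".join(on_success), re.M))
    findings = [f"{t} stays active after authentication-success" for t in activated if t not in deactivated]
    if "authorize" not in on_success:
        findings.append("authentication-success never runs 'authorize'")
    return findings


def authz_failures(log: str) -> List[str]:
    """Return syslog lines where Session Manager reports an authorization it could not apply."""
    return [l for l in log.splitlines() if "%SESSION_MGR-5-FAIL" in l and "Authorization failed" in l]
```

Running the checks against the post's configuration returns no findings, so a client left unauthorized without an SGT points at the platform rather than at the policy-map itself.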

1 Reply

andrewswanson
Level 7

Just tried version 16.9.2 and the above config works - not sure if this is related to bug CSCvn80164. This is listed as fixed but gives no details of fixed software.


My scenario differs from the bug in that:


  1. The interface control policy downloads and activates a service-template when a session starts, to apply an SGT from ISE to the unauthenticated client.
  2. Once the client authenticates successfully, the downloaded service-template is deactivated and ISE assigns a new SGT for the client.


Andy