04-28-2017 01:13 PM - edited 07-28-2020 09:03 AM
Here I am listing the top ten settings I check for when looking at a customer's IOS switch configuration integrated with ISE. The ten settings listed below don't cover the full configuration needed to work with ISE; rather, they are common settings that are either missing or mis-configured and can have a negative impact. For the complete configuration how-to, please see the following link:
ISE Secure Wired Access Prescriptive Deployment Guide
There is a feature on ISE where ISE correlates syslog from access switches with the RADIUS live log on ISE. It gives the admin a single view of what is going on with a session without having to correlate data from ISE and the switch manually. While it is a nice-to-have feature, it causes the MnT node to store additional data and to process syslog messages that may not be related to the authentication events ISE is interested in. It is recommended not to use this feature beyond the initial PoC phase, where it helps iron out authentication issues. Look for the following line and remove it from the switch config:
SWITCH(config)#no logging host {ISE_MnT} transport udp port 20514
There are two ways ISE utilizes SNMP for profiling. One way is to let ISE poll the switch, either triggered by an event or periodically; the second way is to let the switch send an SNMP trap to the ISE PSN node to tell ISE that there is an endpoint on port X/Y/Z with MAC address HH:HH:HH:HH:HH:HH. This is important information to the ISE node, as it can be used to trigger the SNMP polling that gathers additional profiling attributes, as well as to locate endpoints on the network. However, when switches are configured for 802.1X/MAB, one of the requirements is to configure RADIUS Accounting, and the RADIUS Accounting already includes the same information the SNMP trap provides. The other benefit of dropping the trap is that you minimize duplicate information and avoid PSN ownership changes of an endpoint, which reduces replication traffic among the nodes. SNMP traps can therefore be safely disabled for ISE PSN profiling purposes by removing the SNMP trap configuration that points to the ISE PSN nodes:
SWITCH(config)#no snmp-server host {ISE_PSN}
Interim accounting is an important message for ISE to maintain its session table. If ISE fails to receive an interim accounting message for an endpoint session for more than 5 days, ISE stops maintaining the session for that endpoint. This means ISE thinks the endpoint is no longer connected to the network while the switch shows it still connected. Also, ISE cannot manage the device via CoA (Change of Authorization) because the session is no longer maintained on ISE. To avoid this, ensure that RADIUS Accounting is sent to the ISE node every 2 days (2880 minutes) using the following command:
SWITCH(config)#aaa accounting update newinfo periodic 2880
The radius-server deadtime setting controls how long a RADIUS server is marked as down after it fails to respond to RADIUS requests. The default is 0 minutes, which means a server that did not respond is marked alive again right after it was marked down. Deadtime should be used when there are two or more RADIUS servers, or when one wants to fail-open the port when no RADIUS servers are available. The following command marks a server down for 15 minutes once the dead-criteria is met:
SWITCH(config)#radius-server deadtime 15
When the switch is configured for CWA (Central Web Authentication), it uses an ACL to decide which traffic to redirect and which not to. The matching is done by the switch CPU, and on a switch with a high port density it can cause unnecessary CPU load. Keep the redirect ACL small: match only TCP/80 and TCP/443, and use a dACL to deny the traffic the redirect ACL does not cover. An ACL similar to the following can be used:
SWITCH(config)#ip access-list extended ACL_WEBAUTH_REDIRECT
SWITCH(config-ext-nacl)#deny udp any host {DNS_SERVER} eq domain
SWITCH(config-ext-nacl)#deny udp any host {DHCP_SERVER} eq bootps
SWITCH(config-ext-nacl)#permit tcp any any eq www
SWITCH(config-ext-nacl)#permit tcp any any eq 443
Note: When the web request is HTTPS and is redirected over HTTPS, the redirect consumes CPU on the Catalyst switch. Certain Catalyst platforms lack the resources to process HTTPS redirects and may show high CPU. For posture, the AnyConnect posture module can use HTTP (TCP/80) to find the ISE node, so HTTPS is optional and can be disabled either by removing 'permit tcp any any eq 443' from the ACL or by disabling the HTTPS server with the 'no ip http secure-server' command.
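The redirect ACL semantics above (and the question they raise in the comments below) are easy to get backwards, so here is an added example, not part of the original article, that models how the switch reads such an ACL: 'permit' means redirect to ISE, 'deny' means forward normally without redirecting, and traffic that matches no line hits the implicit deny and is forwarded unredirected, which is why the dACL has to block it. The DNS_SERVER and DHCP_SERVER addresses, the sample flows and the small ACE parser are all constructed for the example.

```python
# Model of how a Catalyst redirect ACL is interpreted: 'permit' means
# "redirect this traffic to ISE", 'deny' means "forward it normally, do not
# redirect", and anything that matches no line hits the implicit deny and is
# forwarded unredirected, so the dACL has to block it. Addresses are constructed.
DNS_SERVER = "10.0.0.53"    # assumed value for the page's {DNS_SERVER} placeholder
DHCP_SERVER = "10.0.0.67"   # assumed value for the page's {DHCP_SERVER} placeholder

REDIRECT_ACL = [
    f"deny udp any host {DNS_SERVER} eq domain",
    f"deny udp any host {DHCP_SERVER} eq bootps",
    "permit tcp any any eq www",
    "permit tcp any any eq 443",
]

PORT_NAMES = {"domain": 53, "bootps": 67, "www": 80}


def parse_ace(line):
    """Parse one extended ACE of the form
    '<permit|deny> <proto> <any|host A> <any|host B> [eq <port>]'."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]

    def take_addr():
        nonlocal rest
        if rest[0] == "any":
            rest = rest[1:]
            return None                      # None matches any address
        if rest[0] == "host":
            addr, rest = rest[1], rest[2:]
            return addr
        raise ValueError(f"unsupported address form in '{line}'")

    src, dst = take_addr(), take_addr()
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def redirect_decision(acl, pkt):
    """First-match evaluation. Returns 'redirect', 'pass' (explicit deny) or
    'no-match' (implicit deny). pkt = {'proto', 'src', 'dst', 'dport'}."""
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] != pkt["proto"]:
            continue
        if ace["src"] is not None and ace["src"] != pkt["src"]:
            continue
        if ace["dst"] is not None and ace["dst"] != pkt["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != pkt["dport"]:
            continue
        return "redirect" if ace["action"] == "permit" else "pass"
    return "no-match"


# Constructed sample flows from a client sitting in the CWA state.
SAMPLE_FLOWS = {
    "dns query":     {"proto": "udp", "src": "10.1.1.5", "dst": DNS_SERVER,      "dport": 53},
    "dhcp renew":    {"proto": "udp", "src": "10.1.1.5", "dst": DHCP_SERVER,     "dport": 67},
    "http":          {"proto": "tcp", "src": "10.1.1.5", "dst": "198.51.100.10", "dport": 80},
    "https":         {"proto": "tcp", "src": "10.1.1.5", "dst": "198.51.100.10", "dport": 443},
    "smb to server": {"proto": "tcp", "src": "10.1.1.5", "dst": "10.0.0.80",     "dport": 445},
}


def classify_flows(acl, flows=SAMPLE_FLOWS):
    """Return {flow name: decision} for every sample flow."""
    return {name: redirect_decision(acl, pkt) for name, pkt in flows.items()}


if __name__ == "__main__":
    for name, decision in classify_flows(REDIRECT_ACL).items():
        print(f"{name:14s} -> {decision}")
```

Running it shows DNS and DHCP as 'pass', HTTP and HTTPS as 'redirect', and the SMB flow as 'no-match': the switch never redirects it, so only the dACL decides whether it is forwarded. Removing the 443 line turns HTTPS into 'no-match' as well, which is the CPU-saving option the note above describes.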
Let's say you have several different types of devices connecting to the same interface, and some are configured to get a dACL from ISE while others are not. For instance, you may configure a dACL for PCs while no dACL is used for IP Phones. As you test different devices on the network you notice that when you connect a PC behind the IP phone, the IP phone loses connectivity to the voice gateway until you unplug the PC. You suspect the dACL, so you temporarily change the PC dACL to 'permit ip any any' to ensure access from any device on the port, but the problem persists. Then you use a 'permit ip any any' dACL for the IP phone as well, and now the IP phone is not disconnected from the voice gateway when the PC is connected behind it. The same is true when a hub is used to authenticate multiple devices behind a single switch interface. If devices are already connected and authenticated via the hub without a dACL and a new device connects with a dACL, all of the previously connected devices lose connectivity to the network, because the dACL only permits traffic from the endpoint it was assigned to and not from the other endpoints on the same interface. There are two main options to address this. One is to ensure a dACL is applied to every permission that will share the same physical port. The other is simply to run the following global command, which dynamically inserts 'permit ip host x.x.x.x any' for a session that has no ACL attached when another device with a dACL connects to the same port:
SWITCH(config)#epm access-control open
After some time, ISE flushes the authentication report for a given endpoint to make space for newer logs. This poses a unique issue for endpoints such as wired printers, UPSs, APs and IP Phones that seldom reconnect. To address it, one can enable reauthentication so that ISE always has a recent authentication report. The idle timeout is useful when a hub or 3rd-party IP phones are used on the network. When client devices connect via a hub or a 3rd-party IP phone, there is no way to inform the 802.1X/MAB-enabled switch that a client has disconnected. The inactivity timer can be used to flush the session from the switch's session table when no traffic is seen from a given client. For both timers, it is recommended to send the value down via RADIUS from ISE instead of hardcoding it on the switch:
SWITCH(config-if)#authentication periodic
SWITCH(config-if)#authentication timer reauthenticate server
SWITCH(config-if)#authentication timer inactivity server dynamic
As I stated at the start of this document, given the choices, I recommend using the default value unless another provides greater value. 802.1X and MAB ordering is more subjective than the other settings, but in general leaving the default order (802.1X first, then MAB) is recommended:
SWITCH(config-if)#authentication order dot1x mab
There may be cases where doing MAB first is preferred, to ensure that devices get IP addresses from the DHCP server without delay. However, when periodic reauthentication is used with MAB first, a device that authenticated with 802.1X will be MAB-authenticated at reauthentication because MAB comes before 802.1X in the order. To avoid MAB on reauthentication for 802.1X devices, you can send down a VSA so that 802.1X is reauthenticated without going through MAB first. Add the following VSA to the authorization profile: 'cisco-av-pair = termination-action-modifier=1'. When using the VSA, ensure that the reauthentication timeout is sent by the RADIUS server rather than set statically on the interface:
SWITCH(config-if)#authentication order mab dot1x
SWITCH(config-if)#authentication priority dot1x mab
If using the default order, endpoints that do not do 802.1X must wait for the 802.1X process to time out, which takes time: with default settings the switch tries 3 times with a 30-second wait each. This equates to 90 seconds of delay in getting an IP address via DHCP, counted from the moment the endpoint sees link on the port. Many endpoints give up within a minute, so the user must then manually request an IP address. To avoid this, it is recommended to reduce the tx-period from 30 seconds to 5-10 seconds:
SWITCH(config-if)#dot1x timeout tx-period 7
The port-security feature lets one tie the MAC address of an endpoint to the switch port for security purposes, but it does not play well with 802.1X. Also, much of what port-security provides in terms of security can be provided by 802.1X and MAB. One exception is enforcing the number of MAC addresses on a given port, which is possible with port-security but not with 802.1X/MAB. Any port-security commands should be removed from the interface to avoid authentication issues:
SWITCH(config-if)#no switchport port-security
ISE integration requires IP device tracking to be enabled on the switch, and it can cause MAC flapping on trunked interfaces. The following command can be entered on uplink trunk ports to disable IP device tracking on those interfaces:
SWITCH(config-if)#ip device tracking maximum 0
This is a common mis-configuration on the interface for fail-open/close (also known as critical authentication). Depending on whether the host-mode is multi-auth or multi-domain, a different fail-open/close VLAN command must be used. When the wrong commands are entered, the interface will not fail-open/close:
//For Multi-Domain mode port
SWITCH(config-if)#authentication host-mode multi-domain
SWITCH(config-if)#authentication event server dead action authorize {Optional VLAN ID if different from interface access VLAN}
SWITCH(config-if)#authentication event server dead action authorize voice
SWITCH(config-if)#authentication event server alive action reinitialize
//For Multi-Auth mode port
SWITCH(config-if)#authentication host-mode multi-auth
SWITCH(config-if)#authentication event server dead action reinitialize vlan {Mandatory fail-open/close VLAN ID}
SWITCH(config-if)#authentication event server dead action authorize voice
SWITCH(config-if)#authentication event server alive action reinitialize
With multi-auth and reinitialize, say there are 5 devices already connected to a single switch interface on VLAN 20. There is no impact on these 5 devices until a new device connects to the same interface during a server-dead event. When the new device connects and no AAA server is available, the interface reinitializes to VLAN 50 per the configured fail-open VLAN. At this point all 5 + 1 devices are on VLAN 50. In general, for fail-open one would configure the same VLAN for the access VLAN and the reinitialize VLAN to minimize user impact.
Note: This is no longer the case on newer Catalyst platforms. Please review the Inaccessible Authentication Bypass section of the 'Advanced ISE tips to make your deployment easier' document.
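Checking the ten settings above by hand across a fleet of switches is tedious, so here is an added example, not part of the original article or of any Cisco tool, that parses a running-config and flags each of them: the MnT syslog host on udp/20514, SNMP trap hosts, a missing or too-slow interim accounting update, a zero deadtime, a missing 'epm access-control open', port-security on authenticated ports, missing periodic reauthentication, a long tx-period, the host-mode/server-dead command mismatch, and trunks without 'ip device tracking maximum 0'. The running-config excerpt, its addresses and the thresholds (2880 minutes, tx-period 10 s) are taken from the recommendations above or constructed for the example; the SNMP check only reports hosts, since the config alone cannot tell which ones are ISE PSNs.

```python
import re

# Constructed running-config excerpt (not from the article) that deliberately
# contains several of the mis-configurations listed above.
SAMPLE_CONFIG = """\
hostname SWITCH
aaa accounting update newinfo periodic 10080
logging host 10.0.0.20 transport udp port 20514
snmp-server host 10.0.0.10 version 2c public
radius-server deadtime 0
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 authentication host-mode multi-auth
 authentication event server dead action authorize vlan 50
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication order mab dot1x
 dot1x timeout tx-period 30
!
interface GigabitEthernet1/0/2
 switchport mode access
 authentication host-mode multi-domain
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication periodic
 authentication timer reauthenticate server
 dot1x timeout tx-period 7
!
interface GigabitEthernet1/0/48
 switchport mode trunk
!
end
"""


def parse_config(text):
    """Split a running-config into global lines and {interface: [lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line in ("!", "end"):
            current = None
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Return a list of (scope, finding) tuples; an empty list means clean."""
    findings = []
    glob, ifaces = parse_config(text)
    gtext = "\n".join(glob)

    if re.search(r"^logging host \S+ transport udp port 20514$", gtext, re.M):
        findings.append(("global", "syslog to ISE MnT on udp/20514 still configured"))
    for m in re.finditer(r"^snmp-server host (\S+)", gtext, re.M):
        findings.append(("global", f"snmp-server host {m.group(1)}: remove if it is an ISE PSN"))
    m = re.search(r"^aaa accounting update newinfo periodic (\d+)$", gtext, re.M)
    if not m:
        findings.append(("global", "no periodic interim accounting update"))
    elif int(m.group(1)) > 2880:
        findings.append(("global", f"interim update every {m.group(1)} min exceeds 2 days"))
    m = re.search(r"^radius-server deadtime (\d+)$", gtext, re.M)
    if not m or int(m.group(1)) == 0:
        findings.append(("global", "radius-server deadtime is 0: dead servers retried at once"))
    if "epm access-control open" not in glob:
        findings.append(("global", "epm access-control open missing"))

    for name, lines in ifaces.items():
        if "switchport mode trunk" in lines and "ip device tracking maximum 0" not in lines:
            findings.append((name, "trunk without 'ip device tracking maximum 0'"))
        if not any(l.startswith("authentication ") for l in lines):
            continue                          # not an 802.1X/MAB port
        if any(l.startswith("switchport port-security") for l in lines):
            findings.append((name, "port-security on an 802.1X/MAB port"))
        if "authentication periodic" not in lines:
            findings.append((name, "periodic reauthentication not enabled"))
        tx = [int(l.split()[-1]) for l in lines if l.startswith("dot1x timeout tx-period ")]
        if not tx or tx[0] > 10:              # default tx-period is 30 s
            findings.append((name, f"dot1x tx-period {tx[0] if tx else 30} s (recommend 5-10)"))
        mode = next((l.split()[-1] for l in lines if l.startswith("authentication host-mode ")), None)
        for l in lines:
            if not l.startswith("authentication event server dead action ") or l.endswith(" voice"):
                continue
            if mode == "multi-auth" and "reinitialize vlan" not in l:
                findings.append((name, "multi-auth needs 'server dead action reinitialize vlan <id>'"))
            elif mode == "multi-domain" and "reinitialize" in l:
                findings.append((name, "multi-domain needs 'server dead action authorize [vlan <id>]'"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope:22s} {finding}")
```

On the sample it reports five global findings, four on GigabitEthernet1/0/1, one on the trunk and none on GigabitEthernet1/0/2, which follows the recommendations. Feed it the output of 'show running-config' to get the same list for a real switch.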
Redirect ACL
Why are DHCP and DNS being called out when they would match the implicit deny?
The universal switch configuration doesn't have this configuration; it only lists the web ports.
Hi Robert,
When configuring a Redirect ACL on a switch, the "deny" statements actually mean allow this type of traffic but DO NOT redirect it, and the "any" statement means redirect the traffic.
Danny
I am focusing on the difference between this page and the switch guide. I want to understand why there is a difference.
From
Universal Switch Configuration for Cisco Identity Services Engine
Step 27
ip access-list extended ACL_WEBAUTH_REDIRECT
permit tcp any any eq www
permit tcp any any eq 443
According to this page I need to add:
deny udp any host {DNS_SERVER} eq domain
deny udp any host {DHCP_SERVER} eq bootps
The reason I added DNS and DHCP is that I've found that certain IOS versions did not process DNS requests without the deny specified for the DNS traffic. For some reason the implicit deny was not taking effect for the DNS requests.
Great info! It's always been a challenge to find a solid example of how to properly configure SNMPv3 for ISE profiling. This would be a great place to add that. I'd be willing to bet it's also commonly misconfigured.
What impact does increasing the Interim Update timer to once every two days have on IOS Device Sensor? It is/was my understanding that the IOS Device Sensor relies on RADIUS Interim-Accounting updates being sent to provide ISE with the TLVs used in profiling. I assume that limiting the updates to 2 days would prevent those TLVs from being reported quickly on new endpoints, which may be needed for profiling, and would impact authorization in cases where profiling is needed.
Is this the case, or do the IOS Device Sensor TLVs that trigger an Interim Accounting update bypass that timer?
I've been operating off of this assumption, and typically suggest 15 minutes as the timer to my customers to not overload ISE, but provide profiling data with relative quickness. However, I do still see a lot of "Misconfigured NAS" alarms on ISE due to excessive RADIUS accounting information.
Thanks for the insight, good article! Would love some info on this scenario.
Ryan
Good and very informative
I think you should update this for the commands that have been changed to CPL.
*this is for Cisco IOS XE Software, Version 16.09.02*
(config-if)#authentication order dot1x mab
Command deprecated (authentication order dot1x mab) - use cpl config
Thanks for the feedback. We now have a great guide on IOS-XE and I would like to suggest using the prescriptive guide which includes both legacy and CPL based configuration: