Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1727
Views
5
Helpful
4
Replies

SD Access 802.1X Wired Just authenticate one user

Go to solution
Heriberto Diaz
Level 1
Level 1

‎11-18-2019 11:10 AM

I have a issue with 802.1X, when I connect a laptop to port G1 / 0/2 it authenticates successfully and is reflected with the command show authentication session int g1 / 0/2 det and also in ISE but when I connect a second device in The G1 / 0/3 port does not see any session with sh authenticate session nor in the ISE but in the network card if the connection established to the domain appears and  can have internet access.

 

I am using SD-Access Fabric with the closeAuthentication template.

Current configuration : 390 bytes
!
interface GigabitEthernet1/0/2 and G1/0/3
switchport access vlan 1038
switchport mode access
device-tracking attach-policy IPDT_MAX_10
load-interval 30
cts manual
policy static sgt 4
no propagate sgt
dot1x timeout tx-period 7
dot1x max-reauth-req 3
no macro auto processing
source template DefaultWiredDot1xClosedAuth
spanning-tree portfast
end

!

!

template DefaultWiredDot1xClosedAuth
dot1x pae authenticator
switchport access vlan 2047
switchport mode access
switchport voice vlan 4000
mab
access-session closed
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber PMAP_DefaultWiredDot1xClosedAuth_1X_MAB

!

policy-map type control subscriber PMAP_DefaultWiredDot1xClosedAuth_1X_MAB
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x retries 2 retry-time 0 priority 10
event authentication-failure match-first
5 class DOT1X_FAILED do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
10 activate service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
20 activate service-template DefaultCriticalVoice_SRV_TEMPLATE
30 authorize
40 pause reauthentication
20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
10 pause reauthentication
20 authorize
30 class DOT1X_NO_RESP do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
40 class MAB_FAILED do-until-failure
10 terminate mab
20 authentication-restart 60
60 class always do-until-failure
10 terminate dot1x
20 terminate mab
30 authentication-restart 60
event aaa-available match-all
10 class IN_CRITICAL_AUTH_CLOSED_MODE do-until-failure
10 clear-session
20 class NOT_IN_CRITICAL_AUTH_CLOSED_MODE do-until-failure
10 resume reauthentication
event agent-found match-all
10 class always do-until-failure
10 terminate mab
20 authenticate using dot1x retries 2 retry-time 0 priority 10
event inactivity-timeout match-all
10 class always do-until-failure
10 clear-session
event authentication-success match-all
event violation match-all
10 class always do-until-failure
10 restrict
event authorization-failure match-all
10 class AUTHC_SUCCESS-AUTHZ_FAIL do-until-failure
10 authentication-restart 60
!

 

Also we did the test on other switch without SD-Access and the 802.1X authentication works fine with the same ISE, connecting 3 laptops and all session are shows.

 

Does anybody know what I missing? 

 

Thanks and regards.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni
In response to Heriberto Diaz

‎11-19-2019 08:28 AM

So the default host template will push the configs to your ENs in your fabric. You must then provision ports with Auth Template 'Closed Auth' if that is what you wish to use. On that same g1/0/4 try that, and let us know your outcome. Again, you can assign policy via ISE and then just setup your interfaces as DEVICE_TYPE User Devices & Auth Temp Closed Auth. HTH!

View solution in original post

4 Replies 4

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎11-19-2019 06:34 AM

A few things:
If you have ISE implemented into your solution why not rely on ISE to push policy + SGT instead of statically assigning VN+SGT to port as you show in the config. I would check for a discrepancy either in how you configured the interfaces in host onboarding section, or if there is a discrepancy between the workstation supplicant configuration between the two hosts configured/tested.
0 Helpful

Go to solution
Heriberto Diaz
Level 1
Level 1
In response to Mike.Cifelli

‎11-19-2019 08:06 AM

Hi Mike

 

I used host onboarding to push the config on both ports, 

template_auth.jpg

 

port_assigment.jpg

Regards and Thanks

0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni
In response to Heriberto Diaz

‎11-19-2019 08:28 AM

So the default host template will push the configs to your ENs in your fabric. You must then provision ports with Auth Template 'Closed Auth' if that is what you wish to use. On that same g1/0/4 try that, and let us know your outcome. Again, you can assign policy via ISE and then just setup your interfaces as DEVICE_TYPE User Devices & Auth Temp Closed Auth. HTH!

Go to solution
Heriberto Diaz
Level 1
Level 1
In response to Mike.Cifelli

‎11-19-2019 08:56 PM

Mike

 

I deleted the CTS Manual (Policy static sgt) and configured cts role-based enforcement and finally the laptops authenticated.

 

 Thanks and regards

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents