12-07-2017 04:08 PM - edited 02-21-2020 10:41 AM
Hi everybody,
I have tried to use C3PL, but the event violation is not working. I mean, when user authentication with dot1x or MAB fails, they still get access to the network. The log on ISE shows that their authentication failed, and when I use the command "show authentication session interface x/x/x detail" the Status is UnAuthor. In the Method status list, both dot1x and MAB show Authen Failed. But the user still has access to the network. There is nothing wrong with my Authen/Author rules on ISE, because when I use IBNS classic it works fine. Except for that, everything is working fine. DOT1X and MAB run at the same time, and Fail-Open works fine. Is there any way, any command, to show whether the event violation is working or not? I mean, when you use port-security, you can use the command "show port-security interface fx/x" to see the violation. And can you take a look at my configuration? My configuration is below:
enable
configure terminal
no ip domain lookup
line console 0
 logging synchronous
 exit
hostname POC-SW1
ip domain-name Pru-POC
username admin password 123456
enable secret 123456
crypto key generate rsa general-keys modulus 1024
vtp mode transparent
vlan 195
 name DATA
vlan 14
 name VOICE
 exit
interface range g1/0/1-12
 spanning-tree portfast
 switchport access vlan 195
 switchport voice vlan 14
 exit
interface vlan 195
 ip address 10.145.195.245 255.255.255.0
 no shutdown
 exit
interface g1/0/48
 switchport access vlan 195
 switchport voice vlan 14
 exit
ip default-gateway 10.145.195.1
! AAA: dot1x/MAB authentication, network authorization and accounting via RADIUS (ISE)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa session-id common
aaa accounting update periodic 5
radius-server host 10.145.220.19 auth-port 1812 acct-port 1813 key abcd2314
radius-server dead-criteria time 30 tries 3
radius-server vsa send authentication
radius-server vsa send accounting
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
ip radius source-interface vlan 195
! Accept CoA (dynamic authorization) from ISE
aaa server radius dynamic-author
 client 10.145.220.19 server-key abcd2314
 exit
dot1x system-auth-control
ip device tracking
logging console information
! C3PL class-maps: AAA server unreachable, and dot1x returned an authoritative failure
class-map type control subscriber match-any AAA-DOWN
yes
! "yes" appears at this point in the original post as typed (presumably an answer to a CLI prompt, not a configuration command)
 match result-type aaa-timeout
 exit
class-map type control subscriber match-all DOT1X-FAILED
 match method dot1x
 match result-type method dot1x authoritative
 exit
ip access-list extended ACL-ALLOW
 permit ip any any
 exit
service-template CRITICAL
 access-group ACL-ALLOW
 exit
! Control policy: run dot1x and MAB concurrently, restrict on violation,
! critical authorization when AAA is down, fall back to MAB when dot1x fails
policy-map type control subscriber DOT1X-DEFAULT
 event session-started match-all
  10 class always do-all
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
   exit
  exit
 event violation match-all
  10 class always do-all
   10 restrict
   exit
  exit
 event authentication-failure match-all
  10 class AAA-DOWN do-all
   10 authorize
   20 activate service-template CRITICAL
   30 terminate dot1x
   40 terminate mab
   exit
  20 class DOT1X-FAILED do-all
   10 authenticate using mab
   exit
  exit
 exit
interface range g1/0/5-6
 switchport host
 switchport access vlan 195
 switchport voice vlan 14
 service-policy type control subscriber DOT1X-DEFAULT
 authentication periodic
 authentication timer reauthenticate server
 mab
 access-session host-mode multi-auth
 dot1x timeout tx-period 10
 access-session port-control auto
 exit
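For comparison, an added example (not the poster's configuration, and not a confirmed fix for the behaviour described above) of how Cisco's IBNS 2.0 sample policies make the all-methods-failed outcome explicit: a class-map for an authoritative MAB failure, and an authentication-failure event that terminates the failed method and restarts authentication after a timer instead of leaving the session in place. The class name MAB-FAILED and the 60-second restart value are assumptions; the other names follow the post.

```cisco
! Added example, not the poster's config. MAB-FAILED and the 60 s restart value are assumptions.
class-map type control subscriber match-all MAB-FAILED
 match method mab
 match result-type method mab authoritative
!
policy-map type control subscriber DOT1X-DEFAULT
 ! match-first: the first class that matches decides the action list that runs
 event authentication-failure match-first
  10 class AAA-DOWN do-until-failure
   10 authorize
   20 activate service-template CRITICAL
   30 terminate dot1x
   40 terminate mab
  20 class DOT1X-FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  ! Both methods have failed: tear down MAB and retry after 60 s, so the
  ! session does not stay up with whatever access it had
  30 class MAB-FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
```

The resulting session state and current method can be checked with the show authentication session interface x/x/x detail command already used above.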
12-07-2017 05:18 PM
12-08-2017 12:08 AM
Hi Francesco Molino,
I don't use authentication display new-style because I think it is only needed when you have IBNS 1 (CPL) and you want to migrate to IBNS 2 (C3PL). And I'm just using C3PL, so I don't need that. About logs, I'm using these commands:
- logging console information
- debug aaa authentication
- debug aaa authorization
- debug aaa accounting
But the problem is that it only shows failed authentications, not successful authentication logs. Are there any log/debug commands that I have missed? And below are all the commands I put into the switch.
12-08-2017 05:17 AM - edited 12-08-2017 05:25 AM
So we don't have the full output; we don't see if there were any legacy commands, which is why I asked about authentication display new-style.
Can you change the logging to debugging and add a debug radius to see what's going on with violation mode?
If you do a show authentication, can you see the violation parameter configured?
How are you testing it?