ISE Node Failure & Pre-Auth ACL

rmujeeb81
Level 1

Hi All,

I would like to know what the best practice configuration is for the following points:

1) Network access for end users/devices if both ISE nodes become unreachable? How can we make sure that full network access is granted if both ISE nodes become unavailable?

2) What is the best practice for pre-auth ACL configuration if IP phones are also in the network?

Here is the port configuration and pre-auth ACL which I am using in my network:

interface Fa0/1
 switchport access vlan 30
 switchport mode access
 switchport voice vlan 40
 ! pre-auth ACL: limits what a host may send before ISE has authorized it
 ip access-group ISE-ACL-DEFAULT in
 ! failed authentication -> authorize the port into VLAN 30 (the data VLAN)
 authentication event fail action authorize vlan 30
 ! RADIUS (ISE) unreachable -> critical auth, authorize the port into VLAN 30
 authentication event server dead action authorize vlan 30
 ! RADIUS reachable again -> re-run authentication on the port
 authentication event server alive action reinitialize
 ! one data device and one voice device per port
 authentication host-mode multi-domain
 ! open mode: traffic is allowed before/without authentication, limited only by the port ACL
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation protect
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5

*****************************************

ip access-list extended ISE-ACL-DEFAULT
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS and Domain Controllers
 permit ip any host 172.22.35.11
 permit ip any host 172.22.35.12
 remark Ping
 permit icmp any any
 remark PXE / TFTP
 permit udp any any eq tftp
 remark Deny All
 deny ip any any log

Thanks & Regards,

Mujeeb


12 Replies

1) For that you have a "critical auth VLAN" that you can assign in case no RADIUS server is available. You already have that in your config:

authentication event server dead action authorize vlan XXX

2) My default ACL is typically not as permissive as yours:

ip access-list extended PORT-DEFAULT-ACL
 ! allow DHCP
 permit udp any eq bootpc any eq bootps
 ! allow dns to DNS-server
 permit udp any host 10.10.10.1 eq 53
 permit udp any host 10.10.10.2 eq 53
 ! PING is fine
 permit icmp any any echo
 ! PXE is ok
 permit udp any any eq tftp

With your ACL, an unauthenticated user already has full access to your domain controller, which is far too much in my opinion.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
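To make Karsten's point concrete, here is an added example (Python; not code from the original thread or from Cisco): a small evaluator for the subset of IOS extended-ACL syntax used above. It parses the original ISE-ACL-DEFAULT and Karsten's tighter ACL (with his 10.10.10.x DNS servers replaced by the thread's domain controllers 172.22.35.11/.12) and reports which flows from a host that has not yet authenticated each ACL lets through. The host address 172.22.30.50, the file server 172.22.40.10 and the flow list are constructed for the example; only the DC addresses come from the thread.

```python
import ipaddress
from collections import namedtuple

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "tftp": 69}  # IOS port keywords used in the thread

# One access-control entry; src/dst are (network, mask) ints, mask 0 meaning "any".
Ace = namedtuple("Ace", "action proto src sport dst dport icmp_type text")
# A packet to test: proto is "tcp", "udp" or "icmp"; icmp_type is e.g. "echo" or "echo-reply".
Flow = namedtuple("Flow", "proto src dst sport dport icmp_type", defaults=(0, 0, None))


def _addr(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tok[i]; return ((net, mask), next_index)."""
    if tok[i] == "any":
        return (0, 0), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0xFFFFFFFF), i + 2
    net = int(ipaddress.IPv4Address(tok[i]))
    mask = ~int(ipaddress.IPv4Address(tok[i + 1])) & 0xFFFFFFFF  # IOS wildcard bits -> netmask
    return (net & mask, mask), i + 2


def _port(tok, i):
    """Parse an optional 'eq <port>' at tok[i] (only 'eq' is handled); return (port_or_None, next_index)."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(text):
    """Parse an 'ip access-list extended' body into ACEs, keeping their order."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == "!" or line.startswith(("remark", "ip access-list")):
            continue
        tok = line.split()
        if tok[0] not in ("permit", "deny") or tok[1] not in ("ip", "tcp", "udp", "icmp"):
            raise ValueError("unsupported ACE: " + line)
        src, i = _addr(tok, 2)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        icmp_type = tok[i] if tok[1] == "icmp" and i < len(tok) and tok[i] != "log" else None
        aces.append(Ace(tok[0], tok[1], src, sport, dst, dport, icmp_type, line))
    return aces


def evaluate(aces, flow):
    """First-match lookup ending in the implicit deny, as on the switch; returns (action, ACE text)."""
    src, dst = int(ipaddress.IPv4Address(flow.src)), int(ipaddress.IPv4Address(flow.dst))
    for a in aces:
        if a.proto != "ip" and a.proto != flow.proto:
            continue
        if (src & a.src[1]) != a.src[0] or (dst & a.dst[1]) != a.dst[0]:
            continue
        if a.sport not in (None, flow.sport) or a.dport not in (None, flow.dport):
            continue
        if a.icmp_type not in (None, flow.icmp_type):
            continue
        return a.action, a.text
    return "deny", "implicit deny ip any any"


def report(acl_text, flows):
    """Map each named flow to True (permitted) or False (denied) under the ACL text."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, f)[0] == "permit" for name, f in flows.items()}


# The pre-auth ACL from the original post (remarks omitted).
ORIGINAL_ACL = """
ip access-list extended ISE-ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit ip any host 172.22.35.11
 permit ip any host 172.22.35.12
 permit icmp any any
 permit udp any any eq tftp
 deny ip any any log
"""

# Karsten's tighter ACL, with his DNS server addresses replaced by the thread's DCs.
STRICT_ACL = """
ip access-list extended PORT-DEFAULT-ACL
 permit udp any eq bootpc any eq bootps
 permit udp any host 172.22.35.11 eq 53
 permit udp any host 172.22.35.12 eq 53
 permit icmp any any echo
 permit udp any any eq tftp
"""

# Constructed flows from a not-yet-authenticated host; only the DC address comes from the thread.
HOST, DC, FILESERVER = "172.22.30.50", "172.22.35.11", "172.22.40.10"
SAMPLE_FLOWS = {
    "dns-to-dc": Flow("udp", HOST, DC, 51000, 53),
    "smb-to-dc": Flow("tcp", HOST, DC, 51002, 445),
    "smb-to-fileserver": Flow("tcp", HOST, FILESERVER, 51003, 445),
    "ping-echo": Flow("icmp", HOST, DC, icmp_type="echo"),
    "ping-echo-reply": Flow("icmp", HOST, DC, icmp_type="echo-reply"),
}

if __name__ == "__main__":
    print("ISE-ACL-DEFAULT", report(ORIGINAL_ACL, SAMPLE_FLOWS))
    print("PORT-DEFAULT-ACL", report(STRICT_ACL, SAMPLE_FLOWS))
```

Running it shows the practical difference: under ISE-ACL-DEFAULT an unauthenticated host can reach the domain controllers on any TCP or UDP port (SMB, LDAP, Kerberos, RPC), because `permit ip any host` matches every protocol, while under the tighter ACL only DHCP, DNS, TFTP and ICMP echo get through and even echo replies are dropped. The evaluator only understands `eq` port matches and no `range`, `established` or `gt`/`lt` keywords, so extend it before pointing it at a production ACL.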

Hello Karsten,

Please, in your environment, without access to the domain controller before authentication, what happens when a user tries to access a computer for the first time?

Do you use AnyConnect NAM as the supplicant?

Regards.

Eduardo Aliaga
Level 4

Hello

About question 1, since you're using "authentication host-mode multi-domain", "authentication event server dead action authorize vlan X" is the way to go.

But if you are using "authentication host-mode multi-auth" then you should use "authentication event server dead action reinitialize vlan X".

About question 2, it's not mandatory to use a pre-auth ACL. My current deployment has IP phones; since I use RADIUS profiling and CDP, ISE can detect and authorize the IP phones even though the switch blocks all packets. That's why I don't need pre-auth ACLs.

Please rate if this helps.

Hi,

I am using the following configuration on the ports:

interface Fa0/1
 switchport access vlan 30
 switchport mode access
 switchport voice vlan 40
 ip access-group ISE-ACL-DEFAULT in
 authentication event fail action authorize vlan 30 ----> What would be the behaviour due to this command?
 authentication event server dead action authorize vlan 30 ---> So in case the ISE nodes are unavailable this port will be in VLAN 30, which is the actual VLAN?
 authentication event server alive action reinitialize ---> This command will re-initialize the authentication process if the ISE nodes become available?
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation protect
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5

Since I am using the following ACL on the ports, will users have network access according to this ACL in case the ISE nodes are unavailable?

ip access-list extended ISE-ACL-DEFAULT
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS and Domain Controllers
 permit ip any host 172.22.35.11
 permit ip any host 172.22.35.12
 remark Ping
 permit icmp any any
 remark PXE / TFTP
 permit udp any any eq tftp
 remark Deny All
 deny ip any any log

Thanks

See replies inline:

authentication event fail action authorize vlan 30 ----> What would be the behaviour due to this command?

If the supplicant fails authentication, the port is moved to a restricted VLAN, and an EAP success message is sent to the supplicant because it is not notified of the actual authentication failure. If the EAP success message is not sent, the supplicant tries to authenticate every 60 seconds (the default) by sending an EAP-start message.

authentication event server dead action authorize vlan 30 ---> So in case the ISE nodes are unavailable this port will be in VLAN 30, which is the actual VLAN?

The above command is used to configure a port to send both new and existing hosts to the critical VLAN when the RADIUS server is unavailable. Use this command for ports in multiple authentication (multiauth) mode or if the voice domain of the port is in MDA mode.

authentication event server alive action reinitialize ---> This command will re-initialize the authentication process if the ISE nodes become available?

This can be used to reinitialize an authorized Auth Manager session when a previously unreachable authentication, authorization, and accounting server becomes available.

Hope it helps.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hi,

So I should remove the following command from the ports, as we don't have a critical VLAN in our setup?

authentication event fail action authorize vlan 30

Kindly note that VLAN 30 is the actual data VLAN.

**********************

With the "authentication event fail action authorize vlan 30" command the port will have VLAN 30 if the ISE node becomes unreachable, but we have the following ACL on all ports, so users will get very limited access:

ip access-list extended ISE-ACL-DEFAULT
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS and Domain Controllers
 permit ip any host 172.22.35.11
 permit ip any host 172.22.35.12
 remark Ping
 permit icmp any any
 remark PXE / TFTP
 permit udp any any eq tftp
 remark Deny All
 deny ip any any log

So, should I modify this ACL or remove it completely?

Thanks & Regards,

Mujeeb

Dear All,

Kindly guide on the queries which I posted in the latest response.

Thanks

I guess you wanted to talk about this command:

authentication event server dead action authorize vlan 30

However, you mentioned the command below in your last post:

authentication event fail action authorize vlan 30

If you've not configured a critical VLAN then you can remove this command:

authentication event server dead action authorize vlan 30, because this actually enables the critical auth (aka Inaccessible Authentication Bypass) feature on the port. With this feature enabled, if an IEEE 802.1X authentication fails because the AAA server is unavailable, the switch can be configured to allow clients access to a special VLAN (sometimes called the "critical VLAN") that provides configurable access to the network. The critical VLAN can be any VLAN except for the voice VLAN.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hello there,
I have the same doubt.
I can use authentication event server dead action authorize vlan XX, but if I am using a pre-authentication ACL the access will be limited, won't it?
Regards.

Absolutely! Such a disappointing solution. You'll notice this question is skirted around. You can use EEM scripts to add lines to the pre-auth ACL, but it really feels like a bodge. Obviously you'll have to remove these lines too. A feature request is needed to be able to specify an ACL which will be applied when the critical VLAN is applied. Cisco needs to start listening and start thinking.

Hello,

We have an issue with "authentication event server alive action reinitialize".

- The critical auth (if the server is dead) works fine: the users move to VLAN 43.

- authentication event server alive action reinitialize: when ISE is back alive, the 802.1X process is reinitialized and the users get their VLAN and dACL (dynamic VLAN and ACL). The problem is that they don't seem to make a DHCP request, and they can't communicate in their VLAN. If we unplug/plug the cable (or shut/no shut the port), the process works fine and they get an IP address.

interface FastEthernet0/12

 description Port-NAC
 switchport access vlan 43
 switchport mode access
 authentication event fail action next-method
 authentication event server dead action authorize vlan 43
 authentication event server alive action reinitialize
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation replace
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout quiet-period 5
 dot1x timeout tx-period 2
 dot1x timeout supp-timeout 2
 dot1x max-req 1
 macro description Port-NAC
 spanning-tree portfast
 spanning-tree bpduguard enable
end

Port with dead server: see the screenshot.

Reinitialize: see the screenshot; we will notice the VLAN and dACL are OK, but no IP address.

If you have an idea...

Thanks

It is not a big risk if the default port ACL seems too permissive, as long as you make sure the ISE authorization rules assign a proper dynamic ACL by all means.