Network devices power outage issue with 802.1x in Cisco ISE

f.arabi1991
Level 1

Hi,

I deployed 802.1X and MAB with Cisco ISE 2.3 on switches that all run IOS 15.2:

 

aaa new-model
!
aaa group server radius ISE-R
 server 192.168.100.248 auth-port 1812 acct-port 1813 key dot1x
!
aaa authentication dot1x default group ISE-R local
aaa authorization config-commands
aaa authorization network default group ISE-R local
aaa accounting update periodic 5
aaa accounting identity default start-stop group ISE-R
aaa accounting system default start-stop group ISE-R
aaa accounting dot1x default start-stop group ISE-R
aaa server radius dynamic-author
 client 192.168.100.248 server-key dot1x
!
aaa session-id common
dot1x system-auth-control
!
snmp-server community public RO
snmp-server trap-source Vlan 100
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move threshold
snmp-server host 192.168.100.248 version 2c public mac-notification snmp
!
radius-server attribute 6 support-multiple
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
ip radius source-interface vlan <>
!
radius server ISE-R
 address ipv4 192.168.100.248 auth-port 1812 acct-port 1813
 timeout 3
 key dot1x

 

////11111111////

dot1x system-auth-control
service-template webauth-global-inactive
 inactivity-timer 3600
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
 linksec policy must-secure
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
 linksec policy should-secure
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!

/////222222////

parameter-map type webauth AI_NRH_PMAP
 type authbypass
!
parameter-map type webauth AI_WEBAUTH_PMAP
 type webauth
!
vlan internal allocation policy ascending
!
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match result-type aaa-timeout
 match authorization-status authorized
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
!
class-map type control subscriber match-all DOT1X
 match method dot1x
!
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_MEDIUM_PRIO
 match authorizing-method-priority gt 20
!
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all DOT1X_TIMEOUT
 match method dot1x
 match result-type method dot1x method-timeout
!
class-map type control subscriber match-all MAB_FAILED
!

//////33333//////

policy-map type control subscriber POLICY_Interface
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  20 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  40 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
 event violation match-all
  10 class always do-until-failure
   10 restrict

 

/////interface configuration//////////

switchport access vlan <>
switchport mode access
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 2
spanning-tree portfast
service-policy type control subscriber POLICY_Interface

 

All end users work fine until a power outage. After the power outage, when the switches boot up, some users cannot access the network and an "authentication failed" log appears on the switch (but some users still work fine). In the RADIUS Live Logs in Cisco ISE I saw those users with the authentication failed log checked by MAB instead of the dot1x role in ISE, so I removed the "mab" command from the interface configuration. After this change there isn't any "authentication failed" log on the switch after a power outage anymore, but some users still don't have network access; as a workaround they must unplug and plug in the network cable on their cases, and then they have network access. What's wrong with 802.1X? Or is it from my configuration?

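The poster identified the affected endpoints by eye in the ISE Live Logs, looking for sessions that were checked by MAB instead of dot1x. As an added example (not part of the original post or the poster's configuration), the following Python script does the same tally from the switch-side syslog after a reboot: it pairs each client's %DOT1X and %MAB results and reports which MACs fell back to MAB after a dot1x failure and which never authorized at all. The sample log lines are constructed to resemble IOS messages, and the regex is an assumption to adapt to the real output of your switches.

```python
"""Per-endpoint 802.1X/MAB outcome tally from switch syslog lines."""
import re
# Added example, not from the original post. SAMPLE_LOG is constructed to
# resemble IOS %DOT1X-5-* / %MAB-5-* messages; the exact wording on your
# switches may differ, so treat LINE_RE as an assumption and adjust it.
LINE_RE = re.compile(
    r"%(?P<method>DOT1X|MAB)-\d-(?P<result>SUCCESS|FAIL)\b.*?"
    r"client \((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\)"
    r" on Interface (?P<port>\S+)"
)
SAMPLE_LOG = """\
Jan 10 08:01:02.120: %DOT1X-5-FAIL: Authentication failed for client (0011.2233.4455) on Interface Gi1/0/7 AuditSessionID 0A0000010000000A
Jan 10 08:01:03.004: %MAB-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi1/0/7 AuditSessionID 0A0000010000000A
Jan 10 08:01:05.777: %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4456) on Interface Gi1/0/8 AuditSessionID 0A0000010000000B
Jan 10 08:01:09.310: %DOT1X-5-FAIL: Authentication failed for client (0011.2233.4457) on Interface Gi1/0/9 AuditSessionID 0A0000010000000C
Jan 10 08:01:10.001: %MAB-5-FAIL: Authentication failed for client (0011.2233.4457) on Interface Gi1/0/9 AuditSessionID 0A0000010000000C
"""

def parse_events(log_text):
    """Return (mac, port, method, result) tuples in log order; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["mac"], m["port"], m["method"], m["result"]))
    return events

def classify_endpoints(events):
    """Per MAC: port, whether dot1x failed, and final outcome: "dot1x",
    "mab-fallback" (MAB after a dot1x FAIL), "mab" or "unauthorized"."""
    state = {}
    for mac, port, method, result in events:
        s = state.setdefault(mac, {"port": port, "dot1x_failed": False, "final": "unauthorized"})
        if method == "DOT1X" and result == "FAIL":
            s["dot1x_failed"] = True
        elif result == "SUCCESS" and method == "DOT1X":
            s["final"] = "dot1x"
        elif result == "SUCCESS":  # MAB succeeded
            s["final"] = "mab-fallback" if s["dot1x_failed"] else "mab"
    return state

def fallback_report(log_text):
    """Sorted MACs that landed on MAB after a dot1x failure, and MACs left unauthorized."""
    st = classify_endpoints(parse_events(log_text))
    return {
        "mab_fallback": sorted(m for m, s in st.items() if s["final"] == "mab-fallback"),
        "unauthorized": sorted(m for m, s in st.items() if s["final"] == "unauthorized"),
    }
```

Run it against the syslog collected from a switch right after boot to compare the list of MAB-fallback and unauthorized MACs with what ISE Live Logs show for the same period.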