SEC0041 - ISE 1.1 Profiling, Probing, and MAC Authentication Bypass (Part 2)

The video introduces the concepts of device profiling and MAC Authentication Bypass (MAB) on Cisco ISE. We start by going through the different types of probing, how devices get profiled by profiling policies, and how to create an Endpoint Identity Group for the profiled devices so that it can be used in authorization policies. A static MAC address and Identity Group will be configured for devices that cannot be profiled. A Cisco IP Phone and an Access Point are used in the demonstration.
Part 2 of the video covers MAB, creation of the authentication and authorization policies, and testing.
Topic:
  • Profiling
  • Probing
  • MAC Authentication Bypass (Wired)
  • Endpoint Identity Group
  • Downloadable ACL
  • Authorization Profile

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

26 comments

Great video!!
Q. I noticed in my deployment of ISE, my MAB devices do not reauthenticate automatically after a power loss. My switch is configured with "authentication timer restart 1800" and "authentication timer reauthenticate server", and CoA is set to ReAuthenticate on ISE.
Any input on reauthenticating these devices automatically?

That is odd. MAB should run every time a switchport comes up. You might want to check the switch config against the video below.

http://www.labminutes.com/sec0038_ise_1_1_switch_wlc_recommended_config_1

My MAB is not working for my Cisco IP Phone 8841.
The MAC address of the phone is 1ce8.5dc8.229b, and when I connect it to the switch it comes up in the Unknown identity group, so if I go to the Cisco IP Phone identity group and manually add that MAC address, then the phone gets profiled and MAB works.
The issue I am having is that my ISE is not automatically profiling the phone.
I did check the profiling policies and there was none for Cisco 8841 phones, so I created one profiling condition which looks for the first 6 digits of the MAC address "1c:e8:5d".
I then created a profiling policy named Cisco-IP-Phone-8841, which calls my profiling condition, so if my condition is met the certainty factor increases by 10, and my policy's minimum certainty factor is 10. The parent policy of my profiling policy is Cisco-IP-Phone, which comes by default.
I think I've done everything right; I've watched this video 6 times in case I missed anything, but I don't think so.
I am running ISE 1.3 and a Cisco 2960S with IOS c2960s-universalk9-mz.150-2.SE6.

You might be better off duplicating one of the existing IP Phone policies and modifying the matching condition, most likely CDP. Anyhow, on our ISE box we have a "Cisco-IP-Phone-8841" policy that comes by default. If you don't see that, you might want to update the feed service.
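As an added illustration of the certainty-factor logic discussed in this exchange (constructed example code, not ISE's implementation and not from the video), the following Python models a small policy hierarchy: each matching condition adds its certainty factor, a policy matches once the total reaches its minimum certainty factor, and a child policy is only considered under a matched parent. The attribute names, the CDP condition, the certainty values and the OUI prefix are assumptions; the prefix is simply the one quoted in the comment above.

```python
"""Simplified model of how a profiling policy hierarchy assigns an endpoint.

Added example, not ISE code: a condition that matches adds its certainty
factor to the policy; the policy matches when the total reaches its minimum
certainty factor; a child policy is only evaluated once its parent matched,
and the deepest matched policy wins. Attribute names and values are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Condition:
    attribute: str      # endpoint attribute, e.g. "MACAddress" or "cdpCachePlatform"
    op: str             # "STARTSWITH" or "CONTAINS"
    value: str
    certainty: int      # certainty factor added when the condition matches

    def matches(self, attrs: dict) -> bool:
        actual = attrs.get(self.attribute, "").lower()
        wanted = self.value.lower()
        if self.op == "STARTSWITH":
            return actual.startswith(wanted)
        if self.op == "CONTAINS":
            return wanted in actual
        raise ValueError(f"unsupported operator {self.op}")


@dataclass
class Policy:
    name: str
    min_certainty: int
    conditions: list
    parent: Optional[str] = None   # None marks a top-level policy


def normalize_mac(mac: str) -> str:
    """Accept 1ce8.5dc8.229b, 1C-E8-5D-..., or colon form; return aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def certainty(policy: Policy, attrs: dict) -> int:
    """Total certainty factor this policy earns from the endpoint's attributes."""
    return sum(c.certainty for c in policy.conditions if c.matches(attrs))


def profile(endpoint: dict, policies: list) -> str:
    """Return the name of the most specific matching policy, or "Unknown"."""
    attrs = dict(endpoint)
    if "MACAddress" in attrs:
        attrs["MACAddress"] = normalize_mac(attrs["MACAddress"])
    children = {}
    for p in policies:
        children.setdefault(p.parent, []).append(p)
    result = "Unknown"
    candidates = children.get(None, [])          # start with the top-level policies
    while candidates:
        best = None
        for p in candidates:
            total = certainty(p, attrs)
            if total >= p.min_certainty and (best is None or total > best[0]):
                best = (total, p)
        if best is None:
            break                                  # nothing deeper matched
        result = best[1].name
        candidates = children.get(result, [])    # descend into the winner's children
    return result


# Constructed policy set mirroring the hierarchy discussed in the thread.
# "1c:e8:5d" is only the prefix quoted in the comment, used here as sample data.
POLICIES = [
    Policy("Cisco-Device", 10,
           [Condition("MACAddress", "STARTSWITH", "1c:e8:5d", 10)]),
    Policy("Cisco-IP-Phone", 20,
           [Condition("cdpCachePlatform", "CONTAINS", "cisco ip phone", 20)],
           parent="Cisco-Device"),
    Policy("Cisco-IP-Phone-8841", 10,
           [Condition("MACAddress", "STARTSWITH", "1c:e8:5d", 10)],
           parent="Cisco-IP-Phone"),
]

if __name__ == "__main__":
    with_cdp = {"MACAddress": "1ce8.5dc8.229b", "cdpCachePlatform": "Cisco IP Phone 8841"}
    without_cdp = {"MACAddress": "1ce8.5dc8.229b"}
    print(profile(with_cdp, POLICIES))      # Cisco-IP-Phone-8841
    print(profile(without_cdp, POLICIES))   # Cisco-Device
```

With the CDP attribute present the endpoint lands in Cisco-IP-Phone-8841; with only a MAC address it stops at Cisco-Device, because the parent Cisco-IP-Phone never reaches its minimum certainty, so a child rule keyed to the OUI alone cannot fire. That is the reason the reply points at the parent's matching condition (CDP) rather than at the child policy.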

Delete. Found my issue.

Here is my topology:

(User-Win7)-----(vlan 139)-------(switch)---------(Vlan 200)-------(ISE)
                                              \
                                               --------(VLAN 200)-------(DHCP)
The switch has 2 VLAN interfaces:
interface vlan 139: 10.137.4.1
interface vlan 200: 192.168.11.2
DHCP: interface f0/0: 192.168.11.1
ISE: interface gigabitEthernet 0: 192.168.11.69
I made sure that interface vlan 139 can reach ISE and DHCP.
In the switch, I configured the access interface in vlan 139 with the commands below:
interface e0/1
switchport host
switchport access vlan 139
switchport mode access
authentication host-mode multi-auth
authentication open
authentication order dot1x
authentication priority dot1x
authentication port-control auto
authentication violation restrict
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
exit

and on interface vlan 139 I configured this:
ip address 10.137.4.1 255.255.255.0
ip helper-address 192.168.11.69
ip helper-address 192.168.11.1

Because I only want users with 802.1X enabled to access the network, I don't use MAB.
It works fine when I turn on 802.1X on User-Win7: only a valid username and password can access.
But when I turn off 802.1X on User-Win7, it can still receive an IP from DHCP and access the network.
I don't know how this can be.
Here is my policy:
Authentication:
Name: 802.1x-ONLY, If Radius:NAS-Port-Type EQUALS Ethernet, Allow Protocols: Default Network Access
Default: use Internal Users
Default Rule (if no match): Allow Protocols: Default Network Access and use: DenyAccess
Authorization:
802.1x-ONLY: if IT-User AND (Radius:NAS-Port-Type EQUALS Ethernet AND Network Access:AuthenticationStatus EQUALS AuthenticationPassed) then PermitAccess
Default: if no match, then DenyAccess

Can i contact with you through Gmail. Here is my Gmail : lnhquang1993@gmail.com

Because you have the "authentication open" command, the interface will always allow access regardless of the .1x result. Try removing it.

Thanks so much. One more thing I want to ask about is "ip helper-address". In the video, I notice that you only use it pointing to ISE. But when I work in my lab, without an "ip helper-address" pointing to the DHCP server on the interface that I use (interface vlan 139), even a user whose authorization succeeded still can't receive an IP. Only after I add an "ip helper-address" pointing to the DHCP server can the user (authorization success) receive one. But if I add it, any PC, any user can receive an IP regardless of authorization or not. It still happens after I remove "authentication open".

To prevent users from getting an IP address, you need to make sure they fail .1x authentication. If they pass .1x, then you may not have your auth policy configured correctly. The auth result to fail .1x is "DenyAccess".

Hi, I have a question. Is there any problem if we choose MAB as the first authentication method or dot1x as the first authentication method? Because someone told me: "Just for your information, if you start your authentication with MAB as 1st, you're going to face issues. Let me explain. If a Windows machine is configured to authenticate with dot1x, this is going to be its 1st authentication method and only if that fails will it switch to MAB. That being said, it means that if you start your authentication rules with MAB then you won't be able to switch from MAB to dot1x because your machine won't restart the process." Is this true?

That is incorrect. Generally it doesn't really matter if you do MAB or .1x first, as you normally set .1x to take priority over MAB. Even if you have MAB first and it succeeds, an endpoint that is capable of .1x will succeed soon after and override MAB. If you have heavy .1x users, then lead with .1x, but if you expect a lot of non-.1x or guest devices, then use MAB. All of these also depend on the command syntax you are using (e.g. authentication vs access-session) as they are configured differently.

Hi, if I let dot1x be the first authentication method, then an endpoint using MAB must wait until dot1x fails and finishes its retries. Is there any way to put dot1x as the first method, but have an endpoint using MAB authenticate immediately without waiting?

You need a switch with a software version that supports C3PL. Then you can have .1x and MAB run concurrently. As long as you use a switch with the 'authentication' command, you have to pick either .1x or MAB to run first.

Hi,
Kindly advise, how can I differentiate between laptop and desktop machines, as I need to create a separate rule for each type?
BR

You would need something that can help ISE differentiate between the two. One way is to use a unique certificate, for example using a different OU, and you can configure the auth policy to match that.

Hi, I asked about this before and you gave me this link:
https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ide...
But unfortunately my switch doesn't support those commands. However, I found another guy using these commands:

Determine RADIUS server dead:
radius-server dead-criteria time 5 tries 3
radius-server deadtime 5

dot1x critical eapol
interface f0/1
authentication event server dead action authorize vlan 195 # Authorize vlan 195 when the RADIUS server is dead.
authentication event server dead action authorize voice # Authorize the voice vlan when the RADIUS server is dead.
authentication event server alive action reinitialize # Reauthenticate when the RADIUS server is alive again.
exit

Can those commands above make the fail-open function work? I tried this, but when I cut the link from the ASW to ISE it keeps retrying authentication; it seems to retry forever until the RADIUS server is alive again. I thought that when we configure the retries as, say, 3, then after 3 retries it must stop retrying authentication, right?
And I see some syslog like: Radius server [ip] is marked alive ... What? Why does it mark it alive when it still can't connect to it? Is this the reason why the switch still retries authentication? My configuration is below:
aaa new-model
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa session-id common
aaa accounting update periodic 5
radius-server host 10.145.220.19 auth-port 1812 acct-port 1813 key abcd2314

radius-server dead-criteria time 30 tries 3
radius-server vsa send authentication
radius-server vsa send accounting
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include

interface vlan 195
ip address 10.145.195.245 255.255.255.0
exit
ip radius source-interface vlan 195

aaa server radius dynamic-author
client 10.145.220.19 server-key abcd2314
exit

access-list 10 permit host 10.145.220.19
access-list 10 deny any log

ip access-list extended ACL_DEFAULT
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit udp any any eq tftp
permit ip any host 10.145.220.19
deny ip any any log
exit

dot1x system-auth-control
ip device tracking
interface range f0/1-6
switchport host
switchport access vlan 195
ip access-group ACL_DEFAULT in
spanning-tree portfast
spanning-tree bpduguard enable
authentication priority dot1x mab
authentication order dot1x mab
authentication event fail action next-method
authentication host-mode multi-auth
authentication violation restrict
dot1x pae authenticator
mab
dot1x timeout tx-period 10
authentication port-control auto
exit

radius-server deadtime 5
dot1x critical eapol

interface f0/1
authentication event server dead action authorize vlan 195
authentication event server dead action authorize voice
authentication event server alive action reinitialize
exit

Hope you can help.
Many thanks,
Quang
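Two of the threads above come down to what is or is not present in a port's classic 'authentication' configuration: the earlier open-mode question (where "authentication open" let an unauthenticated host through) and the fail-open question here (where the critical-auth commands on the port depend on global RADIUS dead detection). The following Python checker is an added example, not code from labminutes or Cisco; it parses running-config text into global lines and interface stanzas and flags those cases. The sample configuration, interface names and VLAN numbers are constructed, and the check only understands the classic 'authentication ...' syntax, not the C3PL / access-session form discussed later in the thread.

```python
"""Checker for classic IOS 802.1X/MAB port configuration (added example).

Findings it reports:
  open-mode               'authentication open' on a port under port-control auto
                          (traffic is forwarded regardless of the AAA result)
  no-critical-auth        a controlled port without 'authentication event server
                          dead action authorize ...' (no fail-open when RADIUS is dead)
  no-dead-detection       critical auth on a port but no global
                          'radius-server dead-criteria'
  no-system-auth-control  'dot1x pae authenticator' used on a port without the
                          global 'dot1x system-auth-control'
The sample config, interface names and VLANs below are constructed.
"""
import re

SAMPLE_CONFIG = """\
aaa new-model
radius-server dead-criteria time 5 tries 3
radius-server deadtime 5
dot1x critical eapol
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 139
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x
 authentication priority dot1x
 authentication port-control auto
 dot1x pae authenticator
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 195
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication event server dead action authorize vlan 195
 authentication event server alive action reinitialize
 authentication port-control auto
 dot1x pae authenticator
 mab
!
"""

DEAD_CRITERIA = re.compile(r"^radius-server dead-criteria(?: time (\d+))?(?: tries (\d+))?$")


def parse_config(text):
    """Split running-config text into (global_lines, {interface: [stanza lines]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            current = None              # '!' or a blank line closes the stanza
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None              # an unindented line is global config
            global_lines.append(line)
    return global_lines, interfaces


def dead_criteria(global_lines):
    """Return (time_seconds, tries) from 'radius-server dead-criteria', or None if absent."""
    for line in global_lines:
        m = DEAD_CRITERIA.match(line)
        if m:
            t, n = m.group(1), m.group(2)
            return (int(t) if t else None, int(n) if n else None)
    return None


def lint(text):
    """Return a sorted list of (scope, finding) tuples for the config text."""
    global_lines, interfaces = parse_config(text)
    findings = set()
    have_dead = dead_criteria(global_lines) is not None
    have_sysauth = "dot1x system-auth-control" in global_lines
    for name, lines in interfaces.items():
        if "authentication port-control auto" not in lines:
            continue                    # port is not under 802.1X/MAB control
        if "authentication open" in lines:
            findings.add((name, "open-mode"))
        critical = any(l.startswith("authentication event server dead action authorize")
                       for l in lines)
        if not critical:
            findings.add((name, "no-critical-auth"))
        elif not have_dead:
            findings.add((name, "no-dead-detection"))
        if "dot1x pae authenticator" in lines and not have_sysauth:
            findings.add(("global", "no-system-auth-control"))
    return sorted(findings)


if __name__ == "__main__":
    for scope, finding in lint(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

On the constructed sample, FastEthernet0/1 is reported for open mode and for lacking any critical-auth action, FastEthernet0/2 is clean, and the missing global dot1x system-auth-control is reported once; the same parse also exposes the configured dead-criteria values, which is the first thing to compare against the "marked alive" syslog discussed above.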

What is your switch model and software version?

Hi,
I'm using a Cisco 2960 switch with IOS 15.0SE.

SW1(config)#
*Mar 1 05:22:51.325: %RADIUS-6-SERVERALIVE: Group radius: Radius server 192.168.20.250:1812,1813 is responding again (previously dead).
SW1(config)#
*Mar 1 05:22:51.325: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.20.250:1812,1813 is being marked alive.
Above is the exact syslog on the switch. I really don't understand this log. How can the RADIUS server be responding again when I have unplugged the cable connecting the switch to ISE? Maybe this causes the switch to continue retrying, I guess.

Those commands should be correct then. The RADIUS log messages you see might be cosmetic. Just make sure you upgrade to the latest 15.0. If you continue to have issues, it might not be a bad idea to try it on another switch model as well.

So, nothing is wrong with my commands, right? At least I want to know that. Thanks for your help.

Hi Labminutes,

I have tried to use C3PL but event violation is not working. I mean, when user authentication with dot1x or MAB fails, they still get access to the network. The log on ISE shows that they failed authentication, and when I use the command "show authentication session interface x/x/x detail" the Status is UnAuthor. In the Method status list both dot1x and MAB are Authen Failed. But the user still has access to the network. There is nothing wrong with my Authen/Author rules on ISE, because when I use IBNS classic it works fine. Apart from that, everything is working fine: dot1x and MAB running at the same time, fail-open working fine. Is there any way, any command, to show whether event violation is working or not? I mean, when you use port-security, you can use the command "show port-security interface fx/x" to see the violations. If you have time, please take a look at my configuration:
https://1drv.ms/t/s!AsSWDVnQCgTFgZslAjPjxKc7_omIsQ

Sounds like problem on switch config. Can you show the interface config?

interface range g1/0/1-24
switchport host
switchport access vlan 195
service-policy type control subscriber DOT1X-DEFAULT
authentication periodic
authentication timer reauthenticate server
mab
access-session host-mode multi-auth
dot1x timeout tx-period 10
access-session port-control auto
exit

Hi, I think I might have resolved my problem. Last time, I configured only C3PL (IBNS 2.0) and it didn't work. Now I tried configuring CPL (IBNS 1, classic) first. I tested and everything worked fine, then I wrote the config and used the command "authentication display new-style" to move to C3PL, and everything is working fine. I think we must configure CPL first and then move to C3PL, not configure C3PL directly, but that is just my guess based on what I see in my lab; I'm not sure it is the reason. One more thing I would like to ask about is fail-open. After ISE is marked dead, the port is authorized and the user can connect to the network. But every 3 minutes the switch checks whether ISE is alive again, and while the switch checks, the ports are unauthorized and the user loses connectivity. If ISE is still down, the ports change to authorized again. It goes on and on until ISE is really alive again. I think it is because of these commands:
radius-server dead-criteria tries 2
radius-server deadtime 3

Is there any way to configure the ports to keep the Authorized status until ISE is really alive again? The user should only lose connection to the network when ISE goes down and when ISE is really alive again, not every 3 minutes. Can we do that?

If everything worked after you did the command conversion, you might want to compare the config to what you had previously. The chances are you might have been missing some commands before. There should be logic built into C3PL to keep the port authorized and only reauthenticate the endpoint when AAA becomes alive (see below).

 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL_AUTH_VLAN
   20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   25 activate service-template CRITICAL-ACCESS
   30 authorize
   40 pause reauthentication
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session