
VLAN Change & Port-bounce Info

matteodapozzo
Level 5

Hi Cisco ISE Community,

I would like to know if anyone has any suggestions on the following scenario:

Guests can connect to the corporate network through wired access in order to browse on the Internet.

Actually I have configured the following on the ISE side:

  • One authorization policy in order to trigger CWA with self registration portal
  • Another authorization policy in order to trigger the VLAN change for the guest user

On the switch side the "guest" switch port is configured as follows:

  • 802.1X + MAB (priority dot1x then mab)
  • switch port by default on the corporate Client VLAN (if the user connecting to that switch port is not using a corporate PC, it still needs to authenticate through CWA)

The issue here is that when the VLAN change CoA is sent to the switch (including the port-bounce command), the client does not proceed with a new DHCP request (the port VLAN changes from 128 to 116). Actually, I haven't figured out whether the port-bounce is working correctly, because in the switch configuration, when I type "no authentication command port-bounce ignore", it still appears in the configuration.

Looking forward to knowing your opinion.

Thanks.

M.

Below you can find the technical details:

####### SW CONFIG

SW03N#sh run all | i bounce

authentication command bounce-port ignore

SW03N#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

SW03N(config)#no authentication command bounce-port ignore

SW03N(config)#end

SW03N#sh run all | i bounce

authentication command bounce-port ignore

####### SW INFO

Switch Ports Model              SW Version            SW Image

------ ----- -----              ----------            ----------

*    1 52    WS-C2960X-48TS-L   15.0(2)EX5            C2960X-UNIVERSALK9-M

     2 52    WS-C2960S-48TS-L   15.0(2)EX5            C2960S-UNIVERSALK9-M

####### AUTHORIZATION PROFILE ATTRIBUTES:

Access Type = ACCESS_ACCEPT

Tunnel-Private-Group-ID = 1:116

Tunnel-Type = 1:13

Tunnel-Medium-Type = 1:6

cisco-av-pair = subscriber:command=bounce-host-port

####### SW switch port facing the client:

interface GigabitEthernet2/0/25

description VLAN Client

switchport access vlan 128

switchport mode access

switchport port-security maximum 2

switchport port-security

switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

speed 100

duplex full

authentication event fail action next-method

authentication host-mode multi-auth

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication violation restrict

mab

dot1x pae authenticator

dot1x timeout tx-period 3

spanning-tree portfast

spanning-tree bpduguard enable

end

####### SW MAB + CoA RADIUS:

Aug  4 16:21:01: RADIUS(00043565): Send Access-Request to 172.17.16.77:1812 id 1645/80,len 268

Aug  4 16:21:01: RADIUS:  authenticator 60 25 BE 92 1E 26 E0 B8 - B1 A2 2F 63 3E 8B 9F 73

Aug  4 16:21:01: RADIUS:  User-Name           [1]   14  "002655f4f36d"

Aug  4 16:21:01: RADIUS:  User-Password       [2]   18  *

Aug  4 16:21:01: RADIUS:  Service-Type        [6]   6   Call Check                [10]

Aug  4 16:21:01: RADIUS:  Vendor, Cisco       [26]  31

Aug  4 16:21:01: RADIUS:   Cisco AVpair       [1]   25  "service-type=Call Check"

Aug  4 16:21:01: RADIUS:  Framed-IP-Address   [8]   6   172.17.129.150

Aug  4 16:21:01: RADIUS:  Framed-MTU          [12]  6   1500

Aug  4 16:21:01: RADIUS:  Called-Station-Id   [30]  19  "70-10-5C-72-2A-99"

Aug  4 16:21:01: RADIUS:  Calling-Station-Id  [31]  19  "00-26-55-F4-F3-6D"

Aug  4 16:21:01: RADIUS:  Message-Authenticato[80]  18

Aug  4 16:21:01: RADIUS:   9B 68 D6 BF 17 67 CA FB 38 47 D5 4B 5B A7 E6 0D            [ hg8GK[]

Aug  4 16:21:01: RADIUS:  EAP-Key-Name        [102] 2   *

Aug  4 16:21:01: RADIUS:  Vendor, Cisco       [26]  49

Aug  4 16:21:01: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=AC1110300004343E10AF1DF4"

Aug  4 16:21:01: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]

Aug  4 16:21:01: RADIUS:  NAS-Port            [5]   6   50225

Aug  4 16:21:01: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet2/0/25"

Aug  4 16:21:01: RADIUS:  Called-Station-Id   [30]  19  "70-10-5C-72-2A-99"

Aug  4 16:21:01: RADIUS:  NAS-IP-Address      [4]   6   172.17.16.48

Aug  4 16:21:01: RADIUS(00043565): Started 5 sec timeout

Aug  4 16:21:01: RADIUS: Received from id 1645/80 172.17.16.77:1812, Access-Accept, len 245

Aug  4 16:21:01: RADIUS:  authenticator 32 4F BD 12 EF 5A 4B AD - 71 DB 2E C5 9B 68 DA EA

Aug  4 16:21:01: RADIUS:  User-Name           [1]   10  "test1234"

Aug  4 16:21:01: RADIUS:  State               [24]  40

Aug  4 16:21:01: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 41 43  [ReauthSession:AC]

Aug  4 16:21:01: RADIUS:   31 31 31 30 33 30 30 30 30 34 33 34 33 45 31 30  [1110300004343E10]

Aug  4 16:21:01: RADIUS:   41 46 31 44 46 34            [ AF1DF4]

Aug  4 16:21:01: RADIUS:  Class               [25]  54

Aug  4 16:21:01: RADIUS:   43 41 43 53 3A 41 43 31 31 31 30 33 30 30 30 30  [CACS:AC111030000]

Aug  4 16:21:01: RADIUS:   34 33 34 33 45 31 30 41 46 31 44 46 34 3A 67 61  [4343E10AF1DF4:ga]

Aug  4 16:21:01: RADIUS:   2D 69 73 65 2F 32 39 31 31 32 39 32 34 31 2F 31  [-ise/291129241/1]

Aug  4 16:21:01: RADIUS:   38 33 34 38              [ 8348]

Aug  4 16:21:01: RADIUS:  Session-Timeout     [27]  6   59887

Aug  4 16:21:01: RADIUS:  Termination-Action  [29]  6   0

Aug  4 16:21:01: RADIUS:  Tunnel-Type         [64]  6   01:VLAN                   [13]

Aug  4 16:21:01: RADIUS:  Tunnel-Medium-Type  [65]  6   01:ALL_802                [6]

Aug  4 16:21:01: RADIUS:  Message-Authenticato[80]  18

Aug  4 16:21:01: RADIUS:   B3 61 E1 9F CD B9 61 81 D5 FD 8F 04 76 FE D2 9C               [ aav]

Aug  4 16:21:01: RADIUS:  Tunnel-Private-Group[81]  6   01:"116"

Aug  4 16:21:01: RADIUS:  Vendor, Cisco       [26]  43

Aug  4 16:21:01: RADIUS:   Cisco AVpair       [1]   37  "subscriber:command=bounce-host-port"

Aug  4 16:21:01: RADIUS:  Vendor, Cisco       [26]  30

Aug  4 16:21:01: RADIUS:   Cisco AVpair       [1]   24  "profile-name=HP-Device"

Aug  4 16:21:01: RADIUS(00043565): Received from id 1645/80

Aug  4 16:21:01: RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNORE

Aug  4 16:21:01: %MAB-5-SUCCESS: Authentication successful for client (0026.55f4.f36d) on Interface Gi2/0/25 AuditSessionID AC1110300004343E10AF1DF4

Aug  4 16:21:01: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0026.55f4.f36d) on Interface Gi2/0/25 AuditSessionID AC1110300004343E10AF1DF4

Aug  4 16:21:01: %AUTHMGR-5-VLANASSIGN: VLAN 116 assigned to Interface Gi2/0/25 AuditSessionID AC1110300004343E10AF1DF4

Aug  4 16:21:02: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.55f4.f36d) on Interface Gi2/0/25 AuditSessionID AC1110300004343E10AF1DF4

####### SW AUTH SESSION DETAILS

SW03N#show authentication sessions interface gigabitEthernet 2/0/25

            Interface:  GigabitEthernet2/0/25

          MAC Address:  0026.55f4.f36d

           IP Address:  172.17.129.150

            User-Name:  test1234

               Status:  Authz Success

               Domain:  DATA

       Oper host mode:  multi-auth

     Oper control dir:  both

        Authorized By:  Authentication Server

          Vlan Policy:  116

      Session timeout:  N/A

         Idle timeout:  N/A

    Common Session ID:  AC1110300004343E10AF1DF4

      Acct Session ID:  0x0004355B

               Handle:  0x49000DF1

Runnable methods list:

       Method   State

       dot1x    Failed over

       mab      Authc Success
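To check what the switch actually received and what it did with it, the following Python script is added here as an example; it is not part of the original post or any Cisco tool. It parses the `debug radius` lines and the `show authentication sessions` output above, confirms that the Access-Accept carries the full VLAN tunnel triplet plus the `subscriber:command=bounce-host-port` AV pair, and then cross-checks the resulting session. The embedded switch output is copied from the post (trimmed), the regexes for the IOS debug line format are the example's own assumption, and the "client still holds its pre-CoA address" heuristic is the example's interpretation of the symptom described, not documented switch behaviour.

```python
import re

# Switch output below is copied from the post (not constructed), trimmed to
# the attributes this check needs.
RADIUS_DEBUG = """\
Aug  4 16:21:01: RADIUS(00043565): Send Access-Request to 172.17.16.77:1812 id 1645/80,len 268
Aug  4 16:21:01: RADIUS:  User-Name           [1]   14  "002655f4f36d"
Aug  4 16:21:01: RADIUS:  Service-Type        [6]   6   Call Check                [10]
Aug  4 16:21:01: RADIUS:  Framed-IP-Address   [8]   6   172.17.129.150
Aug  4 16:21:01: RADIUS:  Calling-Station-Id  [31]  19  "00-26-55-F4-F3-6D"
Aug  4 16:21:01: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet2/0/25"
Aug  4 16:21:01: RADIUS: Received from id 1645/80 172.17.16.77:1812, Access-Accept, len 245
Aug  4 16:21:01: RADIUS:  User-Name           [1]   10  "test1234"
Aug  4 16:21:01: RADIUS:  Tunnel-Type         [64]  6   01:VLAN                   [13]
Aug  4 16:21:01: RADIUS:  Tunnel-Medium-Type  [65]  6   01:ALL_802                [6]
Aug  4 16:21:01: RADIUS:  Tunnel-Private-Group[81]  6   01:"116"
Aug  4 16:21:01: RADIUS:  Vendor, Cisco       [26]  43
Aug  4 16:21:01: RADIUS:   Cisco AVpair       [1]   37  "subscriber:command=bounce-host-port"
Aug  4 16:21:01: RADIUS:  Vendor, Cisco       [26]  30
Aug  4 16:21:01: RADIUS:   Cisco AVpair       [1]   24  "profile-name=HP-Device"
"""

SESSION_OUTPUT = """\
            Interface:  GigabitEthernet2/0/25
          MAC Address:  0026.55f4.f36d
           IP Address:  172.17.129.150
            User-Name:  test1234
               Status:  Authz Success
        Authorized By:  Authentication Server
          Vlan Policy:  116
"""

# Line patterns for IOS 'debug radius' output (this example's own assumption).
PKT_SEND = re.compile(r"RADIUS\(\w+\): Send (\S+) to ")
PKT_RECV = re.compile(r"RADIUS: Received from id \S+ \S+, ([\w-]+), len")
ATTR = re.compile(r"RADIUS:\s+(.+?)\s*\[(\d+)\]\s+\d+\s*(.*)$")


def _clean(value):
    """Strip the trailing enum annotation ([13]), the tunnel tag (01:) and quotes."""
    value = re.sub(r"\s*\[\d+\]\s*$", "", value).strip()
    m = re.match(r"^\d{2}:(.*)$", value)      # e.g. 01:"116" -> "116"
    if m:
        value = m.group(1)
    return value.strip('"')


def parse_radius_debug(text):
    """Group debug lines into packets: [{'type': ..., 'attrs': {name: [values]}}]."""
    packets = []
    for line in text.splitlines():
        m = PKT_SEND.search(line) or PKT_RECV.search(line)
        if m:
            packets.append({"type": m.group(1), "attrs": {}})
            continue
        m = ATTR.search(line)
        if m and packets:
            name, _, value = m.groups()
            packets[-1]["attrs"].setdefault(name, []).append(_clean(value))
    return packets


def vlan_assignment(packets):
    """Summarise what the last Access-Accept tells the switch to do."""
    accepts = [p for p in packets if p["type"] == "Access-Accept"]
    if not accepts:
        return None
    a = accepts[-1]["attrs"]
    avpairs = a.get("Cisco AVpair", [])
    return {
        "vlan": a.get("Tunnel-Private-Group", [None])[0],
        # RFC 3580 VLAN assignment needs all three tunnel attributes.
        "tunnel_ok": a.get("Tunnel-Type") == ["VLAN"]
        and a.get("Tunnel-Medium-Type") == ["ALL_802"],
        "bounce": "subscriber:command=bounce-host-port" in avpairs,
        "avpairs": avpairs,
    }


def parse_auth_session(text):
    """Turn 'show authentication sessions interface ...' into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def diagnose(packets, session):
    """Cross-check the Accept against the session the switch built from it."""
    coa = vlan_assignment(packets)
    if coa is None:
        return ["no Access-Accept seen in the debug output"]
    requests = [p for p in packets if p["type"] == "Access-Request"]
    before_ip = requests[-1]["attrs"].get("Framed-IP-Address", [None])[0] if requests else None
    findings = []
    if not coa["tunnel_ok"] or coa["vlan"] is None:
        findings.append("Accept lacks a complete VLAN tunnel triplet")
    if coa["vlan"] and session.get("Vlan Policy") != coa["vlan"]:
        findings.append(f"switch applied VLAN {session.get('Vlan Policy')} instead of {coa['vlan']}")
    # Heuristic: a bounced host that re-DHCPs in the new VLAN should not keep its old address.
    if coa["bounce"] and before_ip and session.get("IP Address") == before_ip:
        findings.append(f"bounce-host-port sent with VLAN {coa['vlan']} but client still holds pre-CoA address {before_ip}")
    return findings


if __name__ == "__main__":
    for f in diagnose(parse_radius_debug(RADIUS_DEBUG), parse_auth_session(SESSION_OUTPUT)):
        print("FINDING:", f)
```

On the data from this post the Accept is well formed (VLAN 116, all three tunnel attributes, bounce AV pair present) and the switch applied VLAN 116, so the only finding is that the session still shows 172.17.129.150, the address the client had before the CoA: the authorization worked, the host did not re-address.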

Accepted Solution

Hi Matteo,

How are you sending CoA Port-Bounce for CWA? I tried sending CoA Port-Bounce for the same use case but still could not make it work on a 3850.

Our customer also wanted to have a change of VLAN for guests, and we came up with a solution using macros for the 3850.

Please see this link https://communities.cisco.com/thread/81859

However, this solution might not work well in a multi-auth environment behind an IP phone, as we are disabling dot1x on ports where guests are connected.


Craig Hyps
Level 10

In general, VLAN change is not a good idea for guest users, since the connection is MAB, CoA for CWA is a reauth, and the client will not detect the VLAN change and thus retains its original IP. Consider SGTs, or device registration with terminate CoA; otherwise, a workaround could be configuring the NAD profile as non-Cisco and disabling the reauth CoA option.
