collapse

Search


User Info

 
 
Welcome, Guest. Please login or register.
Did you miss your activation email?

Author Topic: ISE, Brocade switch and securedock  (Read 40827 times)

Offline czekon26

  • Cisco Newbie
  • *
  • Posts: 10
  • Reputation: 2
  • Certification: N/A
ISE, Brocade switch and securedock
« on: August 10, 2016, 06:48:46 AM »
Hello,

During deployment of 802.1.x which is based on Brocade switches I encountered a problem.
When port is enabled for 802.1x i mac-authentication and we connect PC with secure dock to that port then connection to securedock i blocked  and PC remains encrypted unless we provide the password manunally. When the port operates without any authentication securedock communication works fine and decrypts automatically. Pre_auth_acl is not helping in that case. On the other hand on cisco switch all works fine with the same acl.

Initial connection steps when checking by: sh dot1x session command:
1)
SSH@ICX6430#sh dot1x sessions ethernet 1/1/12
------------------------------------------------------------------------------------------------------
Port        MAC               IP              User          Vlan  Auth      ACL     Age          PAE 
            Addr              Addr            Name                State                                State
------------------------------------------------------------------------------------------------------
1/1/12      d4cd.d977.f989    N/A      N/A          4092  init      none     S45     CONNECT

2) Session moved to restricted vlan 300
sh dot1x sessions ethernet 1/1/12
------------------------------------------------------------------------------------------------------
Port        MAC               IP              User          Vlan  Auth      ACL     Age      PAE 
            Addr              Addr            Name                State                           State
------------------------------------------------------------------------------------------------------
1/1/12  d4cd.d977.f989     N/A         N/A           300   init      none     Ena     HELD

3) and then moved to port vlan with different mac address assigned to the session
SSH@ICX6430#sh dot1x sessions ethernet 1/1/12
------------------------------------------------------------------------------------------------------
Port        MAC               IP              User          Vlan  Auth      ACL     Age   PAE 
            Addr              Addr            Name                State                         State
------------------------------------------------------------------------------------------------------
1/1/12   0180.c200.0003    N/A        N/A           301   init      none       N/A   CONNECT

For some reason MAB policy is telling that authentication is failed because the endpoint is not found in the identity store but it is not true. Endpoint is added correctly. looks like MAB is not being triggered correctly.  Any Idea what can be wrong.

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: ISE, Brocade switch and securedock
« Reply #1 on: August 11, 2016, 09:10:33 PM »
I am not familiar with Brocade switch but will give it a try. I assume you are trying MAB authentication and the switch supports it? If so, what's the Radius log looks like in the detail? Can you provide screenshot?

Offline czekon26

  • Cisco Newbie
  • *
  • Posts: 10
  • Reputation: 2
  • Certification: N/A
Re: ISE, Brocade switch and securedock
« Reply #2 on: August 12, 2016, 01:15:07 AM »
Hi,

Yes i'm trying mab auth becouse the PC i encrypted end OS is not even started yet. Yesterday i done some more tests and find out that when I change the radius attribute of Radius:Service-Type = Call Check to Radius:Service-Type = Framed  and ad the internal endpoints to auth policy it then works fine and can find the user in local database by using mac address. Very starnge.

Summarizing:
In the policy auth section when we use to have spearate policy for mab and dot1x currently when I use only one policy when I configured Radius:Service-Type = Framed and internal endpoints + All AD Jointpoints it all works fine but Im not sure is this is allowed configuration.

Also in ISE 2.0 i can see that radius attributes for MAB ( CISCO and brocade are different) :
CISCO:
Radius:NAS-Port-Type = Ethernet   
Radius:Service-Type = Call Check

Brocade:
Radius:NAS-Port-Type = Ethernet   
Radius:Service-Type = Framed   
Radius:User-Name = Radius:Calling-Station-ID


Looks like this my be the reason of my problem.


Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: ISE, Brocade switch and securedock
« Reply #3 on: August 16, 2016, 11:21:54 PM »
That's was what I suspected which was why I asked for the RADIUS log. Since MAB is not a standard, it is implemented differently among vendors. Evidently the attributes used by Brocade switch is not the same as Cisco hence caused the policy not to be matched. This is where the use for Network Device Profile comes in.
Thanks for sharing the detail and nice troubleshooting.

 

Related Topics

  Subject / Started by Replies Last post
1 Replies
23263 Views
Last post November 01, 2013, 04:02:15 AM
by adecisco
3 Replies
57943 Views
Last post April 19, 2018, 12:23:39 AM
by Kaikagaga
1 Replies
42706 Views
Last post April 14, 2014, 11:49:40 PM
by MC
1 Replies
29402 Views
Last post October 09, 2014, 11:24:15 PM
by Administrator
3 Replies
48933 Views
Last post June 24, 2018, 07:46:41 PM
by pinyowit

SimplePortal 2.3.7 © 2008-2024, SimplePortal