Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Cisco 9300 Switch (IBNS 2.0) Policy-map

1.  Cisco 9300 Switch (IBNS 2.0) Policy-map

    Posted Sep 28, 2022 12:08 AM
    I have noticed for some time now that Cisco 9300 switches configured as per the below:
    policy-map type control subscriber CPass-Pol
     event session-started match-all
      10 class always do-until-failure
       10 authenticate using dot1x priority 10
       20 authenticate using mab priority 20
     event authentication-failure match-first
      30 class DOT1X_NO_RESP do-until-failure
       10 terminate dot1x
       20 authentication-restart 60
      40 class MAB_FAILED do-until-failure
       10 terminate mab
       20 authentication-restart 60
      50 class DOT1X_FAILED do-until-failure
       10 terminate dot1x
       20 authenticate using mab priority 20
      60 class always do-until-failure
       10 terminate dot1x
       20 terminate mab
       30 authentication-restart 60
     event agent-found match-all
      10 class always do-until-failure
       10 terminate mab
       20 authenticate using dot1x priority 10

    Ports do not reauthenticate at all. Is the above policy-map sufficient for good operation?

    On another note, if I add the following lines to the policy-map as per the Cisco Switch FlexAuth and Admin Authentication (Aruba Solution Exchange):

     event authentication-success match-all
      10 class always do-until-failure
       10 activate service-template IA-TIMER
     event inactivity-timeout match-all
      10 class always do-until-failure
       10 unauthorize

    I get printers and a couple of other devices that are not able to re-authenticate with 802.1X.
    Any clues why?


2.  RE: Cisco 9300 Switch (IBNS 2.0) Policy-map

    Posted Oct 03, 2022 02:53 AM
    Hi

    Also, on a 9300 running IOS-XE 16.12 I'm using the following policy:

    policy-map type control subscriber POLICY_BASE
     event session-started match-all
      10 class always do-until-failure
       10 authenticate using dot1x retries 2 retry-time 0 priority 10
     event authentication-failure match-first
      5 class DOT1X_FAILED do-until-failure
       10 terminate dot1x
       20 authenticate using mab priority 20
      10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
       10 clear-authenticated-data-hosts-on-port
       20 activate service-template CRITICAL_AUTH_VLAN_BASE
       30 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
       40 authorize
       50 pause reauthentication
      20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
       10 pause reauthentication
       20 authorize
      30 class DOT1X_NO_RESP do-until-failure
       10 terminate dot1x
       20 authenticate using mab priority 20
      40 class MAB_FAILED do-until-failure
       10 terminate mab
       20 authentication-restart 60
      60 class always do-until-failure
       10 terminate dot1x
       20 terminate mab
       30 authentication-restart 60
     event agent-found match-all
      10 class always do-until-failure
       10 terminate mab
       20 authenticate using dot1x retries 2 retry-time 0 priority 10
     event inactivity-timeout match-all
      10 class always do-until-failure
       10 clear-session
     event authentication-success match-all
      10 class always do-until-failure
       10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
     event violation match-all
      10 class always do-until-failure
       10 restrict
    !

    Plus this here:
    service-policy type control subscriber POLICY_BASE

    And I'm working with a template assigned to the interfaces:
    template PORT
     dot1x pae authenticator
     dot1x timeout tx-period 5
     dot1x timeout supp-timeout 5
     dot1x max-req 1
     dot1x max-reauth-req 1
     storm-control broadcast level 1.00
     storm-control multicast level 1.00
     storm-control action trap
     spanning-tree portfast
     spanning-tree bpduguard enable
     switchport mode access
     mab
     access-session control-direction in
     access-session closed
     access-session port-control auto
     authentication periodic
     authentication timer reauthenticate server
     service-policy type control subscriber POLICY_BASE
    !

    And I think you also have to send from ClearPass Radius:IETF -> Session-Timeout -> XY seconds together with the VLAN assignment (Radius:IETF -> Tunnel-Private-Group-Id). The Session-Timeout defines when the next re-authentication should happen.

    Best regards,
    Andy
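An added check, not code from any post in this thread, that parses an IOS-XE-style interface template and policy-map (a constructed sample below) and reports whether periodic re-authentication is enabled and whether its interval depends on the RADIUS Session-Timeout that Andy mentions; `parse_blocks` and `check_reauth` are hypothetical helper names.

```python
# Constructed sample (not posted in the thread): an interface template plus a
# trimmed policy-map in the IBNS 2.0 style discussed above.
SAMPLE_CONFIG = """\
template PORT
 dot1x pae authenticator
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber POLICY_BASE
!
policy-map type control subscriber POLICY_BASE
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
!
"""

def parse_blocks(text):
    """Group an IOS-style config into {header line: [nested lines, stripped]}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None          # '!' or a blank line closes the block
        elif not raw.startswith(" "):
            current = raw.strip()   # an unindented line opens a new block
            blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks

def check_reauth(text):
    """Report whether periodic re-auth can fire and where its timer comes from."""
    blocks = parse_blocks(text)
    result = {"periodic_reauth": False, "timer_from_server": False,
              "handles_inactivity_timeout": False, "warnings": []}
    for header, lines in blocks.items():
        if header.startswith(("template ", "interface ")):
            result["periodic_reauth"] = "authentication periodic" in lines
            result["timer_from_server"] = "authentication timer reauthenticate server" in lines
        elif header.startswith("policy-map type control subscriber"):
            events = {l.split()[1] for l in lines if l.startswith("event ")}
            result["handles_inactivity_timeout"] = "inactivity-timeout" in events
    if not result["periodic_reauth"]:
        result["warnings"].append("no 'authentication periodic': ports never reauthenticate")
    elif result["timer_from_server"]:
        result["warnings"].append("reauth interval comes from the RADIUS Session-Timeout; make sure the NAC policy returns it")
    return result
```

Run it against a `show running-config` excerpt to see at a glance whether a port template without `authentication periodic` is the reason ports never re-authenticate.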

3.  RE: Cisco 9300 Switch (IBNS 2.0) Policy-map

    Posted Oct 04, 2022 03:17 AM
    Dear Andy,
    Could you please send us the configuration lines of:
    service-template CRITICAL_AUTH_VLAN_BASE
    service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
    service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
    class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
    class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
    class-map type control subscriber match-all DOT1X
    class-map type control subscriber match-all DOT1X_FAILED
    class-map type control subscriber match-all DOT1X_NO_RESP
    class-map type control subscriber match-all DOT1X_TIMEOUT
    class-map type control subscriber match-all MAB_FAILED