Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass 6.3 and Cisco

  • 1.  ClearPass 6.3 and Cisco

    Posted Mar 19, 2014 04:00 PM

    I'm trying to set up ClearPass with my Cisco switches to do dot1x wired authentication. I have a policy set up to push out a Quarantine VLAN and a dACL/URL Redirect. The port on the Cisco switch will come up and start going through authentication, but I'll get "Authorization failed or unapplied for client". If I do a show authentication session on the interface I'm trying with, it shows "Status: Authz Failed". If I take out the URL redirect the port comes up fine, but I'm using the URL redirect for remediation so it's needed. I've opened a TAC case with both Aruba and Cisco and both are scratching their heads. I've followed every guide I could find from Aruba and Cisco on setting this up. If anyone has suggestions or has run into this please let me know. Thanks




  • 2.  RE: ClearPass 6.3 and Cisco

    Posted Mar 19, 2014 04:46 PM

    do you have the ip http server and ip http secure-server entries on the switch?



  • 3.  RE: ClearPass 6.3 and Cisco

    Posted Mar 19, 2014 04:47 PM

    Yes I have those commands on the switch.



  • 4.  RE: ClearPass 6.3 and Cisco

    Posted Mar 19, 2014 04:56 PM

    What version of Cisco IOS are you running?



  • 5.  RE: ClearPass 6.3 and Cisco

    Posted Mar 19, 2014 05:05 PM

    I've tried a few different versions and hardware platforms. Currently I'm working on a 3560G with 15.0(2)SE5. I started with 12.2(58)SE2.



  • 6.  RE: ClearPass 6.3 and Cisco

    Posted Mar 19, 2014 05:12 PM

    The only other thing aside from IOS version (versions seem to be very finicky) would be to check whether you have a default port ACL on the port.



  • 7.  RE: ClearPass 6.3 and Cisco

    Posted Mar 19, 2014 05:16 PM

    I have an ACL called "temp" created and applied. The ACL is permit ip any any.



  • 8.  RE: ClearPass 6.3 and Cisco

    Posted Mar 19, 2014 08:46 PM
    At which part of 802.1X are you getting this? Is it a dot1x failure or a MAB failure?


  • 9.  RE: ClearPass 6.3 and Cisco

    Posted Mar 19, 2014 09:09 PM

    So what happens is a port comes online, dot1x checks for a computer cert, it passes, then (we are using OnGuard as well) it does a posture check which comes back unhealthy since the user has not logged in yet. ClearPass assigns a Quarantine VLAN and pushes out the dACL and URL redirect. MAB does not come into play.



  • 10.  RE: ClearPass 6.3 and Cisco

    Posted Mar 20, 2014 09:20 AM

    It sounds as though ClearPass is sending the proper response but the switch is not interpreting it properly for whatever reason. Can you share the output of the following:

    - debug radius on the switch for that authentication connection.

    - the specific port configuration

    - show authentication sessions for that port/attempt

    I've seen similar behavior in the past, but in those cases it was IOS version compatibilities or missing http server or default ACL commands.



  • 11.  RE: ClearPass 6.3 and Cisco

    Posted Mar 20, 2014 10:04 AM

    - debug radius on the switch for that authentication connection.

    Attached txt file - radius_debug.txt

    - the specific port configuration

    interface GigabitEthernet0/5
     switchport access vlan 19
     switchport mode access
     ip access-group temp in
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     mab
     dot1x pae authenticator
     dot1x timeout server-timeout 30
     dot1x timeout tx-period 10
     dot1x max-req 3
     dot1x max-reauth-req 10
     spanning-tree portfast

    - show authentication sessions for that port/attempt

    ord1-dc-NAC#sh authentication sessions int gi0/5
                Interface:  GigabitEthernet0/5
              MAC Address:  5c26.0a6c.9b3c
               IP Address:  10.145.10.150
                User-Name:  host/JGOULD-TEST.aspect.com
                   Status:  Authz Failed
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  single-host
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
          Session timeout:  10800s (server), Remaining: 10758s
           Timeout action:  Reauthenticate
             Idle timeout:  N/A
        Common Session ID:  0A9119080000014C1DA43B4F
          Acct Session ID:  0x0000016F
                   Handle:  0xA000014D

    Runnable methods list:
           Method   State
           dot1x    Authc Success
           mab      Not run

    Adding as attachments as well.

    Attachment(s):
    - sh_auth_sess.txt (864 B)
    - Interface_config.txt (446 B)
    - Radius_Debug.txt (17 KB)


  • 12.  RE: ClearPass 6.3 and Cisco

    Posted Mar 20, 2014 10:29 AM

    I see Cisco AVpair       [1]   92  "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-Remediation_Portal_Cisco_dACL_and_Redirect-3005-98" being returned. What is in this dACL?



  • 13.  RE: ClearPass 6.3 and Cisco

    Posted Mar 20, 2014 11:50 AM

    To update the thread: jgould56 and I worked on this. By swapping the dACL for a url-redirect-acl AVPair referencing an ACL on the switch, the redirect functionality is working.



  • 14.  RE: ClearPass 6.3 and Cisco

    Posted Jul 17, 2014 04:20 PM

    The Cisco dACL must also always have a source of "any". The switch will convert this to the client IP. I was having trouble with the dACL and as soon as I changed my ACL (I had just applied an existing one from a VLAN interface), everything worked.

    Hope this helps someone.
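    Added example (not code from the thread or from any participant): a small pre-flight audit that encodes the two rules reached in replies 13 and 14 above. It checks that every downloadable ACL (dACL) entry uses a source of "any" (the switch rewrites that to the client IP), that a url-redirect AVPair is paired with a url-redirect-acl AVPair, and that the ACL named in url-redirect-acl is actually defined on the switch. The attribute names follow the Cisco-AVPair format quoted in reply 12; the ACL name REDIRECT-REMED, the ClearPass address 10.0.0.5, the redirect URL and the sample running-config are all constructed for illustration and are not from the original page.

```python
"""Pre-flight audit of a ClearPass enforcement profile for Cisco IOS wired dot1x.

Rules encoded (from the forum thread):
  * dACL entries must use source "any"; the switch substitutes the client IP.
  * A url-redirect must be accompanied by url-redirect-acl, and the named ACL
    must exist on the switch as an extended ACL.
All sample data below is constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

Attr = Tuple[str, str]  # (RADIUS attribute name, value)

# Constructed: the attributes a "dACL + redirect" profile would return.
SAMPLE_ATTRS_BROKEN: List[Attr] = [
    ("Cisco-AVPair", "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-Remediation_Portal_Cisco_dACL_and_Redirect-3005-98"),
    ("Cisco-AVPair", "url-redirect=https://clearpass.example.com/guest/remediate.php"),  # assumed URL
    ("Tunnel-Private-Group-Id", "19"),
]

# Constructed: the working shape from reply 13, redirect ACL defined on the switch.
SAMPLE_ATTRS_FIXED: List[Attr] = [
    ("Cisco-AVPair", "url-redirect-acl=REDIRECT-REMED"),  # assumed ACL name
    ("Cisco-AVPair", "url-redirect=https://clearpass.example.com/guest/remediate.php"),
    ("Tunnel-Private-Group-Id", "19"),
]

# Constructed dACL bodies (the ip:inacl# lines the switch downloads).
SAMPLE_DACL_BAD = [
    "permit ip host 10.145.10.150 any",              # hard-coded client IP as source
    "permit tcp 10.145.10.0 0.0.0.255 any eq 443",   # subnet as source (copied from a VLAN ACL)
]
SAMPLE_DACL_GOOD = [
    "permit udp any any eq domain",
    "permit ip any host 10.0.0.5",                   # 10.0.0.5 = assumed ClearPass address
    "deny ip any any",
]

# Constructed switch running-config excerpt. On IOS redirect ACLs, "deny" means
# "do not redirect this traffic" and "permit" means "redirect it".
SAMPLE_SWITCH_CONFIG = """\
ip http server
ip http secure-server
!
ip access-list extended REDIRECT-REMED
 deny   udp any any eq domain
 deny   ip any host 10.0.0.5
 permit tcp any any eq www
 permit tcp any any eq 443
"""


def parse_cisco_avpairs(attrs: List[Attr]) -> Dict[str, str]:
    """Return the key=value pairs carried in Cisco-AVPair attributes."""
    pairs: Dict[str, str] = {}
    for name, value in attrs:
        if name.lower() != "cisco-avpair" or "=" not in value:
            continue
        key, val = value.split("=", 1)
        pairs[key.strip()] = val.strip()
    return pairs


def check_dacl_sources(aces: List[str]) -> List[str]:
    """Return dACL entries whose source is not 'any' (rule from reply 14).

    Expected ACE shape: <permit|deny> <protocol> <source ...> <destination ...>
    """
    bad: List[str] = []
    for ace in aces:
        tokens = ace.split()
        if len(tokens) < 3 or tokens[0] not in ("permit", "deny") or tokens[2] != "any":
            bad.append(ace)
    return bad


def switch_extended_acls(running_config: str) -> List[str]:
    """Names of extended ACLs defined in a running-config excerpt."""
    return re.findall(r"^ip access-list extended (\S+)\s*$", running_config, re.M)


def audit_profile(attrs: List[Attr], dacl: List[str], running_config: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means the profile passes."""
    findings: List[str] = []
    for ace in check_dacl_sources(dacl):
        findings.append(f"dACL entry does not use source 'any': {ace!r}")
    pairs = parse_cisco_avpairs(attrs)
    if "url-redirect" in pairs and "url-redirect-acl" not in pairs:
        findings.append("url-redirect sent without url-redirect-acl; the switch has no ACL "
                        "telling it which traffic to redirect")
    if "url-redirect-acl" in pairs:
        name = pairs["url-redirect-acl"]
        if name not in switch_extended_acls(running_config):
            findings.append(f"url-redirect-acl references {name!r}, which is not defined on the switch")
    return findings


if __name__ == "__main__":
    for label, attrs, dacl in (("broken", SAMPLE_ATTRS_BROKEN, SAMPLE_DACL_BAD),
                               ("fixed", SAMPLE_ATTRS_FIXED, SAMPLE_DACL_GOOD)):
        print(f"[{label}]")
        for finding in audit_profile(attrs, dacl, SAMPLE_SWITCH_CONFIG) or ["OK"]:
            print("  " + finding)
```

    Run it as a script to see the "broken" profile produce three findings (two dACL sources that are not "any", plus a redirect with no redirect ACL) and the "fixed" profile pass. The switch-side check is deliberately a plain text match on the running-config, so the same function can be pointed at a saved `show running-config` dump before the profile is enabled.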