Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass onboard URL redirect on cisco 9300

  • 1.  Clearpass onboard URL redirect on cisco 9300

    Posted May 14, 2019 02:55 AM

    Hi,


    At this moment we are in a proof-of-concept phase for a NAC deployment, for which we use ClearPass, Cisco 2960 and Cisco 9300.

    On the 2960 all works as intended:

    - known devices in the AD (and via certificates) are allowed

    - unknown devices are redirected and/or prompted with the redirect URL, where they can register themselves on the onboarding page.


    On the 9300 however, despite the fact that with a "show authentication session interface gX/X/X details" we get the same situation as with the 2960, the devices do not receive the redirect, although the switchport received this information from ClearPass.

    If we enter the URL by hand, it works as intended, but this is not user-friendly at all (certainly not, because users would then have to enter their MAC address by hand instead of it being filled in automatically).


    The config of the switch is attached.

    We're pretty sure of the setup of ClearPass, because it works on the 2960.


    Does anybody have an idea on how to resolve this issue?

    Attachment(s): runningconfig20.txt (19 KB)


  • 2.  RE: Clearpass onboard URL redirect on cisco 9300

    Posted May 15, 2019 02:29 AM

    So the URL redirect didn't work because of some dependencies that differ between IOS (C2960) and IOS-XE (C9300).

    On the C2960 you'll need ip device-tracking (IPDT) before the redirect works. On the C9300 it's replaced by SISF device tracking.

    Once SISF was implemented it worked as it should.



  • 3.  RE: Clearpass onboard URL redirect on cisco 9300

    Posted Sep 11, 2019 05:05 PM

    mb815, would you be willing to share the MAB config you're using successfully on 9300s? On our 9300s, the switch gets the redirect, but the client does not. If the redirect is entered manually, then the process moves on.


    Here's our basic config:

    aaa server radius dynamic-author
    client X.X.X.X server-key 7 ---
    port 3799
    auth-type all
    !
    interface GigabitEthernetX/X/X
    switchport mode access
    switchport port-security maximum 50
    switchport port-security violation restrict
    switchport port-security
    ip access-group ALLOW-ALL in
    no logging event link-status
    authentication order mab
    authentication priority mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    spanning-tree portfast
    !
    ip access-list extended ALLOW-ALL
    permit ip any any
    !
    ip access-list extended REDIRECT
    deny ip any host X.X.X.X
    deny ip any host X.X.X.X
    deny ip any host X.X.X.X
    deny ip any host X.X.X.X
    permit tcp any any eq www
    permit tcp any any eq 443
    !
    !
    radius-server attribute 8 include-in-access-req
    !
    radius server clear-pass-radius-1
    address ipv4 X.X.X.X auth-port 1812 acct-port 1813
    key 7 ---
    !
    radius server clear-pass-radius-2
    address ipv4 X.X.X.X auth-port 1812 acct-port 1813
    key 7 ---




  • 4.  RE: Clearpass onboard URL redirect on cisco 9300

    Posted Sep 12, 2019 02:55 AM

    Hi,


    It sounds exactly like the problem I've encountered. If I recall correctly it was all about the IP device tracking policy. On new platforms it's called SISF, and this replaces IPDT.

    Below you can find our config on 9300s:


    Global config:

    device-tracking policy policy1
    trusted-port
    no protocol udp
    tracking enable
    vlan configuration 1-4094
    device-tracking attach-policy policy1

    dot1x system-auth-control

    vlan 2
    name Data_Vlan
    vlan 500
    name Voice_Vlan

    ip http server
    ip http secure-server
    ip http secure-active-session-modules none
    ip http active-session-modules none

    ip radius source-interface Vlan1

    ip access-list extended Onboard_ACL
    deny udp any any eq bootpc
    deny udp any any eq bootps
    Remark CP
    deny tcp any host a.b.c.d
    deny tcp any host a.b.c.e
    deny tcp any host a.b.c.f
    deny udp any any eq domain
    permit ip any any

    radius server clearpass1
    address ipv4 a.b.c.d auth-port 1645 acct-port 1646
    key 7 xxxxxxxxx
    !
    radius server clearpass2
    address ipv4 a.b.c.e auth-port 1645 acct-port 1646
    key 7 xxxxxxxxxx

    radius-server timeout 3


    Port config:
    interface xxxxxxx
    switchport mode access
    switchport voice vlan 500
    no cdp enable
    no snmp trap link-status
    authentication event server dead action authorize voice
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication port-control auto
    authentication timer inactivity 3600
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 3
    spanning-tree portfast

    AAA config:
    aaa new-model
    aaa group server radius clearpass
    server name clearpass1
    server name clearpass2
    aaa authentication dot1x default group clearpass
    aaa authorization network default group clearpass
    aaa accounting dot1x default start-stop group clearpass

    aaa server radius dynamic-author
    client a.b.c.d
    client a.b.c.e
    server-key 7 xxxxxxx

    aaa session-id common



  • 5.  RE: Clearpass onboard URL redirect on cisco 9300

    Posted Sep 12, 2019 06:08 PM

    Thank you so much!  We could not find an answer to this problem.


    For others, we added the following commands in addition to what I posted previously. We did not add the device tracking policy.


    ! Additional port config:

    authentication event server alive action reinitialize

    authentication host-mode multi-auth

    authentication port-control auto

    authentication timer inactivity 3600

    dot1x pae authenticator

    dot1x timeout tx-period 3


    ! New ip http settings:
    ip http server

    ip http secure-server

    ip http secure-active-session-modules none

    ip http active-session-modules none



  • 6.  RE: Clearpass onboard URL redirect on cisco 9300

    Posted Aug 20, 2021 04:15 AM
    Hi Mate,
    Could you please share your Cisco 2960 switch config if you don't mind. I am struggling to redirect the user to a splash page. Every time I connect a device with Posture Unknown, the status becomes Unauthorized.

    Regards,
    Varun

    ------------------------------
    Varun Sharma
    ------------------------------



  • 7.  RE: Clearpass onboard URL redirect on cisco 9300

    Posted Sep 30, 2019 07:05 PM

    Michael, for your switches with the MAB configuration, do you have DHCP snooping in place?  We've observed some varying results with snooping enabled.

    Thanks again.



  • 8.  RE: Clearpass onboard URL redirect on cisco 9300

    Posted Oct 02, 2019 02:13 AM

    Hi Jon,


    No, we do not have DHCP snooping in place. What do you mean with varying results? I did implement DHCP snooping in a non-dot1x environment, where it worked as intended.




  • 9.  RE: Clearpass onboard URL redirect on cisco 9300

    Posted Oct 03, 2019 04:17 PM

    In our initial testing it seemed like having our standard DHCP snooping config in place did not cause any problems.

    After we rolled out the new config we got a report that redirect, etc. was not working for a specific user (the MAB ports are not widely used, so it's hard to know if others had attempted).

    In testing on that switch I noticed DHCP snooping was enabled, but the post-auth VLAN was not included.

    When I added that VLAN, the redirect worked, but the client kept losing their IP (i.e. the client initially got a DHCP-assigned IP, but it would then disappear; logging in had to happen while the IP was working).

    If I disabled DHCP snooping completely, then the MAB process works as expected, including redirect, and there are no problems with the client IP being stable.

    I replicated this on other 9300s. In general the Cisco docs seem to assume snooping will be enabled, so I'm not sure why it's causing a problem in these cases...
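    The thread boils down to a short checklist for URL redirect on IOS-XE: a SISF device-tracking policy attached to the VLANs or ports (posts 2 and 4), the embedded HTTP server enabled (posts 4 and 5), a dynamic-author client so ClearPass can send CoA, MAB with port-control auto on the port, and, from the post above, DHCP snooping either off or covering the port's VLAN. The script below is an added example that runs those checks over a running config; it is not code from the forum posts, Cisco or HPE Aruba. It assumes the text is in `show running-config` form (child commands indented by one space), the sample configs and the 192.0.2.10 address are constructed, and the checks are heuristics that do not replace `show authentication session` on the switch.

    ```python
    """Check an IOS-XE running config for the ClearPass URL-redirect prerequisites
    discussed in this thread (SISF device tracking, embedded HTTP server,
    dynamic-author/CoA, MAB on the port) and for the DHCP snooping VLAN gap in post 9.
    Example code added for illustration; not from the forum posts, Cisco or HPE Aruba.
    Sample configs below are constructed."""
    import re

    # Constructed sample: no SISF policy, no HTTP server, snooping does not cover VLAN 20.
    SAMPLE_BROKEN = """\
    aaa new-model
    aaa server radius dynamic-author
     client 192.0.2.10 server-key 7 PLACEHOLDER
    ip dhcp snooping vlan 10
    ip dhcp snooping
    interface GigabitEthernet1/0/1
     switchport mode access
     switchport access vlan 20
     authentication port-control auto
     mab
    """

    # Constructed sample with the fixes from posts 4 and 5 applied and VLAN 20 snooped.
    SAMPLE_FIXED = SAMPLE_BROKEN.replace("ip dhcp snooping vlan 10", "ip dhcp snooping vlan 10,20") + """\
    device-tracking policy policy1
     trusted-port
     tracking enable
    vlan configuration 1-4094
     device-tracking attach-policy policy1
    ip http server
    ip http secure-server
    """

    def parse_config(text):
        """Map each top-level command to its indented child lines; 'global' lists
        every top-level command. Comment lines ('!') are skipped."""
        blocks = {"global": []}
        current = "global"
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("!"):
                continue
            if raw.startswith(" "):
                blocks[current].append(line)
            else:
                current = line
                blocks.setdefault(current, [])
                blocks["global"].append(line)
        return blocks

    def expand_vlan_list(spec):
        """'1,5-7' -> {1, 5, 6, 7} (IOS VLAN list syntax)."""
        vlans = set()
        for part in spec.replace(" ", "").split(","):
            if "-" in part:
                lo, hi = part.split("-", 1)
                vlans.update(range(int(lo), int(hi) + 1))
            elif part:
                vlans.add(int(part))
        return vlans

    def access_vlan(lines):
        for line in lines:
            m = re.match(r"switchport access vlan (\d+)$", line)
            if m:
                return int(m.group(1))
        return 1  # IOS default access VLAN

    def audit(config_text):
        """Return a list of findings; an empty list means every check passed."""
        blocks = parse_config(config_text)
        glob = blocks["global"]
        findings = []
        ports = {h: l for h, l in blocks.items() if h.startswith("interface ") and "mab" in l}

        # 1. SISF: a device-tracking policy with 'tracking enable' must be attached to a
        #    VLAN or interface (post 4 attaches it under 'vlan configuration 1-4094').
        policies = {h.split()[-1] for h, l in blocks.items()
                    if h.startswith("device-tracking policy ") and "tracking enable" in l}
        attached = set()
        for h, l in blocks.items():
            if h.startswith(("vlan configuration ", "interface ")):
                for line in l:
                    m = re.match(r"device-tracking attach-policy (\S+)$", line)
                    if m:
                        attached.add(m.group(1))
        bare = any("device-tracking" in l for l in ports.values())  # default policy on the port
        if not (policies & attached) and not bare:
            findings.append("no SISF device-tracking policy with 'tracking enable' is attached")

        # 2. The switch's embedded web server answers the intercepted HTTP request (posts 4/5).
        if not any(line in ("ip http server", "ip http secure-server") for line in glob):
            findings.append("neither 'ip http server' nor 'ip http secure-server' is configured")

        # 3. ClearPass CoA needs a dynamic-author client entry.
        if not any(line.startswith("client ") for line in blocks.get("aaa server radius dynamic-author", [])):
            findings.append("'aaa server radius dynamic-author' has no client entry for ClearPass")

        # 4. MAB ports must actually enforce authentication.
        if not ports:
            findings.append("no interface has 'mab' configured")
        for h, l in ports.items():
            if "authentication port-control auto" not in l:
                findings.append(f"{h}: 'mab' without 'authentication port-control auto'")

        # 5. Post 9: DHCP snooping enabled but the port's VLAN missing from the snooped list.
        if "ip dhcp snooping" in glob:
            snooped = set()
            for line in glob:
                m = re.match(r"ip dhcp snooping vlan (.+)$", line)
                if m:
                    snooped |= expand_vlan_list(m.group(1))
            for h, l in ports.items():
                vlan = access_vlan(l)
                if vlan not in snooped:
                    findings.append(f"{h}: DHCP snooping is on but access VLAN {vlan} is not snooped")
        return findings

    if __name__ == "__main__":
        for name, cfg in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
            print(name, audit(cfg) or ["OK"])
    ```

    Run it as `python check_redirect.py` (hypothetical file name) or feed it the saved output of `show running-config`; on the constructed broken sample it reports the missing SISF policy, the missing HTTP server and the unsnooped VLAN 20, and nothing on the fixed sample. The snooping check only flags a gap; whether to snoop the post-auth VLAN or disable snooping on MAB ports is the trade-off described in post 9.
    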



