topic ESW 520 802.1x MAB authentication problem in Network Access Control https://community.cisco.com/t5/network-access-control/esw-520-802-1x-mab-authentication-problem/m-p/1988485#M180536 <P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">Hello,</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">I am having problem with 802.1x MAB authentication on ESW 520 switch, the authentication server is ACS 5.3.</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">The Authentication method on ESW is 802.1x &amp; MAC, and Host Authentication mode is Multi Session. When i plug ip phone it never authenticate the phone, and on ACS I get following error message:</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">Radius authentication failed for USER: aa1effbb8fd4&nbsp; MAC: aa-1E-FF-bb-8F-D4&nbsp; AUTHTYPE:&nbsp; Radius authentication failed</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">!</P><P id="AUTOGENBOOKMARK_11" style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">RADIUS Status:Authentication failed&nbsp;&nbsp;&nbsp; : <A href="https://172.16.4.225/avreports/servlet/GenericRedirector?command=submit&amp;__requesttype=immediate&amp;invokeSubmit=true&amp;__executableName=%2Fhome%2Facsadmin%2FFailure_Reason%2FAuthentication_Failure_Code_Lookup.rptdesign&amp;rptFailureReason=11509+Access+Service+does+not+allow+any+EAP+protocols&amp;__locale=en_US&amp;iportalID=TKNENRBYE&amp;__masterpage=false&amp;__newWindow=false" rel="nofollow" style="border-collapse: collapse; list-style: none; outline: none; color: #2f6681; text-decoration: none;" target="_self">11509 Access Service does not allow any EAP protocols</A></P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">------</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">15004&nbsp; Matched rule</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">15012&nbsp; Selected Access Service - MAB</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">11507&nbsp; Extracted EAP-Response/Identity</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">11509&nbsp; Access Service does not allow any EAP protocols</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">11504&nbsp; Prepared EAP-Failure</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">11003&nbsp; Returned RADIUS Access-Reject</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">For that Access Service I have configured only Host Lookup.</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">The same ACS configuration is working perfectly on Catalyst 3560G switche.</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; margin: 0in 0in 0.0001pt; font-family: Arial, verdana, sans-serif;">It seems that ESW switch is not telling ACS that authentication is going to be by MAC address.</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">Do you have any idea what can be the problem.</P> Mon, 11 Mar 2019 02:21:13 GMT ngtransge 2019-03-11T02:21:13Z ESW 520 802.1x MAB authentication problem https://community.cisco.com/t5/network-access-control/esw-520-802-1x-mab-authentication-problem/m-p/1988485#M180536 <P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">Hello,</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">I am having problem with 802.1x MAB authentication on ESW 520 switch, the authentication server is ACS 5.3.</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">The Authentication method on ESW is 802.1x &amp; MAC, and Host Authentication mode is Multi Session. When i plug ip phone it never authenticate the phone, and on ACS I get following error message:</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">Radius authentication failed for USER: aa1effbb8fd4&nbsp; MAC: aa-1E-FF-bb-8F-D4&nbsp; AUTHTYPE:&nbsp; Radius authentication failed</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">!</P><P id="AUTOGENBOOKMARK_11" style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">RADIUS Status:Authentication failed&nbsp;&nbsp;&nbsp; : <A href="https://172.16.4.225/avreports/servlet/GenericRedirector?command=submit&amp;__requesttype=immediate&amp;invokeSubmit=true&amp;__executableName=%2Fhome%2Facsadmin%2FFailure_Reason%2FAuthentication_Failure_Code_Lookup.rptdesign&amp;rptFailureReason=11509+Access+Service+does+not+allow+any+EAP+protocols&amp;__locale=en_US&amp;iportalID=TKNENRBYE&amp;__masterpage=false&amp;__newWindow=false" rel="nofollow" style="border-collapse: collapse; list-style: none; outline: none; color: #2f6681; text-decoration: none;" target="_self">11509 Access Service does not allow any EAP protocols</A></P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">------</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">15004&nbsp; Matched rule</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">15012&nbsp; Selected Access Service - MAB</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">11507&nbsp; Extracted EAP-Response/Identity</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">11509&nbsp; Access Service does not allow any EAP protocols</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">11504&nbsp; Prepared EAP-Failure</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">11003&nbsp; Returned RADIUS Access-Reject</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">For that Access Service I have configured only Host Lookup.</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">The same ACS configuration is working perfectly on Catalyst 3560G switche.</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; margin: 0in 0in 0.0001pt; font-family: Arial, verdana, sans-serif;">It seems that ESW switch is not telling ACS that authentication is going to be by MAC address.</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">Do you have any idea what can be the problem.</P> Mon, 11 Mar 2019 02:21:13 GMT https://community.cisco.com/t5/network-access-control/esw-520-802-1x-mab-authentication-problem/m-p/1988485#M180536 ngtransge 2019-03-11T02:21:13Z ESW 520 802.1x MAB authentication problem https://community.cisco.com/t5/network-access-control/esw-520-802-1x-mab-authentication-problem/m-p/1988486#M180538 <HTML><HEAD></HEAD><BODY><P>Are you hitting the same selection rule? Also is "mab eap" configured globally on the switch, or on the port itself?</P><P></P><P>Also can you post the port configuration and the show ver of the ESW?</P><P></P><P>Thanks,</P><P></P><P></P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Sat, 28 Jul 2012 21:07:39 GMT https://community.cisco.com/t5/network-access-control/esw-520-802-1x-mab-authentication-problem/m-p/1988486#M180538 Tarik Admani 2012-07-28T21:07:39Z