topic ISE mab authentication with Avaya/Nortel switches in Network Access Control

ISE mab authentication with Avaya/Nortel switches

Glnc66inc — Mon, 11 Mar 2019 02:27:10 GMT

Currently using Cisco ISE 1.1 to authentication both dot1x and mab from Cisco switches. Both features are authenticating properly.

When we use a Nortel/Avaya switch for the authenticator, we are unable to authenticate using mac bypass (non-eap (or neap) in Avaya talk..). The correct authentication policy is found in the ISE, but the mac address is not found in the database. We know it is there because the same mac is authenticating with the Cisco switch. Dot1x authenticates properly from both the Cisco and Avaya authenticators.

Could this be an issues with the username/password format in the Radius packet from the Cisco?

Thanks in advance for any assistance.

-Kurt

ISE mab authentication with Avaya/Nortel switches

Tarik Admani — Wed, 22 Aug 2012 20:17:56 GMT

Kurt,

On your probe configuration do you have the radius probe configured? If so, one way to take a look at the radus packet and to decrypt the password will be to compare the two transactions.

You can take a capture by using the tcpdump tool under the Operations > Diagnostic tools > General Tools > TCPDump.

You can enter the filter "ip host " after setting the option for raw packet data, once you are able to test with the Cisco switch, then stop the capture, download and do it again using the avaya switch.

You can then open the packet capture using wireshark, and in the preferences tab you can select the radius protocol and set the shared secret which will decrypt the password to see what it is, you can also do a comparison as to how the packet is being sent from to the other.

thanks,

Tarik Admani
*Please rate helpful posts*

ISE mab authentication with Avaya/Nortel switches

Glnc66inc — Thu, 28 Feb 2013 20:32:14 GMT

The problem is with the ISE platform. As it turns out, Cisco is not using the correct radius attribute (as stated in the radius RFC).They are using a cisco attribute that other vendors are not using.

This bug will be fixed in the 2.x release this spring.

ISE mab authentication with Avaya/Nortel switches

nspasov — Fri, 01 Mar 2013 16:51:17 GMT

Kurt, do you have a bug ID for this? It will be nice to have this reference

ISE mab authentication with Avaya/Nortel switches

Glnc66inc — Fri, 01 Mar 2013 18:59:17 GMT

As requested...

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fet

chBugDetails&bugId=CSCuc22732

MAB works from a cisco switch because the cisco switch places the mac address in the calling-station-attribute and the user-name attribute. The Cisco ISE platform is looking at the calling-station attribute to find the user name.This is the problem.

The radius RFC says the user name must be in the user-name attribute. The calling-station-attribute is not a required field and is used for the phone number of a voip phone. Basically, the ISE platform is looking at the wrong field for the mac address.

ISE mab authentication with Avaya/Nortel switches

nspasov — Fri, 08 Mar 2013 02:28:11 GMT

Thank you for sharing that Kurt (+5) from me. Also, if your issue is resolved please mark the thread as close.