<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: MAB Issue: Auth Session Immediately Fails MAB Method in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/mab-issue-auth-session-immediately-fails-mab-method/m-p/3873747#M24777</link>
    <description>&lt;P&gt;I do not see the following command "aaa server radius dynamic-author"&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;And if you don't need dot1x for specific ports then remove the flexible authentication.&lt;/P&gt;</description>
    <pubDate>Sun, 16 Jun 2019 12:32:54 GMT</pubDate>
    <dc:creator>ldanny</dc:creator>
    <dc:date>2019-06-16T12:32:54Z</dc:date>
    <item>
      <title>MAB Issue: Auth Session Immediately Fails MAB Method</title>
      <link>https://community.cisco.com/t5/network-access-control/mab-issue-auth-session-immediately-fails-mab-method/m-p/3873382#M24773</link>
      <description>&lt;P&gt;Hi everyone,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm trying to configure MAB on an access port. The device is a kiosk of sorts, so I have no interest in dot1x, only the MAB component. I believe I have everything configured, but when I&amp;nbsp;&lt;EM&gt;show authentication session interface g1/0/22&amp;nbsp;&lt;/EM&gt;it immediately says the MAB method has failed, and then attempts dot1x.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;PRE&gt;LD200LDPSSW1(config-if)#shut
LD200LDPSSW1(config-if)#no shut
LD200LDPSSW1(config-if)#do show auth sess int g1/0/22
            Interface:  GigabitEthernet1/0/22
          MAC Address:  4439.c435.1eaa
           IP Address:  Unknown
            User-Name:  4439c4351eaa
               Status:  Running
               Domain:  UNKNOWN
       Oper host mode:  single-host
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A01C8330000000D31CCD3AE
      Acct Session ID:  0x00000D82
               Handle:  0x5E00000D

Runnable methods list:
       Method   State
       mab      Failed over
       dot1x    Running&lt;/PRE&gt;&lt;P&gt;My radius server shows no traffic from this switch, so I'm guessing the issue is with my config somewhere.&lt;/P&gt;&lt;PRE&gt;Current configuration : 12372 bytes
!
! Last configuration change at 07:24:24 PDT Fri May 24 2019 by 053166
! NVRAM config last updated at 07:24:25 PDT Fri May 24 2019 by 053166
!
version 12.2
no service pad
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname 200SW1
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
enable secret 5 xxxxxxxxxxx
!
username abc secret 5 xxxxxxxxxxx
!
!
aaa new-model
!
!
aaa authentication fail-message ^Failed login. Try again.^
aaa authentication login Use-Radius group radius local
aaa authentication dot1x Use-Radius group radius
aaa authorization network Use-Radius group radius
aaa accounting update newinfo
aaa accounting dot1x Use-Radius start-stop group radius
!
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PDT recurring
switch 1 provision ws-c2960s-24ts-l
authentication mac-move permit
ip subnet-zero
!
!

dot1x system-auth-control
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
!
! &amp;lt;OMITTED&amp;gt;
!
!
interface GigabitEthernet1/0/22
 description PUBLIC
 switchport access vlan 51
 switchport mode access
 switchport voice vlan 95
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 51
 authentication event server alive action reinitialize
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! &amp;lt;OMITTED&amp;gt;
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format unformatted
radius-server dead-criteria time 10 tries 3
radius-server host 172.20.201.47 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxx
radius-server vsa send accounting
radius-server vsa send authentication
!
!
line con 0
 login authentication Use-Radius
line vty 0 4
 access-class VTY-IN in
 login authentication Use-Radius
line vty 5 15
 access-class VTY-IN in
 login authentication Use-Radius
!
end&lt;/PRE&gt;&lt;P&gt;Any help would be greatly appreciated!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 14 Jun 2019 21:07:47 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mab-issue-auth-session-immediately-fails-mab-method/m-p/3873382#M24773</guid>
      <dc:creator>CDavidson21</dc:creator>
      <dc:date>2019-06-14T21:07:47Z</dc:date>
    </item>
    <item>
      <title>Re: MAB Issue: Auth Session Immediately Fails MAB Method</title>
      <link>https://community.cisco.com/t5/network-access-control/mab-issue-auth-session-immediately-fails-mab-method/m-p/3873656#M24775</link>
      <description>Hi&lt;BR /&gt;&lt;BR /&gt;Why didn't you use the default list for aaa commands for dot1x and network?&lt;BR /&gt;Normally it should work but try modifying them with the default list.&lt;BR /&gt;&lt;BR /&gt;Also can you run the following commands and share the output:&lt;BR /&gt;- sh mab all&lt;BR /&gt;- debug authentication&lt;BR /&gt;- debug mab all&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;</description>
      <pubDate>Sun, 16 Jun 2019 04:11:14 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mab-issue-auth-session-immediately-fails-mab-method/m-p/3873656#M24775</guid>
      <dc:creator>Francesco Molino</dc:creator>
      <dc:date>2019-06-16T04:11:14Z</dc:date>
    </item>
    <item>
      <title>Re: MAB Issue: Auth Session Immediately Fails MAB Method</title>
      <link>https://community.cisco.com/t5/network-access-control/mab-issue-auth-session-immediately-fails-mab-method/m-p/3873747#M24777</link>
      <description>&lt;P&gt;I do not see the following command "aaa server radius dynamic-author"&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;And if you don't need dot1x for specific ports then remove the flexible authentication.&lt;/P&gt;</description>
      <pubDate>Sun, 16 Jun 2019 12:32:54 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mab-issue-auth-session-immediately-fails-mab-method/m-p/3873747#M24777</guid>
      <dc:creator>ldanny</dc:creator>
      <dc:date>2019-06-16T12:32:54Z</dc:date>
    </item>
    <item>
      <title>Re: MAB Issue: Auth Session Immediately Fails MAB Method</title>
      <link>https://community.cisco.com/t5/network-access-control/mab-issue-auth-session-immediately-fails-mab-method/m-p/3873842#M24778</link>
      <description>&lt;P&gt;Please look at the recommendations here as well. It includes a standard config.&lt;BR /&gt;&lt;BR /&gt;&lt;A href="https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515" target="_blank" rel="noopener"&gt;https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 17 Jun 2019 19:14:38 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mab-issue-auth-session-immediately-fails-mab-method/m-p/3873842#M24778</guid>
      <dc:creator>Jason Kunst</dc:creator>
      <dc:date>2019-06-17T19:14:38Z</dc:date>
    </item>
    <item>
      <title>Re: MAB Issue: Auth Session Immediately Fails MAB Method</title>
      <link>https://community.cisco.com/t5/network-access-control/mab-issue-auth-session-immediately-fails-mab-method/m-p/3874500#M24779</link>
      <description>&lt;P&gt;Sorry, I don't understand what you mean by "the default list for aaa commands for dot1x and network"?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Is there a standardized config that I'm unaware of?&lt;/P&gt;</description>
      <pubDate>Mon, 17 Jun 2019 18:33:06 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mab-issue-auth-session-immediately-fails-mab-method/m-p/3874500#M24779</guid>
      <dc:creator>CDavidson21</dc:creator>
      <dc:date>2019-06-17T18:33:06Z</dc:date>
    </item>
  </channel>
</rss>

