topic Yes, show auth sessions shows in Network Access Control

MAB not acquiring MAC for certain devices

Mon, 11 Mar 2019 07:54:30 GMT

I’m in the process of testing an 802.1X deployment, and using MAB for the devices that aren't compatible. I’ve found that with some devices (an AMX controller and a USB print server), the switch interfaces will just remain in the “mab_acquiring” state regardless of the traffic being transmitted by these devices, which I have captured and checked. Other identical devices work fine on other interfaces of the same switch with the same configuration. The problem also follows these devices if I move them to another interface. There are no ACLs on this switch.

The switch stack is made up of three WS-C3750X-48P running 15.0(2)SE with a lanbase license.

The interface MAB configuration is nothing special, and looks like this:

interface GigabitEthernet2/0/12
 switchport mode access
 authentication control-direction in
 authentication port-control auto
 mab
 spanning-tree portfast
end

Running debug mab all gives:

004378: Aug 2 10:45:11 GMT: mab-ev(Gi2/0/12): Received MAB context create from AuthMgr
004379: Aug 2 10:45:11 GMT: mab-ev(Gi2/0/12): Created MAB client context 0xEE000009
004380: Aug 2 10:45:11 GMT: mab : initial state mab_initialize has enter
004381: Aug 2 10:45:11 GMT: mab-sm(Gi2/0/12): Received event 'MAB_START' on handle 0xEE000009
004382: Aug 2 10:45:11 GMT: mab : during state mab_initialize, got event 4(mabStart)
004383: Aug 2 10:45:11 GMT: @@@ mab : mab_initialize -> mab_acquiring

And it then never progresses from this for the problem devices.

I'd be grateful for any suggestions,

Bryce

Do you also see something

agrissimanis — Thu, 03 Aug 2017 09:44:11 GMT

Do you also see something like this in "show auth sessions" for the affected devices?

Fa0/01     (unknown)       mab      UNKNOWN  Running        0A2C1FA30000297E399CF2E8

I usually see UNKNOWN and Running from "show auth sessions"output, together with "mab_initialize -> mab_acquiring" from the debug output, when the port is up, but there is no MAC address on the port. This could be due to device NIC issues, desktop PCs in standby mode, etc.

It is different if the endpoint is up and passing traffic, as in your case. I had few times when this problem also appears even if there is MAC address on the port. This was on 3560 switches running 12.2(55)SE8/9 and also 3750 running early 15.0.2SE versions. IOS upgrade seemed to fix the problem.

The recommended IOS versions for the recent ISE releases are generally 15.2(2)E and above. Would you be able to upgrade the IOS?

Yes, show auth sessions shows

Thu, 03 Aug 2017 14:17:12 GMT

Yes, show auth sessions shows this for the problem devices:

Gi2/0/12   (unknown)       mab      UNKNOWN  Running        0000000000002550092A6855

This in theory would indicate that there's no traffic, but at the same time if I mirror the ports, I can capture traffic coming from any of the problem devices, such as IP broadcasts every 5s from the AMX controller, and SMB host announcements from the USB print server every 60s.

I tried the two problem devices on a switch running 15.2(1)E1, which seemed to fix the issue with the USB print server, but not the AMX controller.

It does seem like it's an issue with IOS, and I'll need to see if I can upgrade to something slightly newer.

Thanks,

Bryce

Upgraded IOS to 15.2(4)E3

Wed, 09 Aug 2017 10:32:20 GMT

Upgraded IOS to 15.2(4)E3 last night, and it's fixed this and some other 802.1X weirdness I've been fighting with.