https://community.cisco.com/t5/network-access-control/ise-mab-issue/m-p/2936670#M37942 <P>Hello,</P> <P></P> <P>I am working on site now and I faced aproblem with mac authentication bypass,,</P> <P></P> <P>I work on ISE&nbsp;SNS-3415-K9, with version&nbsp;2.0.0.306, in deployment mode Active/standby,&nbsp;</P> <P>The ISE make the profiling through snmp messages and DHCP.</P> <P></P> <P>in the most of switches the MAB work properly,</P> <P>but unfortunately I faced an issue in some switches.</P> <P><STRONG>&gt;&gt; the ISE can't discover the mac of some endpoint, then the MAB fail, even I enter the MAC address of the endpoint manually, the MAB failed.</STRONG></P> <P><STRONG></STRONG></P> <P><STRONG></STRONG>kindly check the following configuration on switch</P> <P></P> <P></P> <P></P> <P></P> <P>ip http server<BR />ip http secure-server</P> <P>ip device tracking</P> <P>epm logging<BR />logging origin-id ip</P> <P>dot1x system-auth-control</P> <P><BR />aaa authentication dot1x default group radius<BR />aaa authorization network default group radius<BR />aaa authorization auth-proxy default group radius<BR />aaa accounting dot1x default start-stop group radius<BR />aaa accounting update periodic 5<BR />!<BR />aaa accounting update periodic 5<BR />aaa accounting system default start-stop group radius<BR />!<BR />aaa server radius dynamic-author <BR />client 10.255.255.13 server-key P@ssw0rd<BR />client 10.255.255.14 server-key P@ssw0rd</P> <P><BR />radius-server attribute 6 on-for-login-auth<BR />no radius-server attribute 8 include-in-access-req<BR />no radius-server attribute 25 access-request include<BR />no radius-server dead-criteria time 120 tries 10</P> <P></P> <P>no radius-server key 0&nbsp;P@ssw0rd<BR />no radius-server host 10.255.255.13 auth-port 1812 acct-port 1813<BR />no radius-server host 10.255.255.14 auth-port 1812 acct-port 1813<BR />no radius-server host 10.255.255.13 test username ise_probe idle-time 30<BR />no radius-server host 10.255.255.14 test username ise_probe idle-time 30</P> <P>no radius-server vsa send accounting<BR />no radius-server vsa send authentication</P> <P>no ip radius source-interface vlan300</P> <P>no dot1x system-auth-control</P> <P>no logging host 10.255.255.13 transport udp port 20514<BR />logging host 10.255.255.14 transport udp port 20514</P> <P>snmp-server host 10.255.255.14 version 2c&nbsp;P@ssw0rd<BR />snmp-server host 10.255.255.13 version 2c&nbsp;P@ssw0rd</P> <P><BR /><BR /></P> <P>interface GigabitEthernet0/2</P> <P></P> <P>switchport<BR /> switchport mode access<BR /> authentication host-mode multi-host<BR /> authentication order mab<BR /> authentication priority mab<BR /> authentication port-control auto<BR /> authentication periodic<BR /> authentication timer reauthenticate server<BR /> mab<BR />end</P> <P></P> <P></P> <P></P> <P>&gt;&gt; Also, when I open the radius log file, a failed authentication message appear even I insert the MAC manually.</P> <P><EM><STRONG>Please note the ise probe in the username field</STRONG></EM>&nbsp;</P> <P></P> <P><STRONG><EM></EM></STRONG>Kindly check the attached screenshots</P> Mon, 11 Mar 2019 07:09:01 GMT amrelquasaby 2019-03-11T07:09:01Z https://community.cisco.com/t5/network-access-control/ise-mab-issue/m-p/2936670#M37942 ISE MAB failure cause of missing of MAC Mon, 11 Mar 2019 07:09:01 GMT https://community.cisco.com/t5/network-access-control/ise-mab-issue/m-p/2936670#M37942 amrelquasaby 2019-03-11T07:09:01Z https://community.cisco.com/t5/network-access-control/ise-mab-issue/m-p/2936671#M37945 <P>where does all those "no" statements come from?????</P> <P>no radius-server attribute 8 include-in-access-req<BR />no radius-server attribute 25 access-request include<BR />no radius-server dead-criteria time 120 tries 10</P> <P>no radius-server key 0&nbsp;P@ssw0rd<BR />no radius-server host 10.255.255.13 auth-port 1812 acct-port 1813<BR />no radius-server host 10.255.255.14 auth-port 1812 acct-port 1813<BR />no radius-server host 10.255.255.13 test username ise_probe idle-time 30<BR />no radius-server host 10.255.255.14 test username ise_probe idle-time 30</P> <P>no radius-server vsa send accounting<BR />no radius-server vsa send authentication</P> <P>no ip radius source-interface vlan300</P> <P>no dot1x system-auth-control</P> <P></P> <P></P> <P></P> Fri, 14 Oct 2016 07:39:11 GMT https://community.cisco.com/t5/network-access-control/ise-mab-issue/m-p/2936671#M37945 pieterh 2016-10-14T07:39:11Z https://community.cisco.com/t5/network-access-control/ise-mab-issue/m-p/2936672#M37951 <P>@pieterh</P> <P>The No before commands is putted by accident.</P> Fri, 14 Oct 2016 16:25:33 GMT https://community.cisco.com/t5/network-access-control/ise-mab-issue/m-p/2936672#M37951 Ahmed 2016-10-14T16:25:33Z https://community.cisco.com/t5/network-access-control/ise-mab-issue/m-p/2936673#M37957 <P>Hello Amr,</P> <P>it seems the identity source sequence which ISE match on it NOT include Internal Endpoints, please double check the <SPAN>identity source sequence which you used for Authenticating users including Internal&nbsp;Endpoints.</SPAN></P> Fri, 14 Oct 2016 16:27:48 GMT https://community.cisco.com/t5/network-access-control/ise-mab-issue/m-p/2936673#M37957 Ahmed 2016-10-14T16:27:48Z https://community.cisco.com/t5/network-access-control/ise-mab-issue/m-p/2936674#M37959 <P>Ahmed,</P> <P></P> <P>Kindly be informed that the authentication policy check for Internal Endpoints only, although the logs file check for&nbsp;<SPAN>All_User_ID_Stores, that is not found in the policy.</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN></SPAN></P> Sun, 16 Oct 2016 12:34:28 GMT https://community.cisco.com/t5/network-access-control/ise-mab-issue/m-p/2936674#M37959 amrelquasaby 2016-10-16T12:34:28Z https://community.cisco.com/t5/network-access-control/ise-mab-issue/m-p/2936675#M37969 <P>Ok, that's clear</P> <P></P> <P>back to the real issue.</P> <P>your MAC-address is not recognized as MAC address</P> <P>that's why the MAB rule is not activated, but the default rule</P> <P>and the default rule checks all users identity stores, not the internal endpoints.</P> <P></P> <P>I'm missing some lines in&nbsp;the switch config:</P> <P>&nbsp;&nbsp;&nbsp;&nbsp; radius-server attribute 31 mac format ietf</P> <P>transforms the xxxx.xxxx.xxxx mac adrress to xx-xx-xx-xx-xx-xx format in the radius packet sent from switch to ISE</P> <P>maybe this helps</P> <P></P> <H2 class="topictitle2">radius-server attribute 31 mac format</H2> <SECTION> <SECTION class="section"><A name="wp3633954949__GUID-0D673E25-F5B5-4100-B9AF-375EDCD693D1"></A><!-- --> <P>To configure a nondefault MAC address format in the calling line ID (CLID) of a DHCP accounting packet, use the <SPAN class="synph"><SPAN class="kwd">radius-server</SPAN> <SPAN class="kwd">attribute</SPAN> <SPAN class="kwd">31</SPAN> <SPAN class="kwd">mac</SPAN> <SPAN class="kwd">format</SPAN></SPAN> command in global configuration mode. To revert to the default MAC address format, use the <SPAN class="synph"><SPAN class="kwd">no</SPAN></SPAN> form of this command.</P> </SECTION> <SECTION class="section"><A name="wp3633954949__GUID-E036BD65-B00F-432D-9C60-30AC2C7C1FE8"></A><!-- --> <SECTION> <P><B>radius-server</B><!--null--> <B>attribute</B><!--null--> <B>31</B><!--null--> <B>mac</B><!--null--> <B>format</B><!--null--> { <B>default </B> | <B>ietf</B><!--null--> [ <B>lower-case </B><B> | upper-case</B> ] <!--null--> <B> | unformatted</B> }</P> <P><B>no</B><!--null--> <B>radius-server</B><!--null--> <B>attribute</B><!--null--> <B>31</B><!--null--> <B>mac</B><!--null--> <B>format</B><!--null--> { <B>default </B> | <B>ietf</B><!--null--> [ <B>lower-case </B><B> | upper-case</B> ] <!--null--> <B> | unformatted</B> }</P> </SECTION> </SECTION> <SECTION class="section"><A name="wp3633954949__GUID-ACC3F63F-8E60-494B-A7F8-1C5D5D7B3F20"></A><!-- --> <H2 class="sectiontitle">Syntax Description</H2> <SECTION class="tablenoborder"><A name="wp3633954949__GUID-478FDC1E-A189-4215-AFA9-F20E3E9367B5"></A><!-- --> <TABLE width="90%" bordercolor="#808080" border="1" rules="all" frame="border" cellspacing="0" cellpadding="3" summary=""> <TBODY> <TR> <TD class="cellrowborder" valign="top"> <P><SPAN class="synph"><SPAN class="kwd">default</SPAN></SPAN></P> </TD> <TD class="cellrowborder" valign="top"> <P>Sets the MAC address format to the default format (for example, aaaa.bbbb.cccc).</P> </TD> </TR> <TR> <TD class="cellrowborder" valign="top"> <P><SPAN class="synph"><SPAN class="kwd">ietf</SPAN></SPAN></P> </TD> <TD class="cellrowborder" valign="top"> <P>Sets the IETF format for MAC addresses (for example, aa-aa-bb-bb-cc-cc).</P> </TD> </TR> </TBODY> </TABLE> </SECTION> </SECTION> </SECTION> Mon, 17 Oct 2016 14:53:18 GMT https://community.cisco.com/t5/network-access-control/ise-mab-issue/m-p/2936675#M37969 pieterh 2016-10-17T14:53:18Z