topic Re: Authentication method ISE 2.4 in Network Access Control

Authentication method ISE 2.4

BigK — Thu, 05 Sep 2019 16:52:17 GMT

Can someone please explain why the authentication details report shows the authentication method is mab, but the switch shows as dot1x ? The phone's Mac is part of the mab list but the PC is part of AD.

Re: Authentication method ISE 2.4

Mike.Cifelli — Thu, 05 Sep 2019 18:06:00 GMT

Can you share your interface configs? Can you also share the output of:
#show auth sess int g4/0/34 detail
My assumption is that you have configured something along these lines:
#authentication host-mode multi-auth
This lets you authenticate a client for voice vlan and several authenticated clients on data vlan.
OR
#authentication host-mode multi-domain
This lets you authenticate a host and voice device on an 8021x authenticated port.
Have you attempted to clear auth, then check the ISE live logs again to see if that has changed? Very strange.

Re: Authentication method ISE 2.4

BigK — Thu, 05 Sep 2019 19:34:16 GMT

Thanks for the quick reply, Mike.

Here is the output of show auth
#show auth sess int g4/0/34 detail
Interface: GigabitEthernet4/0/34
IIF-ID: 0x469B67B0
MAC Address: a44c.c86e.5226
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: domain\user
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A166419000007A301B881B3
Acct Session ID: 0x000007d6
Handle: 0x72000799
Current Policy: POLICY_Gi4/0/34

Server Policies:
Security Policy: None
Security Status: Link Unsecured

Method status list:
Method State
mab Stopped
dot1x Authc Success

----------------------------------------

Interface: GigabitEthernet4/0/34
IIF-ID: 0x4B18BE9A
MAC Address: c4b9.cdb5.4b1c
IPv6 Address: Unknown
IPv4 Address: x.x.x.x
User-Name: C4-B9-CD-B5-4B-1C
Status: Authorized
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Common Session ID: 000000000000008943C9F979
Acct Session ID: 0x00000022
Handle: 0xc700007f
Current Policy: POLICY_Gi4/0/34

Server Policies:
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-57f6b0d3

Method status list:
Method State
mab Authc Success

Re: Authentication method ISE 2.4

Mike.Cifelli — Fri, 06 Sep 2019 13:26:49 GMT

For the data host what supplicant are you using? What type of EAP protocol are you using for 8021x? What was your result of running clear auth sess int g4/0/34? Do the ISE logs still report same weirdness?

Re: Authentication method ISE 2.4

Colby LeMaire — Fri, 06 Sep 2019 13:46:02 GMT

The only thing that would make sense is that it is authenticating with MAB first and then 802.1x is kicking in and authenticating that way. ISE Radius Live Logs probably shows both authentications as succeeded. Check the Live Logs and filter on the Endpoint ID (MAC Address). This would happen if your interface configuration is setup to do MAB first with the command "authentication order mab dot1x". And then you probably have "authentication priority dot1x mab" which means that it will do MAB but if an EAPOL frame is seen from the client, the switch will stop MAB immediately and start the dot1x process.

If you are doing IBNS 2.0, then the configuration is probably trying both MAB and 802.1x at the same time. Again, verify your ISE Live Logs to see if there are multiple entries for the same MAC address (Endpoint ID).

Re: Authentication method ISE 2.4

kthiruve — Mon, 09 Sep 2019 20:29:49 GMT

Thank you both Mike and Colby. Nice suggestions.

-Krishnan