DATA Domain MAB Failure; VOICE Domain Succeeds

Terence Lockette — Tue, 30 Apr 2019 22:04:20 GMT

Hello everyone,

I'm in the process of testing ISE on a switch that is currently in production. I had a phone and laptop connected to a port and configured that port only for AAA. The rest of the switch is bootstrapped with all required AAA/RADIUS commands. However, I'm getting the following log messages:

.Apr 30 21:10:54.146: %LINK-3-UPDOWN: Interface FastEthernet0/14, changed state to down
.Apr 30 21:10:55.748: %AUTHMGR-5-START: Starting 'mab' for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000056792A7B
.Apr 30 21:10:55.824: %MAB-5-FAIL: Authentication failed for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000056792A7B
.Apr 30 21:10:55.832: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000056792A7B
.Apr 30 21:10:55.832: %AUTHMGR-5-FAIL: Authorization failed for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000056792A7B
.Apr 30 21:10:56.856: %LINK-3-UPDOWN: Interface FastEthernet0/14, changed state to up
.Apr 30 21:10:57.862: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/14, changed state to up
.Apr 30 21:11:08.122: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/14, changed state to down
.Apr 30 21:11:09.128: %LINK-3-UPDOWN: Interface FastEthernet0/14, changed state to down
.Apr 30 21:11:11.762: %AUTHMGR-5-START: Starting 'mab' for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
.Apr 30 21:11:11.796: %MAB-5-FAIL: Authentication failed for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
.Apr 30 21:11:11.804: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
.Apr 30 21:11:11.804: %AUTHMGR-5-FAIL: Authorization failed for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
.Apr 30 21:11:12.693: %LINK-3-UPDOWN: Interface FastEthernet0/14, changed state to up
.Apr 30 21:11:13.700: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/14, changed state to up
.Apr 30 21:11:13.843: %AUTHMGR-5-START: Starting 'mab' for client (0800.0fb2.de2f) on Interface Fa0/14 AuditSessionID C0A83C0D000000035679748A
.Apr 30 21:11:13.876: %MAB-5-SUCCESS: Authentication successful for client (0800.0fb2.de2f) on Interface Fa0/14 AuditSessionID C0A83C0D000000035679748A
.Apr 30 21:11:13.885: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0800.0fb2.de2f) on Interface Fa0/14 AuditSessionID C0A83C0D000000035679748A
.Apr 30 21:11:14.891: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0800.0fb2.de2f) on Interface Fa0/14 AuditSessionID C0A83C0D000000035679748A
.Apr 30 21:12:12.638: %MAB-5-FAIL: Authentication failed for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
.Apr 30 21:12:12.647: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
.Apr 30 21:12:12.647: %AUTHMGR-5-FAIL: Authorization failed for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
.Apr 30 21:13:13.448: %MAB-5-FAIL: Authentication failed for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
.Apr 30 21:13:13.448: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
.Apr 30 21:13:13.456: %AUTHMGR-5-FAIL: Authorization failed for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
*Aug 19 11:24:19.481: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.2.138.253:1812,1813 is not responding.
*Aug 19 11:24:19.490: %MAB-5-FAIL: Authentication failed for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0E00000010730736D6
*Aug 19 11:24:19.507: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0E00000010730736D6
*Aug 19 11:24:19.507: %AUTHMGR-5-FAIL: Authorization failed for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0E00000010730736D6
*Aug 19 11:24:35.781: %ILPOWER-5-IEEE_DISCONNECT: Interface Fa0/14: PD removed
*Aug 19 11:24:36.024: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/14, changed state to down
*Aug 19 11:24:37.022: %LINK-3-UPDOWN: Interface FastEthernet0/14, changed state to down
*Aug 19 11:25:16.172: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.2.138.252:1812,1813 is being marked alive.

Notice that it appears that the RADIUS server is marked dead when the phone and laptop connects to the port. When the clients are disconnected, the server is marked alive again. I know my ISE configuration and policies are correct because everything works perfect from a switch that runs IOS version 15. The switch generating the logs above is running 12.2(55)SE12. What's more is that the phone passes MAB authentication but the laptop behind it fails. I have confirmed that the aaa server state was up but soon went down when the port status change from down to up. When the client disconnects the server status changes back to up. Even more, when I check my ISE RADIUS logs, I see that both phone and PC MAC is hitting the correct policy for authc & authz but my tester couldn't pull our guest hotspot AUP page.

The port config in question is as follows (please note that I tried it with and without the event server dead commands but still no difference):

interface FastEthernet0/14
description *** Shortel Phones DHCP ***
switchport access vlan 60
switchport mode access
switchport nonegotiate
switchport voice vlan 30
ip device tracking maximum 2
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication event server dead action authorize vlan 30
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication open
authentication order mab
authentication priority mab
authentication port-control auto
authentication violation restrict
mab
mls qos trust cos
storm-control broadcast level 20.00
storm-control action shutdown
auto qos trust
spanning-tree portfast
spanning-tree bpduguard enable
end

This is the same config commands I use on the 3560CX 8 port switch I use for testing. Could this be an IOS bug I'm running into?

Thanks,

Terence

Re: DATA Domain MAB Failure; VOICE Domain Succeeds

hslai — Wed, 01 May 2019 00:26:36 GMT

ISE 2.6 NAD Compatibility > Validated Cisco Access Switches shows IOS 15.2(3)E is the minimal required for 3560-CX to work with ISE.

Re: DATA Domain MAB Failure; VOICE Domain Succeeds

Terence Lockette — Wed, 01 May 2019 01:46:17 GMT

Hello,

MAB works perfectly with my 3560CX. Its the 2960 that the logs I shared are coming from. It runs 12.2(55)SE12.

Re: DATA Domain MAB Failure; VOICE Domain Succeeds

Terence Lockette — Wed, 01 May 2019 02:05:28 GMT

Also, I'm running ISE 2.3 patch 6

Re: DATA Domain MAB Failure; VOICE Domain Succeeds

Terence Lockette — Wed, 01 May 2019 02:12:51 GMT

I did find this URL and see that there is limited support for Guest and no support for Guest Originating URL for minimum version 12.2(55)SE5.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/compatibility/ise_sdt.html#13367

I'm assuming this limited support is why I'm running into this issue?

Re: DATA Domain MAB Failure; VOICE Domain Succeeds

Francesco Molino — Wed, 01 May 2019 14:45:28 GMT

Hi,

Can you share the config of your port and some screenshots of ISE configuration?

Re: DATA Domain MAB Failure; VOICE Domain Succeeds

Terence Lockette — Wed, 01 May 2019 15:21:17 GMT

My port config is in my original post. I'm out of the office today so I won't be able to get the ISE screen shots until tomorrow.

Again, the issue isn't ISE because I see success attempts and the correct AuthZ profile for the MAC the switch is showing failed AuthC messages. The issue has to be the 2960 switch. All works perfectly fine from my 3560CX with no changes to my ISE policies.

Re: DATA Domain MAB Failure; VOICE Domain Succeeds

ldanny — Thu, 02 May 2019 07:13:19 GMT

Please open TAC case regarding your switch.

I will close this thread as it is not due to ISE.

Re: DATA Domain MAB Failure; VOICE Domain Succeeds

Terence Lockette — Thu, 02 May 2019 12:18:59 GMT

No TAC assistance needed. The IOS 12.2(55)SE image was indeed the cause of the issue. I upgraded the image to 15.0 for my 2960 PST-L and now it's authenticating both domains rather than just the voice domain.

topic Re: DATA Domain MAB Failure; VOICE Domain Succeeds in Network Access Control

DATA Domain MAB Failure; VOICE Domain Succeeds

Re: DATA Domain MAB Failure; VOICE Domain Succeeds

Re: DATA Domain MAB Failure; VOICE Domain Succeeds

Re: DATA Domain MAB Failure; VOICE Domain Succeeds

Re: DATA Domain MAB Failure; VOICE Domain Succeeds

Re: DATA Domain MAB Failure; VOICE Domain Succeeds

Re: DATA Domain MAB Failure; VOICE Domain Succeeds

Re: DATA Domain MAB Failure; VOICE Domain Succeeds

Re: DATA Domain MAB Failure; VOICE Domain Succeeds