topic MAB authentication fails in Network Access Control

MAB authentication fails

lni1 — Thu, 24 Jan 2019 10:05:46 GMT

Dear Community,

We are doing a MAB POC as we speak to enhance our level of port security for exotic non-dot1x devices.

Our testdevice is a IE3000 8p industrial switch with Version 15.2(2)E4 (preferred IOS version for communication with ISE 2.2).

When booting the device MAB authentication works 100% of time.

When doing a shut/no shut of the network port or removing/inserting the network cable, in most of the cases MAB authentication fails and there is no more mac address of the end device in the mac address table.

The only way to make things work again is a reboot of the device.

interface FastEthernet1/1
description ## Tel + PC dot1x mab ##
switchport access vlan 666
switchport mode access
switchport voice vlan 667
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication control-direction in
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 43200
mab
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 5
auto qos trust
no mdix auto
storm-control broadcast level 60.00
storm-control action shutdown
storm-control action trap
macro description MAB
ip dhcp snooping limit rate 10
ip dhcp snooping trust
end

In attach you can find 2 debug files (debug mab all & debug authentication all)

Kind regards,

Lieven Stubbe

Belgian railways

Re: MAB authentication fails

Jason Kunst — Thu, 24 Jan 2019 12:13:57 GMT

This looks like a switching issue and nothing to do with ISE. Would recommend querying them as well

Re: MAB authentication fails

Sheraz.Salim — Thu, 24 Jan 2019 13:46:16 GMT

your config should be in this order

authentication event fail next-method

(optional-command authentication host-mode |single-host|multi-auth)
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 43200
mab
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 5
auto qos trust
no mdix auto
storm-control broadcast level 60.00
storm-control action shutdown
storm-control action trap
macro description MAB
ip dhcp snooping limit rate 10
ip dhcp snooping trust
end

Re: MAB authentication fails

lni1 — Fri, 25 Jan 2019 08:05:03 GMT

Already tried to change the authentication order, also tried serveral other options as proposed by the community:

The problem is that when doing a shut/no shut or cable disconnect the switch loses the mac address of the end client and is unable to retrieve it again.

Debug authentication all:

Jan 25 08:55:55: AUTH-EVENT: [Fa1/1] Link UP
Jan 25 08:55:55: AUTH-EVENT: [Fa1/1] No authorized client found in domain [DATA]
Jan 25 08:55:55: AUTH-EVENT: [Fa1/1] Domain authorized client count: 0
Jan 25 08:55:55: AUTH-EVENT: [Fa1/1] No authorized client found in domain [DATA]
Jan 25 08:55:55: AUTH-EVENT: [Fa1/1] Domain authorized client count: 0
Jan 25 08:55:55: AUTH-EVENT: [Fa1/1] Link UP
Jan 25 08:55:55: AUTH-EVENT: [Fa1/1] Link already UP - ignoring

Does end client devices need to meet certain requirements to be able to do MAB? (EAPOL,...). With our laptops/desktops we never experience this behaviour, it's only with more "exotic" devices our switches seem to lose the MAC address over time

Re: MAB authentication fails

Sheraz.Salim — Fri, 25 Jan 2019 08:58:44 GMT

Does end client devices need to meet certain requirements to be able to do MAB? (EAPOL,...)

why dont you run a packet capture and check if the EAPOL values from the both end.

Re: MAB authentication fails

lni1 — Fri, 25 Jan 2019 13:51:20 GMT

We ran a packet capture and saw that the device had a fix Ip

The moment we changed it to DHCP, MAB works.

When we reconnect the cable, a DHCP discover is send out, and the MAC is learned by the switch, which can be used for MAB procedure.

Re: MAB authentication fails

Sheraz.Salim — Fri, 25 Jan 2019 14:21:12 GMT

Interesting. so your issue is fixed?

do not forget to rate

Re: MAB authentication fails

ldanny — Sun, 27 Jan 2019 08:21:42 GMT

It sounds as if your hitting a bug on the switch side and this has nothing to do with ISE , especially if you modified your end point to DHCP and suddenly you have a mac entry in your mac table.

Re: MAB authentication fails

lni1 — Mon, 28 Jan 2019 10:20:23 GMT

We are running IE3000 8p industrial switch with Version 15.2(2)E4 (preferred IOS version for communication with ISE 2.2), if we can't even trust preferred Cisco versions anymore?

Excerpt from the Cisco doc: "During the MAC address learning stage, the switch begins MAB by opening the port to accept a single packet from which it will learn the source MAC address of the endpoint"

So if we do DHCP we see a "DHCP discover" packet, when we do IP fix we see no packets at all, the switch need to have a certain packet from the end device to learn the MAC or are there other options?

Kind regards,

Lieven Stubbe

Belgian railways

Re: MAB authentication fails

x00008037 — Wed, 17 Jul 2019 03:06:17 GMT

HI This seems to be a common issue with MAB and "quiet" endpoints espically static endpoint's.. IE endpoints that dont send a lot of traffic hence no mac address on the swtich port hence no auth session.

We had this issues and we fixed it by running "authentication control auth direction in" on the swtich port..

This allow broadcast,arps etc into the switch port and hence prompting the endpoint to reply and send its source mac to the switch .