<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: MAB not working in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4281366#M565085</link>
    <description>&lt;P&gt;thanks a lot,&amp;nbsp;&lt;/P&gt;&lt;P&gt;the command is&amp;nbsp;&lt;/P&gt;&lt;P&gt;authentication timer inactivity {seconds | server}&lt;/P&gt;</description>
    <pubDate>Thu, 28 Jan 2021 13:52:00 GMT</pubDate>
    <dc:creator>MHM Cisco World</dc:creator>
    <dc:date>2021-01-28T13:52:00Z</dc:date>
    <item>
      <title>MAB not working</title>
      <link>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4273372#M564807</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;we are using 802.1x to authenticate our clients.&lt;/P&gt;&lt;P&gt;As a fallback and for foreign devices we are using MAB.&lt;/P&gt;&lt;P&gt;Now we often encounter the issue that MAB is also not working.&lt;/P&gt;&lt;P&gt;The authentication session does not start at all and there is no MAC address visible.&lt;/P&gt;&lt;P&gt;As soon as we disable the authentication, the device can be connected successfully, MAC is visible etc.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We have met this issue with different devices (e.g. Raspberry Pi, printer) and on different platforms (e.g. 4506E, C9300).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Is anybody else facing such issues who may be able to provide a solution?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks and best regards&lt;/P&gt;&lt;P&gt;Stefan&lt;/P&gt;</description>
      <pubDate>Fri, 15 Jan 2021 16:58:52 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4273372#M564807</guid>
      <dc:creator>Stefan E.</dc:creator>
      <dc:date>2021-01-15T16:58:52Z</dc:date>
    </item>
    <item>
      <title>Re: MAB not working</title>
      <link>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4273378#M564808</link>
      <description>&lt;P&gt;Please provide further information so the forum can better assist.&amp;nbsp; Information including switch config (interface/mab/dot1x/aaa configs).&amp;nbsp; Have you run any debugs to further troubleshoot that you can share? Can you share any detailed RADIUS live logs from MAB failures?&lt;/P&gt;</description>
      <pubDate>Fri, 15 Jan 2021 17:09:51 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4273378#M564808</guid>
      <dc:creator>Mike.Cifelli</dc:creator>
      <dc:date>2021-01-15T17:09:51Z</dc:date>
    </item>
    <item>
      <title>Re: MAB not working</title>
      <link>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4273507#M564809</link>
      <description>&lt;P&gt;Depends on&lt;/P&gt;&lt;P&gt;priority and order,&lt;/P&gt;&lt;P&gt;share the config if you can.&lt;/P&gt;</description>
      <pubDate>Fri, 15 Jan 2021 20:32:04 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4273507#M564809</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2021-01-15T20:32:04Z</dc:date>
    </item>
    <item>
      <title>Re: MAB not working</title>
      <link>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4273544#M564811</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;of course I can share some more details:&lt;/P&gt;&lt;P&gt;Here is the interface config:&lt;/P&gt;&lt;PRE&gt;interface GigabitEthernet3/37
 description [...]
 switchport access vlan 116
 switchport mode access
 switchport voice vlan 70
 authentication event fail action next-method
 authentication event server dead action authorize vlan 116
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize 
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 2
 dot1x max-req 4
 spanning-tree portfast
 ip dhcp snooping limit rate 50
end&lt;/PRE&gt;&lt;P&gt;In general, the authentication is working, as you can see here (other Ports on the same switch working fine with MAB and 802.1x):&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;Switch#sh authentication sessions interface 

Interface    MAC Address    Method  Domain  Status Fg Session ID
Gi2/37       e4e7.--------  dot1x   DATA    Auth      8D82[....]F4
Gi3/38       48ba.--------  mab     DATA    Auth      8D82[....]B4
Gi3/38       dca6.--------  mab     DATA    Auth      8D82[....]8C
Gi3/11       f430.--------  dot1x   DATA    Auth      8D82[....]64
Gi3/9        80e8.--------  dot1x   DATA    Auth      8D82[....]48
Gi3/8        c434.--------  dot1x   DATA    Auth      8D82[....]60
Gi3/38       309c.--------  mab     DATA    Auth      8D82[....]E4
Gi3/38       0080.--------  mab     DATA    Auth      8D82[....]A8
Gi2/29       901b.--------  mab     DATA    Auth      8D82[....]4C
Gi2/11       5838.--------  mab     DATA    Auth      8D82[....]D8
Gi3/14       0008.--------  dot1x   DATA    Auth      8D82[....]04
Gi3/13       1062.--------  dot1x   DATA    Auth      8D82[....]18

Session count = 12

Key to Session Events Blocked Status Flags:

  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  N - Waiting for AAA to come up
  P - Pushed Session
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;But if I enable authentication of the port shown at the beginning of this post, nothing happens:&lt;/P&gt;&lt;PRE&gt;Switch#sh mac address-table interface Gi3/37
No entries present.

Switch#sh authentication sessions interface Gi3/37
No sessions match supplied criteria.

Runnable methods list:
  Handle  Priority  Name
    17       5      dot1x
    18       10     mab
    20       15     webauth&lt;/PRE&gt;&lt;P&gt;Same situation after waiting some minutes, some shut and no shuts and reload of the connected device.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;As soon as I remove the authentication:&lt;/P&gt;&lt;PRE&gt;Switch#sh mac address-table interface GigabitEthernet3/37
Unicast Entries
 vlan     mac address     type        protocols               port
---------+---------------+--------+---------------------+-------------------------
 116      dca6.----------   dynamic ip                    GigabitEthernet3/37        &lt;/PRE&gt;&lt;P&gt;It seems no packet is received when authentication is enabled, and therefore the authentication will not start.&lt;/P&gt;&lt;P&gt;So I can't provide any logging from Cisco ISE.&lt;/P&gt;&lt;P&gt;But it makes no sense, because without authentication everything is fine.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Any ideas, or is more information needed?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Best regards&lt;/P&gt;&lt;P&gt;Stefan&lt;/P&gt;</description>
      <pubDate>Fri, 15 Jan 2021 21:48:41 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4273544#M564811</guid>
      <dc:creator>Stefan E.</dc:creator>
      <dc:date>2021-01-15T21:48:41Z</dc:date>
    </item>
    <item>
      <title>Re: MAB not working</title>
      <link>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4279928#M565022</link>
      <description>&lt;P&gt;Hi &lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/93611"&gt;@Stefan E.&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have seen some devices being very "quiet" when they connect to the network, especially older printers using external print servers. This means that the device will not send any packets out so no dot1x will be triggered. I had similar issues and the device would not send any packets for more than 5 minutes.&lt;/P&gt;&lt;P&gt;What might help you is to put the following command under the specific interface, "authentication control-direction in", and try to ping the device from another node. Also try to shut and no shut the interface after you apply authentication commands.&lt;/P&gt;&lt;P&gt;If you have the ability, perform a packet capture via a SPAN port while you have applied the authentication commands and have it running so as to see any packets sent to or from the device.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 26 Jan 2021 17:14:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4279928#M565022</guid>
      <dc:creator>Panos Bouras</dc:creator>
      <dc:date>2021-01-26T17:14:56Z</dc:date>
    </item>
    <item>
      <title>Re: MAB not working</title>
      <link>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4280042#M565027</link>
      <description>&lt;P&gt;..&lt;/P&gt;</description>
      <pubDate>Thu, 28 Jan 2021 03:33:03 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4280042#M565027</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2021-01-28T03:33:03Z</dc:date>
    </item>
    <item>
      <title>Re: MAB not working</title>
      <link>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4280044#M565028</link>
      <description>&lt;P&gt;I am now investigating this issue in depth, just give me some time.&lt;BR /&gt;OK friend &amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 27 Jan 2021 19:01:22 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4280044#M565028</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2021-01-27T19:01:22Z</dc:date>
    </item>
    <item>
      <title>Re: MAB not working</title>
      <link>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4280104#M565029</link>
      <description>&lt;P&gt;Hi Panos,&lt;/P&gt;&lt;P&gt;thanks for your feedback and your tips.&lt;/P&gt;&lt;P&gt;I was not aware of the mentioned command, will definitely try it.&lt;/P&gt;&lt;P&gt;But it's confusing, as I see the MAC address right after removing the authentication.&lt;/P&gt;&lt;P&gt;Doesn't that mean that the device is sending packets?&lt;/P&gt;&lt;P&gt;And we also met this issue even after a reload of the device (e.g. a printer), without success. I'm assuming that there should be traffic during the boot process in any case.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Best Regards&lt;/P&gt;&lt;P&gt;Stefan&lt;/P&gt;</description>
      <pubDate>Tue, 26 Jan 2021 21:27:34 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4280104#M565029</guid>
      <dc:creator>Stefan E.</dc:creator>
      <dc:date>2021-01-26T21:27:34Z</dc:date>
    </item>
    <item>
      <title>Re: MAB not working</title>
      <link>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4280107#M565030</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;thanks for your feedback.&lt;/P&gt;&lt;P&gt;I can try this as well, but if there were any authentication starting, I should see it in the logging or with the "sh authen session interface" command. But that's not the case. So why should it start MAB when it is not trying via 802.1x?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Best regards&lt;/P&gt;&lt;P&gt;Stefan&lt;/P&gt;</description>
      <pubDate>Tue, 26 Jan 2021 21:30:28 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4280107#M565030</guid>
      <dc:creator>Stefan E.</dc:creator>
      <dc:date>2021-01-26T21:30:28Z</dc:date>
    </item>
    <item>
      <title>Re: MAB not working</title>
      <link>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4280471#M565061</link>
      <description>&lt;P&gt;Hi Stefan,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If you have tried reloading the device then, assuming that it has a static IP, either the device is not initiating any packets or there's something wrong with the switch (bug?) or a probe that the switch sends causes the device to fall back?&lt;/P&gt;&lt;P&gt;I'm not sure if the switch will initiate any probes out of the port when it only sees the line going up without first receiving any packets from the endpoint.&lt;/P&gt;&lt;P&gt;A theory as to why you see the MAC address when you remove the authentication is that the port then has no restrictions and the device could receive packets and reply (e.g. to an ARP request). This is why I proposed to use the control direction in, so as to allow the device to receive packets and try to respond, allowing the switch to populate the MAC from the endpoint reply.&lt;/P&gt;&lt;P&gt;I would set up a packet capture for both scenarios and repeat the exact same steps in order to try to understand what's going on.&lt;/P&gt;&lt;P&gt;Then maybe try a different switch in terms of platform and version.&lt;/P&gt;</description>
      <pubDate>Wed, 27 Jan 2021 12:52:48 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4280471#M565061</guid>
      <dc:creator>Panos Bouras</dc:creator>
      <dc:date>2021-01-27T12:52:48Z</dc:date>
    </item>
    <item>
      <title>Re: MAB not working</title>
      <link>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4280935#M565071</link>
      <description>&lt;P&gt;I figured out the issue here:&amp;nbsp;&lt;BR /&gt;auth timer reauth server.&lt;BR /&gt;Here is what happens (I take a printer as an example):&lt;BR /&gt;1- SW sends an identity request; the printer does not respond to this request since it does not support 802.1x&lt;BR /&gt;2- SW starts learning the MAC address, and the first frame sent from the printer is the DHCP request,&lt;BR /&gt;3- SW sends this MAC to RADIUS to authenticate and RADIUS replies with success BUT&lt;BR /&gt;also with a reauth time.&lt;BR /&gt;4- SW starts sending and receiving on this port since the AuthC is successful&lt;BR /&gt;5- Printer now gets an IP from DHCP&lt;BR /&gt;6- SW reauth time ends and SW starts a new 802.1x and removes the MAC from the port&lt;BR /&gt;and it fails (as mentioned before, the printer does not support 802.1x), so it starts MAB&lt;BR /&gt;BUT BUT here&lt;BR /&gt;SW starts learning the MAC, but the printer does not send DHCP because it already has an IP, and it is also a quiet device, i.e. it receives orders but does not send frames&lt;BR /&gt;SW waits and waits,&lt;BR /&gt;no MAC is learned on this port and hence nothing happens.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;We can prove that this is the issue here:&amp;nbsp;&lt;BR /&gt;with the port that does not learn the MAC, we will force the printer to be reassigned a new IP from DHCP.&lt;BR /&gt;&lt;BR /&gt;Please can you check this point.&lt;BR /&gt;Note: please do that without shutting down the printer; shutting down the printer makes the SW reauth automatically and we cannot confirm that this is the issue here.&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;Solution:&lt;BR /&gt;there is an inactivity timer we can configure under each interface to which we connect a quiet device; this makes the SW, in case of inactivity only, relearn the MAC and start a new MAB process.&lt;/P&gt;</description>
      <pubDate>Wed, 27 Jan 2021 21:33:00 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4280935#M565071</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2021-01-27T21:33:00Z</dc:date>
    </item>
    <item>
      <title>Re: MAB not working</title>
      <link>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4281135#M565075</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1065752"&gt;@MHM Cisco World&lt;/a&gt;&amp;nbsp;- nice analysis - do you happen to have that command for the inactivity timer?&lt;/P&gt;</description>
      <pubDate>Thu, 28 Jan 2021 06:00:04 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4281135#M565075</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2021-01-28T06:00:04Z</dc:date>
    </item>
    <item>
      <title>Re: MAB not working</title>
      <link>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4281366#M565085</link>
      <description>&lt;P&gt;thanks a lot,&amp;nbsp;&lt;/P&gt;&lt;P&gt;the command is&amp;nbsp;&lt;/P&gt;&lt;P&gt;authentication timer inactivity {seconds | server}&lt;/P&gt;</description>
      <pubDate>Thu, 28 Jan 2021 13:52:00 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4281366#M565085</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2021-01-28T13:52:00Z</dc:date>
    </item>
    <item>
      <title>Re: MAB not working</title>
      <link>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4286376#M565285</link>
      <description>&lt;P&gt;Hi MHM Cisco World,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;wow. Thanks for your great analysis.&lt;/P&gt;&lt;P&gt;I'm not sure if this will definitely be the reason, but I will keep it in mind and check.&lt;/P&gt;&lt;P&gt;Till now we have met this issue on different platforms (C9300, 2960x, C4506-E) and different types of devices (e.g. a Raspberry Pi and an Audiocodes phone). The "control-direction in" did not solve the issue.&lt;/P&gt;&lt;P&gt;Even when we had this configured, the ping was not working and there was no MAC and no authentication visible.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Due to the current Corona home office situation I can't do a test with a SPAN port and packet capture at the moment.&lt;BR /&gt;I will try this as soon as the situation has changed.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks for your feedback.&lt;BR /&gt;I definitely appreciate all ideas on that topic.&lt;/P&gt;</description>
      <pubDate>Thu, 04 Feb 2021 20:56:54 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4286376#M565285</guid>
      <dc:creator>Stefan E.</dc:creator>
      <dc:date>2021-02-04T20:56:54Z</dc:date>
    </item>
    <item>
      <title>Re: MAB not working</title>
      <link>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4577141#M573619</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;This subject is very important to me because I am also having this issue.&lt;/P&gt;&lt;P&gt;Most of the endpoints authenticate correctly with MAB (these endpoints include computers, printers, RTUs, etc).&lt;/P&gt;&lt;P&gt;But in some cases, when connecting some Wave Quality Measure and a Deep Sea Electronics Generator, the behaviour of the CE is exactly the same as described by&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/93611"&gt;@Stefan E.&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This is a real example of an interface config:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;interface FastEthernet0/7&lt;BR /&gt;&amp;nbsp;authentication order mab dot1x&lt;BR /&gt;&amp;nbsp;authentication priority mab dot1x&lt;BR /&gt;&amp;nbsp;authentication port-control auto&amp;nbsp;&lt;BR /&gt;&amp;nbsp;mab&lt;BR /&gt;&amp;nbsp;dot1x pae authenticator&lt;BR /&gt;&amp;nbsp;dot1x timeout quiet-period 10&lt;BR /&gt;&amp;nbsp;dot1x timeout tx-period 10&lt;BR /&gt;&amp;nbsp;spanning-tree portfast edge&lt;BR /&gt;end&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;When I have this configured, &lt;STRONG&gt;no packets arrive on the interface&lt;/STRONG&gt;. If I remove this configuration and do a simple &lt;STRONG&gt;access vlan&amp;nbsp;&lt;/STRONG&gt;config, communication starts working.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I can't understand why this is happening and I have tried all the solutions proposed by&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1065752"&gt;@MHM Cisco World&lt;/a&gt;, without success.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you and best regards.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 23 Mar 2022 15:39:42 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4577141#M573619</guid>
      <dc:creator>tcatanho</dc:creator>
      <dc:date>2022-03-23T15:39:42Z</dc:date>
    </item>
    <item>
      <title>Re: MAB not working</title>
      <link>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4577464#M573629</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1307348"&gt;@tcatanho&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;What IOS / IOS-XE are you using?&lt;/P&gt;
&lt;P&gt;I have been working with C9300 IOS-XE 17.6.2 recently and I have found a very nice config that works for me&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I would say all the commands below make for a happy solution.&lt;/P&gt;
&lt;P&gt;If you have endpoints that don't send any Ethernet packets, then MAB will not be triggered. The end device needs to send *something* to cause MAB to start. And if you want the device to stay connected, then do not return a session timeout via ISE - the switch will apply a session timeout value of N/A - but the Accounting will be sent every 48 hours to keep ISE session DB and License DB happy.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;After applying the config to an interface, you sometimes have to "shut/no shut", or perform a "clear access-session int ..." to kick start the process. If the endpoint is still not creating a session (as seen in "show access-session int ...") then the client is the problem. In that case use static VLANs instead - and port security.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;PRE&gt;aaa new-model
!
!
aaa group server radius ISE
 server name nac1
 server name nac2
 deadtime 5
 retransmit 2
 timeout 5
 load-balance method least-outstanding
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting update newinfo periodic 2880
aaa accounting identity default start-stop group ISE
!
!
aaa session-id common
!
!
ip dhcp snooping vlan *** comma delimited list of VLANs to Snoop on *****
no ip dhcp snooping information option
ip dhcp snooping
!
!
!
epm logging
access-session attributes filter-list list FILTER_DS
 cdp
 lldp
 dhcp
access-session accounting attributes filter-spec include list FILTER_DS
device-tracking policy IPDT_POLICY
 security-level glean
 no protocol ndp
 no protocol udp
 tracking enable reachable-lifetime 10
!
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
 linksec policy must-secure
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
 linksec policy should-secure
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan
service-template DEFAULT_CRITICAL_DATA_TEMPLATE
service-template CRITICAL_VOICE_VLAN
 description ** Apply voice vlan on AAA Fail **
 voice vlan
service-template CRITICAL_AUTH_VLAN
 description ** Apply data vlan on AAA Fail **
 vlan ***critical_VLAN****
service-template RESTRICTED_AUTH_VLAN
 description ** Apply RESTRICTED vlan on AAA Fail **
 vlan **** restricted_VLAN****
service-template IA-TIMER
 description ** Apply inactivity timer and ARP probe **
 inactivity-timer 60 probe
dot1x system-auth-control
!
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match result-type aaa-timeout
 match authorization-status authorized
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
!
class-map type control subscriber match-all DOT1X
 match method dot1x
!
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_MEDIUM_PRIO
 match authorizing-method-priority gt 20
!
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all DOT1X_TIMEOUT
 match method dot1x
 match result-type method dot1x method-timeout
!
class-map type control subscriber match-any IN_CRITICAL_AUTH
 match activated-service-template RESTRICTED_AUTH_VLAN
 match activated-service-template CRITICAL_VOICE_VLAN
!
class-map type control subscriber match-all MAB
 match method mab
!
class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative
!
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
 match activated-service-template RESTRICTED_AUTH_VLAN
 match activated-service-template CRITICAL_VOICE_VLAN
!
!
policy-map type control subscriber IDENTITY-POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template RESTRICTED_AUTH_VLAN
   20 activate service-template CRITICAL_VOICE_VLAN
   30 authorize
   40 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  50 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 activate service-template RESTRICTED_AUTH_VLAN
   30 authorize
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template IA-TIMER
!
!
template 802.1X
 dot1x pae authenticator
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport access vlan ****restricted_VLAN****
 switchport mode access
 switchport nonegotiate
 trust device cisco-phone
 mab
 access-session host-mode multi-domain
 access-session closed
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber IDENTITY-POLICY
 description UserAccess 802.1X
 ip dhcp snooping limit rate 15
!

interface GigabitEthernet1/0/12
 description NAC Controlled Port
 switchport mode access
 switchport voice vlan ***voice_VLAN***
 device-tracking attach-policy IPDT_POLICY
 load-interval 30
 dot1x timeout tx-period 10
 no lldp transmit
 no lldp receive
 source template 802.1X
 spanning-tree portfast
!
ip radius source-interface ****vlan/interface****
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 2
radius-server deadtime 5
!
radius server nac1
 address ipv4 ***ISE1_IP*** auth-port 1812 acct-port 1813
 automate-tester username testuser idle-time 2
 key 0 ************
!
radius server nac2
 address ipv4 ***ISE2_IP*** auth-port 1812 acct-port 1813
 automate-tester username testuser idle-time 2
 key 0 *************
!

mac address-table notification change
no access-session mac-move deny
&lt;/PRE&gt;</description>
      <pubDate>Wed, 23 Mar 2022 22:36:18 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4577464#M573629</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2022-03-23T22:36:18Z</dc:date>
    </item>
    <item>
      <title>Re: MAB not working</title>
      <link>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4577468#M573631</link>
      <description>&lt;P&gt;I am interested in this case,&amp;nbsp;&lt;BR /&gt;can you show&amp;nbsp;&lt;BR /&gt;show auth session in port?&lt;/P&gt;</description>
      <pubDate>Wed, 23 Mar 2022 22:53:53 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4577468#M573631</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2022-03-23T22:53:53Z</dc:date>
    </item>
    <item>
      <title>Re: MAB not working</title>
      <link>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4577475#M573632</link>
      <description>&lt;P&gt;A Cisco phone&lt;/P&gt;
&lt;PRE&gt;s112#&lt;STRONG&gt;show access-session int gi 1/0/12 details&lt;/STRONG&gt;
            Interface:  GigabitEthernet1/0/12
               IIF-ID:  0x1EA91FCE
          MAC Address:  885a.92d9.d0f7
         IPv6 Address:  Unknown
         IPv4 Address:  10.49.44.30
            User-Name:  88-5A-92-D9-D0-F7
               Status:  Authorized
               Domain:  VOICE
       Oper host mode:  multi-domain
     Oper control dir:  both
      &lt;FONT color="#FF0000"&gt;Session timeout:  N/A&lt;/FONT&gt;
  Acct update timeout:  172800s (local), Remaining: 170391s
    Common Session ID:  420D020A00000635B8E2D488
      Acct Session ID:  0x00000605
               Handle:  0x3e00062b
       Current Policy:  IDENTITY-POLICY


Local Policies:
        Service Template: IA-TIMER (priority 150)
         Idle timeout: 60 sec

Server Policies:
           Vlan Group:  Name: Unified_Comms_VLAN_Group,  Vlan: 1208


Method status list:
       Method           State
        dot1x           Stopped
          mab           Authc Success
&lt;/PRE&gt;
&lt;P&gt;And a Windows laptop (using 802.1X supplicant)&lt;/P&gt;
&lt;PRE&gt;s112#&lt;STRONG&gt;show access-session int gi 1/0/6 details&lt;/STRONG&gt;
            Interface:  GigabitEthernet1/0/6
               IIF-ID:  0x1B45AC5B
          MAC Address:  3c97.0e1c.12f7
         IPv6 Address:  Unknown
         IPv4 Address:  10.48.0.10
            User-Name:  3C-97-0E-1C-12-F7
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
&lt;FONT color="#FF0000"&gt;      Session timeout:  65535s (server), Remaining: 63037s
       Timeout action:  Reauthenticate&lt;/FONT&gt;
  Acct update timeout:  172800s (local), Remaining: 170302s
    Common Session ID:  420D020A00000633B8E18E22
      Acct Session ID:  0x00000603
               Handle:  0xc2000629
       Current Policy:  IDENTITY-POLICY


Local Policies:
        Service Template: IA-TIMER (priority 150)
         Idle timeout: 60 sec

Server Policies:
      Session-Timeout: 65535 sec
           Vlan Group:  Vlan: 1100


Method status list:
       Method           State
        dot1x           Stopped
          mab           Authc Success
&lt;/PRE&gt;
&lt;P&gt;When I block all RADIUS traffic to ISE, then it fails the auth and I see this (as expected - emergency VLANs in place)&lt;/P&gt;
&lt;PRE&gt;s112#&lt;STRONG&gt;show access-session interface gig 1/0/12 details&lt;/STRONG&gt;
            Interface:  GigabitEthernet1/0/12
               IIF-ID:  0x19038741
          MAC Address:  885a.92d9.d0f7
         IPv6 Address:  Unknown
         IPv4 Address:  Unknown
            User-Name:  885a92d9d0f7
               Status:  Authorized
               Domain:  UNKNOWN
       Oper host mode:  multi-domain
     Oper control dir:  both
      Session timeout:  N/A
  Acct update timeout:  172800s (local), Remaining: 172778s
    Common Session ID:  420D020A00000631B8E01186
      Acct Session ID:  0x00000602
               Handle:  0xdd000627
       Current Policy:  IDENTITY-POLICY


&lt;FONT color="#FF0000"&gt;Local Policies:
        Service Template: CRITICAL_VOICE_VLAN (priority 150)
           Voice Vlan:  Vlan: 1208
        Service Template: RESTRICTED_AUTH_VLAN (priority 150)
           Vlan Group:  Vlan: 1001&lt;/FONT&gt;

Server Policies:


Method status list:
       Method           State
        dot1x           Stopped
          mab           &lt;FONT color="#FF0000"&gt;Authc Failed&lt;/FONT&gt;
&lt;BR /&gt;
s112#&lt;STRONG&gt;show access-session interface gig 1/0/6 details&lt;/STRONG&gt;
            Interface:  GigabitEthernet1/0/6
               IIF-ID:  0x1E348BE0
          MAC Address:  3c97.0e1c.12f7
         IPv6 Address:  Unknown
         IPv4 Address:  10.48.0.10
               Status:  Authorized
               Domain:  UNKNOWN
       Oper host mode:  multi-domain
     Oper control dir:  both
      Session timeout:  N/A
  Acct update timeout:  172800s (local), Remaining: 172759s
    Common Session ID:  420D020A00000632B8E0AFAB
      Acct Session ID:  0x00000601
               Handle:  0x9c000628
       Current Policy:  IDENTITY-POLICY


&lt;FONT color="#FF0000"&gt;Local Policies:
        Service Template: CRITICAL_VOICE_VLAN (priority 150)
           Voice Vlan:  Vlan: 1208
        Service Template: RESTRICTED_AUTH_VLAN (priority 150)
           Vlan Group:  Vlan: 1001&lt;/FONT&gt;

Server Policies:


Method status list:
       Method           State
        dot1x           Stopped
          mab           &lt;FONT color="#FF0000"&gt;Authc Failed&lt;/FONT&gt;
&lt;/PRE&gt;
&lt;P&gt;Interestingly, if the laptop were connected to the back of the phone, then a disaster could happen if the phone were to be in the DATA VLAN for some reason (e.g. it failed ISE auth and landed in a DATA VLAN)... the port would then shut down in err-disabled. Why? Because that is the expected result of multi-domain mode - it only allows one MAC address in the DATA domain.&lt;/P&gt;
&lt;P&gt;There is no easy way around this. One way might be to enable &lt;STRONG&gt;multi-auth&lt;/STRONG&gt; mode, but then it's less secure. But this only happens if the phone is in the DATA domain ... which normally should not be the case.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 23 Mar 2022 23:24:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4577475#M573632</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2022-03-23T23:24:40Z</dc:date>
    </item>
    <item>
      <title>Re: MAB not working</title>
      <link>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4577477#M573633</link>
      <description>&lt;P&gt;Thanks for sharing this info.&lt;/P&gt;</description>
      <pubDate>Wed, 23 Mar 2022 23:24:18 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4577477#M573633</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2022-03-23T23:24:18Z</dc:date>
    </item>
    <item>
      <title>Re: MAB not working</title>
      <link>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4577686#M573640</link>
      <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/158532"&gt;@Arne Bier&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;First of all I want to thank you for your time and fast reply.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm currently working with Cisco CGR2010 with&amp;nbsp;&lt;STRONG&gt;GRWICDES Software (GRWICDES-IPSERVICESK9-M), Version 15.2(6)E1, RELEASE SOFTWARE (fc4).&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/158532"&gt;@Arne Bier&lt;/a&gt;&amp;nbsp;wrote:&lt;PRE&gt;If you have endpoints that don't send any Ethernet packets, then MAB will not be triggered.&lt;/PRE&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;The endpoint doesn't send any Ethernet packets after I configure the interface with MAB. If I remove this configuration, I start receiving packets and my mac-address table is updated.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/158532"&gt;@Arne Bier&lt;/a&gt;&amp;nbsp;wrote:&lt;PRE&gt;&lt;SPAN&gt;After applying the config to an interface, you sometimes have to "shut/no shut", or perform a "clear access-session int ..."&lt;/SPAN&gt;
&lt;/PRE&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;I understand this, I have done it a few times with success, but in these specific cases where MAB is not working, this solution doesn't work either.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/158532"&gt;@Arne Bier&lt;/a&gt;&amp;nbsp;wrote:&lt;PRE&gt;&lt;SPAN&gt;In that case use static VLANs instead - and port security.&amp;nbsp;&lt;/SPAN&gt;&lt;/PRE&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;Yes! I have been talking with my team, and the solution will most likely be this. But it is not the same as using MAB and ISE...&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Best regards,&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Tiago&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 24 Mar 2022 09:52:49 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mab-not-working/m-p/4577686#M573640</guid>
      <dc:creator>tcatanho</dc:creator>
      <dc:date>2022-03-24T09:52:49Z</dc:date>
    </item>
  </channel>
</rss>

