topic Re: MAB authentication instead 802.1x on pc in Network Access Control

MAB authentication instead 802.1x on pc

m.rivoltella — Fri, 08 Apr 2022 09:22:46 GMT

Goodmorning. we have the followinh problem. On some pc, in random moment, cisco ise authenticate pc using MAB instead 802.1x. So the user reboot the pc or remove & reinsert the ehternet cable and the pc can reauthenticate using user account.

into the ise log i see that the pc is find into AD but try to use MAB and than fail.

802.1x on pc is enabled with GPO. The ip phone (yealink) can authenticate successfully using mab

we have hp aruba 2930 switch.

here the config:

radius-server host 172.18.253.247 key "XXXXXXX"
radius-server host 172.18.253.247 dyn-authorization
aaa server-group radius "ISE" host xxx.xxx.xxx.xxx
aaa authentication num-attempts 10
aaa authentication telnet login radius local
aaa authentication telnet enable radius local
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
aaa authentication port-access eap-radius server-group "ISE"
aaa authentication mac-based chap-radius server-group "ISE"
aaa port-access authenticator 1/1-1/8,1/10-1/19,1/21-1/46,2/10-2/24,2/26-2/32,2/34-2/44,2/46,3/1-3/47
aaa port-access authenticator x/y client-limit 3
aaa port-access authenticator active
aaa port-access mac-based 1/1-1/8,1/10-1/19,1/21-1/46,2/10-2/24,2/26-2/32,2/34-2/44,2/46,3/1-3/47
aaa port-access mac-based x/y addr-limit 3
aaa port-access mac-based x/y reauth-period 60

cisco ise log and cisco ise config is attached

thanks for helping!!

Re: MAB authentication instead 802.1x on pc

MHM Cisco World — Fri, 08 Apr 2022 13:28:49 GMT

can I see the config of one port ?

Re: MAB authentication instead 802.1x on pc

m.rivoltella — Fri, 08 Apr 2022 13:49:27 GMT

for example:

interface 2/42
tagged vlan 66
untagged vlan 21
aaa port-access authenticator
aaa port-access authenticator client-limit 3
aaa port-access mac-based
aaa port-access mac-based addr-limit 3
aaa port-access mac-based reauth-period 60
exit

vlan 66 is voice vlan for phone

vlan 21 is lan vlan for pc

Re: MAB authentication instead 802.1x on pc

MHM Cisco World — Sat, 09 Apr 2022 11:16:29 GMT

I see only MAC-Based so PC use MAC-Based.

but you can try enable 802.1x-based also if SW support both Auth in same port.

Re: MAB authentication instead 802.1x on pc

m.rivoltella — Mon, 11 Apr 2022 07:05:30 GMT

Hi,

this aaa port-access authenticator and this aaa port-access authenticator client-limit 3 are the command to enable 802.1x authentication user-based (https://techhub.hpe.com/eginfolib/networking/docs/switches/WB/15-18/5998-8152_wb_2920_asg/content/ch13s05.html and https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-c02642107)

Re: MAB authentication instead 802.1x on pc

thomas — Tue, 12 Apr 2022 15:58:21 GMT

Your ISE log was helpful to understand how and why it was falling back to MAB.

Try turning OFF "Fallback to unauthorized network access" on your supplicant so it will only do 802.1X.

Re: MAB authentication instead 802.1x on pc

MHM Cisco World — Tue, 12 Apr 2022 16:03:33 GMT

@thomas but the client is first try 802.1x and then failed and try MAB.
I think that he need
reauth command to make client always reauth and if it not reauth the client will delete form ISE.

Re: MAB authentication instead 802.1x on pc

thomas — Tue, 12 Apr 2022 16:18:26 GMT

If 802.1X failed, why did it fail? You only showed the MAB authentication.

The user may unplug and replug their cable to have the switch start 802.1X or they can login and logout and that will trigger 802.1X from the client side.

I don't know what re-authentication command you are expecting them to use on their computer.

Re: MAB authentication instead 802.1x on pc

MHM Cisco World — Wed, 13 Apr 2022 00:37:22 GMT

Re auth command in switch not client.

this force sw to Start 802.1x again for this port.

Re: MAB authentication instead 802.1x on pc

m.rivoltella — Wed, 13 Apr 2022 06:56:57 GMT

Hi, yesterday i have set tx period on switch

aaa port-access authenticator 3/35 tx-period 1

(Sets the period the port waits to retransmit the next EAPOL PDU during an authentication session. (Default: 30 seconds))

so, now retansmit every seconds.

@thomas i try to remove the flag, thanks

@MHM Cisco World the re auth is already set, if you see the config there is reauth-period 60 for the mac-based, should i set it also for aaa port-access authenticator?

thanks to everyone!

Re: MAB authentication instead 802.1x on pc

m.rivoltella — Wed, 13 Apr 2022 07:07:58 GMT

here the config of gpo.

Re: MAB authentication instead 802.1x on pc

MHM Cisco World — Wed, 13 Apr 2022 07:57:23 GMT

Yes you need re auth for 802.1x

Re: MAB authentication instead 802.1x on pc

m.rivoltella — Fri, 15 Apr 2022 07:57:10 GMT

Hi, @MHM Cisco World with reauth enable it was a disaster :D. the PCs lost their network and never re-authenticated themselves

@thomas i've try to remove the flag but the problem still persists

thanks

Re: MAB authentication instead 802.1x on pc

thomas — Fri, 15 Apr 2022 15:31:24 GMT

Does it do 802.1X if you remove

aaa authentication mac-based chap-radius server-group "ISE"

At this point it appears to be a problem with your HP switch configuration.

Your endpoint supplicant looks OK.

Try other endpoints to verify it is not this one endpoint, also.