topic Re: C9200 - MAB set up and not able to ping or access to a shared fold in Network Access Control

C9200 - MAB set up and not able to ping or access to a shared folder

H4MCO.N2RES1 — Wed, 22 Mar 2023 16:39:59 GMT

Hello,

I just installed a C9200 stack and configured the MAB with a RADIUS server. I added the mac address of my 40 users in the RADIUS, then I activated the MAB the necessary ports.

When I did this 2 days ago everything was fine a priori, but today a user pointed out to me that he couldn't access a shared remote folder on a windows server in the same LAN and that the PING towards this server are KO also

I checked the log in the RADIUS, everything is OK, the mac address is authorized

On the switch the port is OK

#show mac address-table | include ca63 18 d08e.790f.ca63 STATIC Gi1/0/10 #arp -a 192.168.100.246 d0-8e-79-0f-ca-63 dynamique #show int status | include Gi1/0/18 Gi1/0/10 connected 18 a-full a-1000 10/100/1000BaseTX

And the server can communicate with the outside (connection on firewall OK)

I tried to debug with no success so I removed the MAB configuration from the port, unplugged/plugged the RJ45 cable and immediately access to the shared folder was OK and ping OK too.

Here's the configuration of my MAB and PORT

aaa new-model ! ! aaa group server radius rad_access server name yyyyyyyyyy ! aaa authentication dot1x default group radius aaa authorization network default group radius local ! ! ! ! ! ! aaa session-id common vtp mode off ! dot1x system-auth-control ! interface GigabitEthernet1/0/10 switchport access vlan 18 switchport mode access authentication port-control auto mab spanning-tree portfast ! radius server yyyyyyyyyy address ipv4 192.168.100.248 auth-port 1812 acct-port 1813 key xxxxxxxxxxxxxxxxx !

The server has been restarted 2 times before I come to debug without success

Can someone help me to debug this situation please?

Re: C9200 - MAB set up and not able to ping or access to a shared fold

Nancy Saini — Wed, 22 Mar 2023 17:24:27 GMT

Nothing seems to be blocking on the switchport. Are you pushing any VLAN for DACL from the RADIUS server which could be blocking traffic to the shared folder. Share the output of "show authentication session interface gig 1/0/10 detail" at the time of issue.

Re: C9200 - MAB set up and not able to ping or access to a shared fold

H4MCO.N2RES1 — Thu, 23 Mar 2023 10:54:54 GMT

#show authentication session interface gig 1/0/10 detail Interface: GigabitEthernet1/0/10 IIF-ID: 0x162AE369 MAC Address: d08e.790f.ca63 IPv6 Address: Unknown IPv4 Address: Unknown User-Name: d08e790fca63 Status: Authorized Domain: DATA Oper host mode: single-host Oper control dir: both Session timeout: N/A Common Session ID: 0142C80A0000092F0DE04867 Acct Session ID: Unknown Handle: 0xaf000081 Current Policy: POLICY_Gi1/0/10 Local Policies: Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150) Security Policy: Should Secure Security Status: Link Unsecured Server Policies: Method status list: Method State mab Authc Success

---------------

LOG from an other machine that ping this server:

With no MAB and no authentication port-control auto - Ping OK
With MAB and authentication port-control auto I've the following PING log.

Réponse de 192.168.100.246 : octets=32 temps=1 ms TTL=128 Réponse de 192.168.100.246 : octets=32 temps<1ms TTL=128 Réponse de 192.168.100.246 : octets=32 temps<1ms TTL=128 Délai d'attente de la demande dépassé. Délai d'attente de la demande dépassé. Délai d'attente de la demande dépassé. Réponse de 192.168.100.250 : Impossible de joindre l'hôte de destination. Réponse de 192.168.100.250 : Impossible de joindre l'hôte de destination. Réponse de 192.168.100.250 : Impossible de joindre l'hôte de destination. Réponse de 192.168.100.250 : Impossible de joindre l'hôte de destination. Réponse de 192.168.100.250 : Impossible de joindre l'hôte de destination. Réponse de 192.168.100.250 : Impossible de joindre l'hôte de destination. Réponse de 192.168.100.250 : Impossible de joindre l'hôte de destination. Délai d'attente de la demande dépassé. Délai d'attente de la demande dépassé. Délai d'attente de la demande dépassé. Délai d'attente de la demande dépassé. Délai d'attente de la demande dépassé. Délai d'attente de la demande dépassé. Délai d'attente de la demande dépassé. Délai d'attente de la demande dépassé. Délai d'attente de la demande dépassé. Délai d'attente de la demande dépassé.

While the authentication is not finished ping is NOK with message "Impossible de joindre l'hôte de destination". and when authentication on RADIUS is done I'm in TIMEOUT with the message "Délai d'attente de la demande dépassé."

----------------

No authentication port-control + No MAB = Connection OK, ping possible in both directions, shared folder access OK

No authentication port-control + MAB = Connection OK, ping possible in both directions, access to the shared folder OK but windows is in limited connection (display no internet)

Authentication port-control + No MAB = No connection, ping not possible in both directions, the server is totally alone.

Authentication port-control + MAB = Connection is not fully OK. Ping only possible from server to anywhere but it cannot be contacted from LAN (ping or shared folder)

Re: C9200 - MAB set up and not able to ping or access to a shared fold

Flavio Miranda — Thu, 23 Mar 2023 11:09:20 GMT

I'd say your problem can be related to this:

#show authentication session interface gig 1/0/10 detail
            Interface:  GigabitEthernet1/0/10
               IIF-ID:  0x162AE369
          MAC Address:  d08e.790f.ca63
         IPv6 Address:  Unknown
         IPv4 Address:  Unknown

I expected to see the IP address there and not Unknown.

When dealing with Radius, first you need to be authenticated and then you get an IP address.

Can you share the output of " show aaa servers" ?

Re: C9200 - MAB set up and not able to ping or access to a shared fold

H4MCO.N2RES1 — Thu, 23 Mar 2023 12:37:33 GMT

My RADIUS server is only used to validate that the MAC address is authorized to connect to the switch. VLAN is hard set on port configuration and never change with radius authentication.
Then a DHCP service is set up on the Fortigate firewall to distribute the IP addresses.
This server is out of DHCP range and has a fixed IP.

Here is the log you asked for.
The first one "yyyyyyyyyyy" is an oldest RADIUS server that is not set in the "aaa group server radius rad_access"

#show aaa servers RADIUS: id 1, priority 1, host 192.168.100.250, auth-port 1812, acct-port 1813, hostname yyyyyyyyyyy State: current UP, duration 1969545s, previous duration 0s Dead: total time 0s, count 0 Platform State from SMD: current UP, duration 13s, previous duration 0s SMD Platform Dead: total time 0s, count 979 Platform State from WNCD (1) : current UP Platform State from WNCD (2) : current UP Platform State from WNCD (3) : current UP Platform State from WNCD (4) : current UP Platform State from WNCD (5) : current UP Platform State from WNCD (6) : current UP Platform State from WNCD (7) : current UP Platform State from WNCD (8) : current UP, duration 0s, previous duration 0s Platform Dead: total time 0s, count 0UP Quarantined: No Authen: request 9824, timeouts 9824, failover 0, retransmission 7368 Response: accept 0, reject 0, challenge 0 Response: unexpected 0, server error 0, incorrect 0, time 0ms Transaction: success 0, failure 2456 Throttled: transaction 0, timeout 0, failure 0 Malformed responses: 0 Bad authenticators: 0 Dot1x transactions: Response: total responses: 0, avg response time: 0ms Transaction: timeouts 0, failover 0 Transaction: total 0, success 0, failure 0 MAC auth transactions: Response: total responses: 0, avg response time: 0ms Transaction: timeouts 2456, failover 0 Transaction: total 2456, success 0, failure 2456 Author: request 0, timeouts 0, failover 0, retransmission 0 Response: accept 0, reject 0, challenge 0 Response: unexpected 0, server error 0, incorrect 0, time 0ms Transaction: success 0, failure 0 Throttled: transaction 0, timeout 0, failure 0 Malformed responses: 0 Bad authenticators: 0 MAC author transactions: Response: total responses: 0, avg response time: 0ms Transaction: timeouts 0, failover 0 Transaction: total 0, success 0, failure 0 Account: request 0, timeouts 0, failover 0, retransmission 0 Request: start 0, interim 0, stop 0 Response: start 0, interim 0, stop 0 Response: unexpected 0, server error 0, incorrect 0, time 0ms Transaction: success 0, failure 0 Throttled: transaction 0, timeout 0, failure 0 Malformed responses: 0 Bad authenticators: 0 Elapsed time since counters last cleared: 3w1d19h5m Estimated Outstanding Access Transactions: 0 Estimated Outstanding Accounting Transactions: 0 Estimated Throttled Access Transactions: 0 Estimated Throttled Accounting Transactions: 0 Maximum Throttled Transactions: access 0, accounting 0 Consecutive Response Failures: total 2455 SMD Platform : max 2455, current 2455 total 2455 WNCD Platform: max 0, current 0 total 0 IOSD Platform : max 0, current 0 total 0 Consecutive Timeouts: total 9823 SMD Platform : max 9823, current 9823 total 9823 WNCD Platform: max 0, current 0 total 0 IOSD Platform : max 0, current 0 total 0 Requests per minute past 24 hours: high - 19 hours, 5 minutes ago: 0 low - 19 hours, 5 minutes ago: 0 average: 0 RADIUS: id 2, priority 2, host 192.168.100.248, auth-port 1812, acct-port 1813, hostname xxxxxxPP01 State: current UP, duration 1469897s, previous duration 0s Dead: total time 0s, count 0 Platform State from SMD: current UP, duration 1464626s, previous duration 0s SMD Platform Dead: total time 0s, count 6 Platform State from WNCD (1) : current UP Platform State from WNCD (2) : current UP Platform State from WNCD (3) : current UP Platform State from WNCD (4) : current UP Platform State from WNCD (5) : current UP Platform State from WNCD (6) : current UP Platform State from WNCD (7) : current UP Platform State from WNCD (8) : current UP, duration 0s, previous duration 0s Platform Dead: total time 0s, count 0UP Quarantined: No Authen: request 2507, timeouts 68, failover 2456, retransmission 51 Response: accept 118, reject 2321, challenge 0 Response: unexpected 0, server error 0, incorrect 0, time 955ms Transaction: success 2439, failure 17 Throttled: transaction 0, timeout 0, failure 0 Malformed responses: 0 Bad authenticators: 0 Dot1x transactions: Response: total responses: 0, avg response time: 0ms Transaction: timeouts 0, failover 0 Transaction: total 0, success 0, failure 0 MAC auth transactions: Response: total responses: 2439, avg response time: 955ms Transaction: timeouts 17, failover 2456 Transaction: total 2456, success 118, failure 2338 Author: request 0, timeouts 0, failover 0, retransmission 0 Response: accept 0, reject 0, challenge 0 Response: unexpected 0, server error 0, incorrect 0, time 0ms Transaction: success 0, failure 0 Throttled: transaction 0, timeout 0, failure 0 Malformed responses: 0 Bad authenticators: 0 MAC author transactions: Response: total responses: 0, avg response time: 0ms Transaction: timeouts 0, failover 0 Transaction: total 0, success 0, failure 0 Account: request 0, timeouts 0, failover 0, retransmission 0 Request: start 0, interim 0, stop 0 Response: start 0, interim 0, stop 0 Response: unexpected 0, server error 0, incorrect 0, time 0ms Transaction: success 0, failure 0 Throttled: transaction 0, timeout 0, failure 0 Malformed responses: 0 Bad authenticators: 0 Elapsed time since counters last cleared: 2w3d18m Estimated Outstanding Access Transactions: 0 Estimated Outstanding Accounting Transactions: 0 Estimated Throttled Access Transactions: 0 Estimated Throttled Accounting Transactions: 0 Maximum Throttled Transactions: access 0, accounting 0 Consecutive Response Failures: total 16 SMD Platform : max 16, current 0 total 16 WNCD Platform: max 0, current 0 total 0 IOSD Platform : max 0, current 0 total 0 Consecutive Timeouts: total 67 SMD Platform : max 67, current 0 total 67 WNCD Platform: max 0, current 0 total 0 IOSD Platform : max 0, current 0 total 0 Requests per minute past 24 hours: high - 0 hours, 18 minutes ago: 0 low - 0 hours, 18 minutes ago: 0 average: 0

If that can help to investigate, I've this problem only for this server.
As example, I've an user that is connected today on port gi1/0/15 with MAC adress c81f663e7709 and IP 192.168.100.232

Here is the details on Cisco

#show mac address-table Mac Address Table ------------------------------------------- Vlan Mac Address Type Ports ---- ----------- -------- ----- All 0100.0ccc.cccc STATIC CPU All 0100.0ccc.cccd STATIC CPU All 0180.c200.0000 STATIC CPU All 0180.c200.0001 STATIC CPU All 0180.c200.0002 STATIC CPU All 0180.c200.0003 STATIC CPU All 0180.c200.0004 STATIC CPU All 0180.c200.0005 STATIC CPU All 0180.c200.0006 STATIC CPU All 0180.c200.0007 STATIC CPU All 0180.c200.0008 STATIC CPU All 0180.c200.0009 STATIC CPU All 0180.c200.000a STATIC CPU All 0180.c200.000b STATIC CPU All 0180.c200.000c STATIC CPU All 0180.c200.000d STATIC CPU All 0180.c200.000e STATIC CPU All 0180.c200.000f STATIC CPU All 0180.c200.0010 STATIC CPU All 0180.c200.0021 STATIC CPU All ffff.ffff.ffff STATIC CPU 1 6026.aad9.da19 DYNAMIC Po3 1 6026.aad9.da1a DYNAMIC Po3 66 0009.0f09.0006 DYNAMIC Po3 66 04bd.97a5.854b STATIC Vl66 2 0000.5e00.0105 DYNAMIC Po3 2 0009.0f09.0006 DYNAMIC Po3 12 001a.a006.e6db DYNAMIC Po3 18 0009.0f09.0006 DYNAMIC Po3 18 c81f.663e.7709 STATIC Gi1/0/15 18 d08e.790f.ca63 DYNAMIC Gi1/0/10 18 f01f.afe1.886b DYNAMIC Po3 18 f01f.afe3.256d DYNAMIC Po3 Total Mac Addresses for this criterion: 33 #show authentication session interface gig 1/0/15 detail Interface: GigabitEthernet1/0/15 IIF-ID: 0x13357A83 MAC Address: c81f.663e.7709 IPv6 Address: Unknown IPv4 Address: Unknown User-Name: c81f663e7709 Status: Authorized Domain: DATA Oper host mode: single-host Oper control dir: both Session timeout: N/A Common Session ID: 0142C80A000004F608B9130B Acct Session ID: Unknown Handle: 0x8e000074 Current Policy: POLICY_Gi1/0/15 Local Policies: Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150) Security Policy: Should Secure Security Status: Link Unsecured Server Policies: Method status list: Method State mab Authc Success # show run int Gi1/0/15 Building configuration... Current configuration : 153 bytes ! interface GigabitEthernet1/0/15 switchport access vlan 18 switchport mode access authentication port-control auto mab spanning-tree portfast end

There is no IP in the authentication details but I can ping it without problem

>ping 192.168.100.232 Envoi d'une requête 'Ping' 192.168.100.232 avec 32 octets de données : Réponse de 192.168.100.232 : octets=32 temps=1 ms TTL=128 Réponse de 192.168.100.232 : octets=32 temps<1ms TTL=128 Réponse de 192.168.100.232 : octets=32 temps<1ms TTL=128 Statistiques Ping pour 192.168.100.232: Paquets : envoyés = 3, reçus = 3, perdus = 0 (perte 0%), Durée approximative des boucles en millisecondes : Minimum = 0ms, Maximum = 1ms, Moyenne = 0ms Ctrl+C

Thank you for your support

Re: C9200 - MAB set up and not able to ping or access to a shared fold

Flavio Miranda — Thu, 23 Mar 2023 13:23:39 GMT

Hello,

As per the logs, I'd say the authentication is not happening.

Authen: request 9824, timeouts 9824, failover 0, retransmission 7368
             Response: accept 0, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 2456
             Throttled: transaction 0, timeout 0, failure 0
             Malformed responses: 0
             Bad authenticators: 0
             Dot1x transactions:
             Response: total responses: 0, avg response time: 0ms
             Transaction: timeouts 0, failover 0
             Transaction: total 0, success 0, failure 0
             MAC auth transactions:
             Response: total responses: 0, avg response time: 0ms
             Transaction: timeouts 2456, failover 0
             Transaction: total 2456, success 0, failure 2456

Basiacally all the communication is failling between switch and Radius.

Which Radius server you have?

Re: C9200 - MAB set up and not able to ping or access to a shared fold

H4MCO.N2RES1 — Thu, 23 Mar 2023 13:44:13 GMT

I use DaloRADIUS a web management application It is based on a FreeRADIUS deployment with a database server serving as the backend.

Here is the logs that I've on the connexion for this mac adress. All other MAC are in Access-Accept too.

Re: C9200 - MAB set up and not able to ping or access to a shared fold

Flavio Miranda — Thu, 23 Mar 2023 14:45:24 GMT

But as we can see almost all packets for authentication in failure status, the radius may receive the authentication packets, authorize but not reply to switch or reply and the switch is not receive or yet receiving but not processing.

Try to run some debugs

debug mab all & debug authentication all

Re: C9200 - MAB set up and not able to ping or access to a shared fold

Christopher Bell — Thu, 23 Mar 2023 14:51:02 GMT

Post 'show run aaa' (cleaned of your shared secrets of course)

Re: C9200 - MAB set up and not able to ping or access to a shared fold

H4MCO.N2RES1 — Thu, 23 Mar 2023 14:51:57 GMT

Here is a tcpdump of my Radius server when I connect the Windows server on switch
The RADIUS reply with an accept.

tcpdump -i any host 10.200.66.1 or host 192.168.100.246 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes 15:35:46.667183 ARP, Request who-has 192.168.100.246 tell XXXXXXFWPP01, length 46 15:35:47.659892 ARP, Request who-has 192.168.100.246 tell XXXXXXFWPP01, length 46 15:35:48.659845 ARP, Request who-has 192.168.100.246 tell XXXXXXFWPP01, length 46 15:35:59.518984 ARP, Request who-has 192.168.100.246 tell XXXXXXFWPP01, length 46 15:36:00.509493 ARP, Request who-has 192.168.100.246 tell XXXXXXFWPP01, length 46 15:36:01.509460 ARP, Request who-has 192.168.100.246 tell XXXXXXFWPP01, length 46 15:36:03.145967 ARP, Request who-has 192.168.100.246 tell XXXXXXFWPP01, length 46 15:36:04.139415 ARP, Request who-has 192.168.100.246 tell XXXXXXFWPP01, length 46 15:36:05.139357 ARP, Request who-has 192.168.100.246 tell XXXXXXFWPP01, length 46 15:36:08.233163 IP 10.200.66.1.58284 > XXXXXXPP01.radius: RADIUS, Access-Request (1), id: 0x0e length: 324 15:36:08.235330 IP XXXXXXPP01.radius > 10.200.66.1.58284: RADIUS, Access-Accept (2), id: 0x0e length: 20 15:36:10.325667 ARP, Request who-has XXXXXXFWPP01 tell 192.168.100.246, length 46 15:36:10.376966 ARP, Request who-has XXXXXXFWPP01 tell 192.168.100.246, length 46 15:36:10.397768 ARP, Request who-has XXXXXXFWPP01 tell 192.168.100.246, length 46 15:36:20.492285 ARP, Request who-has XXXXXXFWPP01 tell 192.168.100.246, length 46 -------------- tcpdump -nn -e -vvv -i any host 10.200.66.1 or host 192.168.100.246 tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes 15:35:46.667175 B 00:09:0f:09:00:06 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.100.246 tell 192.168.100.1, length 46 15:35:47.659881 B 00:09:0f:09:00:06 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.100.246 tell 192.168.100.1, length 46 15:35:48.659838 B 00:09:0f:09:00:06 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.100.246 tell 192.168.100.1, length 46 15:35:59.518973 B 00:09:0f:09:00:06 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.100.246 tell 192.168.100.1, length 46 15:36:00.509484 B 00:09:0f:09:00:06 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.100.246 tell 192.168.100.1, length 46 15:36:01.509452 B 00:09:0f:09:00:06 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.100.246 tell 192.168.100.1, length 46 15:36:03.145959 B 00:09:0f:09:00:06 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.100.246 tell 192.168.100.1, length 46 15:36:04.139406 B 00:09:0f:09:00:06 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.100.246 tell 192.168.100.1, length 46 15:36:05.139350 B 00:09:0f:09:00:06 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.100.246 tell 192.168.100.1, length 46 15:36:08.233156 In 00:09:0f:09:00:06 ethertype IPv4 (0x0800), length 368: (tos 0x0, ttl 63, id 48797, offset 0, flags [none], proto UDP (17), length 352) 10.200.66.1.58284 > 192.168.100.248.1812: [udp sum ok] RADIUS, length: 324 Access-Request (1), id: 0x0e, Authenticator: c2384b46d5df7b808958fc374765dc1c User-Name Attribute (1), length: 14, Value: d08e790fca63 0x0000: 6430 3865 3739 3066 6361 3633 User-Password Attribute (2), length: 18, Value: 0x0000: f2cb eeca ab49 ada2 220a 2feb 5d0d 40de Service-Type Attribute (6), length: 6, Value: Call Check 0x0000: 0000 000a Vendor-Specific Attribute (26), length: 31, Value: Vendor: Cisco (9) Vendor Attribute: 1, Length: 23, Value: service-type=Call Check 0x0000: 0000 0009 0119 7365 7276 6963 652d 7479 0x0010: 7065 3d43 616c 6c20 4368 6563 6b Framed-MTU Attribute (12), length: 6, Value: 1468 0x0000: 0000 05bc Message-Authenticator Attribute (80), length: 18, Value: q4g.o\Y.j.... 0x0000: 7134 67f6 6f5c 5996 6afd bde6 f400 a937 Unknown Attribute (102), length: 2, Value: Vendor-Specific Attribute (26), length: 49, Value: Vendor: Cisco (9) Vendor Attribute: 1, Length: 41, Value: audit-session-id=0142C80A00000A160EDD6437 0x0000: 0000 0009 012b 6175 6469 742d 7365 7373 0x0010: 696f 6e2d 6964 3d30 3134 3243 3830 4130 0x0020: 3030 3030 4131 3630 4544 4436 3433 37 Vendor-Specific Attribute (26), length: 18, Value: Vendor: Cisco (9) Vendor Attribute: 1, Length: 10, Value: method=mab 0x0000: 0000 0009 010c 6d65 7468 6f64 3d6d 6162 Vendor-Specific Attribute (26), length: 31, Value: Vendor: Cisco (9) Vendor Attribute: 1, Length: 23, Value: client-iif-id=428417217 0x0000: 0000 0009 0119 636c 6965 6e74 2d69 6966 0x0010: 2d69 643d 3432 3834 3137 3231 37 Vendor-Specific Attribute (26), length: 18, Value: Vendor: Cisco (9) Vendor Attribute: 1, Length: 10, Value: vlan-id=18 0x0000: 0000 0009 010c 766c 616e 2d69 643d 3138 NAS-IP-Address Attribute (4), length: 6, Value: 10.200.66.1 0x0000: 0ac8 4201 NAS-Port-Id Attribute (87), length: 23, Value: GigabitEthernet1/0/10 0x0000: 4769 6761 6269 7445 7468 6572 6e65 7431 0x0010: 2f30 2f31 30 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f NAS-Port Attribute (5), length: 6, Value: 50110 0x0000: 0000 c3be Calling-Station-Id Attribute (31), length: 19, Value: D0-8E-79-0F-CA-63 0x0000: 4430 2d38 452d 3739 2d30 462d 4341 2d36 0x0010: 33 NAS-Identifier Attribute (32), length: 14, Value: XXXXXXSWPP01 0x0000: 4752 4454 4f55 5357 5050 3031 Called-Station-Id Attribute (30), length: 19, Value: 04-BD-97-A5-85-0A 0x0000: 3034 2d42 442d 3937 2d41 352d 3835 2d30 0x0010: 41 15:36:08.235319 Out 00:19:b9:dd:49:37 ethertype IPv4 (0x0800), length 64: (tos 0x0, ttl 64, id 26914, offset 0, flags [none], proto UDP (17), length 48) 192.168.100.248.1812 > 10.200.66.1.58284: [bad udp cksum 0x7297 -> 0x3bac!] RADIUS, length: 20 Access-Accept (2), id: 0x0e, Authenticator: f56346097ace1b2dc95b5f0ff53d75ab 15:36:10.325659 B d0:8e:79:0f:ca:63 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.100.1 tell 192.168.100.246, length 46 15:36:10.376961 B d0:8e:79:0f:ca:63 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.100.1 tell 192.168.100.246, length 46 15:36:10.397762 B d0:8e:79:0f:ca:63 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.100.1 tell 192.168.100.246, length 46 15:36:20.492278 B d0:8e:79:0f:ca:63 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.100.1 tell 192.168.100.246, length 46

Re: C9200 - MAB set up and not able to ping or access to a shared fold

Flavio Miranda — Thu, 23 Mar 2023 14:52:31 GMT

Also, as this is a FreeRadius, if you have access to the Linux server, run tcpdump to make sure you see packets in out from servr to switch and vice-versa

Re: C9200 - MAB set up and not able to ping or access to a shared fold

H4MCO.N2RES1 — Thu, 23 Mar 2023 15:26:54 GMT

#show run aaa ! aaa authentication dot1x default group radius aaa authorization network default group radius local username xxxxxxxxx secret 9 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ! ! ! ! ! ! radius server yyyyyyyyyy address ipv4 192.168.100.250 auth-port 1812 acct-port 1813 key procurve ! radius server xxxxxxPP01 address ipv4 192.168.100.248 auth-port 1812 acct-port 1813 key procurve ! ! aaa group server radius rad_access server name xxxxxxPP01 ! ! ! ! aaa new-model aaa session-id common ! !

Re: C9200 - MAB set up and not able to ping or access to a shared fold

H4MCO.N2RES1 — Thu, 23 Mar 2023 16:10:32 GMT

Here is the log for debug mab all & debug authentication all

XXXXXXSWPP01#term mon XXXXXXSWPP01#show debug Packet Infra debugs: Ip Address Port ------------------------------------------------------|---------- XXXXXXSWPP01#debug mab all All MAC Authentication Bypass debugging is on XXXXXXSWPP01#debug authentication all All Auth Manager debugging is on XXXXXXSWPP01# XXXXXXSWPP01# *Mar 23 15:53:34.846: AUTH-EVENT: [Gi1/0/10] No session limit or profile present on interface *Mar 23 15:53:34.846: AUTH-EVENT: [Gi1/0/10] Got Session limit as 0 for interface Gi1/0/10 *Mar 23 15:53:34.846: AUTH-EVENT: [Gi1/0/10] mac seen: 1 authz count[DATA]: 0 authz count[UNKNOWN]: 0 open access: 0 replace open set: 0 notify all: 1 block notification: 0 *Mar 23 15:53:36.443: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/10, changed state to up *Mar 23 15:53:37.444: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/10, changed state to up *Mar 23 15:53:54.859: AUTH-EVENT: [Gi1/0/10] No session limit or profile present on interface *Mar 23 15:53:54.859: AUTH-EVENT: [Gi1/0/10] Got Session limit as 0 for interface Gi1/0/10 *Mar 23 15:53:54.859: AUTH-EVENT: [Gi1/0/10] mac seen: 1 authz count[DATA]: 1 authz count[UNKNOWN]: 0 open access: 0 replace open set: 0 notify all: 1 block notification: 0 *Mar 23 15:53:54.862: AUTH-EVENT: [Gi1/0/10] No session limit or profile present on interface *Mar 23 15:53:54.862: AUTH-EVENT: [Gi1/0/10] Got Session limit as 0 for interface Gi1/0/10 *Mar 23 15:53:54.862: AUTH-EVENT: [Gi1/0/10] mac seen: 1 authz count[DATA]: 1 authz count[UNKNOWN]: 0 open access: 0 replace open set: 0 notify all: 1 block notification: 0 *Mar 23 15:53:54.863: AUTH-EVENT: [Gi1/0/10] Incremented Session Count, new Count = 1

Re: C9200 - MAB set up and not able to ping or access to a shared fold

Christopher Bell — Thu, 23 Mar 2023 16:25:34 GMT

Change:
aaa authentication dot1x default group radius

aaa authorization network default group radius local

To:

aaa authentication dot1x default group rad_access

aaa authorization network default group rad_access

Then try again.

Re: C9200 - MAB set up and not able to ping or access to a shared fold

Christopher Bell — Thu, 23 Mar 2023 16:29:10 GMT

Also, ensure your shared secret for both radius servers is the same as what you have configured on the switch.

Re: C9200 - MAB set up and not able to ping or access to a shared fold

H4MCO.N2RES1 — Thu, 23 Mar 2023 17:01:25 GMT

xxxxxxSWPP01(config)#aaa authentication dot1x default group rad_access xxxxxxSWPP01(config)#aaa authorization network default group rad_access xxxxxxSWPP01(config)#end xxxxxxSWPP01# xxxxxxSWPP01# xxxxxxSWPP01# xxxxxxSWPP01# xxxxxxSWPP01# Mar 23 16:42:30.601: AUTH-EVENT: [Gi1/0/10] No session limit or profile present on interface Mar 23 16:42:30.601: AUTH-EVENT: [Gi1/0/10] Got Session limit as 0 for interface Gi1/0/10 Mar 23 16:42:30.601: AUTH-EVENT: [Gi1/0/10] mac seen: 0 authz count[DATA]: 0 authz count[UNKNOWN]: 0 open access: 0 replace open set: 0 notify all: 1 block notification: 0 Mar 23 16:42:30.603: AUTH-EVENT: [Gi1/0/10] Decremented Session Count, new Count = 0 Mar 23 16:42:30.604: AUTH-EVENT: [Gi1/0/10] No session limit or profile present on interface Mar 23 16:42:30.604: AUTH-EVENT: [Gi1/0/10] Got Session limit as 0 for interface Gi1/0/10 Mar 23 16:42:30.604: AUTH-EVENT: [Gi1/0/10] mac seen: 0 authz count[DATA]: 0 authz count[UNKNOWN]: 0 open access: 0 replace open set: 0 notify all: 1 block notification: 0 Mar 23 16:42:31.589: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/10, changed state to down Mar 23 16:42:32.589: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/10, changed state to down Mar 23 16:42:34.577: AUTH-EVENT: [Gi1/0/10] No session limit or profile present on interface Mar 23 16:42:34.577: AUTH-EVENT: [Gi1/0/10] Got Session limit as 0 for interface Gi1/0/10 Mar 23 16:42:34.577: AUTH-EVENT: [Gi1/0/10] mac seen: 1 authz count[DATA]: 0 authz count[UNKNOWN]: 0 open access: 0 replace open set: 0 notify all: 1 block notification: 0 Mar 23 16:42:34.589: AUTH-EVENT: [Gi1/0/10] No session limit or profile present on interface Mar 23 16:42:34.589: AUTH-EVENT: [Gi1/0/10] Got Session limit as 0 for interface Gi1/0/10 Mar 23 16:42:34.589: AUTH-EVENT: [Gi1/0/10] mac seen: 1 authz count[DATA]: 1 authz count[UNKNOWN]: 0 open access: 0 replace open set: 0 notify all: 1 block notification: 0 Mar 23 16:42:34.592: AUTH-EVENT: [Gi1/0/10] No session limit or profile present on interface Mar 23 16:42:34.593: AUTH-EVENT: [Gi1/0/10] Got Session limit as 0 for interface Gi1/0/10 Mar 23 16:42:34.593: AUTH-EVENT: [Gi1/0/10] mac seen: 1 authz count[DATA]: 1 authz count[UNKNOWN]: 0 open access: 0 replace open set: 0 notify all: 1 block notification: 0 Mar 23 16:42:34.593: AUTH-EVENT: [Gi1/0/10] Incremented Session Count, new Count = 1 Mar 23 16:42:36.401: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/10, changed state to up Mar 23 16:42:37.402: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/10, changed state to up

I understand my error but I don't understand why my radius works.
So if I understand the correction that was made, I had configured the radius to query the wrong group.

I misunderstood the command and for me "aaa authentication dot1x default group radius" queries by default the group configured for the radius method when it is the name of the group itself.

On the other hand I do not understand why my RADIUS server received requests, accepted them or rejected them and that the stations were authorized or not to connect in spite of that. It remains a mystery.

Thank you very much for the time you took to help me.

Re: C9200 - MAB set up and not able to ping or access to a shared fold

Christopher Bell — Thu, 23 Mar 2023 17:17:07 GMT

Glad it worked. AAA configs are finicky, it always pays to keep them 'clean'.