topic Re: Problem with authentication based on MAC address in Network Access Control

Problem with authentication based on MAC address

lnw-team — Tue, 01 Aug 2023 09:24:18 GMT

Hello,

I am experiencing problems with device authentication based on MAC address in one of our locations. It concerns collaboration devices that cannot be authenticated via certificate. There's a security policy on our Cisco ISE deployment that grants access based on a profile. All devices whose MAC address starts with xxxx.xx should be placed in a separate VLAN. We've got four access switches on site and authentication works fine on three of them. There's no NAD (network access device) condition in a policy. We've got other devices attached to the faulty switch and they are able to authenticate successfully via certificate (EAP-TLS) or other authentication method. It was working fine before but now when dot1x authentication is enabled on a switch port, the switch does not see even MAC address on the interface. Any ideas?

Thank you in advance!

Re: Problem with authentication based on MAC address

Karsten Iwen — Tue, 01 Aug 2023 09:56:08 GMT

With this description, I assume that the last change messed up with the MAB config on the switch. Can you show the Interface-config?

Re: Problem with authentication based on MAC address

lnw-team — Tue, 01 Aug 2023 10:10:02 GMT

MAB is enabled on a port. Interface configuration is the same as on other switches and ports.

Re: Problem with authentication based on MAC address

Karsten Iwen — Tue, 01 Aug 2023 10:29:15 GMT

Does the switch initiate a MAB request? What do you see on the ISE?

Re: Problem with authentication based on MAC address

lnw-team — Tue, 01 Aug 2023 11:22:28 GMT

The point is that I do not see any log messages.

Re: Problem with authentication based on MAC address

Dustin Anderson — Tue, 01 Aug 2023 13:24:23 GMT

So, not seeing a mac on the interface is odd.

So, a couple questions.

1 Are these powered, or PoE devices?

2 Do they work if the port is set as just an access port?

3 Do you have any similar commands on the ports?

authentication order mab dot1x
authentication priority dot1x mab

authentication event fail action next-method

mab

4 What model switch are you using?

Even if everything is failing, you should get a mac on the port so long as the device is talking.

Re: Problem with authentication based on MAC address

thomas — Tue, 01 Aug 2023 14:34:34 GMT

You have provided no actual ISE policy or LiveLog errors so it is difficult to know what your specific issue is. See .

Meanwhile, you should see if any of the scenarios here address your issue:

▷ MAC Authentication Bypass (MAB) with ISE 2023/07/20

Re: Problem with authentication based on MAC address

lnw-team — Wed, 02 Aug 2023 11:35:13 GMT

Hello,

1. These are not PoE devices. They have their own power supply.
2. They work when the port is set for access. No trunk is required.
3. I've got all those commands in interface configuration.
4. C3850

Re: Problem with authentication based on MAC address

Dustin Anderson — Wed, 02 Aug 2023 13:26:44 GMT

ok, so I'm going to summarize from the messages, correct le if i'm wrong.

you have 4 switches in this location, EAP-TLS works on all 4, but MAB is not working on 1. I know you said when you enable dot1x, but that should be running for EAP-TLS, so I'm guessing you meant when you enable mab?

So, pardon if some of this is basic, but I started at a helpdesk.

1) you have rebooted the non working switch?

2) Are all 4 on the same code version?

3) When you enable MAB, does EAP-TLS keep working for other devices?

If the above 3 are yes, then you may need to compare configs from the working and non-working. I would mainly look at the radius and AAA commands. The only other port command I see for MAB is authentication port-control auto. i'm also assuming these work on the other 3 switches.

The odd part is the no mac address. If the switch doesn't get one it will not start MAB. So why does this switch not get a mac.