topic Re: Cisco Switch AAA Authencation in Network Access Control

Cisco Switch AAA Authencation

Mahendervyas35821 — Thu, 18 Jan 2024 16:45:58 GMT

Hi Friends,

Was trying to do AAA authentication for Radius and observed one issue.

When i put authentication open then Dot1x and mab both works fine but when i do not configure authentication open command dot1x works fine but mab device does not work in this scenerio.

please find my interface commands.

interface Ethernet0/1
switchport access vlan 20
switchport mode access
authentication event fail action next-method
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator

Re: Cisco Switch AAA Authencation

Charlie Moreton — Thu, 18 Jan 2024 16:49:52 GMT

use this:

authentication order mab dot1x

Re: Cisco Switch AAA Authencation

Mahendervyas35821 — Thu, 18 Jan 2024 16:58:03 GMT

Hi @Charlie Moreton

I tried this command as well.

It is of no use.

Even tried only mab.

Until i give authentication open command mab is not working.

Re: Cisco Switch AAA Authencation

Rob Ingram — Thu, 18 Jan 2024 17:00:28 GMT

@Mahendervyas35821 look in the ISE live logs and confirm what authorisation rule the MAB endpoints match, it must receive an access-accept.

Re: Cisco Switch AAA Authencation

Mahendervyas35821 — Thu, 18 Jan 2024 17:02:24 GMT

HI @Rob Ingram

If authentication session starts from Switc then ISE policy is matching and works, But authentication session is not starting until i configure authentication open command in Switch interface.

Re: Cisco Switch AAA Authencation

Rob Ingram — Thu, 18 Jan 2024 17:07:54 GMT

@Mahendervyas35821 provide screenshot of ISE live logs the endpoint matches.

From the switch please provide - "show authentication session interface x/y/z detail" when in closed mode and another in open mode for comparison.

Turn on aaa/radius debugs when in closed mode and provide the output.

Re: Cisco Switch AAA Authencation

MHM Cisco World — Thu, 18 Jan 2024 17:14:41 GMT

What is the source you use to connect to radius is it vlan 20 SVI?

MHM

Re: Cisco Switch AAA Authencation

Mahendervyas35821 — Fri, 19 Jan 2024 07:08:35 GMT

Hi @Rob Ingram

please find output of authentication open and closed status.

If authentication closed configured there is no authentication session starts.

Auth open status.

Auth close status.

Re: Cisco Switch AAA Authencation

MHM Cisco World — Fri, 19 Jan 2024 07:23:13 GMT

friend,
the only reason that in my mind you use VLAN 20 SVI to connect to AAA and this SVI is down when there are no L2 port in that VLAN.
so I will ask you again are you use VLAN20 as source ?
MHM

Re: Cisco Switch AAA Authencation

Mahendervyas35821 — Fri, 19 Jan 2024 07:48:08 GMT

@MHM Cisco World

Nothing to do with SVI, only issue with MAB.

Everything works fine if i use dot1x supplicant.If i use MAB supplicant then authentication does not start.

Even for MAB supplicant if i use authentication open command everything works fine but i dont want to keep authentication open.

i am not sure why your pointing this issue to SVI as there is nothing to do with SVI or L2 vlan, routing and SVI works fine.

Re: Cisco Switch AAA Authencation

MHM Cisco World — Fri, 19 Jan 2024 08:06:18 GMT

try below (you must sure that there is no client already authc/authz in this port )
interface Ethernet0/X
switchport access vlan 20
switchport mode access
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication control-direction both
authentication host-mode single
mab
dot1x pae authenticator

Re: Cisco Switch AAA Authencation

Mahendervyas35821 — Fri, 19 Jan 2024 08:13:48 GMT

@MHM Cisco World Tried this as well.

No luck same issue.

Authentication does not start.

Note :- this is lab environment with eve-ng

Re: Cisco Switch AAA Authencation

MHM Cisco World — Fri, 19 Jan 2024 08:16:41 GMT

first what you config is not same as I share
and if you use same command and
debug mab all <<- dont see any packets
then is eve-ng issue not your config issue

I see same issue week ago.
sorry this Virtual Lab limitation

MHM

Re: Cisco Switch AAA Authencation

Mahendervyas35821 — Fri, 19 Jan 2024 08:29:38 GMT

Hi Think its a EVE-NG limitations,

if i enable only MAB even then i dont see any packets.

Re: Cisco Switch AAA Authencation

MHM Cisco World — Fri, 19 Jan 2024 08:34:32 GMT

Yes, sorry for this bad news
have a nice weekend
MHM

Re: Cisco Switch AAA Authencation

Mahendervyas35821 — Fri, 19 Jan 2024 08:46:36 GMT

@MHM Cisco World Just wanted to know when you faced similar issue in lab, is it fixed for you.

Re: Cisco Switch AAA Authencation

MHM Cisco World — Fri, 19 Jan 2024 09:45:00 GMT

what is the ver. of Eve-ng you use ?
MHM