12-24-2020 03:56 AM
I have a WS-C2960CX-8PC-L running IOS 15.2(4)E2 with dot1x and MAB authentication schemes enabled.
We're trying to get MAB working with Microsoft NPS, and the NPS part looks good in the logs: the MAC address is looked up and the authorization profile is correct. But on the switch I get the following:
Dec 24 18:35:46: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Dec 24 18:35:46: RADIUS(00000000): Config NAS IP: 0.0.0.0
Dec 24 18:35:46: RADIUS(00000000): Config NAS IPv6: ::
Dec 24 18:35:46: RADIUS(00000000): sending
Dec 24 18:35:46: RADIUS/ENCODE: Best Local IP-Address 192.168.14.250 for Radius-Server 192.168.1.23
Dec 24 18:35:46: RADIUS(00000000): Send Access-Request to 192.168.1.23:1812 id 1645/93, len 264
Dec 24 18:35:46: RADIUS: authenticator 4D D3 2E AA 74 0B 3F 94 - B5 AB B5 B8 A2 2B 8D 90
Dec 24 18:35:46: RADIUS: User-Name [1] 14 "0017fcfbed38"
Dec 24 18:35:46: RADIUS: User-Password [2] 18 *
Dec 24 18:35:46: RADIUS: Service-Type [6] 6 Call Check [10]
Dec 24 18:35:46: RADIUS: Vendor, Cisco [26] 31
Dec 24 18:35:46: RADIUS: Cisco AVpair [1] 25 "service-type=Call Check"
Dec 24 18:35:46: RADIUS: Framed-MTU [12] 6 1500
Dec 24 18:35:46: RADIUS: Called-Station-Id [30] 19 "00-5F-86-55-39-87"
Dec 24 18:35:46: RADIUS: Calling-Station-Id [31] 19 "00-17-FC-FB-ED-38"
Dec 24 18:35:46: RADIUS: Message-Authenticato[80] 18
Dec 24 18:35:46: RADIUS: F5 9B EA 5F F4 B9 27 70 2A 5B BB 39 E7 A1 48 24 [ _'p*[9H$]
Dec 24 18:35:46: RADIUS: EAP-Key-Name [102] 2 *
Dec 24 18:35:46: RADIUS: Vendor, Cisco [26] 49
Dec 24 18:35:46: RADIUS: Cisco AVpair [1] 43 "audit-session-id=AC1E0EFA0000000C0001732A"
Dec 24 18:35:46: RADIUS: Vendor, Cisco [26] 18
Dec 24 18:35:46: RADIUS: Cisco AVpair [1] 12 "method=mab"
Dec 24 18:35:46: RADIUS: Framed-IP-Address [8] 6 192.168.15.5
Dec 24 18:35:46: RADIUS: NAS-IP-Address [4] 6 192.168.14.250
Dec 24 18:35:46: RADIUS: NAS-Port-Id [87] 20 "GigabitEthernet0/7"
Dec 24 18:35:46: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Dec 24 18:35:46: RADIUS: NAS-Port [5] 6 50107
Dec 24 18:35:46: RADIUS(00000000): Sending a IPv4 Radius Packet
Dec 24 18:35:46: RADIUS(00000000): Started 5 sec timeout
Dec 24 18:35:46: RADIUS: Received from id 1645/93 192.168.1.23:1812, Access-Accept, len 89
Dec 24 18:35:46: RADIUS: authenticator 14 19 9B 6F C7 C7 00 12 - 95 19 FA 84 14 8E C6 69
Dec 24 18:35:46: RADIUS: Service-Type [6] 6 Framed [2]
Dec 24 18:35:46: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
Dec 24 18:35:46: RADIUS: Ascend-Auth-Type [81] 5 858796096
Dec 24 18:35:46: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
Dec 24 18:35:46: RADIUS: Class [25] 46
Dec 24 18:35:46: RADIUS: A3 65 09 45 00 00 01 37 00 01 02 00 AC 1F 01 17 00 00 00 00 C4 9E 0B E7 3F 40 F0 06 01 D6 CF 4F F5 55 12 51 00 00 00 00 00 00 00 BB [ eE7?@OUQ]
Dec 24 18:35:46: RADIUS(00000000): Received from id 1645/93
Dec 24 18:35:46: RADIUS: unsupported value 858796096 in attribute 81
Dec 24 18:35:46: RADIUS/DECODE: Ascend auth type; FAIL
Dec 24 18:35:46: RADIUS/DECODE: decoder; FAIL
Dec 24 18:35:46: RADIUS/DECODE: attribute Ascend-Auth-Type; FAIL
Dec 24 18:35:46: RADIUS/DECODE: parse response op decode; FAIL
Dec 24 18:35:46: %MAB-5-FAIL: Authentication failed for client (0017.fcfb.ed38) on Interface Gi0/7 AuditSessionID AC1E0EFA0000000C0001732A
It recognizes attributes 64 and 65, but the Tunnel-Private-Group-ID that contains the actual VLAN number is unsupported.
RADIUS attribute 81 is "Tunnel-Private-Group-ID", but on my Cisco switch it is "Ascend-Auth-Type".
The other Cisco switches work correctly.
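Worked decoding of the failing attribute, added here as an editor's example and not code from the thread or from Cisco. The trace prints attribute 81 with length 5 and value 858796096; 858796096 is 0x33303040, i.e. the ASCII bytes "3", "0", "0" followed by 0x40, and 0x40 is exactly the Type octet of the next attribute in the trace (Tunnel-Type [64]). Since Length 5 means a 3-byte value, the server evidently sent the string "300" (no tag byte) and the switch read it as a 4-byte integer, running one byte into the following attribute. The script rebuilds the three tunnel attributes from the logged numbers, parses 81 both ways, and recovers the VLAN string from nothing but the two numbers in the log line. The byte layout, the VLAN value "300", and all function names are my reconstruction and assumptions. Separately, the decode lines name attribute 81 "Ascend-Auth-Type", which is an Ascend vendor-dictionary name, and the config posted later in the thread declares the server with the `non-standard` keyword, the IOS option for vendor-proprietary RADIUS attribute handling; whether that keyword is what differs from the working switches is something the poster can verify by comparing the `radius server` stanzas.

```python
"""Rebuild the Access-Accept tunnel attributes from the debug output and show why
attribute 81 decodes to 858796096 when read as an integer instead of a string.
Constructed example: the bytes are derived from the logged numbers, not captured."""
import struct

# RFC 2868 tunnel attribute numbers (standard dictionary).
TUNNEL_TYPE = 64              # trace: "Tunnel-Type [64] 6 00:VLAN [13]"
TUNNEL_MEDIUM_TYPE = 65       # trace: "Tunnel-Medium-Type [65] 6 00:ALL_802 [6]"
TUNNEL_PRIVATE_GROUP_ID = 81  # trace shows this switch naming it "Ascend-Auth-Type"

TUNNEL_TYPE_VLAN = 13   # value from the trace
TUNNEL_MEDIUM_802 = 6   # value from the trace


def tlv(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1) Value; Length includes the header."""
    return bytes([attr_type, len(value) + 2]) + value


def tagged_int(tag: int, n: int) -> bytes:
    """RFC 2868 tagged integer: 1 tag byte + 3 value bytes (length 6 on the wire)."""
    return bytes([tag]) + struct.pack(">I", n)[1:]


def build_accept_attributes(vlan_id: str = "300") -> bytes:
    """Attributes in the order the trace printed them. "300" is reconstructed:
    858796096 == 0x33303040 == b"300" + 0x40, and Length 5 means a 3-byte value."""
    return (
        tlv(TUNNEL_MEDIUM_TYPE, tagged_int(0, TUNNEL_MEDIUM_802))
        + tlv(TUNNEL_PRIVATE_GROUP_ID, vlan_id.encode("ascii"))
        + tlv(TUNNEL_TYPE, tagged_int(0, TUNNEL_TYPE_VLAN))
    )


def iter_attributes(data: bytes):
    """Walk the TLV list honouring each Length field; reject malformed lengths."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad length %d at offset %d" % (length, pos))
        yield attr_type, data[pos + 2 : pos + length]
        pos += length


def decode_tagged_string(value: bytes) -> tuple:
    """RFC 2868 s3.6: a leading byte <= 0x1F is a tag; anything else starts the string."""
    tag = None
    if value and value[0] <= 0x1F:
        tag, value = value[0], value[1:]
    return tag, value.decode("ascii")


def decode_tagged_integer(value: bytes) -> tuple:
    """Tag byte followed by a 3-byte big-endian integer."""
    return value[0], int.from_bytes(value[1:], "big")


def parse_standard(data: bytes) -> dict:
    """Standard dictionary: 81 is a string, 64 and 65 are tagged integers."""
    names = {
        TUNNEL_TYPE: ("Tunnel-Type", decode_tagged_integer),
        TUNNEL_MEDIUM_TYPE: ("Tunnel-Medium-Type", decode_tagged_integer),
        TUNNEL_PRIVATE_GROUP_ID: ("Tunnel-Private-Group-ID", decode_tagged_string),
    }
    out = {}
    for attr_type, value in iter_attributes(data):
        if attr_type in names:
            name, decoder = names[attr_type]
            out[name] = decoder(value)
    return out


def misparse_81_as_integer(data: bytes) -> int:
    """What an integer-typed dictionary entry for 81 yields: four bytes read from the
    start of the value, so with a 3-byte value the fourth byte is the Type octet of
    the next attribute in the buffer (0x40 = Tunnel-Type here)."""
    pos = 0
    while pos + 2 <= len(data):
        attr_type, length = data[pos], data[pos + 1]
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            return int.from_bytes(data[pos + 2 : pos + 6], "big")
        pos += length
    raise KeyError("attribute 81 not present")


def recover_string_from_logged_value(logged: int, logged_len: int) -> str:
    """Undo the misparse using only the numbers in the log line ("[81] 5 858796096"):
    back to 4 bytes, then keep Length minus the 2-byte header."""
    return logged.to_bytes(4, "big")[: logged_len - 2].decode("ascii")


if __name__ == "__main__":
    attrs = build_accept_attributes()
    print("standard parse:", parse_standard(attrs))
    print("integer misparse of 81:", misparse_81_as_integer(attrs))
    print("VLAN recovered from log line:", recover_string_from_logged_value(858796096, 5))
```

`recover_string_from_logged_value` is the part worth keeping at hand: given any "unsupported value N in attribute 81" line plus the printed length, it tells you what string the server actually sent, so you can confirm NPS is returning the intended VLAN before touching the switch side.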
12-24-2020 04:05 AM - edited 12-24-2020 04:06 AM
Not sure how your switch config looks; worth checking this blog:
https://mikepembo.wordpress.com/2016/11/07/dynamic-vlan-assignment-cisco-and-nps/comment-page-1/
This community thread also can help you:
If you still have the issue, provide the config of the switch.
12-24-2020 04:24 AM - edited 12-24-2020 04:27 AM
My config is correct and all the other switches work perfectly, but this switch is acting up.
Here is my switch configuration:
MY_Switch#sho run
Building configuration...
version 15.2
no service pad
service password-encryption
!
aaa group server radius SERVERS-GROUP
server name NPS_PRIMARY
!
aaa authentication login ADMIN-LOGIN group AAAG-ADMIN local
aaa authentication dot1x default group SERVERS-GROUP
aaa authorization console
aaa authorization exec ADMIN-LOGIN group AAAG-ADMIN local if-authenticated
aaa authorization network default group SERVERS-GROUP
aaa accounting dot1x default start-stop group SERVERS-GROUP
aaa accounting exec default start-stop group AAAG-ADMIN
aaa accounting system default start-stop group AAAG-ADMIN
!
!
!
dot1x system-auth-control
dot1x critical eapol
!
spanning-tree mode rapid-pvst
spanning-tree portfast edge bpduguard default
spanning-tree extend system-id
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause psecure-violation
errdisable recovery cause port-mode-failure
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause pppoe-ia-rate-limit
errdisable recovery cause mac-limit
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause inline-power
errdisable recovery cause arp-inspection
errdisable recovery cause loopback
errdisable recovery cause small-frame
errdisable recovery interval 1800
!
!
!
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet0/7
switchport access vlan 40
switchport mode access
switchport voice vlan 200
ip arp inspection limit rate 50
authentication event fail action next-method
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication timer reauthenticate 60
authentication timer restart 10
authentication timer inactivity 60
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x timeout supp-timeout 120
dot1x timeout held-period 20
storm-control broadcast level 15.00
storm-control multicast level 15.00
storm-control unicast level 90.00 65.00
storm-control action trap
spanning-tree portfast edge
spanning-tree bpduguard enable
ip verify source
ip dhcp snooping limit rate 50
!
interface GigabitEthernet0/12
description Uplink CoreSwitch
switchport mode trunk
ip arp inspection trust
ip dhcp snooping trust
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan250
ip address 192.168.14.250 255.255.255.128
no ip route-cache
!
ip default-gateway 192.168.14.254
ip forward-protocol nd
ip http server
ip http secure-server
!
ip ssh version 2
radius server NPS_PRIMARY
address ipv4 192.168.1.23 auth-port 1812 acct-port 1813
non-standard
key 7 xxxxxxxxxxxxxxxxxxxxxxx
!
12-24-2020 04:54 AM
What about the other switches that are working? What model and what version of code is that?
If that is the case, could it be a bug in "version 15.2"? Any chance to upgrade or downgrade and test it?
12-24-2020 05:16 AM
I have a WS-C2960S-48TS-L running IOS 12.2(55)SE3 and it is OK.
12-25-2020 06:44 PM
authentication order mab dot1x
authentication priority dot1x mab   <- change this to "authentication priority mab dot1x"
if some clients support only MAB and others support dot1x.