EVE-NG MAB not Working as expected

ryanmbess (Level 1)

I'm attempting to learn ISE. To start, I'm working on the basics of just getting Windows endpoints authenticated and authorized in ISE via 802.1x using PEAP (EAP-MSCHAPv2) and MAB. I have 3 Windows 11 PCs hooked into my lab; 2 of them have the supplicant enabled and the third doesn't. The two that have the supplicant enabled do EAP just fine and are properly authenticated/authorized. For the one that doesn't, when I do pcaps on the link with the below config, I NEVER see the switch attempt an EAPOL request to the endpoint. I've shut/no shut the interface countless times and nothing. The only way I can get MAB to work is by enabling authentication open. Even still, the switch doesn't do any sort of EAPOL start request against the Windows 11 endpoint. Is anyone else seeing this in their labs? I have dot1x system-auth-control enabled. Any ideas?

Images attempted:

1. Cisco IOS Software, Linux Software (I86BI_LINUXL2-ADVENTERPRISEK9-M), Version 15.2(CML_NIGHTLY_20180510)FLO_DSGS7, EARLY DEPLOYMENT DEVELOPMENT BUILD, synced to V152_6_0_81_E
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Thu 10-May-18 02:45 by mmen

2. Cisco IOS Software, vios_l2 Software (vios_l2-ADVENTERPRISEK9-M), Experimental Version 15.2(20200924:215240) [sweickge-sep24-2020-l2iol-release 135]
Copyright (c) 1986-2020 by Cisco Systems, Inc.
Compiled Tue 29-Sep-20 11:53 by sweickge

switch config:

version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname sw
!
boot-start-marker
boot-end-marker
!
!
enable password password
!
username admin privilege 15 password 0 password
aaa new-model
!
!
aaa group server radius ise-group
server name ise
ip radius source-interface Vlan1
!
aaa authentication login console local
aaa authentication login vty local
aaa authentication enable default enable
aaa authentication dot1x default group ise-group
aaa authorization exec default local
aaa authorization exec vty local
aaa authorization network default group ise-group
aaa authorization auth-proxy default group ise-group
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group ise-group
aaa accounting dot1x default start-stop group ise-group
!
!
!
!
!
aaa server radius dynamic-author
client 172.255.255.251 server-key Iseradius
!
aaa session-id common
!
device-sensor filter-list dhcp list dhcp-list
option name host-name
option name domain-name
option number 50
option name parameter-request-list
option name class-identifier
option name client-identifier
!
device-sensor filter-list lldp list lldp-list
tlv name chassis-id
tlv name management-address
tlv number 28
!
device-sensor filter-list cdp list cdp-list
tlv name device-name
tlv name address-type
tlv number 34
device-sensor filter-spec dhcp include list dhcp-list
device-sensor filter-spec lldp include list lldp-list
device-sensor filter-spec cdp include list cdp-list
device-sensor accounting
device-sensor notify all-changes
!
!
!
!
!
!
!
!
ip domain-name lab.com
ip name-server 172.255.255.250
ip device tracking probe auto-source
ip cef
no ipv6 cef
!
!
dot1x system-auth-control
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
!
interface GigabitEthernet0/1
description Win11-1
switchport mode access
authentication event fail action next-method
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
description Win11-2
switchport mode access
authentication event fail action next-method
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface GigabitEthernet0/3
description Win11-1
switchport mode access
authentication event fail action next-method
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-reauth-req 3
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Vlan1
ip address 172.255.254.3 255.255.255.0
!
ip default-gateway 172.255.254.1
ip forward-protocol nd
!
ip http server
!
ip route 0.0.0.0 0.0.0.0 172.255.254.1
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
!
ip radius source-interface Vlan1
!
!
snmp-server trap-source Vlan1
snmp-server source-interface informs Vlan1
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria tries 3
radius-server deadtime 3
!
radius server ise
address ipv4 172.255.255.251 auth-port 1812 acct-port 1813
key Iseradius
!
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
!
!
!
end
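One thing worth checking in the capture before blaming the image: the authenticator (the switch) never sends EAPOL-Start. EAPOL-Start is a supplicant-to-authenticator frame. What the switch sends on link-up is an EAP-Request/Identity carried in an EAPOL EAP-Packet frame (EtherType 0x888E, EAPOL type 0, EAP code 1, EAP type 1). The following is an added example, not code from the original post, that classifies EAPOL frames from a libpcap file or from raw Ethernet bytes and reports whether any EAP-Request/Identity was seen. The two sample frames at the bottom are constructed for the example; the source MAC 5000.000a.0001 for the switch is an assumption, while 5000.000b.0000 is the endpoint MAC from the session output later in this thread.

```python
"""Classify EAPOL frames and check whether the authenticator ever started 802.1X.

Added example; not part of the original post. Reads a libpcap file (link type
Ethernet) with the standard library only, or works on raw frame bytes.
"""
import struct

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 01:80:c2:00:00:03, IEEE 802.1X PAE group address
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "NAK", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def classify_frame(frame: bytes):
    """Return a dict describing an EAPOL frame, or None if the frame is not EAPOL."""
    if len(frame) < 18:
        return None
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != EAPOL_ETHERTYPE:
        return None
    _version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    info = {
        "src": src.hex(":"),
        "dst": dst.hex(":"),
        "eapol": EAPOL_TYPES.get(eapol_type, f"type{eapol_type}"),
    }
    # Only EAP-Packet frames carry an EAP header (code, id, length, [type]).
    if eapol_type == 0 and body_len >= 4 and len(frame) >= 22:
        code, ident, eap_len = struct.unpack("!BBH", frame[18:22])
        info["eap"] = EAP_CODES.get(code, f"code{code}")
        info["id"] = ident
        if code in (1, 2) and eap_len >= 5 and len(frame) >= 23:
            info["eap_type"] = EAP_TYPES.get(frame[22], f"type{frame[22]}")
    return info


def authenticator_started_dot1x(frames) -> bool:
    """True if any frame is an EAP-Request/Identity, i.e. the switch did start 802.1X."""
    for frame in frames:
        info = classify_frame(frame)
        if info and info.get("eap") == "Request" and info.get("eap_type") == "Identity":
            return True
    return False


def read_pcap(path):
    """Minimal libpcap reader; yields raw Ethernet frames. Handles both byte orders."""
    with open(path, "rb") as fh:
        header = fh.read(24)
        (magic,) = struct.unpack("<I", header[:4])
        endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
        while True:
            rec = fh.read(16)
            if len(rec) < 16:
                return
            _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", rec)
            yield fh.read(incl_len)


def build_eapol(src: bytes, eapol_type: int, eap_body: bytes = b"") -> bytes:
    """Construct an EAPOL frame to the PAE group address (used for the sample data only)."""
    eth = PAE_GROUP_ADDR + src + struct.pack("!H", EAPOL_ETHERTYPE)
    return eth + struct.pack("!BBH", 2, eapol_type, len(eap_body)) + eap_body


# Constructed sample capture. SWITCH_MAC is an assumption; HOST_MAC is the endpoint
# MAC shown in the thread's "show authentication sessions" output.
SWITCH_MAC = bytes.fromhex("5000000a0001")
HOST_MAC = bytes.fromhex("5000000b0000")
REQ_IDENTITY = struct.pack("!BBHB", 1, 1, 5, 1)   # EAP Request, id 1, length 5, type Identity
SAMPLE_CAPTURE = [
    build_eapol(SWITCH_MAC, 0, REQ_IDENTITY),   # what the authenticator sends at link-up
    build_eapol(HOST_MAC, 1),                   # EAPOL-Start: only a supplicant sends this
]

if __name__ == "__main__":
    import sys
    frames = list(read_pcap(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_CAPTURE
    for f in frames:
        info = classify_frame(f)
        if info:
            print(info)
    print("authenticator sent EAP-Request/Identity:", authenticator_started_dot1x(frames))
```

Run it against the EVE-NG capture (`python3 eapol_check.py link.pcap`). If it prints no EAP-Request/Identity from the switch within a few tx-period intervals of link-up, the authenticator state machine on that port really is not running, which is the symptom described above.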

14 Replies

show authentication session interface x/x <<- share this when 802.1x does not work
MHM

Hello @MHM Cisco World thanks for helping.  Here is the data.  

Currently Gi0/3 has authentication open. This results in the below. During the session below I was running a pcap within EVE-NG and at no time did G0/3 ever initiate any sort of EAPOL message to the Windows 11 computer connected to it. Am I correct in that the switch should always attempt to do 802.1x with the endpoint regardless of whether authentication open is enabled or not?

show authentication sessions interface G0/3.

Interface Identifier Method Domain Status Fg Session ID
-----------------------------------------------------------------------------
Gi0/3 5000.000b.0000 mab DATA Auth ACFFFE030000000F0064D8B2


Key to Session Events Blocked Status Flags:

A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
N - Waiting for AAA to come up
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker

Runnable methods list:
Handle Priority Name
7 0 dot1xSupp
6 5 dot1x
11 10 mab
9 15 webauth

With no authentication open on the interface and doing a shut > no shut OR removing the cable and adding it back, we again see no EAPOL packets being sent to the device. This results in the below. I did wait ~5 minutes before running this command just to ensure all timers had the ability to expire and run again.

#show authentication sessions interface G0/3
No sessions match supplied criteria.

Runnable methods list:
Handle Priority Name
7 0 dot1xSupp
6 5 dot1x
11 10 mab
9 15 webauth

A lot of the videos I see around EVE-NG and 802.1x say to put authentication open on the interface. This does seem to result in a valid MAB auth; however, I believe most of those videos are not digging into what is happening (i.e. you don't see the switch doing the EAPOL message to the endpoint connected to it, which it should).

show authentication sessions interface G0/3 details <<- I need to see this in both cases, when it works and when it does not work
MHM

With details:

With authentication open: see the attached file "authentication open ise". While the switch says it is not authorized, from the ISE perspective it shows as permit.

*Jan 10 14:20:30.214: %MAB-5-FAIL: Authentication failed for client (5000.000b.0000) on Interface Gi0/3 AuditSessionID ACFFFE0300000012005D173A
#show authentication sessions interface G0/3 details
Interface: GigabitEthernet0/3
MAC Address: 5000.000b.0000
IPv6 Address: Unknown
IPv4 Address: 172.255.254.6
User-Name: 5000000b0000
Status: Unauthorized
Domain: UNKNOWN
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Restart timeout: 60s (local), Remaining: 12s
Periodic Acct timeout: N/A
Session Uptime: 124s
Common Session ID: ACFFFE0300000012005D173A
Acct Session ID: Unknown
Handle: 0x37000006
Current Policy: POLICY_Gi0/3

Method status list:
Method State

dot1x Stopped
mab Stopped

with no authentication open:

show authentication sessions interface gi0/3 details
No sessions match supplied criteria.

see other comment 
MHM

Friend, does the ping from VLAN1 to ISE succeed?
The SW VLAN1 and ISE are in different subnets;
you use a default route but you don't use ip routing.

This reachability is what makes me think so: Authz failed, Auth only works with auth open, and both 802.1x and mab are stopped.


MHM

Hey MHM,

Reachability isn't the issue. The issue is that the switch the endpoint (Windows 11) is connected to NEVER attempts to do an EAPOL request to the endpoint if authentication open is NOT enabled.

I should be able to just plug in a printer (for example) and the switch should see the interface go link up, and that should trigger the 802.1x authentication where the interface attempts to do an EAPOL start. BUT because it's a printer, there's no supplicant running, the 802.1x should time out and it should then resort to MAB. With the port NOT set to authentication open this process doesn't happen. That's what I'm trying to troubleshoot: why do I never see the switch attempting an EAPOL start.
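The sequence described above has a fixed timing on IOS: the authenticator sends EAP-Request/Identity at link-up, retransmits it every tx-period seconds up to max-reauth-req times, and only then declares the dot1x timeout and moves to the next method in `authentication order`. The time from link-up to the first MAB Access-Request is therefore tx-period × (max-reauth-req + 1). The following is an added example (not code from this thread) that models that timeline for the interface settings in the posted config: Gi0/1 and Gi0/2 have `dot1x timeout tx-period 10` with the IOS default `max-reauth-req 2`, Gi0/3 adds `dot1x max-reauth-req 3`. The event strings are descriptive labels chosen for the example, not IOS log messages.

```python
"""Model the IOS 802.1X -> MAB fallback timeline for a port with no supplicant.

Added example; not from the original thread. The timing relation used here is the
documented IOS behaviour: dot1x gives up after (max-reauth-req + 1) * tx-period seconds.
"""
from dataclasses import dataclass


@dataclass
class PortAuthConfig:
    tx_period: int = 30              # dot1x timeout tx-period (IOS default: 30 s)
    max_reauth_req: int = 2          # dot1x max-reauth-req (IOS default: 2)
    order: tuple = ("dot1x", "mab")  # authentication order
    auth_open: bool = False          # authentication open (traffic allowed before auth)


def dot1x_fallback_delay(cfg: PortAuthConfig) -> int:
    """Seconds from link-up until dot1x times out and the next method starts."""
    return cfg.tx_period * (cfg.max_reauth_req + 1)


def simulate_link_up(cfg: PortAuthConfig, has_supplicant: bool):
    """Return a list of (seconds_after_link_up, event) for one port after link-up."""
    events = [(0, "link up; authenticator sends EAP-Request/Identity")]
    if cfg.auth_open:
        events.append((0, "authentication open: data traffic is forwarded while unauthenticated"))
    if has_supplicant:
        events.append((0, "supplicant answers EAP-Response/Identity; PEAP (EAP-MSCHAPv2) proceeds"))
        return events

    t = 0
    for n in range(1, cfg.max_reauth_req + 1):
        t += cfg.tx_period
        events.append((t, f"no response; retransmit EAP-Request/Identity ({n}/{cfg.max_reauth_req})"))
    t += cfg.tx_period
    events.append((t, "dot1x timeout"))

    # 'authentication event fail action next-method' / timeout: fall through the order list.
    idx = cfg.order.index("dot1x")
    if idx + 1 < len(cfg.order):
        nxt = cfg.order[idx + 1]
        events.append((t, f"next method: {nxt} sends RADIUS Access-Request with User-Name = MAC"))
    else:
        events.append((t, "no further method; port stays unauthorized"))
    return events


def next_method_start(cfg: PortAuthConfig) -> int:
    """Time at which the post-dot1x method (MAB here) first sends to the AAA server."""
    return simulate_link_up(cfg, has_supplicant=False)[-1][0]


# The three access ports from the posted configuration.
GI0_1 = PortAuthConfig(tx_period=10)                                  # max-reauth-req left at default 2
GI0_3 = PortAuthConfig(tx_period=10, max_reauth_req=3, auth_open=True)

if __name__ == "__main__":
    for name, cfg in (("Gi0/1 (supplicant)", GI0_1), ("Gi0/3 (no supplicant)", GI0_3)):
        print(name)
        for t, ev in simulate_link_up(cfg, has_supplicant=name.startswith("Gi0/1")):
            print(f"  t+{t:>3}s  {ev}")
```

With these values MAB should start about 30 s after link-up on Gi0/1 and about 40 s on Gi0/3, so a 5-minute wait, as in the post above, is more than enough; if no EAP-Request/Identity appears in the capture at all during that window, the authenticator is not running on the port rather than merely waiting on a timer.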

Yes, it does not start 802.1x, but at least it starts MAB.
For the PC both are shown as stopped.
Did you check pinging the server using the VLAN?
MHM

Yup, ping works.

#ping 172.255.255.251 source vlan1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.255.255.251, timeout is 2 seconds:
Packet sent with a source address of 172.255.254.3
!!!!.
Success rate is 80 percent (4/5), round-trip min/avg/max = 2/2/4 ms

1- debug dot1x packet
then disable it and enable the one below
2- debug dot1x error
Share it.

MHM

ryanmbess (Level 1)

Appreciate your willingness to help. I'm going to move on and accept that it's something with the virtual setup. Ultimately, do I understand correctly that anything I plug into the switch (on an 802.1x enabled port) should do an EAPOL start with that endpoint, go through its 802.1x stuff, realize the endpoint doesn't have a supplicant and then switch to MAB?

You are correct.
It must switch to MAB and send the MAC of the PC to ISE (AAA server). If you don't see anything in debug,
then surely there is an issue with the virtual lab.
Your config is correct and the SW must send the packet to ISE.
MHM

Thanks... just gonna move on to posturing/profiling etc. We are working on getting physical gear for a lab at work so should be able to test on real equipment soon.

Again thanks for chiming in on everything.  Have a good day. 

You are so welcome.
Have a nice day, you too.

MHM