01-09-2024 07:36 PM
I'm attempting to learn ISE. To start, I'm working on the basics of just getting Windows endpoints authenticated and authorized in ISE via 802.1X using PEAP (EAP-MSCHAPv2) and MAB. I have 3 Windows 11 PCs hooked into my lab; 2 of them have the supplicant enabled and the third doesn't. The two that have the supplicant enabled do EAP just fine and are properly authenticated/authorized. For the one that doesn't, when I do pcaps on the link with the below config, I NEVER see the switch attempt an EAPoL request to the endpoint. I've shut/no shut the interface countless times and nothing. The only way I can get MAB to work is by enabling authentication open. Even still, the switch doesn't do any sort of EAPoL start request against the Windows 11 endpoint. Is anyone else seeing this in their labs? I have dot1x system-auth-control enabled. Any ideas?
Images attempted:
1. Cisco IOS Software, Linux Software (I86BI_LINUXL2-ADVENTERPRISEK9-M), Version 15.2(CML_NIGHTLY_20180510)FLO_DSGS7, EARLY DEPLOYMENT DEVELOPMENT BUILD, synced to V152_6_0_81_E
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Thu 10-May-18 02:45 by mmen
2. Cisco IOS Software, vios_l2 Software (vios_l2-ADVENTERPRISEK9-M), Experimental Version 15.2(20200924:215240) [sweickge-sep24-2020-l2iol-release 135]
Copyright (c) 1986-2020 by Cisco Systems, Inc.
Compiled Tue 29-Sep-20 11:53 by sweickge
switch config:
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname sw
!
boot-start-marker
boot-end-marker
!
!
enable password password
!
username admin privilege 15 password 0 password
aaa new-model
!
!
aaa group server radius ise-group
server name ise
ip radius source-interface Vlan1
!
aaa authentication login console local
aaa authentication login vty local
aaa authentication enable default enable
aaa authentication dot1x default group ise-group
aaa authorization exec default local
aaa authorization exec vty local
aaa authorization network default group ise-group
aaa authorization auth-proxy default group ise-group
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group ise-group
aaa accounting dot1x default start-stop group ise-group
!
!
!
!
!
aaa server radius dynamic-author
client 172.255.255.251 server-key Iseradius
!
aaa session-id common
!
device-sensor filter-list dhcp list dhcp-list
option name host-name
option name domain-name
option number 50
option name parameter-request-list
option name class-identifier
option name client-identifier
!
device-sensor filter-list lldp list lldp-list
tlv name chassis-id
tlv name management-address
tlv number 28
!
device-sensor filter-list cdp list cdp-list
tlv name device-name
tlv name address-type
tlv number 34
device-sensor filter-spec dhcp include list dhcp-list
device-sensor filter-spec lldp include list lldp-list
device-sensor filter-spec cdp include list cdp-list
device-sensor accounting
device-sensor notify all-changes
!
!
!
!
!
!
!
!
ip domain-name lab.com
ip name-server 172.255.255.250
ip device tracking probe auto-source
ip cef
no ipv6 cef
!
!
dot1x system-auth-control
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
!
interface GigabitEthernet0/1
description Win11-1
switchport mode access
authentication event fail action next-method
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
description Win11-2
switchport mode access
authentication event fail action next-method
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface GigabitEthernet0/3
description Win11-1
switchport mode access
authentication event fail action next-method
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-reauth-req 3
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Vlan1
ip address 172.255.254.3 255.255.255.0
!
ip default-gateway 172.255.254.1
ip forward-protocol nd
!
ip http server
!
ip route 0.0.0.0 0.0.0.0 172.255.254.1
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
!
ip radius source-interface Vlan1
!
!
snmp-server trap-source Vlan1
snmp-server source-interface informs Vlan1
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria tries 3
radius-server deadtime 3
!
radius server ise
address ipv4 172.255.255.251 auth-port 1812 acct-port 1813
key Iseradius
!
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
!
!
!
end
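A way to check a capture for the exchange the question describes, as an added example that is not part of the original post: on a port that is actually running 802.1X the switch (authenticator) sends EAP-Request/Identity on its own, and a host with no supplicant never sends EAPOL-Start, so the switch's Request/Identity frames are the only EAPOL traffic expected on Gi0/3 before the dot1x timeout and the MAB fallback. The classifier below decodes raw Ethernet frames (EtherType 0x888E, EAPOL header, EAP header) and reports which side is silent. The MAC addresses and both captures are constructed for illustration; to use it on a real pcap, feed it the raw frames from a pcap reader.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
ETHERTYPE_ARP = 0x0806
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 01:80:C2:00:00:03, the 802.1X PAE group address

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def mac(text):
    """'0011.2233.4455' or '00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(".", "").replace(":", ""))


def eap_packet(code, identifier, eap_type=None, data=b""):
    """EAP packet (RFC 3748): code, identifier, length, then type + data for Request/Response."""
    payload = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def eapol_frame(src, dst, eapol_type, body=b"", version=1):
    """EAPOL PDU (IEEE 802.1X: version, type, length, body) in an Ethernet II frame, EtherType 0x888E."""
    header = struct.pack("!H", ETHERTYPE_EAPOL) + struct.pack("!BBH", version, eapol_type, len(body))
    return dst + src + header + body


def classify(frame):
    """Describe one Ethernet frame as a dict, or return None when it is not EAPOL."""
    if len(frame) < 18:
        return None
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        return None
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    info = {"src": src.hex(":"), "dst": dst.hex(":"), "version": version,
            "eapol": EAPOL_TYPES.get(eapol_type, "Unknown(%d)" % eapol_type)}
    if eapol_type == 0 and len(body) >= 4:  # EAP-Packet: decode the EAP header it carries
        code, identifier, eap_len = struct.unpack("!BBH", body[:4])
        info["eap_code"] = EAP_CODES.get(code, "Unknown(%d)" % code)
        info["eap_id"] = identifier
        if code in (1, 2) and eap_len >= 5 and len(body) >= 5:
            info["eap_type"] = EAP_TYPES.get(body[4], "Unknown(%d)" % body[4])
            info["eap_data"] = body[5:eap_len]
    return info


def port_summary(frames, switch_mac):
    """Count the 802.1X frames seen on one link and say which side is silent."""
    counts = {"eapol_start": 0, "identity_request": 0, "identity_response": 0, "other_eapol": 0}
    for frame in frames:
        info = classify(frame)
        if info is None:
            continue
        if info["eapol"] == "EAPOL-Start":
            counts["eapol_start"] += 1
        elif info.get("eap_type") == "Identity" and info["eap_code"] == "Request" and info["src"] == switch_mac.hex(":"):
            counts["identity_request"] += 1
        elif info.get("eap_type") == "Identity" and info["eap_code"] == "Response":
            counts["identity_response"] += 1
        else:
            counts["other_eapol"] += 1
    if counts["identity_request"] == 0:
        counts["verdict"] = ("switch never sent EAP-Request/Identity: 802.1X is not running on this port "
                             "(switch side: dot1x pae authenticator, dot1x system-auth-control, image)")
    elif counts["identity_response"] == 0:
        counts["verdict"] = ("switch requests identity but the host never answers: no supplicant; "
                             "expect dot1x to give up after tx-period x (max-reauth-req + 1) and fall back to MAB")
    else:
        counts["verdict"] = "802.1X exchange in progress"
    return counts


# Constructed addresses: the switch port (authenticator) and two Windows hosts.
SWITCH = mac("0011.2233.4455")
HOST_SUPPLICANT = mac("0022.3344.5566")
HOST_NO_SUPPLICANT = mac("0033.4455.6677")

# Constructed capture from a working port (Gi0/1): Start, Request/Identity, Response/Identity, PEAP.
CAPTURE_GI0_1 = [
    eapol_frame(HOST_SUPPLICANT, PAE_GROUP_ADDR, 1),
    eapol_frame(SWITCH, PAE_GROUP_ADDR, 0, eap_packet(1, 1, 1)),
    eapol_frame(HOST_SUPPLICANT, PAE_GROUP_ADDR, 0, eap_packet(2, 1, 1, b"lab\\user1")),
    eapol_frame(SWITCH, PAE_GROUP_ADDR, 0, eap_packet(1, 2, 25)),
]
# Constructed capture from the problem port (Gi0/3): the host only ARPs and the switch never sends EAPOL.
CAPTURE_GI0_3 = [
    b"\xff" * 6 + HOST_NO_SUPPLICANT + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28,
]

if __name__ == "__main__":
    for name, capture in (("Gi0/1", CAPTURE_GI0_1), ("Gi0/3", CAPTURE_GI0_3)):
        print(name, port_summary(capture, SWITCH))
```

The verdict strings only separate "switch is silent" from "host is silent"; a silent switch with the port config shown above points at the platform rather than the host, which is what the reply below concludes.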
02-17-2025 01:52 PM - edited 02-17-2025 01:53 PM
The main issue is the virtual lab. The workaround for your case is to use the legacy configuration commands when you need to connect to a RADIUS server:
replace the following configuration:
radius server ise
address ipv4 172.255.255.251 auth-port 1812 acct-port 1813
key Iseradius
!
aaa group server radius ise-group
server name ise
ip radius source-interface Vlan1
!
aaa authentication dot1x default group ise-group
aaa authorization network default group ise-group
aaa authorization auth-proxy default group ise-group
aaa accounting auth-proxy default start-stop group ise-group
aaa accounting dot1x default start-stop group ise-group
!
with this configuration:
radius-server host 172.255.255.251 auth-port 1812 acct-port 1813 key Cisco
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
It should work for you because it did for me (I'm using EVE-NG, except for ISE, which is deployed on a VM):
Switch#show authentication sessions
Interface  MAC Address     Method  Domain  Status         Session ID
Et0/0      5001.0003.0000  dot1x   DATA    Authz Success  C0A80AFD000000050016111A
Good luck
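As an added example, not part of the reply above and not a Cisco tool: a small Python check that parses an IOS running-config, flags the per-port and global conditions that stop a switch from ever sending EAP-Request/Identity (or that quietly weaken the port), and mechanically produces the legacy radius-server form the reply suggests, carrying over the original shared secret rather than substituting a new one. The sample config is a constructed, trimmed version of the one in the question, with GigabitEthernet0/3 deliberately missing dot1x pae authenticator so the check has something to find; the parser only understands one level of indentation.

```python
import re


def parse_ios(text):
    """Split an IOS running-config into (command, [sub-commands]) pairs in order.
    Constructed for this check only: one level of indentation, '!' separators ignored."""
    blocks = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def lint_dot1x(text):
    """Findings that would stop a port from ever sending EAP-Request/Identity, or that weaken it."""
    blocks = parse_ios(text)
    top = {cmd for cmd, _ in blocks}
    findings = []
    if "aaa new-model" not in top:
        findings.append("global: missing 'aaa new-model' (the method lists are not in effect)")
    if "dot1x system-auth-control" not in top:
        findings.append("global: missing 'dot1x system-auth-control' (802.1X globally off, no EAPOL is sent)")
    groups = {cmd.split()[-1] for cmd, _ in blocks if cmd.startswith("aaa group server radius ")}
    if not any(cmd.startswith(("radius server ", "radius-server host ")) for cmd, _ in blocks):
        findings.append("global: no RADIUS server ('radius server <name>' or 'radius-server host')")
    auth = [cmd for cmd, _ in blocks if cmd.startswith("aaa authentication dot1x default group ")]
    if not auth:
        findings.append("global: no 'aaa authentication dot1x default group ...' method list")
    elif auth[0].split()[-1] not in groups | {"radius"}:
        findings.append("global: dot1x method list points at undefined group '%s'" % auth[0].split()[-1])
    for cmd, sub in blocks:
        if not cmd.startswith("interface ") or "authentication port-control auto" not in sub:
            continue
        port = cmd.split(None, 1)[1]
        if "dot1x pae authenticator" not in sub:
            findings.append(port + ": port-control auto without 'dot1x pae authenticator' (no EAP-Request/Identity)")
        order = next((s for s in sub if s.startswith("authentication order")), "")
        if "mab" in order.split() and "mab" not in sub:
            findings.append(port + ": 'mab' listed in authentication order but not enabled on the port")
        if "authentication open" in sub:
            findings.append(port + ": 'authentication open' forwards traffic regardless of the auth result (monitor mode)")
    return findings


def to_legacy_radius(text):
    """Rewrite 'radius server <name>' + 'aaa group server radius <grp>' into the legacy
    'radius-server host ... key ...' form and point the method lists at 'group radius',
    keeping the original shared secret. Mirrors the reply's workaround; not Cisco tooling."""
    blocks = parse_ios(text)
    groups, source_if, lines = set(), [], []
    for cmd, sub in blocks:
        if cmd.startswith("aaa group server radius "):
            groups.add(cmd.split()[-1])
            source_if += [s for s in sub if s.startswith("ip radius source-interface ")]
    for cmd, sub in blocks:
        if cmd.startswith("radius server "):
            addr = next((s for s in sub if s.startswith("address ipv4 ")), None)
            key = next((s for s in sub if s.startswith("key ")), None)
            if addr and key:
                lines.append("radius-server host " + addr.split(None, 2)[2] + " " + key)
            continue
        if cmd.startswith("aaa group server radius "):
            continue  # the group is dropped; its source-interface line is re-added globally below
        for grp in groups:
            cmd = re.sub(r"\bgroup " + re.escape(grp) + r"\b", "group radius", cmd)
        lines.append(cmd)
        lines.extend(" " + s for s in sub)
    for s in source_if:
        if s not in lines:
            lines.append(s)
    return "\n".join(lines) + "\n"


# Constructed, trimmed version of the question's config; Gi0/3 here deliberately lacks 'dot1x pae authenticator'.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius ise-group
 server name ise
 ip radius source-interface Vlan1
aaa authentication dot1x default group ise-group
aaa authorization network default group ise-group
aaa accounting dot1x default start-stop group ise-group
dot1x system-auth-control
interface GigabitEthernet0/1
 switchport mode access
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
interface GigabitEthernet0/3
 switchport mode access
 authentication open
 authentication order dot1x mab
 authentication port-control auto
 mab
radius server ise
 address ipv4 172.255.255.251 auth-port 1812 acct-port 1813
 key Iseradius
"""

if __name__ == "__main__":
    for finding in lint_dot1x(SAMPLE_CONFIG):
        print(finding)
    print(to_legacy_radius(SAMPLE_CONFIG))
```

Two caveats when reading the output. The check only finds configuration causes; the port config in the question passes it, which is consistent with the reply's conclusion that the image, not the config, is at fault. And authentication open is flagged on purpose: it puts the port in open (monitor) mode, where traffic is forwarded whether or not dot1x or MAB succeeds, so it makes MAB appear to "work" without the switch doing anything different on the wire.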