Authentication method ISE 2.4

BigK (Level 1)

Can someone please explain why the authentication details report shows the authentication method is MAB, but the switch shows it as dot1x? The phone's MAC is part of the MAB list, but the PC is part of AD. (Attached screenshot: dot1x showing as Mab.JPG)

5 Replies

Mike.Cifelli (VIP Alumni)
Can you share your interface configs? Can you also share the output of:
#show auth sess int g4/0/34 detail
My assumption is that you have configured something along these lines:
#authentication host-mode multi-auth
This lets you authenticate a client for the voice VLAN and several authenticated clients on the data VLAN.
OR
#authentication host-mode multi-domain
This lets you authenticate a host and a voice device on an 802.1X authenticated port.
Have you attempted to clear auth, then check the ISE live logs again to see if that has changed? Very strange.

Thanks for the quick reply, Mike.

Here is the output of show auth:
#show auth sess int g4/0/34 detail
Interface: GigabitEthernet4/0/34
IIF-ID: 0x469B67B0
MAC Address: a44c.c86e.5226
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: domain\user
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A166419000007A301B881B3
Acct Session ID: 0x000007d6
Handle: 0x72000799
Current Policy: POLICY_Gi4/0/34


Server Policies:
Security Policy: None
Security Status: Link Unsecured


Method status list:
Method State
mab Stopped
dot1x Authc Success

----------------------------------------

Interface: GigabitEthernet4/0/34
IIF-ID: 0x4B18BE9A
MAC Address: c4b9.cdb5.4b1c
IPv6 Address: Unknown
IPv4 Address: x.x.x.x
User-Name: C4-B9-CD-B5-4B-1C
Status: Authorized
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Common Session ID: 000000000000008943C9F979
Acct Session ID: 0x00000022
Handle: 0xc700007f
Current Policy: POLICY_Gi4/0/34


Server Policies:
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-57f6b0d3


Method status list:
Method State
mab Authc Success

For the data host, what supplicant are you using? What type of EAP protocol are you using for 802.1X? What was your result of running clear auth sess int g4/0/34? Do the ISE logs still report the same weirdness?
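The two session blocks BigK posted carry the answer in their "Method status list" (the DATA session shows mab Stopped and dot1x Authc Success; the VOICE session shows only mab Authc Success). As an added example, not code from this thread or from Cisco, here is a small parser for that `show authentication sessions interface ... detail` output that reports which method actually authorized each session. The sample input is the thread's output, abridged to the fields the parser uses; the field names and the "Authc Success" / "Stopped" state strings are taken from the posted output, and the dashed separator between sessions is assumed to be at least ten hyphens.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the two session blocks from the thread, abridged to the
# fields used below (the phone's IPv4 address was redacted in the original).
SAMPLE_OUTPUT = r"""
Interface: GigabitEthernet4/0/34
MAC Address: a44c.c86e.5226
User-Name: domain\user
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Common Session ID: 0A166419000007A301B881B3
Current Policy: POLICY_Gi4/0/34

Server Policies:
Security Policy: None
Security Status: Link Unsecured

Method status list:
Method State
mab Stopped
dot1x Authc Success

----------------------------------------

Interface: GigabitEthernet4/0/34
MAC Address: c4b9.cdb5.4b1c
User-Name: C4-B9-CD-B5-4B-1C
Status: Authorized
Domain: VOICE
Oper host mode: multi-domain
Common Session ID: 000000000000008943C9F979
Current Policy: POLICY_Gi4/0/34

Server Policies:
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-57f6b0d3

Method status list:
Method State
mab Authc Success
"""


@dataclass
class AuthSession:
    interface: str = ""
    mac: str = ""
    user_name: str = ""
    domain: str = ""
    host_mode: str = ""
    status: str = ""
    methods: dict = field(default_factory=dict)  # method name -> state string

    def active_method(self):
        """Method whose state is 'Authc Success', i.e. the one that authorized the session."""
        return next((m for m, s in self.methods.items() if s == "Authc Success"), None)

    def mab_then_dot1x(self):
        """True when MAB ran and was stopped while dot1x went on to succeed."""
        return self.methods.get("mab") == "Stopped" and self.methods.get("dot1x") == "Authc Success"


# "key: value" lines of interest -> AuthSession attribute
FIELD_MAP = {
    "Interface": "interface", "MAC Address": "mac", "User-Name": "user_name",
    "Domain": "domain", "Oper host mode": "host_mode", "Status": "status",
}


def parse_sessions(text):
    """Split the output on the dashed separator and parse each session block."""
    sessions = []
    for block in re.split(r"^-{10,}\s*$", text, flags=re.MULTILINE):
        if "Interface:" not in block:
            continue
        session = AuthSession()
        in_methods = False
        for raw in block.splitlines():
            line = raw.strip()
            if not line:
                continue
            if line.startswith("Method status list"):
                in_methods = True      # everything after this is "method state"
                continue
            if in_methods:
                if line.split() == ["Method", "State"]:
                    continue           # column header
                method, _, state = line.partition(" ")
                session.methods[method] = state.strip()
                continue
            key, sep, value = line.partition(":")
            attr = FIELD_MAP.get(key.strip())
            if sep and attr:
                setattr(session, attr, value.strip())
        sessions.append(session)
    return sessions


def describe(session):
    """One-line verdict to compare against what the ISE report claims."""
    if session.mab_then_dot1x():
        return f"{session.mac} ({session.domain}): MAB stopped, dot1x authorized '{session.user_name}'"
    return f"{session.mac} ({session.domain}): authorized by {session.active_method()}"


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_OUTPUT):
        print(describe(s))
```

Run against a full `show authentication sessions ... detail` capture, this separates "which method is currently holding the session" from "which methods were tried", which is exactly the distinction that makes the ISE report and the switch appear to disagree.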

Colby LeMaire (VIP Alumni)

The only thing that would make sense is that it is authenticating with MAB first and then 802.1x is kicking in and authenticating that way. ISE RADIUS Live Logs probably show both authentications as succeeded. Check the Live Logs and filter on the Endpoint ID (MAC address). This would happen if your interface configuration is set up to do MAB first with the command "authentication order mab dot1x". And then you probably have "authentication priority dot1x mab", which means that it will do MAB, but if an EAPOL frame is seen from the client, the switch will stop MAB immediately and start the dot1x process.


If you are doing IBNS 2.0, then the configuration is probably trying both MAB and 802.1x at the same time. Again, verify your ISE Live Logs to see if there are multiple entries for the same MAC address (Endpoint ID).
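Colby's two checks, filtering the Live Logs on the Endpoint ID and looking at the interface's authentication order and priority, can be scripted. The following is an added example and not code from this thread, from Cisco or from ISE: it groups constructed live-log rows by endpoint ID (normalizing the colon, dash and IOS dotted MAC formats so the switch output and the ISE view can be matched), lists endpoints that were authenticated by more than one method, and reads "authentication order" / "authentication priority" out of a constructed interface config to predict whether the MAB-then-dot1x pattern is expected. The live-log rows, the interface config and the assumption that missing order/priority lines mean the IOS default of "dot1x mab" are all mine, not BigK's.

```python
import re
from collections import defaultdict

# Constructed sample rows shaped like the columns of the ISE RADIUS Live Logs
# view (not exported from the thread's ISE). Two rows share the PC's endpoint ID.
LIVE_LOG = [
    {"time": "2019-05-01 09:00:01", "endpoint_id": "A4:4C:C8:6E:52:26",
     "identity": "A4-4C-C8-6E-52-26", "method": "mab", "status": "Passed"},
    {"time": "2019-05-01 09:00:03", "endpoint_id": "A4:4C:C8:6E:52:26",
     "identity": "domain\\user", "method": "dot1x", "status": "Passed"},
    {"time": "2019-05-01 09:00:01", "endpoint_id": "C4:B9:CD:B5:4B:1C",
     "identity": "C4-B9-CD-B5-4B-1C", "method": "mab", "status": "Passed"},
]

# Constructed interface configuration of the kind Colby describes; BigK's
# actual configuration was not posted in the thread.
SAMPLE_INTERFACE_CONFIG = """\
interface GigabitEthernet4/0/34
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
""".splitlines()


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF and the IOS aabb.ccdd.eeff form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def auth_history(rows):
    """Group live-log rows by endpoint ID, oldest first: mac -> [(method, status, identity), ...]."""
    history = defaultdict(list)
    for row in sorted(rows, key=lambda r: r["time"]):
        history[normalize_mac(row["endpoint_id"])].append(
            (row["method"], row["status"], row["identity"]))
    return dict(history)


def endpoints_with_multiple_methods(history):
    """Endpoint IDs that were authenticated by more than one method: the pattern to look for."""
    return sorted(mac for mac, h in history.items() if len({m for m, _, _ in h}) > 1)


def parse_flexauth(config_lines):
    """Return (order, priority) method lists from 'authentication order/priority' lines."""
    settings = {"order": None, "priority": None}
    for line in config_lines:
        m = re.match(r"\s*authentication (order|priority)\s+(\S.*)", line)
        if m:
            settings[m.group(1)] = m.group(2).split()
    return settings["order"], settings["priority"]


def expect_mab_then_dot1x(order, priority):
    """True when MAB starts first but dot1x outranks it, so an EAPOL frame from the
    client makes the switch stop MAB and run dot1x. Assumption: absent settings
    fall back to the IOS default of 'dot1x mab' for both order and priority."""
    order = order or ["dot1x", "mab"]
    priority = priority or ["dot1x", "mab"]
    if order[0] != "mab" or "dot1x" not in order or "dot1x" not in priority:
        return False
    return "mab" not in priority or priority.index("dot1x") < priority.index("mab")


if __name__ == "__main__":
    hist = auth_history(LIVE_LOG)
    for mac in endpoints_with_multiple_methods(hist):
        print(mac, "->", " then ".join(f"{m} ({s})" for m, s, _ in hist[mac]))
    order, priority = parse_flexauth(SAMPLE_INTERFACE_CONFIG)
    print("MAB-then-dot1x expected:", expect_mab_then_dot1x(order, priority))
```

With the sample data the PC's endpoint ID comes back with a MAB pass followed by a dot1x pass, and the sample config predicts exactly that sequence; an "authentication order dot1x mab" config, or a priority that puts mab ahead of dot1x, does not, which is the case where a second entry per endpoint would deserve a closer look.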

Thank you both Mike and Colby. Nice suggestions.


-Krishnan

