Beginner

Authentication method ISE 2.4

Can someone please explain why the authentication details report shows the authentication method is MAB, but the switch shows it as dot1x? The phone's MAC is part of the MAB list but the PC is part of AD. [Attached screenshot: dot1x showing as Mab.JPG]

5 Replies
Rising star

Re: Authentication method ISE 2.4

Can you share your interface configs? Can you also share the output of:
#show auth sess int g4/0/34 detail
My assumption is that you have configured something along these lines:
#authentication host-mode multi-auth
This lets you authenticate a client for the voice VLAN and several authenticated clients on the data VLAN.
OR
#authentication host-mode multi-domain
This lets you authenticate a host and a voice device on an 802.1X-authenticated port.
Have you attempted to clear auth, then check the ISE live logs again to see if that has changed? Very strange.
Beginner

Re: Authentication method ISE 2.4

Thanks for the quick reply, Mike.

Here is the output of show auth:
#show auth sess int g4/0/34 detail
Interface: GigabitEthernet4/0/34
IIF-ID: 0x469B67B0
MAC Address: a44c.c86e.5226
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: domain\user
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A166419000007A301B881B3
Acct Session ID: 0x000007d6
Handle: 0x72000799
Current Policy: POLICY_Gi4/0/34


Server Policies:
Security Policy: None
Security Status: Link Unsecured


Method status list:
Method State
mab Stopped
dot1x Authc Success

----------------------------------------

Interface: GigabitEthernet4/0/34
IIF-ID: 0x4B18BE9A
MAC Address: c4b9.cdb5.4b1c
IPv6 Address: Unknown
IPv4 Address: x.x.x.x
User-Name: C4-B9-CD-B5-4B-1C
Status: Authorized
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Common Session ID: 000000000000008943C9F979
Acct Session ID: 0x00000022
Handle: 0xc700007f
Current Policy: POLICY_Gi4/0/34


Server Policies:
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-57f6b0d3


Method status list:
Method State
mab Authc Success
Rising star

Re: Authentication method ISE 2.4

For the data host, what supplicant are you using? What type of EAP protocol are you using for 802.1X? What was your result of running clear auth sess int g4/0/34? Do the ISE logs still report the same weirdness?
Beginner

Re: Authentication method ISE 2.4

The only thing that would make sense is that it is authenticating with MAB first and then 802.1x is kicking in and authenticating that way. ISE RADIUS Live Logs probably show both authentications as succeeded. Check the Live Logs and filter on the Endpoint ID (MAC address). This would happen if your interface configuration is set up to do MAB first with the command "authentication order mab dot1x". And then you probably have "authentication priority dot1x mab", which means that it will do MAB, but if an EAPOL frame is seen from the client, the switch will stop MAB immediately and start the dot1x process.

If you are doing IBNS 2.0, then the configuration is probably trying both MAB and 802.1x at the same time. Again, verify your ISE Live Logs to see if there are multiple entries for the same MAC address (Endpoint ID).
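As an added example (not code from anyone in this thread), here is a small Python parser for the "show authentication sessions interface ... detail" output posted above that flags the "mab Stopped / dot1x Authc Success" pattern Colby describes, so each switch session can be compared with the entries ISE Live Logs holds for that MAC. The sample text is constructed from the output in the thread with fields trimmed, and the pattern names are this example's own labels, not switch or ISE terminology.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the "show authentication sessions
# interface ... detail" output posted in the thread (fields trimmed).
SAMPLE_OUTPUT = r"""
Interface: GigabitEthernet4/0/34
MAC Address: a44c.c86e.5226
User-Name: domain\user
Domain: DATA
Oper host mode: multi-domain
Method status list:
Method State
mab Stopped
dot1x Authc Success

----------------------------------------

Interface: GigabitEthernet4/0/34
MAC Address: c4b9.cdb5.4b1c
User-Name: C4-B9-CD-B5-4B-1C
Domain: VOICE
Oper host mode: multi-domain
Method status list:
Method State
mab Authc Success
"""

def parse_sessions(text: str) -> List[Dict]:
    """Split on the dashed separator; collect 'Key: value' fields and the method table."""
    sessions = []
    for chunk in re.split(r"^-{10,}$", text, flags=re.M):
        if not chunk.strip():
            continue
        sess: Dict = {"methods": {}}
        in_methods = False
        for line in (l.strip() for l in chunk.splitlines() if l.strip()):
            if line.startswith("Method status list"):
                in_methods = True
            elif in_methods and line != "Method State":
                name, _, state = line.partition(" ")  # e.g. "dot1x Authc Success"
                sess["methods"][name] = state
            elif ":" in line:
                key, _, val = line.partition(":")
                sess[key.strip()] = val.strip()
        sessions.append(sess)
    return sessions

def classify(sess: Dict) -> str:
    """Name the method-state pattern; the first one is the thread's puzzle."""
    m = sess["methods"]
    if m.get("mab") == "Stopped" and m.get("dot1x") == "Authc Success":
        return "mab-preempted-by-dot1x"  # MAB ran first, EAPOL seen, dot1x won
    if m.get("mab") == "Authc Success" and "dot1x" not in m:
        return "mab-only"
    if m.get("dot1x") == "Authc Success" and "mab" not in m:
        return "dot1x-only"
    return "other"

def diagnose(text: str) -> Dict[str, str]:
    """Map each session's MAC to its pattern for comparison with ISE Live Logs."""
    return {s["MAC Address"]: classify(s) for s in parse_sessions(text)}
```

A data host tagged "mab-preempted-by-dot1x" is exactly the case where the switch reports dot1x while an earlier MAB attempt for the same Endpoint ID may still appear in the ISE report.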

Cisco Employee

Re: Authentication method ISE 2.4

Thank you both, Mike and Colby. Nice suggestions.

-Krishnan