06-24-2019 08:40 AM
Hi,
Could you help me clarify the below:
1) MAB and 802.1x authentication methods for Alcatel switch 6250 did not work well.
Basically, if the Alcatel switch authenticates the endpoint with the MAB method against the ISE internal database, it will not include the MAC address of the endpoint in the Calling-Station-ID attribute. ISE shows in the real-time logs the identity field of the user as a MAC address, but the endpoint MAC address is blank... From the detailed report we are able to see that the MAB authentication was detected by ISE correctly (host lookup).
What is happening?
2) Due to our configuration of the policy set, we are comparing the endpoint custom attribute named "LOCATION" against the NAD attribute "software version". If those attributes match, we allow the endpoint to connect to the network. This is not working in the Alcatel 6250 case. We see that ISE is trying to retrieve the custom endpoint attribute "LOCATION" twice, but with no success. This seems to be a problem with the RADIUS process flow of ISE. Which received RADIUS attribute is being used for the query to the internal endpoint database?
3) Also, the Alcatel switch did not send the MAC address in Calling-Station-ID for the RADIUS accounting, and ISE dropped all the accounting packets with a reason of "malformed ....". This is generating 6 repetitive messages and will not scale well in the future deployment.
The questions are:
1. What is the official statement about support for Alcatel devices? We saw that the official statement from Cisco said that the tested platform is the 6850.
2. We have to know why the custom endpoint attributes are not retrieved from the internal database of ISE during the MAB authentication.
a. We know that the Alcatel platform 6250 did not utilize the Calling-Station-ID attribute.
b. But we know that Cisco ISE detected the MAB request as host lookup and is also able to successfully authenticate the MAC against the internal database.
Thanks,
-Michal
06-24-2019 08:52 AM
06-24-2019 09:19 AM
Removed from PM.
06-29-2019 04:36 PM
To me, all these seem expected. When the NAD is not sending the MAC address of the endpoint as the calling station, ISE would not be able to look it up for attributes. The MAB authentication in the associated NAD profile is to check the password via CHAP.
If you have not got other responses, then I will confirm it with others in our teams.
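The reply above makes the point that ISE keys its endpoint lookup on the Calling-Station-Id attribute, so a MAB request that carries the MAC only in User-Name can still authenticate but resolves no endpoint record. As an added example (not code from this thread, from Cisco or from Alcatel), here is a small Python check that parses a RADIUS Access-Request and reports whether it gives ISE such a key; the attribute numbers are from RFC 2865 and the two sample packets are constructed, not captured.

```python
import struct

ACCESS_REQUEST = 1                                        # RADIUS packet code
USER_NAME, SERVICE_TYPE, CALLING_STATION_ID = 1, 6, 31    # RFC 2865 attribute types
SERVICE_TYPE_CALL_CHECK = 10  # Service-Type a NAD sets for MAB (host lookup)

def normalize_mac(value):
    """Return a MAC as aa:bb:cc:dd:ee:ff, or None if the string is not a MAC."""
    cleaned = value.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(cleaned) != 12 or any(c not in "0123456789abcdef" for c in cleaned):
        return None
    return ":".join(cleaned[i:i + 2] for i in range(0, 12, 2))

def parse_radius(packet):
    """Parse the RFC 2865 header and attribute list; return (code, {type: value})."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20  # attributes start after the 16-byte Request Authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, attrs

def check_request(packet):
    """Report whether the request gives ISE a Calling-Station-Id to key an endpoint lookup on."""
    code, attrs = parse_radius(packet)
    stype = struct.unpack("!I", attrs[SERVICE_TYPE])[0] if SERVICE_TYPE in attrs else None
    csid = attrs.get(CALLING_STATION_ID, b"").decode("ascii", "replace")
    return {
        "mab": code == ACCESS_REQUEST and stype == SERVICE_TYPE_CALL_CHECK,
        "user_name": attrs.get(USER_NAME, b"").decode("ascii", "replace"),
        # None: the MAC in User-Name can still authenticate, but no endpoint record
        # (and none of its custom attributes) can be resolved for the policy set.
        "lookup_key": normalize_mac(csid) if csid else None,
    }

def build_request(code, avps):
    """Construct a packet for the samples; the Request Authenticator is zeroed."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

MAB_USER = (USER_NAME, b"001122334455")  # constructed sample MAC, not a real endpoint
CALL_CHECK = (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
# Constructed: a NAD that carries the MAC in both User-Name and Calling-Station-Id.
WITH_CSID = build_request(ACCESS_REQUEST, [MAB_USER, CALL_CHECK, (CALLING_STATION_ID, b"00-11-22-33-44-55")])
# Constructed: the shape the thread describes, MAC present in User-Name only.
WITHOUT_CSID = build_request(ACCESS_REQUEST, [MAB_USER, CALL_CHECK])
```

Running `check_request` over requests exported from a capture will flag every NAD whose MAB traffic lacks Calling-Station-Id before it reaches the policy set.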