03-20-2018 03:28 PM - edited 02-21-2020 10:51 AM
Hello experts,
I am getting the following error when I use dot1x with local user authen on ISE.
Switchport configuration is below:
inter gig1/0/9
switchport
switchport mode access
switchport voice vlan 221
authen port-control auto
authen host-mode multi-auth
authen order mab dot1x
authen priority dot1x mab
mab
dot1x pae authen
exit
After trying a few times it registers with MAB authentication, which I don't want. The VLAN is downloaded from the dACL.
I need to solve this issue ASAP; can someone please help in this regard? I'm new to ISE, so if you need any further info please let me know.
thanks in advance.
Regards,
Adnan
03-20-2018 04:24 PM
Do you have the problem with all computers/users or just one/some?
Try changing the order and run dot1x before mab: authentication order dot1x mab
If dot1x authentication fails then the client is probably not matching against the rules you've defined in the policy.
03-21-2018 07:03 AM
Hi RJI,
Thanks for your reply.
Actually I have a phone, and through it I have one MAB PC and another dot1x PC connected. So on the same port the MAB PC gets authenticated, but the dot1x one does not and gives that error. I have a local user defined on ISE which I use for authentication, but it doesn't authenticate and gives the error.
I will check it with order dot1x mab on the port and paste the result here today.
Regards,
Adnan
03-21-2018 07:18 AM
Hi Adnan, Can you post a screenshot of your Authorization rules from the policy set please?
03-21-2018 07:48 AM
[attachment not preserved]
03-21-2018 07:55 AM
[attachment not preserved]
03-21-2018 08:05 AM
[attachment not preserved]
It is a user identity group. I created a user and then assigned this group to that user. Below is the "show authen session details" output in the attached Pic 6.
The first PC is using dot1x authentication with a local user defined on ISE. It fails, and then the MAC is learnt by ISE, which authenticates it by MAC.
I want it to be authenticated with Dot1x.
Regards,
Adnan
03-21-2018 08:10 AM
[attachment not preserved]
03-21-2018 08:18 AM
[attachment not preserved]
03-21-2018 08:21 AM
[attachment not preserved]
03-21-2018 08:29 AM
Below is the output.
Interface: GigabitEthernet1/0/14
MAC Address: 0050.56ae.231b
IPv6 Address: Unknown
IPv4 Address: 192.168.216.216
User-Name: 00-50-56-AE-23-1B
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: N/A
Common Session ID: 0A640816000000A212D73754
Acct Session ID: Unknown
Handle: 0xFE00008B
Current Policy: POLICY_Gi1/0/14
Local Policies:
OPEN DIR ACL: Open-Dir-ACL
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure
Server Policies:
Method status list:
Method State
mab Authc Success
----------------------------------------
Interface: GigabitEthernet1/0/14
MAC Address: 0050.56ae.d5b5
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: 00-50-56-AE-D5-B5
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: N/A
Common Session ID: 0A640816000000AA12FBE3C1
Acct Session ID: Unknown
Handle: 0x98000093
Current Policy: POLICY_Gi1/0/14
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure
Server Policies:
Method status list:
Method State
mab Authc Success
----------------------------------------
Interface: GigabitEthernet1/0/14
MAC Address: 5000.0017.0000
IPv6 Address: Unknown
IPv4 Address: 10.100.8.4
User-Name: 50-00-00-17-00-00
Status: Unauthorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: N/A
Common Session ID: 0A640816000000A512D7AB86
Acct Session ID: Unknown
Handle: 0xE700008E
Current Policy: POLICY_Gi1/0/14
Local Policies:
OPEN DIR ACL: Open-Dir-ACL
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure
Method status list:
Method State
mab Authc Success
----------------------------------------
Interface: GigabitEthernet1/0/14
MAC Address: 346f.9016.d825
IPv6 Address: Unknown
IPv4 Address: 10.100.215.10
User-Name: 34-6F-90-16-D8-25
Status: Authorized
Domain: VOICE
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: N/A
Common Session ID: 0A640816000000A412D7A8A3
Acct Session ID: Unknown
Handle: 0x9B00008D
Current Policy: POLICY_Gi1/0/14
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure
Server Policies:
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-57452910
Method status list:
Method State
mab Authc Success
----------------------------------------
Interface: GigabitEthernet1/0/14
MAC Address: 5000.0002.0000
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: 50-00-00-02-00-00
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: N/A
Common Session ID: 0A640816000000A612D7ECED
Acct Session ID: Unknown
Handle: 0x2E00008F
Current Policy: POLICY_Gi1/0/14
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure
Server Policies:
Method status list:
Method State
mab Authc Success
03-21-2018 08:51 AM
Ok, it hasn't even run dot1x on that interface.
Do you have dot1x system-auth-control configured globally?
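As an added example (not code from any of the posters), here is a small Python parser for the "show authentication sessions interface ... details" output posted above. It automates what RJI did by eye: for each session it reads the method status list and flags DATA-domain sessions that were authorized by MAB alone with dot1x never run, plus any session that ended Unauthorized. SAMPLE is constructed to mirror the shape of the posted output (abbreviated); the extra session for user "alice" is made up to show what a dot1x-authenticated session looks like in the method list and should not be flagged.

```python
"""Added example: parse Cisco IOS 'show authentication sessions interface X details'
output and flag sessions where 802.1X never ran. Not from the thread's posters.
SAMPLE is constructed to mirror the posted output; the 'alice' session is made up."""
import re
from dataclasses import dataclass, field

SAMPLE = """\
Interface: GigabitEthernet1/0/14
MAC Address: 0050.56ae.231b
User-Name: 00-50-56-AE-23-1B
Status: Authorized
Domain: DATA
Common Session ID: 0A640816000000A212D73754
Method status list:
Method State
mab Authc Success
----------------------------------------
Interface: GigabitEthernet1/0/14
MAC Address: 5000.0017.0000
User-Name: 50-00-00-17-00-00
Status: Unauthorized
Domain: DATA
Common Session ID: 0A640816000000A512D7AB86
Method status list:
Method State
mab Authc Success
----------------------------------------
Interface: GigabitEthernet1/0/14
MAC Address: 346f.9016.d825
User-Name: 34-6F-90-16-D8-25
Status: Authorized
Domain: VOICE
Common Session ID: 0A640816000000A412D7A8A3
Method status list:
Method State
mab Authc Success
----------------------------------------
Interface: GigabitEthernet1/0/14
MAC Address: 0011.2233.4455
User-Name: alice
Status: Authorized
Domain: DATA
Common Session ID: 0A640816000000B012D7FFFF
Method status list:
Method State
dot1x Authc Success
mab Stopped
"""


@dataclass
class Session:
    mac: str
    status: str      # Authorized / Unauthorized
    domain: str      # DATA or VOICE
    user: str        # User-Name; a MAC string when MAB authenticated the host
    methods: dict = field(default_factory=dict)  # method name -> state


def parse_sessions(text: str) -> list:
    """Split the output on the dashed separators and read each session block."""
    sessions = []
    for block in re.split(r"^-{5,}\s*$", text, flags=re.M):
        if "MAC Address:" not in block:
            continue
        # 'Key: value' lines; section headers with nothing after the colon do not match
        fields = dict(re.findall(r"^([\w\- ]+?):[ \t]*(\S.*)$", block, flags=re.M))
        methods, in_methods = {}, False
        for line in block.splitlines():
            if line.strip() == "Method status list:":
                in_methods = True
                continue
            if in_methods:
                parts = line.split(None, 1)          # e.g. "mab Authc Success"
                if len(parts) == 2 and parts[0] != "Method":
                    methods[parts[0]] = parts[1].strip()
        sessions.append(Session(fields["MAC Address"], fields["Status"], fields["Domain"],
                                fields.get("User-Name", ""), methods))
    return sessions


def mab_only_data(sessions) -> list:
    """MACs in the DATA domain authorized by MAB while dot1x never ran."""
    return sorted(s.mac for s in sessions
                  if s.domain == "DATA" and s.status == "Authorized"
                  and s.methods.get("mab") == "Authc Success"
                  and s.methods.get("dot1x") in (None, "Not run"))


def unauthorized(sessions) -> list:
    """MACs whose session is not Authorized, whatever the method list says."""
    return sorted(s.mac for s in sessions if s.status != "Authorized")


if __name__ == "__main__":
    sess = parse_sessions(SAMPLE)
    for mac in mab_only_data(sess):
        print(f"{mac}: authorized by MAB only, dot1x did not run")
    for mac in unauthorized(sess):
        print(f"{mac}: session Unauthorized")
```

Run against the real output pasted from the switch instead of SAMPLE; a DATA host that should be doing 802.1X but shows up in mab_only_data() is the situation described in this thread, and the Unauthorized session with "mab Authc Success" is the one to look at separately in the ISE live log.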
03-21-2018 11:05 AM
Hi,
Yes I have configured globally "dot1x system-auth-control".
I have a 3750-E running IOS 15.2. The following is the output I get from "show authen session inter gig1/0/14":
Interface MAC Address Method Domain Status Fg Session ID
----------------------------------------------------------------------
Gi1/0/14 0050.56ae.231b mab DATA Auth 0A640816000000EB16BE55B0
Gi1/0/14 0050.56ae.d5b5 mab DATA Auth 0A640816000000F016D9EA2D
Gi1/0/14 5000.0017.0000 mab DATA Unauth 0A640816000000EE16BF081C
Gi1/0/14 346f.9016.d825 mab VOICE Auth 0A640816000000EC16BEA5F8
Gi1/0/14 5000.0002.0000 mab DATA Auth 0A640816000000ED16BEE903
Key to Session Events Blocked Status Flags:
A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
N - Waiting for AAA to come up
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker
Runnable methods list:
Handle Priority Name
6 5 dot1x
20 10 mab
18 15 webauth
03-21-2018 08:31 AM
Below is the authentication detail on interface gig1/0/14. I don't have the TCP dump now, but I can get it.
Interface MAC Address Method Domain Status Fg Session ID
----------------------------------------------------------------------
Gi1/0/14 0050.56ae.231b mab DATA Auth 0A640816000000A212D73754
Gi1/0/14 0050.56ae.d5b5 mab DATA Auth 0A640816000000AA12FBE3C1
Gi1/0/14 5000.0017.0000 mab DATA Unauth 0A640816000000A512D7AB86
Gi1/0/14 346f.9016.d825 mab VOICE Auth 0A640816000000A412D7A8A3
Gi1/0/14 5000.0002.0000 mab DATA Auth 0A640816000000A612D7ECED
Key to Session Events Blocked Status Flags:
A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
N - Waiting for AAA to come up
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker
Runnable methods list:
Handle Priority Name
6 5 dot1x
20 10 mab
18 15 webauth
03-21-2018 08:36 AM