03-20-2018 03:28 PM - edited 02-21-2020 10:51 AM
Hello experts,
I am getting the following error when I use dot1x with local user authen on ISE.
Switchport configuration is below:
inter gig1/0/9
switchport
switchport mode access
switchport voice vlan 221
authen port-control auto
authen host-mode multi-auth
authen order mab dot1x
authen priority dot1x mab
mab
dot1x pae authen
exit
After trying a few times it registers with MAB authen, which I don't want. The VLAN is downloaded from dACL.
I need to solve this issue ASAP; can someone please help in this regard? I'm new to ISE, so if you need any further info please let me know.
Thanks in advance.
Regards,
Adnan
03-21-2018 08:40 AM
Hi,
Below is the output of "show authen session inter gig1/0/14". As for the TCP dump file, I will create it in a while and share it with you.
Interface    MAC Address    Method  Domain  Status Fg  Session ID
----------------------------------------------------------------------
Gi1/0/14     0050.56ae.231b mab     DATA    Auth        0A640816000000EB16BE55B0
Gi1/0/14     5000.0017.0000 mab     DATA    Unauth      0A640816000000EE16BF081C
Gi1/0/14     346f.9016.d825 mab     VOICE   Auth        0A640816000000EC16BEA5F8
Gi1/0/14     5000.0002.0000 mab     DATA    Auth        0A640816000000ED16BEE903
Key to Session Events Blocked Status Flags:
A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
N - Waiting for AAA to come up
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker
Runnable methods list:
Handle  Priority  Name
6       5         dot1x
20      10        mab
18      15        webauth
03-21-2018 08:46 AM
The output should look like this:
LAB-SWI#show authentication sessions interface fastEthernet 0/3
Interface: FastEthernet0/3
MAC Address: 000c.298b.4567
IP Address: 192.168.11.101
User-Name: host/WIN7-PC.network.local
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A80A0100000B4B244D0EA1
Acct Session ID: 0x00000B52
Handle: 0xF9000B4C
Runnable methods list:
Method State
dot1x Authc Success
What you provided is not what I was looking for. What switch model and version are you running? Are you sure you ran the correct command as I specified? I can get the same output as you provided, but using the command "show authentication interface fas 0/3", and that is not what I want to see.
03-21-2018 11:03 AM
Hi,
Yes I have configured globally "dot1x system-auth-control".
I have a 3750 E with IOS version 15.2. The following is the output I get when I run "show authen session inter gig1/0/14":
Interface    MAC Address    Method  Domain  Status Fg  Session ID
----------------------------------------------------------------------
Gi1/0/14     0050.56ae.231b mab     DATA    Auth        0A640816000000EB16BE55B0
Gi1/0/14     0050.56ae.d5b5 mab     DATA    Auth        0A640816000000F016D9EA2D
Gi1/0/14     5000.0017.0000 mab     DATA    Unauth      0A640816000000EE16BF081C
Gi1/0/14     346f.9016.d825 mab     VOICE   Auth        0A640816000000EC16BEA5F8
Gi1/0/14     5000.0002.0000 mab     DATA    Auth        0A640816000000ED16BEE903
Key to Session Events Blocked Status Flags:
A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
N - Waiting for AAA to come up
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker
Runnable methods list:
Handle  Priority  Name
6       5         dot1x
20      10        mab
18      15        webauth
03-21-2018 11:12 AM
From your previous output you cannot see dot1x under the method status list, that would indicate to me it wasn't run.
Method status list:
Method State
mab Authc Success
Set the authentication order to be dot1x then mab, try again.
A packet capture on the RADIUS server would indicate whether dot1x was run or not. Also run a debug on the switch at the same time you attempt to authenticate.
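Added example (not part of any post in this thread): a small Python parser for the summary table printed by "show authentication sessions interface ...", which lists authorized sessions that came up via MAB in a domain where 802.1X is expected. The function names, the assumption that only DATA-domain endpoints should use dot1x, and the sample rows are constructed for illustration.

```python
import re

# Constructed sample modeled on the table posted in this thread; the last
# row (a dot1x session on Gi1/0/9) is invented so both methods appear.
SAMPLE = """\
Interface    MAC Address    Method  Domain  Status Fg  Session ID
----------------------------------------------------------------------
Gi1/0/14     0050.56ae.231b mab     DATA    Auth        0A640816000000EB16BE55B0
Gi1/0/14     5000.0017.0000 mab     DATA    Unauth      0A640816000000EE16BF081C
Gi1/0/14     346f.9016.d825 mab     VOICE   Auth        0A640816000000EC16BEA5F8
Gi1/0/9      000c.298b.4567 dot1x   DATA    Auth        0A640816000000F116DA0001
"""

# One session row: interface, dotted MAC, method, domain, status,
# optional blocked-status flag letters, then the hex session ID.
ROW = re.compile(
    r"^(?P<intf>\S+)\s+(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+"
    r"(?P<method>\S+)\s+(?P<domain>\S+)\s+(?P<status>\S+)\s+"
    r"(?:(?P<flags>[A-Z]+)\s+)?(?P<sid>[0-9A-F]{16,})\s*$",
    re.IGNORECASE,
)

def parse_sessions(text):
    """Return one dict per session row; headers and legend lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["method"] = row["method"].lower()
            row["domain"] = row["domain"].upper()
            row["status"] = row["status"].lower()
            sessions.append(row)
    return sessions

def mab_fallbacks(sessions, dot1x_domains=("DATA",)):
    """Authorized sessions that used MAB where dot1x is expected (assumption:
    VOICE-domain phones are allowed to authenticate with MAB)."""
    return [s for s in sessions
            if s["method"] == "mab" and s["status"] == "auth"
            and s["domain"] in dot1x_domains]

if __name__ == "__main__":
    for s in mab_fallbacks(parse_sessions(SAMPLE)):
        print(f'{s["intf"]} {s["mac"]} authorized via MAB, session {s["sid"]}')
```
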