01-04-2013 01:23 PM - edited 03-10-2019 07:56 PM
We have a Cisco 2960S configured for TrustSec (802.1x+MAB), with several workstations/users connected to it through their Cisco IP Phones. The users are using 802.1x and their phones are being MAB'd. Intermittently, the MAB functionality seems to stall, as seen by the output below. The issue is not isolated to a given port, but does not occur on other switches (3560Gs) in the environment. This switch is running 15.0(2)SE.

The Authentication Session command does not show a phone, only a workstation:

NFF-Cat2960S-off#sh authen sess int gi1/0/13
            Interface:  GigabitEthernet1/0/13
          MAC Address:  082e.5f86.4345
           IP Address:  192.168.1.111
            User-Name:  <removed>
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  10
              ACS ACL:  xACSACLx-IP-ACL-PERMITALL-50bfa391
      Session timeout:  14400s (server), Remaining: 14353s
       Timeout action:  Reauthenticate
         Idle timeout:  N/A
    Common Session ID:  C0A8011600000F4AFC60371C
      Acct Session ID:  0x000010D5
               Handle:  0xD6000F4B

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

CAM shows the phone as connected and communicating (even after a shut/no shut):

NFF-Cat2960S-off#sh mac add int gi1/0/13
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    082e.5f86.4345    STATIC      Gi1/0/13
  10    e804.6212.9903    DYNAMIC     Gi1/0/13
  20    e804.6212.9903    DYNAMIC     Gi1/0/13
Total Mac Addresses for this criterion: 3

Interface configuration (same as others on this switch and others):

interface GigabitEthernet1/0/13
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 20
 ip access-group ACL-DEFAULT in
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 10
 authentication event server dead action authorize voice
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 mls qos trust device cisco-phone
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout tx-period 10
 auto qos voip cisco-phone
 spanning-tree portfast
 service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
end

The phone has DHCP, but its traffic is being blocked by ACL-DEFAULT, as the switch is not performing MAB to download a more permissive dACL:

Jan  2 15:21:10.365 EST: %SEC-6-IPACCESSLOGP: list ACL-DEFAULT denied tcp 192.168.20.77(49858) -> 192.168.20.5(2000), 1 packet

Finally, the switch is reporting that MAB on this port is in an ACQUIRING state, even though the MACs are discovered:

MAB details for GigabitEthernet1/0/13
-------------------------------------
Mac-Auth-Bypass     = Enabled

MAB Client List
---------------
Client MAC          = Waiting
Session ID          = C0A8011600000FB006D7DCEA
MAB SM state        = ACQUIRING
Authen Status       = FAIL
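The three outputs above, taken together, are the signature of the stall: a MAC learned in the CAM on the voice VLAN, no authentication session for that MAC, and the MAB state machine still waiting for a client. The following script is an added example (not part of the original post or of any Cisco tool) that parses those three show commands and flags that combination, so the check can be run across many ports instead of eyeballing one. The sample outputs are constructed here from the values in the post (same MACs, VLANs and session IDs; the column layout is reconstructed, not a verbatim capture), and the function names are the example's own.

```python
import re

# Constructed sample outputs, modelled on the three show commands quoted in the post
# above (same MACs, VLANs and session IDs); the column layout is reconstructed by hand,
# not a verbatim capture from a switch.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    082e.5f86.4345    STATIC      Gi1/0/13
  10    e804.6212.9903    DYNAMIC     Gi1/0/13
  20    e804.6212.9903    DYNAMIC     Gi1/0/13
Total Mac Addresses for this criterion: 3
"""

SAMPLE_AUTH_SESSIONS = """\
            Interface:  GigabitEthernet1/0/13
          MAC Address:  082e.5f86.4345
           IP Address:  192.168.1.111
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
    Common Session ID:  C0A8011600000F4AFC60371C

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run
"""

SAMPLE_MAB_DETAIL = """\
MAB details for GigabitEthernet1/0/13
-------------------------------------
Mac-Auth-Bypass     = Enabled

MAB Client List
---------------
Client MAC          = Waiting
Session ID          = C0A8011600000FB006D7DCEA
MAB SM state        = ACQUIRING
Authen Status       = FAIL
"""

MAC_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)", re.I)
KEY_VALUE = re.compile(r"^\s*([\w\- ]+?)\s*:\s*(.*)$")
METHOD_ROW = re.compile(r"^\s*(dot1x|mab)\s+(.+?)\s*$")
MAB_FIELD = re.compile(r"^\s*([\w\- ]+?)\s*=\s*(.*)$")


def parse_mac_table(text):
    """Map each MAC in 'show mac address-table' output to the set of VLANs it was learned on."""
    macs = {}
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            macs.setdefault(m.group(2).lower(), set()).add(int(m.group(1)))
    return macs


def parse_auth_sessions(text):
    """Split 'show authentication sessions interface ...' output into one dict per session.

    Each dict holds the 'Field: value' pairs plus a 'methods' dict (dot1x/mab -> state)."""
    sessions, cur = [], None
    for line in text.splitlines():
        if line.strip().startswith("Interface:"):
            cur = {"methods": {}}
            sessions.append(cur)
        if cur is None:
            continue
        if (m := METHOD_ROW.match(line)):
            cur["methods"][m.group(1)] = m.group(2)
        elif (m := KEY_VALUE.match(line)):
            cur[m.group(1).strip()] = m.group(2).strip()
    return sessions


def parse_mab_detail(text):
    """Parse 'show mab interface ... detail' into {'enabled': bool, 'clients': [dict, ...]}."""
    info = {"enabled": False, "clients": []}
    for line in text.splitlines():
        m = MAB_FIELD.match(line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Mac-Auth-Bypass":
            info["enabled"] = val == "Enabled"
        elif key == "Client MAC":
            info["clients"].append({key: val})
        elif info["clients"]:
            info["clients"][-1][key] = val
    return info


def diagnose(voice_vlan, mac_table, sessions, mab):
    """Return [(mac, reason), ...] for voice-VLAN MACs the switch forwards for but never authenticated.

    A MAC in the CAM on the voice VLAN with no authentication session, while the MAB state
    machine still reports 'Client MAC = Waiting' / ACQUIRING, is the stall described in the
    post: the phone talks, but gets no dACL because MAB never ran for it."""
    authenticated = {s.get("MAC Address", "").lower() for s in sessions}
    stuck = any(c.get("MAB SM state") == "ACQUIRING" or c.get("Client MAC") == "Waiting"
                for c in mab["clients"])
    findings = []
    for mac, vlans in sorted(mac_table.items()):
        if voice_vlan in vlans and mac not in authenticated:
            reason = "learned on voice VLAN %d but has no authentication session" % voice_vlan
            if not mab["enabled"]:
                reason += "; MAB is disabled on the port"
            elif stuck:
                reason += "; MAB state machine stuck in ACQUIRING (Client MAC = Waiting)"
            findings.append((mac, reason))
    return findings


if __name__ == "__main__":
    report = diagnose(20, parse_mac_table(SAMPLE_MAC_TABLE),
                      parse_auth_sessions(SAMPLE_AUTH_SESSIONS),
                      parse_mab_detail(SAMPLE_MAB_DETAIL))
    for mac, reason in report or [("-", "port looks healthy")]:
        print(mac, reason)
```

Run against the post's own values, the only finding is e804.6212.9903, the phone: present on VLAN 20 in the CAM, absent from the session list, with the MAB client list still waiting. The workstation MAC passes because it has a dot1x session. Feeding the script the same three commands from every port (or from the 3560Gs) makes the "not isolated to a given port" claim easy to quantify.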
01-04-2013 06:16 PM
Hi,
Just out of curiosity can you post your port configuration.
Thanks.
Sent from Cisco Technical Support Android App