03-29-2011 03:25 AM - edited 03-10-2019 05:57 PM
I have a problem with testing 802.1x MDA. The AUTH-MGR notified me of weird error messages.
*Mar 1 06:41:05.610: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to up
*Mar 1 06:41:17.470: %AUTHMGR-5-START: Starting 'mab' for client (a8b1.d4fb.4dc9) on Interface Gi1/0/13 AuditSessionID 0A6464C80000000D016F2E87
*Mar 1 06:41:17.470: AAA/AUTHEN/8021X (0000001E): Pick method list 'default'
*Mar 1 06:41:17.758: %MAB-5-SUCCESS: Authentication successful for client (a8b1.d4fb.4dc9) on Interface Gi1/0/13 AuditSessionID 0A6464C80000000D016F2E87
*Mar 1 06:41:17.763: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (a8b1.d4fb.4dc9) on Interface Gi1/0/13 AuditSessionID 0A6464C80000000D016F2E87
*Mar 1 06:41:17.763: %AUTHMGR-5-FAIL: Authorization failed for client (a8b1.d4fb.4dc9) on Interface Gi1/0/13 AuditSessionID 0A6464C80000000D016F2E87
*Mar 1 06:42:18.402: %MAB-5-SUCCESS: Authentication successful for client (a8b1.d4fb.4dc9) on Interface Gi1/0/13 AuditSessionID 0A6464C80000000D016F2E87
*Mar 1 06:42:18.408: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (a8b1.d4fb.4dc9) on Interface Gi1/0/13 AuditSessionID 0A6464C80000000D016F2E87
*Mar 1 06:42:18.408: %AUTHMGR-5-FAIL: Authorization failed for client (a8b1.d4fb.4dc9) on Interface Gi1/0/13 AuditSessionID 0A6464C80000000D016F2E87
SW-DOT1X#sh authentication int g1/0/13
Client list:
  Interface  MAC Address     Method  Domain  Status        Session ID
  Gi1/0/13   a8b1.d4fb.4dc9  mab     DATA    Authz Failed  0A6464C80000000D016F2E87
Available methods list:
  Handle  Priority  Name
     3       0      dot1x
     2       1      mab
Runnable methods list:
  Handle  Priority  Name
     2       0      mab
     3       1      dot1x
SW-DOT1X#sh authentication session int g1/0/13
Interface: GigabitEthernet1/0/13
MAC Address: a8b1.d4fb.4dc9
IP Address: Unknown
User-Name: a8b1d4fb4dc9
Status: Authz Failed
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A6464C80000000D016F2E87
Acct Session ID: 0x0000001D
Handle: 0xBC00000D
Runnable methods list:
Method State
mab Authc Success
dot1x Not run
===================================================================================
interface GigabitEthernet1/0/13
switchport access vlan 50
switchport mode access
switchport voice vlan 60
authentication host-mode multi-domain
authentication order mab dot1x
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
end
On ACS
The RADIUS IETF attributes are already configured:
- 64/65/81 and cisco-av-pair
03-29-2011 12:44 PM
Does VLAN 50 exist on the switch in question? It looks like your MAB authentication is successful so you should be good so long as vlan60 exists on the switch. We return a VLAN name/number from RADIUS with authentication requests (MAB and non-MAB authentication requests) to allow for dynamic VLAN switching based upon the user credentials or MAC (replaces our old VMPS based solution). If the VLAN name/number doesn't exist on the switch we get the Authorization Failure ("Authz Failed" status).
Also, if you're running in MDA mode you'll need to make sure you return something like the following if the device is an IP phone:
cisco-avpair = "device-traffic-class=voice"
Tunnel-Type=1:VLAN
Tunnel-Medium-Type=1:Ether_802
Tunnel-Private-Group-ID=1:VOICE-LAN
If you're not doing IP phone dot1x authentication, then you don't need to be running in MDA mode. Get rid of that and just configure the port for multi-host or single-host mode.
--greg
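The reply above explains why a session can show "Authc Success" yet end in "Authz Failed": the VLAN returned by RADIUS is not defined on the switch. The following is an added example, not Cisco's code or anything posted in this thread; it models that decision for a multi-domain port using the attribute names and the tag:value form quoted above, and the VLAN table, the attribute values and the function names are assumptions made up for the illustration.

```python
# Constructed model (not Cisco code) of how a switch in multi-domain mode turns the RADIUS
# Access-Accept attributes from the reply above into a domain and an authorization result.
# Attribute values use the thread's tag:value form ("1:VLAN"); the VLAN table is made up.

TUNNEL_TYPE_VLAN = {"VLAN", "13"}              # IETF attribute 64: tunnel type VLAN (13)
TUNNEL_MEDIUM_802 = {"Ether_802", "802", "6"}  # IETF attribute 65: IEEE-802 medium (6)


def untag(value):
    """Drop a tunnel-attribute tag prefix such as '1:' and return the bare value."""
    tag, sep, rest = value.partition(":")
    return rest if sep and tag.isdigit() else value


def authorize(attrs, switch_vlans):
    """attrs: Access-Accept attributes; switch_vlans: {vlan_id: vlan_name} present on the switch.
    Returns (domain, status, reason) in the wording of 'show authentication session'."""
    # device-traffic-class=voice places the session in the VOICE domain; otherwise DATA.
    avpairs = [av.strip('"') for av in attrs.get("cisco-avpair", [])]
    domain = "VOICE" if "device-traffic-class=voice" in avpairs else "DATA"
    group = untag(attrs.get("Tunnel-Private-Group-ID", ""))
    if not group:
        return domain, "Authz Success", "no dynamic VLAN returned; the port's configured VLAN applies"
    ttype = untag(attrs.get("Tunnel-Type", ""))
    tmed = untag(attrs.get("Tunnel-Medium-Type", ""))
    if ttype not in TUNNEL_TYPE_VLAN or tmed not in TUNNEL_MEDIUM_802:
        return domain, "Authz Failed", "Tunnel-Type must be VLAN and Tunnel-Medium-Type must be 802"
    # Attribute 81 may carry a VLAN number or a VLAN name; either must resolve on this switch.
    by_name = {name.lower(): vid for vid, name in switch_vlans.items()}
    vid = int(group) if group.isdigit() else by_name.get(group.lower())
    if vid not in switch_vlans:
        return domain, "Authz Failed", f"VLAN {group!r} returned by RADIUS does not exist on the switch"
    return domain, "Authz Success", f"VLAN {vid} applied in the {domain} domain"


# Constructed switch VLAN table and a phone Access-Accept shaped like the one quoted above.
SWITCH_VLANS = {50: "DATA", 60: "VOICE", 130: "PHONES"}
PHONE_ACCEPT = {
    "cisco-avpair": ['"device-traffic-class=voice"'],
    "Tunnel-Type": "1:VLAN",
    "Tunnel-Medium-Type": "1:Ether_802",
    "Tunnel-Private-Group-ID": "1:130",
}
```

Feeding the same Access-Accept with Tunnel-Private-Group-ID set to a VLAN name that is not in SWITCH_VLANS reproduces the "Authz Failed" outcome the thread started with.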
03-31-2011 12:55 PM
Thank you for the reply, Greg.
I changed some configuration on the switch and the IP Phone can now authenticate with MAB and get authorized on that port, but when I ran the command "show dot1x int g1/0/13" the status on that port is UNAUTHORIZED.
========================================================================================
sh authen sess int g1/0/13
Interface: GigabitEthernet1/0/13
MAC Address: d0d0.fd70.e70b
IP Address: Unknown
User-Name: d0d0fd70e70b
Status: Authz Success
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 130
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A080E4C0000009C43BE8EC5
Acct Session ID: 0x000004DD
Handle: 0xC100009C
Runnable methods list:
Method State
mab Authc Success
dot1x Not run
sh dot1x int f0/13 detail
Dot1x Info for FastEthernet0/13
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = MULTI_DOMAIN
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
Dot1x Authenticator Client List Empty
Port Status = UNAUTHORIZED
========================================================================================
interface GigabitEthernet1/0/13
switchport access vlan 50
switchport mode access
switchport voice vlan 60
authentication host-mode multi-domain
authentication order mab dot1x
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host X.X.X.X auth-port 1812 acct-port 1813 key cisco
radius-server vsa send authentication
========================================================================================
For your last paragraph
If your not doing IP phone dot1x authentication, then you don't need to be running in MDA mode. Get rid of that and just configure the port for multi-host or single host mode.
What do you mean? I don't understand why you said I don't have to run in MDA mode, because when I removed the MDA mode and did not configure the cisco-av-pair attribute on ACS, the switch sent an error like this:
%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface interface GigabitEthernet1/0/13, new MAC address (0080.647f.c590) is seen.
%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface interface GigabitEthernet1/0/13, new MAC address (0080.647f.c590) is seen.
%PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/13, putting Gi1/0/13 in err-disable state
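The switch messages quoted in this thread describe two distinct conditions: a session that passes MAB authentication but fails authorization (the first post), and a port that err-disables after a security violation when a second MAC appears (the messages just above). The block below is an added example, not part of the thread, that triages both patterns from syslog text; the sample lines are constructed copies of the messages quoted here, and the function and finding names are my own.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the switch messages quoted in this thread (not a real capture).
SAMPLE_LOG = """\
*Mar 1 06:41:17.470: %AUTHMGR-5-START: Starting 'mab' for client (a8b1.d4fb.4dc9) on Interface Gi1/0/13 AuditSessionID 0A6464C80000000D016F2E87
*Mar 1 06:41:17.758: %MAB-5-SUCCESS: Authentication successful for client (a8b1.d4fb.4dc9) on Interface Gi1/0/13 AuditSessionID 0A6464C80000000D016F2E87
*Mar 1 06:41:17.763: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (a8b1.d4fb.4dc9) on Interface Gi1/0/13 AuditSessionID 0A6464C80000000D016F2E87
*Mar 1 06:41:17.763: %AUTHMGR-5-FAIL: Authorization failed for client (a8b1.d4fb.4dc9) on Interface Gi1/0/13 AuditSessionID 0A6464C80000000D016F2E87
%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface interface GigabitEthernet1/0/13, new MAC address (0080.647f.c590) is seen.
%PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/13, putting Gi1/0/13 in err-disable state
"""

# Session-scoped AUTHMGR/MAB/DOT1X messages carry the client MAC, interface and audit session id.
SESSION_RE = re.compile(
    r"%(?:AUTHMGR|MAB|DOT1X)-\d-(?P<mnemonic>\w+):.*?client \((?P<mac>[0-9a-f.]+)\) "
    r"on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-F]+)"
)
VIOLATION_RE = re.compile(r"%AUTHMGR-5-SECURITY_VIOLATION:.*?interface (?P<intf>\S+), new MAC address \((?P<mac>[0-9a-f.]+)\)")
ERRDISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: (?P<reason>[\w-]+) error detected on (?P<intf>\S+),")


def triage(log_text):
    """Return findings as (kind, interface, detail) tuples for the operator to act on."""
    sessions = defaultdict(lambda: {"authc": None, "authz": None, "intf": None, "mac": None})
    findings = []
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            s = sessions[m["sid"]]
            s["intf"], s["mac"] = m["intf"], m["mac"]
            if m["mnemonic"] == "SUCCESS":          # %MAB-5-SUCCESS or %DOT1X-5-SUCCESS
                s["authc"] = "success"
            elif m["mnemonic"] == "FAIL" and "Authorization failed" in line:
                s["authz"] = "failed"
            continue
        m = VIOLATION_RE.search(line)
        if m:
            findings.append(("security-violation", m["intf"],
                             f"MAC {m['mac']} exceeds what the port's host mode permits"))
            continue
        m = ERRDISABLE_RE.search(line)
        if m:
            findings.append(("err-disable", m["intf"], m["reason"]))
    # Authc success followed by authz failure is the 'Authz Failed' case from this thread:
    # RADIUS accepted the client but the switch could not apply what it returned.
    for sid, s in sessions.items():
        if s["authc"] == "success" and s["authz"] == "failed":
            findings.append(("authz-failed-after-authc", s["intf"],
                             f"{s['mac']} session {sid}: check that the VLAN returned by RADIUS exists on the switch"))
    return findings
```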
03-31-2011 01:30 PM
Didn't see that you were using an IP phone for testing before. So you have your radius server set to send something like the following when it does a MAB authentication (from your config the port will try to log in with MAB first before dot1x):
Username=d0d0.fd70.e70b
cisco-avpair = "device-traffic-class=voice"
Tunnel-Type=1:VLAN
Tunnel-Medium-Type=1:Ether_802
Tunnel-Private-Group-ID=1:130
What switch model and IOS version are you using? We were experiencing a port-security error that would err-disable the port like you have listed. We got a bug filed for it and it was resolved for us in 12.2(55)SE on the 3750v2-48PS.
Have you looked at this guide at all:
That guide came out basically right after I figured all of this out without a single source document like the above. It gives very good details of how to go through and configure all of this.
We authenticate our 7942G/7962G/7975G phones via the built-in MIC with EAP-TLS, and our clients behind the phones with EAP-PEAPv0. We are using OSC Radiator for our radius server instead of ACS.
This is what we use for our basic dot1x port configs via a macro:
testswitch-03#sh parser macro name DOT1X-VOIP
Macro name : DOT1X-VOIP
Macro type : customizable
switchport mode access
switchport access vlan 257
switchport voice vlan 258
cdp enable
cdp tlv server-location
cdp tlv app
speed auto
duplex auto
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree bpdufilter enable
authentication event fail retry 3 action authorize vlan 257
authentication event no-response action authorize vlan 257
authentication host-mode multi-domain
authentication order dot1x mab
authentication port-control auto
authentication violation restrict
dot1x pae authenticator
dot1x timeout quiet-period 3
dot1x timeout tx-period 10
dot1x timeout supp-timeout 15
switchport port-security
switchport port-security maximum 3
switchport port-security maximum 2 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security violation restrict
storm-control broadcast level 10.00
storm-control multicast level 50.00
storm-control action trap
auto qos voip cisco-phone
--greg