Authentication result 'no-response' from 'mab'

CSchaatsbergen
Level 1

Greetings all,

Another department, another problem. Basically we are trying to set up MAB-based authentication, and if a client MAC is not known, the port should remain shut.

Configuration: WS-C2960-24TC-L with IOS 12.2(55)SE1 authenticating against freeRadius (2.1.10)

Excerpt from running config

aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting network default start-stop group radius
!

dot1x system-auth-control
!
interface GigabitEthernet0/19
switchport mode access
switchport voice vlan 2
authentication event fail retry 0 action authorize vlan 999
authentication event server dead action authorize vlan 1
authentication event no-response action authorize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication port-control auto
authentication violation restrict
mab
spanning-tree portfast
!
radius-server dead-criteria tries 1
radius-server host 10.2.1.33 auth-port 1812 acct-port 1813
radius-server timeout 10
radius-server key 7 xxxxxxx
radius-server vsa send accounting
radius-server vsa send authentication

Now if I connect a notebook to port Gi0/19, FreeRADIUS sends a reject, but the port gets authorized on VLAN 1 (we are also trying to get the data on another VLAN). VLAN 999 does not exist; I tried running this configuration without the authentication event fail line and with another existing VLAN, but with the same outcome.

Excerpt from debugging (full debug log attached)

001608: 4w1d: AUTH-FEAT-MDA-EVENT (Gi0/19) Black Listed Mac Address 0026.5588.491c on vlan 1
001609: 4w1d: AUTH-FEAT-MDA-EVENT (Gi0/19) Received notification for 0026.5588.491c in domain DATA
001610: 4w1d: AUTH-FEAT-SWITCH-PM-EVENT (Gi0/19) dot1x_switch_mac_address_notify: MAC 0026.5588.491c on GigabitEthernet0/19(1) consumed by MDA. termi
001611: 4w1d: AUTH-FEAT-MDA-EVENT (Gi0/19) Get domain: UNKNOWN
001612: .Mar 11 07:59:19: %AUTHMGR-5-START: Starting 'mab' for client (0026.5588.491c) on Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF
001613: 4w1d: AUTH-FEAT-MDA-EVENT (Gi0/19) Get domain: UNKNOWN
001614: .Mar 11 07:59:20: %MAB-5-FAIL: Authentication failed for client (0026.5588.491c) on Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF
001615: .Mar 11 07:59:20: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0026.5588.491c) on Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF
001616: .Mar 11 07:59:20: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0026.5588.491c) on Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF
001617: .Mar 11 07:59:20: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0026.5588.491c) on Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF
001618: 4w1d: AUTH-FEAT-MDA-EVENT (Gi0/19) Get domain: DATA
001619: 4w1d: AUTH-FEAT-GUEST-VLAN-EVENT (Gi0/19) Authentication failure due to non-responsi
001620: 4w1d: AUTH-FEAT-GUEST-VLAN-EVENT (Gi0/19) Activating guest VLAN 1
001621: 4w1d: AUTH-FEAT-SWITCH-PM-EVENT (Gi0/19) PM Actions: Setting vlan 1 in DATA domain
001622: 4w1d: AUTH-FEAT-SWITCH-PM-EVENT (Gi0/19) Assigning dynamic vlan = 1 on port GigabitEthernet0/19
001623: .Mar 11 07:59:20: %AUTHMGR-5-VLANASSIGN: VLAN 1 assigned to Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF

...

001631: 4w1d: AUTH-FEAT-MDA-EVENT (Gi0/19) Authorizing vp DATA, isLast is 1
001632: 4w1d: AUTH-FEAT-SWITCH-PM-EVENT (Gi0/19) dot1x_switch_port_vp_authorized: GigabitEthernet0/19 vp authorized in domain DATA, isLast i
001633: 4w1d: AUTH-FEAT-VOICE-EVENT (Gi0/19) No transit entry
001634: .Mar 11 07:59:21: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF
001635: 4w1d: AUTH-FEAT-SWITCH-PM-EVENT (Gi0/19) Checking data packet allowed, mac 0026.5588.491c, vlan
001636: 4w1d: AUTH-FEAT-GUEST-VLAN-EVENT (Gi0/19) Overriding host_mode, forcing to MULTI_HOS

...

001827: 4w1d: AUTH-FEAT-MDA-EVENT (Gi0/19) dot1x_switch_mda_dot1x_sub_feature_permits_pkt: Guest VLAN is active and MAC 0026.5588.491c arrived on da
001828: 4w1d: AUTH-FEAT-MDA-EVENT (Gi0/19) dot1x_switch_mda_is_interested_in_mac: Not interested in unsecured 0026.5588.491c(1) on GigabitEthernet0/19
001829: 4w1d: AUTH-FEAT-GUEST-VLAN-EVENT (Gi0/19) Overriding host_mode, forcing to MULTI_HOS

So we ended up with a lot of questions and were unable to find any answers on the net that make sense.

Can anyone see what went wrong?

Thanks in advance,

Chris Schaatsbergen
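The debug excerpt above contains, for one AuditSessionID, a MAB failure, the "exhausted all authentication methods" message, and then a VLAN assignment and an authorization success for "Unknown MAC". That pattern, a session that fails every method and is still authorized, is exactly what a detection rule should catch when a fallback VLAN opens a port. The script below is an added example, not part of the original post or of Cisco's tooling: it groups AUTHMGR/MAB syslog lines by AuditSessionID and reports sessions that reached NOMOREMETHODS without a MAB or 802.1X success but still got a VLAN. The Gi0/19 lines are the ones quoted in the post; the Gi0/20 session (MAC 0011.2233.4455, VLAN 10) is constructed here to show what an accepted client looks like for contrast.

```python
import re
from collections import defaultdict

# Sample syslog. The Gi0/19 session is the sequence quoted in the post above
# (sequence numbers and timestamps kept as the switch printed them); the Gi0/20
# session is constructed here to show a MAC that RADIUS accepts, for contrast.
SAMPLE_LOG = """\
001612: .Mar 11 07:59:19: %AUTHMGR-5-START: Starting 'mab' for client (0026.5588.491c) on Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF
001614: .Mar 11 07:59:20: %MAB-5-FAIL: Authentication failed for client (0026.5588.491c) on Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF
001615: .Mar 11 07:59:20: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0026.5588.491c) on Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF
001616: .Mar 11 07:59:20: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0026.5588.491c) on Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF
001617: .Mar 11 07:59:20: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0026.5588.491c) on Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF
001623: .Mar 11 07:59:20: %AUTHMGR-5-VLANASSIGN: VLAN 1 assigned to Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF
001634: .Mar 11 07:59:21: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF
001700: .Mar 11 08:02:03: %AUTHMGR-5-START: Starting 'mab' for client (0011.2233.4455) on Interface Gi0/20 AuditSessionID 0A0201D20000000C9A5DAE10
001701: .Mar 11 08:02:03: %MAB-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi0/20 AuditSessionID 0A0201D20000000C9A5DAE10
001702: .Mar 11 08:02:03: %AUTHMGR-5-VLANASSIGN: VLAN 10 assigned to Interface Gi0/20 AuditSessionID 0A0201D20000000C9A5DAE10
001703: .Mar 11 08:02:03: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0011.2233.4455) on Interface Gi0/20 AuditSessionID 0A0201D20000000C9A5DAE10
"""

# One IOS syslog line: "%FACILITY-SEV-MNEMONIC: <text> [for client (<mac>)] on|to Interface <if> AuditSessionID <id>"
LINE_RE = re.compile(
    r"%(?P<mnemonic>[A-Z0-9]+-\d-[A-Z]+): (?P<text>.*?)"
    r"(?: for client \((?P<mac>[^)]*)\))?"
    r" (?:on|to) Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-F]+)"
)

AUTH_OK = {"MAB-5-SUCCESS", "DOT1X-5-SUCCESS"}          # a method actually accepted the client
AUTH_EXHAUSTED = {"AUTHMGR-7-NOMOREMETHODS"}             # every configured method failed
AUTHORIZED = {"AUTHMGR-5-VLANASSIGN", "AUTHMGR-5-SUCCESS"}  # the port was opened anyway


def parse_sessions(log_text):
    """Group AUTHMGR/MAB/DOT1X syslog lines by AuditSessionID."""
    sessions = defaultdict(lambda: {"mac": None, "interface": None, "vlan": None, "events": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = sessions[m["sid"]]
        s["events"].append(m["mnemonic"])
        s["interface"] = m["intf"]
        if m["mac"] and m["mac"] != "Unknown MAC":
            s["mac"] = m["mac"]
        if m["mnemonic"] == "AUTHMGR-5-VLANASSIGN":
            s["vlan"] = int(m["text"].split()[1])  # text is "VLAN <n> assigned"
    return dict(sessions)


def unauthenticated_authorizations(sessions):
    """Sessions in which all methods failed, nothing succeeded, and the port was still authorized."""
    findings = []
    for sid, s in sessions.items():
        events = set(s["events"])
        if events & AUTH_EXHAUSTED and not events & AUTH_OK and events & AUTHORIZED:
            findings.append({"session": sid, "mac": s["mac"],
                             "interface": s["interface"], "vlan": s["vlan"]})
    return findings


if __name__ == "__main__":
    for f in unauthenticated_authorizations(parse_sessions(SAMPLE_LOG)):
        print(f"{f['interface']}: {f['mac']} failed authentication but was authorized "
              f"on VLAN {f['vlan']} (session {f['session']})")
```

Run against the sample it reports only the Gi0/19 session. Keyed on AuditSessionID rather than on MAC, the rule also works for sessions where the final AUTHMGR-5-SUCCESS line says "Unknown MAC", as it does in the post's log.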

Accepted Solution

mansrini
Level 1

Hello,

This is happening because you have a guest VLAN configured. You could remove the command 'authentication event no-response action authorize vlan 1' to achieve the result you want. Guest VLAN is meant to allow unknown users/MACs on the network through the guest VLAN.

Let me know if this helps

Thanks,

Mani

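The accepted answer identifies the `no-response` fallback (the guest VLAN) as the reason an unknown MAC was authorized. It is one of three `authentication event ... action authorize vlan` fallbacks in the posted interface config, and all three do the same kind of thing by design: the auth-fail VLAN (`event fail`) authorizes a client RADIUS rejected, and the critical VLAN (`event server dead`) authorizes clients while the RADIUS server is marked dead. Whether to keep the latter two is a policy decision, but they should be known. The script below is an added example, not from the thread or from Cisco: it walks an IOS running-config excerpt, reports every interface-level fallback that authorizes a port without a successful authentication, and produces the corrected config by dropping the `no-response` line, which is the fix the answer recommends. The Gi0/19 block is the one from the post; the Gi0/20 block is constructed as a port with no fallbacks.

```python
import re

# Interface excerpt from the post (Gi0/19) plus a constructed Gi0/20 block with
# no fallback VLANs; the rest of the running config is omitted.
RUNNING_CONFIG = """\
interface GigabitEthernet0/19
 switchport mode access
 switchport voice vlan 2
 authentication event fail retry 0 action authorize vlan 999
 authentication event server dead action authorize vlan 1
 authentication event no-response action authorize vlan 1
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication port-control auto
 authentication violation restrict
 mab
 spanning-tree portfast
!
interface GigabitEthernet0/20
 switchport mode access
 authentication port-control auto
 mab
!
"""

# Fallbacks that authorize a port with no successful authentication, and what each one admits.
FALLBACKS = {
    "no-response": ("guest VLAN", "a client with no supplicant and no known MAC is authorized onto this VLAN"),
    "fail": ("auth-fail VLAN", "a client that RADIUS rejected is authorized onto this VLAN"),
    "server dead": ("critical VLAN", "clients are authorized onto this VLAN while RADIUS is marked dead"),
}

EVENT_RE = re.compile(
    r"^\s*authentication event (?P<event>no-response|fail|server dead)\b.*\baction authorize vlan (?P<vlan>\d+)"
)
GUEST_VLAN_RE = re.compile(r"^\s*authentication event no-response action authorize vlan \d+\s*$")


def interface_blocks(config):
    """Map interface name -> list of its indented sub-commands ('!' closes a block)."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith("!"):
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks


def audit(config):
    """Report every per-interface fallback that authorizes a port without a successful authentication."""
    findings = []
    for intf, lines in interface_blocks(config).items():
        for line in lines:
            m = EVENT_RE.match(line)
            if m:
                name, effect = FALLBACKS[m["event"]]
                findings.append({"interface": intf, "event": m["event"], "vlan": int(m["vlan"]),
                                 "fallback": name, "effect": effect, "line": line.strip()})
    return findings


def remove_guest_vlan(config):
    """Return the config with the no-response (guest VLAN) fallback removed, as the accepted answer advises."""
    kept = [line for line in config.splitlines() if not GUEST_VLAN_RE.match(line)]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for f in audit(RUNNING_CONFIG):
        print(f"{f['interface']}: {f['fallback']} ({f['line']}): {f['effect']}")
    print("--- after removing the guest VLAN ---")
    for f in audit(remove_guest_vlan(RUNNING_CONFIG)):
        print(f"{f['interface']}: {f['fallback']} still present: {f['line']}")
```

On the posted config the audit lists three fallbacks on Gi0/19 and none on Gi0/20; after `remove_guest_vlan` only the auth-fail and critical VLAN entries remain, so an unknown MAC that MAB cannot authenticate no longer has a path to an authorized port unless RADIUS itself is down.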

4 Replies

Hi Mani,

Thanks for your answer; unfortunately we can test it only tomorrow, but it does sound promising.

Chris

Indeed, it was the right answer, thanks!

Dear Valued Cisco Customer,

I will be out of the office from 03/20/2010 until 04/04/2010. During this time, I will have no access to email or voicemail. If you require assistance during my absence, please contact Manivannan Srinivasan via phone at 469-255-4806 or via email at mansrini@cisco.com and this engineer will continue to work any immediate concerns you may have at this time. If this issue can wait until my return on 04/05/2010, I will be glad to continue working with you. If you require assistance outside of our business hours (10:00am - 7:00pm CST), please contact the TAC by calling 1800-553-2447 or email tac@cisco.com and request to have the service request re-assigned.

Best Regards,

Abhishek Neelakanata
