Authorization failed or unapplied for client on Legacy IBNS config

tadewole
Level 1

I am trying to ISE a WS-C3560V2-48PS switch on SW Version 15.0(2)SE1. After applying my configuration, I get the following result:

#show authentication sessions interface fastEthernet 0/1
Interface: FastEthernet0/1
MAC Address: 0cxx.25a7.867f
IP Address: 172.16.12.xxx
User-Name: 0C-xx-25-A7-86-7F
Status: Authz Failed
Domain: VOICE
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: in
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC100C0200000022001A44FA
Acct Session ID: 0x00000033
Handle: 0x36000023

Runnable methods list:
Method State
mab Authc Success
dot1x Not run

==============================================================================================

This is my global configuration: 

 

logging source-interface vlan1
ip radius source-interface vlan1
snmp-server trap-source vlan1
!
aaa new-model
!
radius server cise1
address ipv4 172.xx.1.xxx auth-port 1645 acct-port 1646
automate-tester username isetest
key cisco123
!
radius server cise2
address ipv4 172.xx.1.xxy auth-port 1645 acct-port 1646
automate-tester username isetest
key cisco123
!
radius server cise1+PAC
address ipv4 172.xx.1.xxx auth-port 1812 acct-port 1813
key cisco123
!
radius server cise2+PAC
address ipv4 172.xx.1.xxy auth-port 1812 acct-port 1813
key cisco123
!
aaa group server radius ise-group
server name cise1
server name cise2
!
aaa group server radius ise-group+PAC
server name cise1+PAC
server name cise2+PAC
!
aaa authentication enable default enable
aaa authentication dot1x default group ise-group
aaa authentication dot1x authc-dot1x group ise-group
aaa authorization network default group ise-group
aaa authorization network cts-mlist group ise-group+PAC
aaa authorization network auth-list group ise-group
aaa authorization auth-proxy default group ise-group
aaa accounting update newinfo periodic 400
aaa accounting auth-proxy default start-stop group ise-group
aaa accounting dot1x default start-stop group ise-group
aaa accounting network acct-net start-stop group ise-group
aaa accounting system default start-stop group ise-group
!
aaa server radius dynamic-author
client 172.xx.1.xxx server-key cisco1x3
client 172.xx.1.xxy server-key cisco1x3
server-key cisco1x3
auth-type any
!
aaa session-id common
!
device-sensor filter-list dhcp list TLV-DHCP
option name host-name
option name requested-address
option name parameter-request-list
option name class-identifier
option name client-identifier
!
device-sensor filter-list cdp list TLV-CDP
tlv name device-name
tlv name address-type
tlv name capabilities-type
tlv name version-type
tlv name platform-type
!
device-sensor filter-list lldp list TLV-LLDP
tlv name port-id
tlv name time-to-live
tlv name port-description
tlv name system-name
tlv name system-description
tlv name system-capabilities
tlv name management-address
tlv name chassis-id
tlv name time-to-live

device-sensor filter-spec dhcp include list TLV-DHCP
device-sensor filter-spec lldp include list TLV-LLDP
device-sensor filter-spec cdp include list TLV-CDP
device-sensor accounting
device-sensor notify all-changes

epm logging
authentication mac-move permit
access-session template monitor
access-session acl default passthrough
!
dot1x system-auth-control
dot1x critical eapol
!
lldp run
cdp run
!
no macro auto monitor
access-session template monitor
!
ip access-list extended ACL-DEFAULT
permit icmp any any
permit udp any any
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit udp any any eq tftp
permit tcp any host 172.xx.1.xxx eq www
permit tcp any host 172.xx.1.xxy eq www
permit tcp any host 172.xx.1.xxx eq 443
permit tcp any host 172.xx.1.xxy eq 443
permit tcp any host 172.xx.1.xxx eq 8443
permit tcp any host 172.xx.1.xxy eq 8443
deny ip any any
ip access-list extended ACL-WEBAUTH_REDIRECT
permit tcp any any eq www
permit tcp any any eq 443
ip access-list extended BLACKHOLE
permit tcp any any eq www
permit tcp any any eq 443
ip access-list extended GUEST-REDIRECT
deny udp any eq bootpc any eq bootps
deny udp any any eq domain
deny udp any any eq 8443
deny udp any any eq 8905
permit tcp any any eq www
permit tcp any any eq 443
deny ip any any
!
ip http server
ip http secure-server
!
logging host 172.xx.1.xxx transport udp port 20514
logging host 172.xx.1.xxy transport udp port 20514
!
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host 172.xx.1.xxx version 2c xxxxxxxxxxxxxxxxxx
snmp-server host 172.xx.1.xxy version 2c xxxxxxxxxxxxxxxxxx
!
radius-server vsa send accounting
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria tries 3
radius-server deadtime 30
!
mac address-table notification change interval 0
mac address-table notification change
mac address-table notification mac-move

radius server smscise1
address ipv4 172.xx.1.xxx auth-port 1645 acct-port 1646
automate-tester username isetest
key cisco1x3
!
radius server smscise2
address ipv4 172.xx.1.xxy auth-port 1645 acct-port 1646
automate-tester username isetest
key cisco1x3
!
radius server smscise1+PAC
address ipv4 172.xx.1.xxx auth-port 1812 acct-port 1813
key cisco1x3
!
radius server smscise2+PAC
address ipv4 172.xx.1.xxy auth-port 1812 acct-port 1813
key cisco1x3
!
end

============================================================================================

My interface configuration is 

interface Fa0/1
switchport mode access
switchport voice vlan 1
ip device tracking maximum 10
snmp trap mac-notification change added
snmp trap mac-notification change removed
authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
ip access-group ACL-DEFAULT in

===============================================================================================

This is my debug log:

Jun 7 12:47:04.236: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
Jun 7 12:47:05.251: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
Jun 7 12:47:06.375: %ILPOWER-7-DETECT: Interface Fa0/1: Power Device detected: IEEE PD
Jun 7 12:47:06.736: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
Jun 7 12:47:07.298: %ILPOWER-5-POWER_GRANTED: Interface Fa0/1: Power granted
Jun 7 12:47:11.349: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
Jun 7 12:47:12.356: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
Jun 7 12:47:24.385: %AUTHMGR-5-START: Starting 'mab' for client (xxxx.25a7.867f) on Interface Fa0/1 AuditSessionID AC100C02000000290030363B
Jun 7 12:47:24.562: %MAB-5-SUCCESS: Authentication successful for client (xxxx.25a7.867f) on Interface Fa0/1 AuditSessionID AC100C02000000290030363B
Jun 7 12:47:24.562: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (xxxx.25a7.867f) on Interface Fa0/1 AuditSessionID AC100C02000000290030363B
Jun 7 12:47:24.562: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (xxxx.25a7.867f) on Interface Fa0/1 AuditSessionID AC100C02000000290030363B
Jun 7 12:47:24.562: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC xxxx.25a7.867f| AuditSessionID AC100C02000000290030363B| AUTHTYPE DOT1X| EVENT APPLY
Jun 7 12:47:24.562: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-5adf9fdc| EVENT DOWNLOAD-REQUEST
Jun 7 12:47:24.562: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC xxxx.25a7.867f| AuditSessionID AC100C02000000290030363B| AUTHTYPE DOT1X| EVENT REMOVE
Jun 7 12:48:25.044: %MAB-5-SUCCESS: Authentication successful for client (xxxx.25a7.867f) on Interface Fa0/1 AuditSessionID AC100C02000000290030363B
Jun 7 12:48:25.044: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (xxxx.25a7.867f) on Interface Fa0/1 AuditSessionID AC100C02000000290030363B
Jun 7 12:48:25.044: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (xxxx.25a7.867f) on Interface Fa0/1 AuditSessionID AC100C02000000290030363B
Jun 7 12:48:25.044: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC xxxx.25a7.867f| AuditSessionID AC100C02000000290030363B| AUTHTYPE DOT1X| EVENT APPLY
Jun 7 12:48:25.044: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-5adf9fdc| EVENT DOWNLOAD-REQUEST
Jun 7 12:48:25.044: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC xxxx.25a7.867f| AuditSessionID AC100C02000000290030363B| AUTHTYPE DOT1X| EVENT REMOVE
Jun 7 12:49:25.778: %MAB-5-SUCCESS: Authentication successful for client (xxxx.25a7.867f) on Interface Fa0/1 AuditSessionID AC100C02000000290030363B
Jun 7 12:49:25.778: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (xxxx.25a7.867f) on Interface Fa0/1 AuditSessionID AC100C02000000290030363B
Jun 7 12:49:25.778: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (xxxx.25a7.867f) on Interface Fa0/1 AuditSessionID AC100C02000000290030363B
Jun 7 12:49:25.778: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC xxxx.25a7.867f| AuditSessionID AC100C02000000290030363B| AUTHTYPE DOT1X| EVENT APPLY
Jun 7 12:49:25.778: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-5adf9fdc| EVENT DOWNLOAD-REQUEST
Jun 7 12:49:25.778: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC xxxx.25a7.867f| AuditSessionID AC100C02000000290030363B| AUTHTYPE DOT1X| EVENT REMOVE
Jun 7 12:50:26.496: %MAB-5-SUCCESS: Authentication successful for client (xxxx.25a7.867f) on Interface Fa0/1 AuditSessionID AC100C02000000290030363B
Jun 7 12:50:26.504: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (xxxx.25a7.867f) on Interface Fa0/1 AuditSessionID AC100C02000000290030363B
Jun 7 12:50:26.504: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (xxxx.25a7.867f) on Interface Fa0/1 AuditSessionID AC100C02000000290030363B
Jun 7 12:50:26.504: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC xxxx.25a7.867f| AuditSessionID AC100C02000000290030363B| AUTHTYPE DOT1X| EVENT APPLY
Jun 7 12:50:26.504: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-5adf9fdc| EVENT DOWNLOAD-REQUEST
Jun 7 12:50:26.504: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC xxxx.25a7.867f| AuditSessionID AC100C02000000290030363B| AUTHTYPE DOT1X| EVENT REMOVE
Jun 7 12:51:27.222: %MAB-5-SUCCESS: Authentication successful for client (xxxx.25a7.867f) on Interface Fa0/1 AuditSessionID AC100C02000000290030363B
Jun 7 12:51:27.222: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (xxxx.25a7.867f) on Interface Fa0/1 AuditSessionID AC100C02000000290030363B
Jun 7 12:51:27.230: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (xxxx.25a7.867f) on Interface Fa0/1 AuditSessionID AC100C02000000290030363B
Jun 7 12:51:27.230: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC xxxx.25a7.867f| AuditSessionID AC100C02000000290030363B| AUTHTYPE DOT1X| EVENT APPLY
Jun 7 12:51:27.230: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-5adf9fdc| EVENT DOWNLOAD-REQUEST
Jun 7 12:51:27.230: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC xxxx.25a7.867f| AuditSessionID AC100C02000000290030363B| AUTHTYPE DOT1X| EVENT REMOVE
Jun 7 12:52:28.014: %MAB-5-SUCCESS: Authentication successful for client (xxxx.25a7.867f) on Interface Fa0/1 AuditSessionID AC100C02000000290030363B
Jun 7 12:52:28.014: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (xxxx.25a7.867f) on Interface Fa0/1 AuditSessionID AC100C02000000290030363B
Jun 7 12:52:28.014: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (xxxx.25a7.867f) on Interface Fa0/1 AuditSessionID AC100C02000000290030363B
Jun 7 12:52:28.014: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC xxxx.25a7.867f| AuditSessionID AC100C02000000290030363B| AUTHTYPE DOT1X| EVENT APPLY
Jun 7 12:52:28.014: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-5adf9fdc| EVENT DOWNLOAD-REQUEST
Jun 7 12:52:28.023: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC xxxx.25a7.867f| AuditSessionID AC100C02000000290030363B| AUTHTYPE DOT1X| EVENT REMOVE

================================================================================================

Kindly assist in pointing out what I need to modify in the configuration for it to work.
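As an added illustration (not part of the original post), a small Python parser that runs over IOS syslog lines like the debug log above and flags sessions where MAB/dot1x authentication succeeded but authorization was never applied, which is the loop visible in the log. The log lines, MAC addresses and session IDs below are constructed samples modelled on the thread.

```python
import re
from collections import defaultdict

# Cisco IOS syslog tag %FACILITY-SEVERITY-MNEMONIC followed, for auth-manager
# messages, by a trailing AuditSessionID that ties events to one session.
SYSLOG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+):"
    r".*?AuditSessionID (?P<sid>[0-9A-Fa-f]+)"
)

# Constructed sample: one session looping authc-success/authz-fail (as in the
# thread) and one healthy session on another port for contrast.
SAMPLE_LOG = """\
Jun 7 12:47:24.385: %AUTHMGR-5-START: Starting 'mab' for client (0000.25a7.867f) on Interface Fa0/1 AuditSessionID AC100C02000000290030363B
Jun 7 12:47:24.562: %MAB-5-SUCCESS: Authentication successful for client (0000.25a7.867f) on Interface Fa0/1 AuditSessionID AC100C02000000290030363B
Jun 7 12:47:24.562: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0000.25a7.867f) on Interface Fa0/1 AuditSessionID AC100C02000000290030363B
Jun 7 12:48:25.044: %MAB-5-SUCCESS: Authentication successful for client (0000.25a7.867f) on Interface Fa0/1 AuditSessionID AC100C02000000290030363B
Jun 7 12:48:25.044: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0000.25a7.867f) on Interface Fa0/1 AuditSessionID AC100C02000000290030363B
Jun 7 12:49:00.000: %MAB-5-SUCCESS: Authentication successful for client (0000.aaaa.bbbb) on Interface Fa0/2 AuditSessionID AC100C02000000300030363C
Jun 7 12:49:00.100: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0000.aaaa.bbbb) on Interface Fa0/2 AuditSessionID AC100C02000000300030363C
""".splitlines()


def parse_session_events(lines):
    """Return {session_id: [FACILITY-SEV-MNEMONIC, ...]} in log order."""
    events = defaultdict(list)
    for line in lines:
        m = SYSLOG_RE.search(line)
        if m:
            events[m["sid"]].append(f"{m['facility']}-{m['severity']}-{m['mnemonic']}")
    return dict(events)


def find_authz_failures(lines):
    """Sessions that authenticated (MAB or dot1x) yet hit AUTHMGR-5-FAIL.

    Returns {session_id: {"authc_ok": count, "authz_fail": count}} so a
    repeating loop (as in the thread, every reauth minute) stands out.
    """
    report = {}
    for sid, mnemonics in parse_session_events(lines).items():
        ok = sum(1 for m in mnemonics if m in ("MAB-5-SUCCESS", "DOT1X-5-SUCCESS"))
        fail = sum(1 for m in mnemonics if m == "AUTHMGR-5-FAIL")
        if ok and fail:
            report[sid] = {"authc_ok": ok, "authz_fail": fail}
    return report
```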

 

2 Replies

Damien Miller
VIP Alumni

I've seen this happen when the voice VLAN is missing on a port and we send a voice authorized result, but also when the voice and data VLAN are the same. It looks like the voice and data VLAN might be the same VLAN 1 in your case.

I'm not 100% sure moving to two VLANs will fix your specific authz issue; it's a hunch right now. But either way, it's not recommended to use the same VLAN for voice and data; there have been many switch bugs related to this in the past.
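To check the hunch above across a whole switch config rather than one port, here is an added example (not Damien's or Cisco's code) that parses IOS interface stanzas and lists ports whose voice VLAN equals the data VLAN, treating a missing `switchport access vlan` as the IOS default of VLAN 1, which is exactly the Fa0/1 case in the thread. The config text is a constructed sample modelled on the interface config posted above.

```python
import re

DEFAULT_ACCESS_VLAN = 1  # IOS default when no 'switchport access vlan' is configured

# Constructed sample: Fa0/1 mirrors the thread (voice VLAN 1, access VLAN left
# at default 1); Fa0/2 is separated properly; Fa0/3 overlaps explicitly.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport voice vlan 1
 authentication host-mode multi-auth
 mab
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 mab
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 10
 mab
!
"""

VLAN_RE = re.compile(r"switchport (access|voice) vlan (\d+)$")


def parse_interfaces(config_text):
    """Return {interface_name: {"access": int, "voice": int | None}}.

    Non-numeric voice settings (dot1p, untagged, none) leave voice as None.
    """
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"access": DEFAULT_ACCESS_VLAN, "voice": None}
        elif line == "!":
            current = None
        elif current and (m := VLAN_RE.match(line)):
            interfaces[current][m.group(1)] = int(m.group(2))
    return interfaces


def overlapping_voice_data(config_text):
    """Interfaces whose voice VLAN equals the explicit or default data VLAN."""
    return sorted(name for name, v in parse_interfaces(config_text).items()
                  if v["voice"] is not None and v["voice"] == v["access"])
```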

Hello Damien,

Thank you for your insight; however, I do have some switches on my network that are using only one VLAN for voice and data and are not having the same issue. The only difference is that those switches are able to run IBNS 2.0, while this one is running the legacy IBNS configuration.
