03-22-2023 09:39 AM
Hello,
I just installed a C9200 stack and configured MAB with a RADIUS server. I added the MAC addresses of my 40 users to the RADIUS server, then I activated MAB on the necessary ports.
When I did this 2 days ago everything seemed fine, but today a user pointed out to me that he couldn't access a shared remote folder on a Windows server in the same LAN and that pings to this server are KO as well.
I checked the log in the RADIUS server, everything is OK, the MAC address is authorized.
On the switch the port is OK:
#show mac address-table | include ca63
18 d08e.790f.ca63 STATIC Gi1/0/10
#arp -a
192.168.100.246 d0-8e-79-0f-ca-63 dynamique
#show int status | include Gi1/0/18
Gi1/0/10 connected 18 a-full a-1000 10/100/1000BaseTX
And the server can communicate with the outside (connection on firewall OK).
I tried to debug with no success, so I removed the MAB configuration from the port, unplugged/plugged the RJ45 cable, and immediately access to the shared folder was OK and ping OK too.
Here's the configuration of my MAB and port:
aaa new-model
!
!
aaa group server radius rad_access
 server name yyyyyyyyyy
!
aaa authentication dot1x default group radius
aaa authorization network default group radius local
!
!
!
!
!
!
aaa session-id common
vtp mode off
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/10
 switchport access vlan 18
 switchport mode access
 authentication port-control auto
 mab
 spanning-tree portfast
!
radius server yyyyyyyyyy
 address ipv4 192.168.100.248 auth-port 1812 acct-port 1813
 key xxxxxxxxxxxxxxxxx
!
The server had been restarted 2 times before I came to debug, without success.
Can someone help me to debug this situation please?
03-23-2023 10:17 AM
Glad it worked. AAA configs are finicky, it always pays to keep them 'clean'.
03-23-2023 07:51 AM
Here is a tcpdump from my RADIUS server when I connect the Windows server to the switch.
The RADIUS server replies with an accept.
tcpdump -i any host 10.200.66.1 or host 192.168.100.246
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
15:35:46.667183 ARP, Request who-has 192.168.100.246 tell XXXXXXFWPP01, length 46
15:35:47.659892 ARP, Request who-has 192.168.100.246 tell XXXXXXFWPP01, length 46
15:35:48.659845 ARP, Request who-has 192.168.100.246 tell XXXXXXFWPP01, length 46
15:35:59.518984 ARP, Request who-has 192.168.100.246 tell XXXXXXFWPP01, length 46
15:36:00.509493 ARP, Request who-has 192.168.100.246 tell XXXXXXFWPP01, length 46
15:36:01.509460 ARP, Request who-has 192.168.100.246 tell XXXXXXFWPP01, length 46
15:36:03.145967 ARP, Request who-has 192.168.100.246 tell XXXXXXFWPP01, length 46
15:36:04.139415 ARP, Request who-has 192.168.100.246 tell XXXXXXFWPP01, length 46
15:36:05.139357 ARP, Request who-has 192.168.100.246 tell XXXXXXFWPP01, length 46
15:36:08.233163 IP 10.200.66.1.58284 > XXXXXXPP01.radius: RADIUS, Access-Request (1), id: 0x0e length: 324
15:36:08.235330 IP XXXXXXPP01.radius > 10.200.66.1.58284: RADIUS, Access-Accept (2), id: 0x0e length: 20
15:36:10.325667 ARP, Request who-has XXXXXXFWPP01 tell 192.168.100.246, length 46
15:36:10.376966 ARP, Request who-has XXXXXXFWPP01 tell 192.168.100.246, length 46
15:36:10.397768 ARP, Request who-has XXXXXXFWPP01 tell 192.168.100.246, length 46
15:36:20.492285 ARP, Request who-has XXXXXXFWPP01 tell 192.168.100.246, length 46
--------------
tcpdump -nn -e -vvv -i any host 10.200.66.1 or host 192.168.100.246
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
15:35:46.667175 B 00:09:0f:09:00:06 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.100.246 tell 192.168.100.1, length 46
15:35:47.659881 B 00:09:0f:09:00:06 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.100.246 tell 192.168.100.1, length 46
15:35:48.659838 B 00:09:0f:09:00:06 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.100.246 tell 192.168.100.1, length 46
15:35:59.518973 B 00:09:0f:09:00:06 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.100.246 tell 192.168.100.1, length 46
15:36:00.509484 B 00:09:0f:09:00:06 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.100.246 tell 192.168.100.1, length 46
15:36:01.509452 B 00:09:0f:09:00:06 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.100.246 tell 192.168.100.1, length 46
15:36:03.145959 B 00:09:0f:09:00:06 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.100.246 tell 192.168.100.1, length 46
15:36:04.139406 B 00:09:0f:09:00:06 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.100.246 tell 192.168.100.1, length 46
15:36:05.139350 B 00:09:0f:09:00:06 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.100.246 tell 192.168.100.1, length 46
15:36:08.233156 In 00:09:0f:09:00:06 ethertype IPv4 (0x0800), length 368: (tos 0x0, ttl 63, id 48797, offset 0, flags [none], proto UDP (17), length 352)
10.200.66.1.58284 > 192.168.100.248.1812: [udp sum ok] RADIUS, length: 324
Access-Request (1), id: 0x0e, Authenticator: c2384b46d5df7b808958fc374765dc1c
User-Name Attribute (1), length: 14, Value: d08e790fca63
0x0000: 6430 3865 3739 3066 6361 3633
User-Password Attribute (2), length: 18, Value:
0x0000: f2cb eeca ab49 ada2 220a 2feb 5d0d 40de
Service-Type Attribute (6), length: 6, Value: Call Check
0x0000: 0000 000a
Vendor-Specific Attribute (26), length: 31, Value: Vendor: Cisco (9)
Vendor Attribute: 1, Length: 23, Value: service-type=Call Check
0x0000: 0000 0009 0119 7365 7276 6963 652d 7479
0x0010: 7065 3d43 616c 6c20 4368 6563 6b
Framed-MTU Attribute (12), length: 6, Value: 1468
0x0000: 0000 05bc
Message-Authenticator Attribute (80), length: 18, Value: q4g.o\Y.j....
0x0000: 7134 67f6 6f5c 5996 6afd bde6 f400 a937
Unknown Attribute (102), length: 2, Value:
Vendor-Specific Attribute (26), length: 49, Value: Vendor: Cisco (9)
Vendor Attribute: 1, Length: 41, Value: audit-session-id=0142C80A00000A160EDD6437
0x0000: 0000 0009 012b 6175 6469 742d 7365 7373
0x0010: 696f 6e2d 6964 3d30 3134 3243 3830 4130
0x0020: 3030 3030 4131 3630 4544 4436 3433 37
Vendor-Specific Attribute (26), length: 18, Value: Vendor: Cisco (9)
Vendor Attribute: 1, Length: 10, Value: method=mab
0x0000: 0000 0009 010c 6d65 7468 6f64 3d6d 6162
Vendor-Specific Attribute (26), length: 31, Value: Vendor: Cisco (9)
Vendor Attribute: 1, Length: 23, Value: client-iif-id=428417217
0x0000: 0000 0009 0119 636c 6965 6e74 2d69 6966
0x0010: 2d69 643d 3432 3834 3137 3231 37
Vendor-Specific Attribute (26), length: 18, Value: Vendor: Cisco (9)
Vendor Attribute: 1, Length: 10, Value: vlan-id=18
0x0000: 0000 0009 010c 766c 616e 2d69 643d 3138
NAS-IP-Address Attribute (4), length: 6, Value: 10.200.66.1
0x0000: 0ac8 4201
NAS-Port-Id Attribute (87), length: 23, Value: GigabitEthernet1/0/10
0x0000: 4769 6761 6269 7445 7468 6572 6e65 7431
0x0010: 2f30 2f31 30
NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
0x0000: 0000 000f
NAS-Port Attribute (5), length: 6, Value: 50110
0x0000: 0000 c3be
Calling-Station-Id Attribute (31), length: 19, Value: D0-8E-79-0F-CA-63
0x0000: 4430 2d38 452d 3739 2d30 462d 4341 2d36
0x0010: 33
NAS-Identifier Attribute (32), length: 14, Value: XXXXXXSWPP01
0x0000: 4752 4454 4f55 5357 5050 3031
Called-Station-Id Attribute (30), length: 19, Value: 04-BD-97-A5-85-0A
0x0000: 3034 2d42 442d 3937 2d41 352d 3835 2d30
0x0010: 41
15:36:08.235319 Out 00:19:b9:dd:49:37 ethertype IPv4 (0x0800), length 64: (tos 0x0, ttl 64, id 26914, offset 0, flags [none], proto UDP (17), length 48)
192.168.100.248.1812 > 10.200.66.1.58284: [bad udp cksum 0x7297 -> 0x3bac!] RADIUS, length: 20
Access-Accept (2), id: 0x0e, Authenticator: f56346097ace1b2dc95b5f0ff53d75ab
15:36:10.325659 B d0:8e:79:0f:ca:63 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.100.1 tell 192.168.100.246, length 46
15:36:10.376961 B d0:8e:79:0f:ca:63 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.100.1 tell 192.168.100.246, length 46
15:36:10.397762 B d0:8e:79:0f:ca:63 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.100.1 tell 192.168.100.246, length 46
15:36:20.492278 B d0:8e:79:0f:ca:63 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.100.1 tell 192.168.100.246, length 46
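Added example (not part of the original posts): a small Python parser for the `tcpdump -vvv` text above that pairs the Access-Request with its reply and reports whether the reply carries any attributes. A RADIUS header is 20 bytes, so the 20-byte Access-Accept in this capture is header only; the function names `parse_radius` and `summarize` are hypothetical.

```python
import re

# Lines excerpted from the verbose capture posted above (values as posted).
CAPTURE = """\
10.200.66.1.58284 > 192.168.100.248.1812: [udp sum ok] RADIUS, length: 324
Access-Request (1), id: 0x0e, Authenticator: c2384b46d5df7b808958fc374765dc1c
Vendor Attribute: 1, Length: 10, Value: method=mab
NAS-Port-Id Attribute (87), length: 23, Value: GigabitEthernet1/0/10
Calling-Station-Id Attribute (31), length: 19, Value: D0-8E-79-0F-CA-63
192.168.100.248.1812 > 10.200.66.1.58284: [bad udp cksum 0x7297 -> 0x3bac!] RADIUS, length: 20
Access-Accept (2), id: 0x0e, Authenticator: f56346097ace1b2dc95b5f0ff53d75ab
"""

RADIUS_HEADER_LEN = 20  # code (1) + identifier (1) + length (2) + authenticator (16)
LEN_RE = re.compile(r"RADIUS, length: (\d+)")
CODE_RE = re.compile(r"^(Access-\w+) \(\d+\), id: (0x[0-9a-f]+)")
ATTR_RE = re.compile(r"^([\w-]+) Attribute \(\d+\), length: \d+, Value: ?(.*)$")
AVPAIR_RE = re.compile(r"^Vendor Attribute: \d+, Length: \d+, Value: (\S+?)=(.*)$")

def parse_radius(text):
    """Return one dict per RADIUS packet found in tcpdump -vvv text output."""
    packets, length = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := LEN_RE.search(line):
            length = int(m[1])  # RADIUS length, printed just before the code line
        elif m := CODE_RE.match(line):
            packets.append({"code": m[1], "id": m[2], "length": length, "attrs": {}})
        elif packets and (m := ATTR_RE.match(line) or AVPAIR_RE.match(line)):
            packets[-1]["attrs"][m[1]] = m[2]
    return packets

def summarize(packets):
    """Pair replies with requests by RADIUS id (ids repeat; fine for a short capture)."""
    requests = {p["id"]: p for p in packets if p["code"] == "Access-Request"}
    out = []
    for reply in (p for p in packets if p["code"] != "Access-Request"):
        req = requests.get(reply["id"])
        if req:
            out.append({
                "mac": req["attrs"].get("Calling-Station-Id"),
                "port": req["attrs"].get("NAS-Port-Id"),
                "method": req["attrs"].get("method"),
                "result": reply["code"],
                # Header-only reply: the server pushes no VLAN, ACL or timeout.
                "reply_has_attributes": reply["length"] > RADIUS_HEADER_LEN,
            })
    return out
```

Calling `summarize(parse_radius(CAPTURE))` returns one entry for the MAB session on GigabitEthernet1/0/10 with `reply_has_attributes` set to `False`.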