12-10-2014 12:04 AM - edited 03-10-2019 10:15 PM
Hi,
I'm facing an issue with Cisco 2960 switch RADIUS accounting with Cisco ISE 1.2.1. Here is my scenario:
- Username (vendor1) is configured in the ISE local database, under group (VENDOR)
- Authentication protocol: wired MAB
- Authentication method: webauth using the guest portal; the user is a vendor, so no dot1x is configured on his NIC.
The problem is that the switch is not sending the username as part of the RADIUS attributes. In the authentication log, the username is shown as the MAC address of the user machine, therefore I cannot configure my authorization condition using InternalUser:Name Equals vendor1,
while if I configure the condition using the identity group condition IdentityGroup:Name Equals VENDOR, it works.
The same configuration is working on a 3750 switch with no issue.
Here is my Switch config:
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting update periodic 5
username admin password
username radius-test password
!
!
aaa server radius dynamic-author
client 172.16.2.20 server-key 7 04490A0206345F450C00
client 172.16.2.21 server-key 7 03165A0F0F1A32474B10
!
radius server ISE-RADIUS-1
address ipv4 172.16.2.20 auth-port 1812 acct-port 1813
automate-tester username radius-test idle-time 15
key 7 111B18011E0718070133
!
radius server ISE-RADIUS-2
address ipv4 172.16.2.21 auth-port 1812 acct-port 1813
automate-tester username radius-test idle-time 15
key 7 0214055F02131C2A4957
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria time 5 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
Any help!!!
12-11-2014 08:58 AM
ISE MAB uses the MAC address for authentication (the MAC address needs to be defined in ISE) and does not use a username and password for authentication; use dot1x for authentication.
12-11-2014 10:33 AM
Thanks for your reply. I know what MAB is; if you read my explanation again, I mentioned that the user is authenticated in the guest portal, which means that I have web authentication, and it is working fine. The only issue is that I cannot use the vendor1 username as part of the authorization condition, and this is because the switch is not sending RADIUS attribute type 1 to the ISE. Thus, in the ISE authentication log, the MAC address of the client machine is shown as the username, not the actual username (vendor1).
As I mentioned also, I have exactly the same setup with ISE 1.2 and a 3750 switch and I do not have this issue. I experience this with the 2960X only.
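To confirm from a packet capture what the switch actually places in attribute 1, here is an added Python example (not from this thread, Cisco, or ISE) that parses the AVPs of a RADIUS Access-Request and flags requests whose User-Name merely repeats the IETF-format MAC carried in Calling-Station-Id (attribute 31). The packets, the username and the MAC in it are constructed test data.

```python
import re
import struct

USER_NAME = 1            # RADIUS attribute 1, the one reported as not being sent
CALLING_STATION_ID = 31  # RADIUS attribute 31, the client MAC
# IETF upper-case form selected by "radius-server attribute 31 mac format ietf upper-case"
MAC_IETF = re.compile(r"^[0-9A-F]{2}(-[0-9A-F]{2}){5}$")


def build_access_request(attrs, identifier=1):
    """Build a minimal RADIUS Access-Request (code 1) from (type, value) pairs.
    Constructed test data only: the 16-byte Request Authenticator is zeroed."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, identifier, 20 + len(body)) + bytes(16) + body


def parse_avps(packet):
    """Return {type: [value, ...]} for the attribute-value pairs of one RADIUS packet."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match the packet size")
    avps, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        avps.setdefault(t, []).append(packet[pos + 2:pos + l])
        pos += l
    return avps


def classify_identity(packet):
    """'username' if attribute 1 carries a real name, 'mac-only' if it only repeats
    the MAC from attribute 31 (which ISE then displays as the username),
    'missing' if attribute 1 is absent from the request."""
    avps = parse_avps(packet)
    user = avps.get(USER_NAME, [b""])[0].decode("ascii", "replace")
    mac = avps.get(CALLING_STATION_ID, [b""])[0].decode("ascii", "replace")
    if not user:
        return "missing"
    if MAC_IETF.match(user) and user == mac:
        return "mac-only"
    return "username"


# Constructed samples (MAC is made up): the request expected after the portal
# login, and the form described for the 2960X where only the MAC is sent.
MAC = b"00-11-22-33-44-55"
GOOD = build_access_request([(USER_NAME, b"vendor1"), (CALLING_STATION_ID, MAC)])
BAD = build_access_request([(USER_NAME, MAC), (CALLING_STATION_ID, MAC)])
```

Feed it the UDP payload of each Access-Request from a capture taken on the ISE side (port 1812) to see which requests still identify the session by MAC.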
01-20-2015 12:13 AM
Hi Ali,
You mentioned that under the same conditions, you replaced it with a 3750 and then did not have this issue.
I came across a lot of strange issues on the 2960X.
Link as below:
https://supportforums.cisco.com/discussion/12395181/need-help-cisco-ise-and-stack-switch-issue
BR
Frank