
Cisco 2960-X & ISE accounting- username Radius attribute missing

Ali Koussan
Level 1

Hi,

I'm facing an issue with Cisco 2960 switch RADIUS accounting with Cisco ISE 1.2.1. Here is my scenario:

- Username (vendor1) is configured in the ISE local database, under group (VENDOR)

- Authentication protocol: wired MAB

- Authentication method: webauth using guest portal; the user is a vendor, so no dot1x is configured on his NIC.

The problem is that the switch is not sending the username as part of the RADIUS attributes. In the authentication log, the username is shown as the MAC address of the user machine; therefore, I cannot configure my authorization condition using internaluser:Name Equal vendor1

while if I configure the condition using the identity group condition IdentityGroup:Name Equal VENDOR, it works.

The same configuration is working on a 3750 switch with no issue.

Here is my Switch config:

aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius 
aaa authorization auth-proxy default group radius 
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting update periodic 5
username admin password 
username radius-test password 

!
!
aaa server radius dynamic-author
 client 172.16.2.20 server-key 7 04490A0206345F450C00
 client 172.16.2.21 server-key 7 03165A0F0F1A32474B10
!
radius server ISE-RADIUS-1
 address ipv4 172.16.2.20 auth-port 1812 acct-port 1813
 automate-tester username radius-test idle-time 15
 key 7 111B18011E0718070133
!
radius server ISE-RADIUS-2
 address ipv4 172.16.2.21 auth-port 1812 acct-port 1813
 automate-tester username radius-test idle-time 15
 key 7 0214055F02131C2A4957
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria time 5 tries 3
radius-server vsa send accounting
radius-server vsa send authentication

 

Any help!!!

 

3 Replies

Venkatesh Attuluri
Cisco Employee

ISE MAB uses the MAC address for authentication (the MAC address needs to be defined in ISE) and does not use a username and password for authentication; use dot1x for authentication.

Thanks for your reply. I know what MAB is; if you read my explanation again, I mentioned that the user is authenticated in the guest portal, which means that I have web authentication, and it is working fine. The only issue is that I cannot use the vendor1 username as part of the authorization condition, and this is because the switch is not sending RADIUS attribute type 1 to the ISE; thus, in the ISE authentication log the MAC address of the client machine is shown as the username, not the actual username (vendor1).

As I mentioned also, I have exactly the same setup with ISE 1.2 and a 3750 switch and I do not have this issue. I experience this with the 2960x only.
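
One way to confirm from a packet capture what the switch actually puts in User-Name (attribute type 1), added here as an example that is not part of the original thread or of any Cisco tooling: it parses a raw RADIUS packet and reports whether User-Name is absent, a real identity, or just the endpoint MAC also carried in Calling-Station-Id (attribute 31). The function names, the classification labels and the two sample packets are constructed for illustration.

```python
import struct

USER_NAME, CALLING_STATION_ID = 1, 31  # RFC 2865 attribute types
ACCOUNTING_REQUEST = 4                 # RFC 2866 packet code

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute_type: [raw values]} from one raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the data")
    attrs, pos = {}, 20                # attributes follow the authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def normalize_mac(value: bytes):
    """Lower-case 12-hex-digit form of a MAC string, or None if not a MAC."""
    text = value.decode("ascii", "replace").lower()
    digits = "".join(ch for ch in text if ch not in "-:.")
    is_mac = len(digits) == 12 and all(ch in "0123456789abcdef" for ch in digits)
    return digits if is_mac else None

def classify_user_name(packet: bytes) -> str:
    """'missing', 'identity', 'endpoint-mac' or 'other-mac' for User-Name."""
    attrs = parse_attributes(packet)
    names = attrs.get(USER_NAME)
    if not names:
        return "missing"
    mac = normalize_mac(names[0])
    if mac is None:
        return "identity"
    stations = [normalize_mac(v) for v in attrs.get(CALLING_STATION_ID, [])]
    return "endpoint-mac" if mac in stations else "other-mac"

def build_packet(code: int, attrs: list) -> bytes:
    """Constructed sample packet (zeroed authenticator), for the demo only."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

MAB_STYLE = build_packet(ACCOUNTING_REQUEST, [(1, b"001122aabbcc"), (31, b"00-11-22-AA-BB-CC")])
WEBAUTH_STYLE = build_packet(ACCOUNTING_REQUEST, [(1, b"vendor1"), (31, b"00-11-22-AA-BB-CC")])
```

Running `classify_user_name` over the accounting packets captured from each switch model shows whether the difference is on the wire or only in how the server displays the session.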


Hi Ali,

You mentioned that under the same conditions, you replaced it with a 3750, and then did not have this issue.

I have come across a lot of strange issues on the 2960X.

Link below:

https://supportforums.cisco.com/discussion/12395181/need-help-cisco-ise-and-stack-switch-issue

 

BR

Frank