Cisco ISE & 3750 Switch MAB configuration Issue

Martin Konov (Level 1)

Hi,

I am writing in response to a MAB issue which I noticed a few days ago and I am still not able to understand what exactly happened. First of all I would like to say that I configured MAB authentication and, according to the MAC, ISE configures a VLAN. All worked well: the test computer can change VLAN based on its MAC. The problem appears when I cut the connection to the ISE server. According to the configuration the switch authorizes the new device to VLAN 11 (critical VLAN). That is fine! When the ISE server is up again I had a configuration which should reauthorize all ports assigned to the critical VLAN. But why is that not happening??? It looks as if the switch didn't notice that the RADIUS (ISE) was up and working again.

Here is the test switch configuration:

interface FastEthernet0/22
 switchport access vlan 10
 switchport mode access
 authentication event fail action next-method
 authentication event server dead action authorize vlan 11
 authentication event server alive action reinitialize
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 authentication periodic
 authentication violation restrict
 mab
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable

snmp-server community ISE-Test RO
snmp-server community ISE-Test1 RW
snmp-server trap-source FastEthernet0/24

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 192.168.98.10 auth-port 1812 acct-port 1813 key cisco123
radius-server vsa send accounting
radius-server vsa send authentication

Thank you in advance! I hope that this issue might be interesting!

Martin

13 Replies

nspasov (Cisco Employee)

Martin-

What version of code are you running on your switch? Also, can you confirm that the ISE nodes are showing up when you issue "show aaa servers"?

Hi Neno,

Version: 12.2(55)SE

I am not using that command, but I think that the switch noticed ISE is up because when I connect the other (second) end device (on a different switch port) it is authorized and all works well, but the current one which was put in the critical VLAN is still there. It can only change this state when the reauthentication timer expires and it reauthenticates.

Can anyone even confirm that ISE is supported on the 3750 platform, and to be more specific the C3750V2?

Thank you

Take a look at the compatibility matrix for ISE:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/compatibility/ise_sdt.html

The 3750v is not specifically listed but it is supported under the 3750 family. However, if you are getting new switches, I would highly recommend that you go with the 3850s.


Thank you for rating helpful posts!

Shaoqin Li (Level 3)

Is the switch sending RADIUS probes?

Sent from Cisco Technical Support iPad App

I am not sure how I can check that.

Venkatesh Attuluri (Cisco Employee)

"Ensure the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2(53)SE."

Hi Venkatesh,

I would like to confirm that the switch version is later than 12.2(53)SE; I think the version used was 12.2(55)SE.

Could you please provide the debugs so we can investigate this issue.

You need to run the following debugs:

debug dot1x all
debug aaa authentication
debug radius

Reproduce the issue at will (if possible) and share the outputs.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hi,

I reproduced the issue again. The whole switch session is attached; the debug output is there too.

Regards,

Martin

Can you confirm that you have the following syntax in your NAD:

aaa server radius dynamic-author
 client 192.168.98.10 server-key AAA_Secret

Also, it would be nice to have the complete aaa/radius config. If easier, post your whole config here.

Last but not least, you can try moving to 15.x code. I had issues in the past with 12.x code and 802.1x.
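The thread turns on two things: whether every port that can be dropped into the critical VLAN (server dead action) also carries the server alive reinitialize command, and whether the global config has the dead-criteria and dynamic-author pieces Neno asks about. As an added example, not code from the thread or from Cisco, here is a small Python linter that parses an IOS running-config and reports exactly those gaps. The sample config is constructed from the one posted at the top of the thread: the dynamic-author block is left out and a second port without the server alive command is added, so the linter has something to report. The check list itself is an assumption on my part (it covers only the commands discussed in this thread, not a complete critical-auth design); the shared secret and server IP are the ones already posted here.

```python
import re

# Constructed sample: trimmed from the config posted in the thread, with the
# dynamic-author block deliberately omitted and FastEthernet0/23 added without
# the 'server alive' command so both kinds of finding appear.
SAMPLE_CONFIG = """\
radius-server dead-criteria time 5 tries 3
radius-server host 192.168.98.10 auth-port 1812 acct-port 1813 key cisco123
!
interface FastEthernet0/22
 switchport access vlan 10
 switchport mode access
 authentication event fail action next-method
 authentication event server dead action authorize vlan 11
 authentication event server alive action reinitialize
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 authentication periodic
 mab
 dot1x pae authenticator
!
interface FastEthernet0/23
 switchport access vlan 10
 switchport mode access
 authentication event server dead action authorize vlan 11
 authentication port-control auto
 mab
!
"""

# Global commands the thread identifies as part of critical-VLAN recovery.
# (Assumed check list: only the commands discussed in this thread.)
GLOBAL_REQUIRED = {
    "radius-server dead-criteria": r"^radius-server dead-criteria ",
    "aaa server radius dynamic-author": r"^aaa server radius dynamic-author",
}

# Per-port commands: 'server dead' parks the port in the critical VLAN,
# 'server alive' is what should re-run authentication once ISE is back.
PORT_REQUIRED = {
    "server dead action": r"^authentication event server dead action ",
    "server alive action": r"^authentication event server alive action ",
}


def parse_config(text):
    """Split an IOS running-config into global lines and per-interface blocks.

    Returns (global_lines, {interface_name: [sub_commands]}).
    """
    global_lines, interfaces = [], {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None          # '!' or a blank line ends an interface block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None          # an unindented line is global config
            global_lines.append(line.strip())
    return global_lines, interfaces


def lint(text):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    global_lines, interfaces = parse_config(text)
    findings = []
    for name, pattern in GLOBAL_REQUIRED.items():
        if not any(re.match(pattern, g) for g in global_lines):
            findings.append(f"global: missing '{name}'")
    for ifname, lines in interfaces.items():
        # Only ports that actually run MAB/802.1X are in scope.
        if not any(l.startswith("authentication port-control") for l in lines):
            continue
        for name, pattern in PORT_REQUIRED.items():
            if not any(re.match(pattern, l) for l in lines):
                findings.append(f"{ifname}: missing '{name}'")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the missing dynamic-author block and the missing server alive command on FastEthernet0/23; feed it `show running-config` output saved to a file and it does the same for a real switch. It deliberately does not try to judge whether the switch ever marked the server dead and alive again, which is what the requested debugs are for.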

Hi Neno,

As I mentioned in my previous post to Jatin, I reproduced the same case and the whole session (including the running config) is attached to the discussion.

Regarding your question: aaa server radius dynamic-author is there, but now the ISE server's IP is different.

If you wish you can review the configuration, debug output and some other command outputs in the attached document. The issue is the same.

Regards,

Martin
