01-17-2013 07:46 AM - edited 03-10-2019 07:59 PM
Hi,
I am writing in response to a MAB issue which I noticed a few days ago, and I am still not able to understand what exactly happened. First of all I would like to say that I configured MAB authentication, and according to the MAC, ISE configures a VLAN. All worked well: the test computer can change VLAN based on its MAC.

The problem appears when I cut the connection to the ISE server. According to the configuration, the switch authorizes the new device to VLAN 11 (critical VLAN). That is fine! When the ISE server is up again I had a configuration which should reauthorize all ports assigned to the critical VLAN. But why is that not happening??? It looks as if the switch didn't notice that the RADIUS (ISE) server was up and working again.
Here is the test switch configuration:
interface FastEthernet0/22
 switchport access vlan 10
 switchport mode access
 authentication event fail action next-method
 authentication event server dead action authorize vlan 11
 authentication event server alive action reinitialize
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 authentication periodic
 authentication violation restrict
 mab
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable
!
snmp-server community ISE-Test RO
snmp-server community ISE-Test1 RW
snmp-server trap-source FastEthernet0/24
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 192.168.98.10 auth-port 1812 acct-port 1813 key cisco123
radius-server vsa send accounting
radius-server vsa send authentication
Thank you in advance! I hope that this issue might be interesting!
Martin
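The switch only reinitializes a critical-VLAN session when it sees the RADIUS server go from dead back to alive, and with the posted configuration the server is marked alive only when some authentication request happens to get an answer. The following is an added example, not the configuration from this thread or Cisco's recommendation for it: it adds a periodic RADIUS probe and a deadtime to the posted global RADIUS configuration so the dead-to-alive transition is detected on its own, and lists the exec commands used to check it. The server IP and key are the ones from the posted config; the probe username "radius-probe", the idle-time of 5 minutes and the deadtime of 10 minutes are assumed values, and the probe account does not need to exist on ISE (an Access-Reject is still a response and marks the server alive).

```ios
! Added example (not from the thread): RADIUS liveness probing so the
! switch notices ISE coming back without waiting for a real client.
! 192.168.98.10 / cisco123 are taken from the posted config; the probe
! username, idle-time and deadtime below are assumed values.
!
! Send an automated Access-Request every 5 idle minutes; any reply
! (Accept or Reject) marks the server UP again.
radius-server host 192.168.98.10 auth-port 1812 acct-port 1813 test username radius-probe idle-time 5 key cisco123
! Same dead detection as the posted config: 5 s without a reply, 3 tries.
radius-server dead-criteria time 5 tries 3
! Keep the server DEAD for at most 10 minutes before it is probed again.
radius-server deadtime 10
!
! The port configuration stays as posted; the relevant lines are:
!  authentication event server dead action authorize vlan 11
!  authentication event server alive action reinitialize
!
! ----- verification, exec mode -----
! Server state (UP or DEAD), dead-criteria values and counters.
! show aaa servers
! Force a probe now instead of waiting for the idle-time to expire
! (any password works; a Reject still proves the server answers).
! test aaa group radius radius-probe any-password new-code
! Session state on the port: look at the Status line and the VLAN the
! session is in, before and after the server comes back.
! show authentication sessions interface FastEthernet0/22
```

After cutting the connection to ISE, `show aaa servers` should report the server DEAD; once the connection is restored, the next probe (or the manual `test aaa group radius` command) should flip it to UP, and only then can the `server alive action reinitialize` event fire for the session in VLAN 11.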
01-19-2013 04:31 PM
Martin-
What version of code are you running on your switch? Also, can you confirm that the ISE nodes are showing up when you issue "show aaa servers"?
07-18-2013 11:53 AM
Hi Neno,
Version : 12.2(55)SE
I am not using that command, but I think that the switch noticed ISE is up, because when I connect the other (second) end device (on a different switch port) it is authorized and all works well, but the current one which is put in the critical VLAN is still there. It changes this state when the reauthentication timer expires and it reauthenticates.
11-24-2014 08:35 AM
Can anyone even confirm that ISE is supported on the 3750 platform, and to be more specific the C3750V2?
Thank you
11-24-2014 10:50 AM
Take a look at the compatibility matrix for ISE:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/compatibility/ise_sdt.html
The 3750v is not specifically listed, but it is supported under the 3750 family. However, if you are getting new switches, I would highly recommend that you go with the 3850s.
Thank you for rating helpful posts!
07-17-2013 06:48 AM
Kindly review the link below:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf
07-17-2013 09:17 AM
Is the switch sending RADIUS probes?
Sent from Cisco Technical Support iPad App
07-18-2013 11:56 AM
I am not sure how I can check that.
07-18-2013 03:46 AM
"Ensure the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2.(53)SE."
07-18-2013 11:43 AM
Hi Venkatesh,
I would like to confirm that the switch version is newer than 12.2(53)SE; I think that the version used was 12.2(55)SE.
07-18-2013 05:06 PM
Could you please provide the debugs to investigate this issue. You need to run the following debugs:
debug dot1x all
debug aaa authen
debug radius
Reproduce the issue at will (if possible) and share the outputs.
~BR
Jatin Katyal
**Do rate helpful posts**
07-24-2013 07:01 AM
Hi,
I reproduced the issue again. The whole switch session is attached; the debug output is there too.
Regards,
Martin
07-26-2013 12:18 PM
Can you confirm that you have the following syntax on your NAD:
aaa server radius dynamic-author
client 192.168.98.10 server-key AAA_Secret
Also, it would be nice to have the complete aaa/radius config. If possible, post your whole config here.
Last but not least, you can try moving to 15.x code. I had issues in the past with 12.x code and 802.1x.
07-27-2013 09:11 AM
Hi Neno,
As I mentioned in my previous post to Jatin, I reproduced the same case, and the whole session (including the running config) is attached to the discussion.
Regarding your question: aaa server radius dynamic-author is there, but now the ISE server's IP is different.
If you wish, you can review the configuration, debug output and some other command outputs in the attached document. The issue is the same.
Regards,
Martin