CISCO ISE not Authorizing Access Point.

mubi.malik
Level 1

Hi All, 

I'm testing dot1x authentication and authorization on Cisco ISE. I have connected a Cisco access point to a port on a Cisco 3560. Its authentication is successful but authorization fails. When I restart the AP I get the following messages:

000123: Jun 8 04:10:22.260 utc: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/34, changed state to up
000124: Jun 8 04:12:32.929 utc: %AUTHMGR-5-START: Starting 'mab' for client (c89c.1d6e.9422) on Interface Gi0/34 AuditSessionID 0000000000000015007522FA
000125: Jun 8 04:12:32.971 utc: %MAB-5-SUCCESS: Authentication successful for client (c89c.1d6e.9422) on Interface Gi0/34 AuditSessionID 0000000000000015007522FA
000126: Jun 8 04:12:32.979 utc: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (c89c.1d6e.9422) on Interface Gi0/34 AuditSessionID 0000000000000015007522FA
000127: Jun 8 04:12:32.979 utc: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC c89c.1d6e.9422| AuditSessionID 0000000000000015007522FA| AUTHTYPE DOT1X| EVENT APPLY
000128: Jun 8 04:12:32.979 utc: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| EVENT DOWNLOAD-REQUEST
000129: Jun 8 04:12:32.988 utc: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| EVENT DOWNLOAD-FAIL
000130: Jun 8 04:12:32.988 utc: %EPM-4-POLICY_APP_FAILURE: IP 0.0.0.0| MAC c89c.1d6e.9422| AuditSessionID 0000000000000015007522FA| AUTHTYPE DOT1X| POLICY_TYPE dACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| RESULT FAILURE| REASON AAA download failure
000131: Jun 8 04:12:32.988 utc: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (c89c.1d6e.9422) on Interface Gi0/34 AuditSessionID 0000000000000015007522FA
000132: Jun 8 04:12:32.988 utc: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC c89c.1d6e.9422| AuditSessionID 0000000000000015007522FA| AUTHTYPE DOT1X| EVENT REMOVE
000133: Jun 8 04:12:33.583 utc: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (c89c.1d6e.9422) on Interface Gi0/34 AuditSessionID 0000000000000015007522FA
000134: Jun 8 04:13:04.015 utc: %PLATFORM_ENV-1-FRU_PS_ACCESS: FRU Power Supply is not responding
000135: Jun 8 04:18:40.979 utc: %PLATFORM_ENV-1-FRU_PS_ACCESS: FRU Power Supply is not responding
000136: Jun 8 04:24:18.942 utc: %PLATFORM_ENV-1-FRU_PS_ACCESS: FRU Power Supply is not responding
000137: Jun 8 04:29:55.927 utc: %PLATFORM_ENV-1-FRU_PS_ACCESS: FRU Power Supply is not responding

I have the following information on the interface, and also the ACL which is applied on the switch:

POC-3560X-SW1#sh runn int gi 0/34
Building configuration...

Current configuration : 746 bytes
!
interface GigabitEthernet0/34
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 102
 switchport trunk allowed vlan 102,124,668
 switchport mode trunk
 ip access-group ACL-DEFAULT in
 load-interval 30
 authentication event fail action next-method
 authentication event server dead action authorize vlan 102
 authentication event server alive action reinitialize
 authentication host-mode multi-host
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer inactivity 180
 authentication violation replace
 mab
 no snmp trap link-status
 mls qos trust dscp
 dot1x pae authenticator
 dot1x timeout tx-period 10
end

ip access-list extended ACL-DEFAULT
 permit ip any any
 permit udp any any

The clients are connected to ISE but the AP is not authorized.


mubi.malik
Level 1

POC-3560X-SW1#sh authentication sessions int gi0/34
Interface: GigabitEthernet0/34
MAC Address: c89c.1d6e.9422
IP Address: 150.99.102.153
User-Name: C8-9C-1D-6E-94-22
Status: Authz Failed
Domain: DATA
Oper host mode: multi-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
Session timeout: 3600s (local), Remaining: 3287s
Timeout action: Reauthenticate
Idle timeout: 180s (local), Remaining: 47s
Common Session ID: 000000000000001700A0EC6B
Acct Session ID: 0x0000003E
Handle: 0x6D000018

Runnable methods list:
Method State
mab Authc Success
dot1x Not run

Hi. Do you have "radius-server vsa send authentication" configured on your switch?

hth

Andy
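
Added example, not part of the thread and not from either poster: a short Python script that groups switch syslog lines by AuditSessionID and reports sessions where authentication succeeded but an EPM policy (here the dACL) failed to apply. The function names are assumptions made for illustration; the four sample lines are copied from the log in the question.

```python
import re
from collections import defaultdict

# Four lines copied from the switch log quoted in the question.
SAMPLE_LOG = """\
000125: Jun 8 04:12:32.971 utc: %MAB-5-SUCCESS: Authentication successful for client (c89c.1d6e.9422) on Interface Gi0/34 AuditSessionID 0000000000000015007522FA
000130: Jun 8 04:12:32.988 utc: %EPM-4-POLICY_APP_FAILURE: IP 0.0.0.0| MAC c89c.1d6e.9422| AuditSessionID 0000000000000015007522FA| AUTHTYPE DOT1X| POLICY_TYPE dACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| RESULT FAILURE| REASON AAA download failure
000131: Jun 8 04:12:32.988 utc: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (c89c.1d6e.9422) on Interface Gi0/34 AuditSessionID 0000000000000015007522FA
000136: Jun 8 04:24:18.942 utc: %PLATFORM_ENV-1-FRU_PS_ACCESS: FRU Power Supply is not responding
"""

HEADER = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):\s*(.*)$")  # %FACILITY-SEV-MNEMONIC: body
SESSION = re.compile(r"AuditSessionID\s+([0-9A-Fa-f]+)")

def parse_epm_fields(body):
    """Split an EPM body of the form 'KEY value| KEY value' into a dict."""
    fields = {}
    for part in body.split("|"):
        key, _, value = part.strip().partition(" ")
        if key:
            fields[key] = value.strip()
    return fields

def find_policy_failures(log_text):
    """Return sessions that authenticated but then failed policy application."""
    sessions = defaultdict(lambda: {"authc_ok": False, "authz_failed": False, "failures": []})
    for line in log_text.splitlines():
        header, sid = HEADER.search(line), SESSION.search(line)
        if not header or not sid:
            continue  # e.g. PLATFORM_ENV messages carry no session ID
        facility, _severity, mnemonic, body = header.groups()
        state = sessions[sid.group(1)]
        if facility in ("MAB", "DOT1X") and mnemonic == "SUCCESS":
            state["authc_ok"] = True
        elif facility == "AUTHMGR" and mnemonic == "FAIL":
            state["authz_failed"] = True
        elif facility == "EPM" and mnemonic == "POLICY_APP_FAILURE":
            state["failures"].append(parse_epm_fields(body))
    return {sid: s for sid, s in sessions.items()
            if s["authc_ok"] and s["failures"]}

if __name__ == "__main__":
    for sid, s in find_policy_failures(SAMPLE_LOG).items():
        for f in s["failures"]:
            print(sid, f["MAC"], f["POLICY_TYPE"], f["POLICY_NAME"], f["REASON"])
```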