Cisco Switch AAA Authentication

Hi Friends,

I was trying to do AAA authentication with RADIUS and observed one issue.

When I configure authentication open, both dot1x and MAB work fine, but when I do not configure the authentication open command, dot1x works fine while the MAB device does not work in this scenario.

Please find my interface commands below.

interface Ethernet0/1
switchport access vlan 20
switchport mode access
authentication event fail action next-method
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
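The thread turns on whether a port runs in closed mode or in monitor mode (`authentication open`), which lets traffic through before or without a successful authentication. As an added example, not code from the original post, here is a small Python auditor that parses interface blocks like the one above and reports each port's 802.1X/MAB posture; the second interface in the sample config is constructed for comparison, and the function names are this example's own.

```python
from typing import Dict, List

# Constructed sample config: the thread's Ethernet0/1 block, plus a second
# port left in monitor mode ("authentication open") for comparison.
SAMPLE_CONFIG = """
interface Ethernet0/1
 switchport access vlan 20
 switchport mode access
 authentication event fail action next-method
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface Ethernet0/2
 switchport access vlan 20
 switchport mode access
 authentication open
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
!
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [sub-commands]}."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif not line.strip() or line.startswith("!"):
            current = None  # "!" or a blank line ends the interface block
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def audit_port(cmds: List[str]) -> Dict[str, object]:
    """Summarise one access port's 802.1X/MAB posture."""
    order = next((c.split()[2:] for c in cmds if c.startswith("authentication order ")), [])
    methods = [m for m, cmd in (("mab", "mab"), ("dot1x", "dot1x pae authenticator")) if cmd in cmds]
    return {
        "open": "authentication open" in cmds,  # monitor mode: pre-auth traffic is allowed
        "enforcing": "authentication port-control auto" in cmds,  # port actually gates access
        "order": order,
        "methods": methods,
    }

def audit_config(config: str) -> Dict[str, Dict[str, object]]:
    """Audit every interface block in a config; ports flagged open warrant review."""
    return {name: audit_port(cmds) for name, cmds in parse_interfaces(config).items()}
```

Run against a real `show running-config`, any port reporting `"open": True` is one where a MAB failure (as in this thread) would go unnoticed because the endpoint still gets network access.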

16 Replies

Charlie Moreton (Cisco Employee)

Use this:

authentication order mab dot1x

Hi @Charlie Moreton,

I tried this command as well.

It is of no use.

I even tried only MAB.

Until I give the authentication open command, MAB is not working.

@Mahendervyas35821 look in the ISE live logs and confirm which authorisation rule the MAB endpoints match; they must receive an Access-Accept.

Hi @Rob Ingram,

If the authentication session starts from the switch, then the ISE policy matches and it works. But the authentication session does not start until I configure the authentication open command on the switch interface.

@Mahendervyas35821 provide a screenshot of the ISE live logs that the endpoint matches.

From the switch, please provide "show authentication session interface x/y/z detail" when in closed mode and another in open mode for comparison.

Turn on aaa/radius debugs when in closed mode and provide the output.

What source do you use to connect to RADIUS? Is it the VLAN 20 SVI?

MHM

Hi @Rob Ingram,

Please find the output for the authentication open and closed status.

If authentication closed is configured, no authentication session starts.

Auth open status (screenshot attached).

Auth closed status (screenshot attached).

Friend,
The only reason in my mind is that you use the VLAN 20 SVI to connect to AAA, and this SVI is down when there is no L2 port in that VLAN.
So I will ask you again: are you using VLAN 20 as the source?
MHM

@MHM Cisco World

Nothing to do with the SVI; the only issue is with MAB.

Everything works fine if I use a dot1x supplicant. If I use a MAB supplicant, then authentication does not start.

Even for the MAB supplicant, if I use the authentication open command everything works fine, but I don't want to keep authentication open.

I am not sure why you are pointing this issue at the SVI, as it has nothing to do with the SVI or L2 VLAN; routing and the SVI work fine.

Try the below (you must be sure that there is no client already authc/authz on this port):

interface Ethernet0/X
switchport access vlan 20
switchport mode access
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication control-direction both
authentication host-mode single
mab
dot1x pae authenticator

@MHM Cisco World Tried this as well (screenshot attached).

No luck, same issue.

Authentication does not start.

Note: this is a lab environment with EVE-NG.

First, what you configured is not the same as what I shared,
and if you use the same commands and
debug mab all <<- you don't see any packets,
then it is an EVE-NG issue, not your config issue.

I saw the same issue a week ago.
Sorry, this is a virtual lab limitation.

MHM

Hi, I think it's an EVE-NG limitation;

even if I enable only MAB, I don't see any packets.

Yes, sorry for this bad news.
Have a nice weekend.
MHM