cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1123
Views
2
Helpful
9
Replies

Cisco WS-C2960X-48FPS-L MAB Authorization keeps failing

Ruelb2214
Level 1
Level 1

Hello guys,

we have encounter issue with MAB devices, the authorization doesn't apply on the switch port, below the capture logs

Feb 8 08:10:07.059: %AUTHMGR-5-START: Starting 'mab' for client (487a.5507.31ac) on Interface Gi2/0/10 AuditSessionID 0A71075B002CB17651032500
Feb 8 08:10:08.370: %MAB-5-SUCCESS: Authentication successful for client (487a.5507.31ac) on Interface Gi2/0/10 AuditSessionID 0A71075B002CB17651032500
Feb 8 08:10:08.370: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (487a.5507.31ac) on Interface Gi2/0/10 AuditSessionID 0A71075B002CB17651032500
Feb 8 08:10:08.373: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (487a.5507.31ac) on Interface Gi2/0/10 AuditSessionID 0A71075B002CB17651032500

The other Dot1x windows machine are working only MAB keeps failing to apply the Auth.

I read some post here, to put Access Type=ACCESS ACCPET, I did that and still has issue.

interface config:

interface GigabitEthernet2/0/10
switchport access vlan 2
switchport mode access
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
snmp trap mac-notification change added
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable

Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 52 WS-C2960X-48FPS-L 15.0(2)EX5 C2960X-UNIVERSALK9-M
2 52 WS-C2960X-48FPS-L 15.0(2)EX5 C2960X-UNIVERSALK9-M

Did anyone encounter the same issue? How did you resolve?

 

 

 

 

1 Accepted Solution

Accepted Solutions

Ruelb2214
Level 1
Level 1

sorry late update:

We have fixed the issue, nothing wrong with switch config or ISE. It was the IP Phone hard code 802.1x issue, after we disable, it was working perfectly. Thanks for your time guys

View solution in original post

9 Replies 9

Ruelb2214
Level 1
Level 1

Just to add in, we are using static profiling ISE and base on the logs it hits the correct policy and given a correct auth profile, but on switch it did not reflect.

Ruelb2214_0-1675845427360.png

 

 

PradeepSingh
Level 1
Level 1

Hi, Can you paste snap of Policy Elements> Authorization >Authorization profiles and Attributes configuration. Have you verified the vlan you sending are configured on switch ?

This issue seems either attributes configuration is incorrect in ISE authorization profile or attributes being assigned like vlan id doen't exists on switch.  

Since the tunnel-group vlan is set to "2", which matches the port details of "switchport access vlan 2", then I'm inclined to think the vlan 2 was created on the switch. I would also recommend you also do a syntax check on the DACL.  I've had DACLs which could not be applied because of syntax errors which were not obvious to my eyes, but were found by the ipv4 syntax checker in ISE v2.2/v2.7.

Nancy Saini
Cisco Employee
Cisco Employee

After the DACL syntax is confirmed, check if DACL download is happening on the switch. You can confirm this by taking captures or enabling RADIUS debugs on the switch.

Greg Gibbs
Cisco Employee
Cisco Employee

If you have not done so already, you should also confirm that you have DHCP Snooping (global and VLAN) and IP Device Tracking (global and switchport) configured correctly. The switch uses requires IPDT to learn the source IP address of the endpoint so that it can insert that into the DACL when applied.

You can confirm if the switch has the endpoint IP address in the device tracking table using the show ip device tracking all command.

If that is not the culprit, much more information would be needed to provide any meaningful assistance (ISE version, ISE policy configurations, switch global config, details on the differences between working and non-working switchports, etc).

If this is an urgent issue, please contact TAC.

 

I have tried enable DHPC snooping on global and VLAN and IPDT also, but still the same issue.

I'm not sure if we are hitting bug on the firmware and planning upgrade to version 15.2-7.E7.

 

Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 52 WS-C2960X-48FPS-L 15.0(2)EX5 C2960X-UNIVERSALK9-M
2 52 WS-C2960X-48FPS-L 15.0(2)EX5 C2960X-UNIVERSALK9-M

 

Ruelb2214
Level 1
Level 1

Hi All,

VLAN on switch has no issue, when we remove the NAC config the Phone works perfectly. 

While for authorization profile or attributes it's configure "ACCESS ACCEPT" and its working on another switch model as well. We have 9200 switches same Policy and Auth profile used, no issue at all. Only in 2960 switches model we are facing the issue.

Ruelb2214
Level 1
Level 1

found out interested debug aaa attr logs which could be related to firmware bug:

Feb 9 03:59:58.604: %MAB-5-SUCCESS: Authentication successful for client (487a.5507.31ac) on Interface Gi2/0/10 AuditSessionID 0A71075B002D28CF554C390B
Feb 9 03:59:58.604: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (487a.5507.31ac) on Interface Gi2/0/10 AuditSessionID 0A71075B002D28CF554C390B
Feb 9 03:59:58.607: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (487a.5507.31ac) on Interface Gi2/0/10 AuditSessionID 0A71075B002D28CF554C390B
Feb 9 03:59:58.702: AAA/ATTR(00000000): add tag 1 to attribute inacl(144)

Feb 9 04:00:59.173: AAA/ATTR(00000000): add tag 1 to attribute tunnel-type(448)
Feb 9 04:00:59.173: AAA/ATTR(00000000): add tag 1 to attribute tunnel-medium-type(440)
Feb 9 04:00:59.173: AAA/ATTR(00000000): add tag 1 to attribute tunnel-private-group-id(381)
Feb 9 04:00:59.173: AAA/ATTR: invalid attribute prefix: "ACS"
Feb 9 04:00:59.173: %MAB-5-SUCCESS: Authentication successful for client (487a.5507.31ac) on Interface Gi2/0/10 AuditSessionID 0A71075B002D28CF554C390B
Feb 9 04:00:59.173: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (487a.5507.31ac) on Interface Gi2/0/10 AuditSessionID 0A71075B002D28CF554C390B
Feb 9 04:00:59.173: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (487a.5507.31ac) on Interface Gi2/0/10 AuditSessionID 0A71075B002D28CF554C390B

Ruelb2214
Level 1
Level 1

sorry late update:

We have fixed the issue, nothing wrong with switch config or ISE. It was the IP Phone hard code 802.1x issue, after we disable, it was working perfectly. Thanks for your time guys