Cisco WS-C2960X-48FPS-L MAB Authorization keeps failing

Ruelb2214
Level 1

Hello guys,

we have encountered an issue with MAB devices: the authorization doesn't get applied on the switch port. Below are the captured logs

Feb 8 08:10:07.059: %AUTHMGR-5-START: Starting 'mab' for client (487a.5507.31ac) on Interface Gi2/0/10 AuditSessionID 0A71075B002CB17651032500
Feb 8 08:10:08.370: %MAB-5-SUCCESS: Authentication successful for client (487a.5507.31ac) on Interface Gi2/0/10 AuditSessionID 0A71075B002CB17651032500
Feb 8 08:10:08.370: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (487a.5507.31ac) on Interface Gi2/0/10 AuditSessionID 0A71075B002CB17651032500
Feb 8 08:10:08.373: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (487a.5507.31ac) on Interface Gi2/0/10 AuditSessionID 0A71075B002CB17651032500

The other dot1x Windows machines are working; only MAB keeps failing to apply the authorization.

I read some posts here suggesting to put Access Type=ACCESS_ACCEPT. I did that and still have the issue.

interface config:

interface GigabitEthernet2/0/10
switchport access vlan 2
switchport mode access
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
snmp trap mac-notification change added
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable

Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 52 WS-C2960X-48FPS-L 15.0(2)EX5 C2960X-UNIVERSALK9-M
2 52 WS-C2960X-48FPS-L 15.0(2)EX5 C2960X-UNIVERSALK9-M

Did anyone encounter the same issue? How did you resolve it?

1 Accepted Solution

Ruelb2214
Level 1

Sorry for the late update:

We have fixed the issue; nothing was wrong with the switch config or ISE. It was the IP Phone's hard-coded 802.1X setting: after we disabled it, it was working perfectly. Thanks for your time guys

9 Replies

Ruelb2214
Level 1

Just to add in, we are using static profiling in ISE and based on the logs it hits the correct policy and is given the correct authorization profile, but on the switch it did not reflect.

PradeepSingh
Level 1

Hi, can you paste a snap of Policy Elements > Authorization > Authorization Profiles and the attributes configuration? Have you verified that the VLAN you are sending is configured on the switch?

This issue seems to be either that the attributes configuration is incorrect in the ISE authorization profile, or that an attribute being assigned, like the VLAN ID, doesn't exist on the switch.

Since the tunnel-group VLAN is set to "2", which matches the port details of "switchport access vlan 2", I'm inclined to think VLAN 2 was created on the switch. I would also recommend you do a syntax check on the DACL. I've had DACLs which could not be applied because of syntax errors which were not obvious to my eyes, but were found by the IPv4 syntax checker in ISE v2.2/v2.7.

Nancy Saini
Cisco Employee

After the DACL syntax is confirmed, check if DACL download is happening on the switch. You can confirm this by taking captures or enabling RADIUS debugs on the switch.

Greg Gibbs
Cisco Employee

If you have not done so already, you should also confirm that you have DHCP Snooping (global and VLAN) and IP Device Tracking (global and switchport) configured correctly. The switch requires IPDT to learn the source IP address of the endpoint so that it can insert that into the DACL when applied.

You can confirm if the switch has the endpoint IP address in the device tracking table using the show ip device tracking all command.

If that is not the culprit, much more information would be needed to provide any meaningful assistance (ISE version, ISE policy configurations, switch global config, details on the differences between working and non-working switchports, etc).

If this is an urgent issue, please contact TAC.

I have tried enabling DHCP snooping on global and VLAN and IPDT also, but still the same issue.

I'm not sure if we are hitting bug on the firmware and planning upgrade to version 15.2-7.E7.


Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 52 WS-C2960X-48FPS-L 15.0(2)EX5 C2960X-UNIVERSALK9-M
2 52 WS-C2960X-48FPS-L 15.0(2)EX5 C2960X-UNIVERSALK9-M


Ruelb2214
Level 1

Hi All,

The VLAN on the switch has no issue; when we remove the NAC config the phone works perfectly.

As for the authorization profile or attributes, it's configured "ACCESS ACCEPT" and it's working on another switch model as well. We have 9200 switches using the same policy and auth profile with no issue at all. Only on the 2960 switch model are we facing the issue.

Ruelb2214
Level 1

Found interesting debug aaa attr logs which could be related to a firmware bug:

Feb 9 03:59:58.604: %MAB-5-SUCCESS: Authentication successful for client (487a.5507.31ac) on Interface Gi2/0/10 AuditSessionID 0A71075B002D28CF554C390B
Feb 9 03:59:58.604: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (487a.5507.31ac) on Interface Gi2/0/10 AuditSessionID 0A71075B002D28CF554C390B
Feb 9 03:59:58.607: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (487a.5507.31ac) on Interface Gi2/0/10 AuditSessionID 0A71075B002D28CF554C390B
Feb 9 03:59:58.702: AAA/ATTR(00000000): add tag 1 to attribute inacl(144)

Feb 9 04:00:59.173: AAA/ATTR(00000000): add tag 1 to attribute tunnel-type(448)
Feb 9 04:00:59.173: AAA/ATTR(00000000): add tag 1 to attribute tunnel-medium-type(440)
Feb 9 04:00:59.173: AAA/ATTR(00000000): add tag 1 to attribute tunnel-private-group-id(381)
Feb 9 04:00:59.173: AAA/ATTR: invalid attribute prefix: "ACS"
Feb 9 04:00:59.173: %MAB-5-SUCCESS: Authentication successful for client (487a.5507.31ac) on Interface Gi2/0/10 AuditSessionID 0A71075B002D28CF554C390B
Feb 9 04:00:59.173: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (487a.5507.31ac) on Interface Gi2/0/10 AuditSessionID 0A71075B002D28CF554C390B
Feb 9 04:00:59.173: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (487a.5507.31ac) on Interface Gi2/0/10 AuditSessionID 0A71075B002D28CF554C390B
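The symptom in both log captures in this thread is the same: %MAB-5-SUCCESS followed within milliseconds by %AUTHMGR-5-FAIL for the same AuditSessionID. The following Python script is an added example (not from the original post or from Cisco) that correlates the switch's syslog lines per session and flags exactly that pattern, so a defender can spot "authenticated but authorization unapplied" ports across a large log export instead of reading them by eye. The sample log is constructed from the lines posted above plus one healthy session with a made-up MAC and session ID.

```python
import re
from collections import defaultdict

# Constructed sample: lines from the thread plus one healthy (constructed)
# session 0A71075B00AABBCC11223344 for MAC 0011.2233.4455 that must NOT be flagged.
SAMPLE_LOG = """\
Feb 8 08:10:07.059: %AUTHMGR-5-START: Starting 'mab' for client (487a.5507.31ac) on Interface Gi2/0/10 AuditSessionID 0A71075B002CB17651032500
Feb 8 08:10:08.370: %MAB-5-SUCCESS: Authentication successful for client (487a.5507.31ac) on Interface Gi2/0/10 AuditSessionID 0A71075B002CB17651032500
Feb 8 08:10:08.370: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (487a.5507.31ac) on Interface Gi2/0/10 AuditSessionID 0A71075B002CB17651032500
Feb 8 08:10:08.373: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (487a.5507.31ac) on Interface Gi2/0/10 AuditSessionID 0A71075B002CB17651032500
Feb 9 04:00:59.173: AAA/ATTR: invalid attribute prefix: "ACS"
Feb 9 04:00:59.173: %MAB-5-SUCCESS: Authentication successful for client (487a.5507.31ac) on Interface Gi2/0/10 AuditSessionID 0A71075B002D28CF554C390B
Feb 9 04:00:59.173: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (487a.5507.31ac) on Interface Gi2/0/10 AuditSessionID 0A71075B002D28CF554C390B
Feb 9 04:05:10.001: %MAB-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi2/0/11 AuditSessionID 0A71075B00AABBCC11223344
Feb 9 04:05:10.002: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0011.2233.4455) on Interface Gi2/0/11 AuditSessionID 0A71075B00AABBCC11223344
"""

# Matches the IOS AUTHMGR/MAB message shape shown in the thread; lines without a
# session ID (e.g. the AAA/ATTR debug lines) are handled separately.
LINE_RE = re.compile(
    r"%(?P<fac>[A-Z0-9]+)-\d-(?P<mnem>[A-Z_]+): .*?client \((?P<mac>[0-9a-f.]+)\) "
    r"on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-F]+)"
)

def find_unapplied_authz(log_text):
    """Return {session_id: {mac, intf, methods}} for sessions where an
    authentication method succeeded but AUTHMGR reported authorization
    failed or unapplied, i.e. the port never got its VLAN/DACL."""
    sessions = defaultdict(lambda: {"mac": None, "intf": None,
                                    "auth_ok": False, "authz_fail": False,
                                    "methods": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = sessions[m["sid"]]
        s["mac"], s["intf"] = m["mac"], m["intf"]
        if m["mnem"] == "SUCCESS" and m["fac"] in ("MAB", "DOT1X"):
            s["auth_ok"] = True
            s["methods"].add(m["fac"].lower())
        elif m["fac"] == "AUTHMGR" and m["mnem"] == "FAIL":
            s["authz_fail"] = True
    return {sid: s for sid, s in sessions.items()
            if s["auth_ok"] and s["authz_fail"]}

def attribute_warnings(log_text):
    """Collect 'debug aaa attr' complaints about RADIUS attributes the switch
    could not parse; these are the first place to look when the sessions above
    are flagged."""
    return [l for l in log_text.splitlines() if "invalid attribute" in l]

if __name__ == "__main__":
    for sid, s in find_unapplied_authz(SAMPLE_LOG).items():
        print(f"{sid}: {s['mac']} on {s['intf']} via {sorted(s['methods'])} -> authz unapplied")
    for w in attribute_warnings(SAMPLE_LOG):
        print("attribute warning:", w)
```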
