04-30-2019 02:54 PM - edited 04-30-2019 03:04 PM
Hello everyone,
I'm in the process of testing ISE on a switch that is currently in production. I had a phone and laptop connected to a port and configured that port only for AAA. The rest of the switch is bootstrapped with all required AAA/RADIUS commands. However, I'm getting the following log messages:
.Apr 30 21:10:54.146: %LINK-3-UPDOWN: Interface FastEthernet0/14, changed state to down
.Apr 30 21:10:55.748: %AUTHMGR-5-START: Starting 'mab' for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000056792A7B
.Apr 30 21:10:55.824: %MAB-5-FAIL: Authentication failed for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000056792A7B
.Apr 30 21:10:55.832: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000056792A7B
.Apr 30 21:10:55.832: %AUTHMGR-5-FAIL: Authorization failed for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000056792A7B
.Apr 30 21:10:56.856: %LINK-3-UPDOWN: Interface FastEthernet0/14, changed state to up
.Apr 30 21:10:57.862: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/14, changed state to up
.Apr 30 21:11:08.122: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/14, changed state to down
.Apr 30 21:11:09.128: %LINK-3-UPDOWN: Interface FastEthernet0/14, changed state to down
.Apr 30 21:11:11.762: %AUTHMGR-5-START: Starting 'mab' for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
.Apr 30 21:11:11.796: %MAB-5-FAIL: Authentication failed for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
.Apr 30 21:11:11.804: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
.Apr 30 21:11:11.804: %AUTHMGR-5-FAIL: Authorization failed for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
.Apr 30 21:11:12.693: %LINK-3-UPDOWN: Interface FastEthernet0/14, changed state to up
.Apr 30 21:11:13.700: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/14, changed state to up
.Apr 30 21:11:13.843: %AUTHMGR-5-START: Starting 'mab' for client (0800.0fb2.de2f) on Interface Fa0/14 AuditSessionID C0A83C0D000000035679748A
.Apr 30 21:11:13.876: %MAB-5-SUCCESS: Authentication successful for client (0800.0fb2.de2f) on Interface Fa0/14 AuditSessionID C0A83C0D000000035679748A
.Apr 30 21:11:13.885: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0800.0fb2.de2f) on Interface Fa0/14 AuditSessionID C0A83C0D000000035679748A
.Apr 30 21:11:14.891: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0800.0fb2.de2f) on Interface Fa0/14 AuditSessionID C0A83C0D000000035679748A
.Apr 30 21:12:12.638: %MAB-5-FAIL: Authentication failed for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
.Apr 30 21:12:12.647: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
.Apr 30 21:12:12.647: %AUTHMGR-5-FAIL: Authorization failed for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
.Apr 30 21:13:13.448: %MAB-5-FAIL: Authentication failed for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
.Apr 30 21:13:13.448: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
.Apr 30 21:13:13.456: %AUTHMGR-5-FAIL: Authorization failed for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
*Aug 19 11:24:19.481: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.2.138.253:1812,1813 is not responding.
*Aug 19 11:24:19.490: %MAB-5-FAIL: Authentication failed for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0E00000010730736D6
*Aug 19 11:24:19.507: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0E00000010730736D6
*Aug 19 11:24:19.507: %AUTHMGR-5-FAIL: Authorization failed for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0E00000010730736D6
*Aug 19 11:24:35.781: %ILPOWER-5-IEEE_DISCONNECT: Interface Fa0/14: PD removed
*Aug 19 11:24:36.024: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/14, changed state to down
*Aug 19 11:24:37.022: %LINK-3-UPDOWN: Interface FastEthernet0/14, changed state to down
*Aug 19 11:25:16.172: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.2.138.252:1812,1813 is being marked alive.
Notice that it appears that the RADIUS server is marked dead when the phone and laptop connect to the port. When the clients are disconnected, the server is marked alive again. I know my ISE configuration and policies are correct because everything works perfectly from a switch that runs IOS version 15. The switch generating the logs above is running 12.2(55)SE12. What's more is that the phone passes MAB authentication but the laptop behind it fails. I have confirmed that the aaa server state was up but soon went down when the port status changed from down to up. When the client disconnects, the server status changes back to up. Even more, when I check my ISE RADIUS logs, I see that both the phone and PC MACs are hitting the correct policy for authc & authz, but my tester couldn't pull our guest hotspot AUP page.
The port config in question is as follows (please note that I tried it with and without the event server dead commands but still no difference):
interface FastEthernet0/14
 description *** Shortel Phones DHCP ***
 switchport access vlan 60
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 30
 ip device tracking maximum 2
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication event server dead action authorize vlan 30
 authentication event server dead action authorize voice
 authentication host-mode multi-auth
 authentication open
 authentication order mab
 authentication priority mab
 authentication port-control auto
 authentication violation restrict
 mab
 mls qos trust cos
 storm-control broadcast level 20.00
 storm-control action shutdown
 auto qos trust
 spanning-tree portfast
 spanning-tree bpduguard enable
end
These are the same config commands I use on the 3560CX 8 port switch I use for testing. Could this be an IOS bug I'm running into?
Thanks,
Terence
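Added example, not part of the original post: a Python sketch that tallies the `%AUTHMGR-7-RESULT` lines per port and client, and separates a 'server dead' result that hits only some clients on a port (as in the log above, where the phone succeeds and the laptop does not) from one that hits every client. The session IDs and the Fa0/20 client in the sample are constructed; the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, shaped like the switch log lines quoted in the post.
SAMPLE_LOG = """\
.Apr 30 21:11:11.762: %AUTHMGR-5-START: Starting 'mab' for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID AAAA0001
.Apr 30 21:11:11.804: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID AAAA0001
.Apr 30 21:11:13.885: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0800.0fb2.de2f) on Interface Fa0/14 AuditSessionID AAAA0002
.Apr 30 21:12:12.647: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID AAAA0001
.Apr 30 21:14:00.000: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0011.2233.4455) on Interface Fa0/20 AuditSessionID AAAA0003
"""

RESULT_RE = re.compile(
    r"%AUTHMGR-7-RESULT: Authentication result '(?P<result>[^']+)' from "
    r"'(?P<method>[^']+)' for client \((?P<mac>[0-9A-Fa-f.]+)\) on Interface "
    r"(?P<port>\S+) AuditSessionID (?P<sid>\S+)"
)


def results_by_port(log_text):
    """Return {port: {mac: Counter(result -> count)}} from RESULT lines."""
    ports = defaultdict(lambda: defaultdict(Counter))
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if m:
            ports[m["port"]][m["mac"].lower()][m["result"]] += 1
    return ports


def classify_server_dead(log_text):
    """Label every client that received a 'server dead' result.

    'selective'   : another client on the same port authenticated in the same
                    capture, so RADIUS was reachable for at least one session
                    and the switch side deserves a closer look.
    'all-clients' : no client on the port succeeded, which is what an
                    unreachable RADIUS server would produce.
    """
    findings = []
    for port, clients in results_by_port(log_text).items():
        port_has_success = any(c["success"] for c in clients.values())
        for mac, counts in clients.items():
            if counts["server dead"]:
                kind = "selective" if port_has_success else "all-clients"
                findings.append((port, mac, counts["server dead"], kind))
    return sorted(findings)


if __name__ == "__main__":
    for port, mac, n, kind in classify_server_dead(SAMPLE_LOG):
        print(f"{port} {mac}: {n}x 'server dead' ({kind})")
```

The comparison is made across the whole capture rather than a time window, so feed it the lines from a single troubleshooting session.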
04-30-2019 05:26 PM
ISE 2.6 NAD Compatibility > Validated Cisco Access Switches shows IOS 15.2(3)E is the minimum required for 3560-CX to work with ISE.
04-30-2019 06:46 PM
04-30-2019 07:05 PM
Also, I'm running ISE 2.3 patch 6
04-30-2019 07:12 PM
I did find this URL and see that there is limited support for Guest and no support for Guest Originating URL for minimum version 12.2(55)SE5.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/compatibility/ise_sdt.html#13367
I'm assuming this limited support is why I'm running into this issue?
05-01-2019 07:45 AM
05-01-2019 08:21 AM
05-02-2019 12:13 AM
Please open a TAC case regarding your switch.
I will close this thread as it is not due to ISE.
05-02-2019 05:18 AM
No TAC assistance needed. The IOS 12.2(55)SE image was indeed the cause of the issue. I upgraded the image to 15.0 for my 2960 PST-L and now it's authenticating both domains rather than just the voice domain.