DATA Domain MAB Failure; VOICE Domain Succeeds

Hello everyone,

I'm in the process of testing ISE on a switch that is currently in production.  I had a phone and laptop connected to a port and configured that port only for AAA.  The rest of the switch is bootstrapped with all required AAA/RADIUS commands.  However, I'm getting the following log messages:

.Apr 30 21:10:54.146: %LINK-3-UPDOWN: Interface FastEthernet0/14, changed state to down
.Apr 30 21:10:55.748: %AUTHMGR-5-START: Starting 'mab' for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000056792A7B
.Apr 30 21:10:55.824: %MAB-5-FAIL: Authentication failed for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000056792A7B
.Apr 30 21:10:55.832: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000056792A7B
.Apr 30 21:10:55.832: %AUTHMGR-5-FAIL: Authorization failed for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000056792A7B
.Apr 30 21:10:56.856: %LINK-3-UPDOWN: Interface FastEthernet0/14, changed state to up
.Apr 30 21:10:57.862: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/14, changed state to up
.Apr 30 21:11:08.122: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/14, changed state to down
.Apr 30 21:11:09.128: %LINK-3-UPDOWN: Interface FastEthernet0/14, changed state to down
.Apr 30 21:11:11.762: %AUTHMGR-5-START: Starting 'mab' for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
.Apr 30 21:11:11.796: %MAB-5-FAIL: Authentication failed for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
.Apr 30 21:11:11.804: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
.Apr 30 21:11:11.804: %AUTHMGR-5-FAIL: Authorization failed for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
.Apr 30 21:11:12.693: %LINK-3-UPDOWN: Interface FastEthernet0/14, changed state to up
.Apr 30 21:11:13.700: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/14, changed state to up
.Apr 30 21:11:13.843: %AUTHMGR-5-START: Starting 'mab' for client (0800.0fb2.de2f) on Interface Fa0/14 AuditSessionID C0A83C0D000000035679748A
.Apr 30 21:11:13.876: %MAB-5-SUCCESS: Authentication successful for client (0800.0fb2.de2f) on Interface Fa0/14 AuditSessionID C0A83C0D000000035679748A
.Apr 30 21:11:13.885: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0800.0fb2.de2f) on Interface Fa0/14 AuditSessionID C0A83C0D000000035679748A
.Apr 30 21:11:14.891: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0800.0fb2.de2f) on Interface Fa0/14 AuditSessionID C0A83C0D000000035679748A
.Apr 30 21:12:12.638: %MAB-5-FAIL: Authentication failed for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
.Apr 30 21:12:12.647: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
.Apr 30 21:12:12.647: %AUTHMGR-5-FAIL: Authorization failed for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
.Apr 30 21:13:13.448: %MAB-5-FAIL: Authentication failed for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
.Apr 30 21:13:13.448: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
.Apr 30 21:13:13.456: %AUTHMGR-5-FAIL: Authorization failed for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
*Aug 19 11:24:19.481: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.2.138.253:1812,1813 is not responding.
*Aug 19 11:24:19.490: %MAB-5-FAIL: Authentication failed for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0E00000010730736D6
*Aug 19 11:24:19.507: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0E00000010730736D6
*Aug 19 11:24:19.507: %AUTHMGR-5-FAIL: Authorization failed for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0E00000010730736D6
*Aug 19 11:24:35.781: %ILPOWER-5-IEEE_DISCONNECT: Interface Fa0/14: PD removed
*Aug 19 11:24:36.024: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/14, changed state to down
*Aug 19 11:24:37.022: %LINK-3-UPDOWN: Interface FastEthernet0/14, changed state to down
*Aug 19 11:25:16.172: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.2.138.252:1812,1813 is being marked alive.

Notice that it appears that the RADIUS server is marked dead when the phone and laptop connect to the port.  When the clients are disconnected, the server is marked alive again.  I know my ISE configuration and policies are correct because everything works perfectly from a switch that runs IOS version 15.  The switch generating the logs above is running 12.2(55)SE12.  What's more is that the phone passes MAB authentication but the laptop behind it fails.  I have confirmed that the aaa server state was up but soon went down when the port status changed from down to up.  When the client disconnects the server status changes back to up.  Even more, when I check my ISE RADIUS logs, I see that both the phone and PC MACs are hitting the correct policy for authc & authz but my tester couldn't pull our guest hotspot AUP page.

The port config in question is as follows (please note that I tried it with and without the event server dead commands but still no difference):

interface FastEthernet0/14
description *** Shortel Phones DHCP ***
switchport access vlan 60
switchport mode access
switchport nonegotiate
switchport voice vlan 30
ip device tracking maximum 2
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication event server dead action authorize vlan 30
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication open
authentication order mab
authentication priority mab
authentication port-control auto
authentication violation restrict
mab
mls qos trust cos
storm-control broadcast level 20.00
storm-control action shutdown
auto qos trust
spanning-tree portfast
spanning-tree bpduguard enable
end

These are the same config commands I use on the 3560CX 8 port switch I use for testing.  Could this be an IOS bug I'm running into?

Thanks,

Terence
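
The symptom described in the post above, one client on a port receiving only 'server dead' results while another client on the same port succeeds, can be pulled out of the switch log mechanically. This is an added example, not part of the original post; the regular expression assumes the AUTHMGR-7-RESULT line format shown in the log above, and the function names are illustrative.

```python
import re
from collections import Counter, defaultdict

RESULT_RE = re.compile(
    r"%AUTHMGR-7-RESULT: Authentication result '(?P<result>[^']+)' "
    r"from '(?P<method>[^']+)' for client \((?P<mac>[0-9a-fA-F.]+)\) "
    r"on Interface (?P<intf>\S+) AuditSessionID (?P<sid>\S+)"
)

# AUTHMGR-7-RESULT lines copied from the log in the post above.
SAMPLE_LOG = """\
.Apr 30 21:10:55.832: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000056792A7B
.Apr 30 21:11:11.804: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
.Apr 30 21:11:13.885: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0800.0fb2.de2f) on Interface Fa0/14 AuditSessionID C0A83C0D000000035679748A
.Apr 30 21:12:12.647: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
.Apr 30 21:13:13.448: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0023.5ad6.6ce8) on Interface Fa0/14 AuditSessionID C0A83C0D0000000256796851
"""

def results_by_client(log_text):
    """Map interface -> MAC -> Counter of authentication results."""
    table = defaultdict(lambda: defaultdict(Counter))
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if m:
            table[m["intf"]][m["mac"].lower()][m["result"]] += 1
    return table

def selective_server_dead(log_text):
    """Return (interface, mac) pairs that only ever got 'server dead'
    on a port where another client got 'success' in the same log."""
    flagged = []
    for intf, clients in results_by_client(log_text).items():
        # Counter returns 0 for a missing key without inserting it.
        port_has_success = any(c["success"] for c in clients.values())
        for mac, counts in clients.items():
            if port_has_success and set(counts) == {"server dead"}:
                flagged.append((intf, mac))
    return sorted(flagged)

if __name__ == "__main__":
    for intf, clients in results_by_client(SAMPLE_LOG).items():
        for mac, counts in clients.items():
            print(intf, mac, dict(counts))
    print("server dead for one client only:", selective_server_dead(SAMPLE_LOG))
```
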

8 Replies

hslai
Cisco Employee

ISE 2.6 NAD Compatibility > Validated Cisco Access Switches shows IOS 15.2(3)E is the minimum required for 3560-CX to work with ISE.

Hello,

MAB works perfectly with my 3560CX. It's the 2960 that the logs I shared are coming from. It runs 12.2(55)SE12.

Also, I'm running ISE 2.3 patch 6

I did find this URL and see that there is limited support for Guest and no support for Guest Originating URL for minimum version 12.2(55)SE5.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/compatibility/ise_sdt.html#13367

I'm assuming this limited support is why I'm running into this issue?

Hi,

Can you share the config of your port and some screenshots of ISE configuration?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

My port config is in my original post. I'm out of the office today so I won't be able to get the ISE screenshots until tomorrow.

Again, the issue isn't ISE because I see successful attempts and the correct AuthZ profile for the MAC that the switch is showing failed AuthC messages for. The issue has to be the 2960 switch. All works perfectly fine from my 3560CX with no changes to my ISE policies.

Please open a TAC case regarding your switch.

I will close this thread as it is not due to ISE.

No TAC assistance needed.  The IOS 12.2(55)SE image was indeed the cause of the issue.  I upgraded the image to 15.0 for my 2960 PST-L and now it's authenticating both domains rather than just the voice domain.