12-04-2014 02:56 PM - edited 03-10-2019 10:14 PM
Hello,
I have a problem where the switch will try to authenticate a device with MAB and it will never fail or time out.
Here is the situation: a device has 802.1X authentication enabled, but with invalid parameters (or a missing certificate).
The switch will start dot1x for the client and it will fail (as intended). It will fail over from dot1x to MAB and... silence.
I'm using a WS-C2960-24LT-L with IOS 15.0(2)SE.
Config:
interface FastEthernet0/16
 switchport access vlan 155
 switchport mode access
 authentication event fail action authorize vlan 550
 authentication event server dead action authorize vlan 550
 authentication event no-response action authorize vlan 550
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 3
 dot1x timeout tx-period 1
 spanning-tree portfast
 spanning-tree bpduguard enable
end
Logs:
Dec 4 17:34:51.064 GMT: %LINK-3-UPDOWN: Interface FastEthernet0/16, changed state to up
Dec 4 17:34:51.147 GMT: %AUTHMGR-5-START: Starting 'dot1x' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
Dec 4 17:34:52.070 GMT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/16, changed state to up
Dec 4 17:34:54.234 GMT: %DOT1X-5-FAIL: Authentication failed for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
Dec 4 17:34:54.234 GMT: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
Dec 4 17:34:57.321 GMT: %DOT1X-5-FAIL: Authentication failed for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
Dec 4 17:34:57.321 GMT: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
Dec 4 17:35:00.601 GMT: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001197AA21094
Dec 4 17:35:00.601 GMT: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001197AA21094
Dec 4 17:35:00.601 GMT: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001197AA21094
sh auth session int fa0/16
Interface: FastEthernet0/16
MAC Address: Unknown
IP Address: Unknown
Status: Running
Domain: UNKNOWN
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A011246000001197AA21094
Acct Session ID: 0x00000380
Handle: 0x1700011A
Runnable methods list:
 Method  State
 dot1x   Failed over
 mab     Running
You can see above that it is still running MAB, but this device is not listed in the local ID store sequence or anywhere. If I run the command 'no mab', the switch will reply with "no more methods available" and nothing more.
Interface  MAC Address  Method  Domain   Status      Session ID
Fa0/16     (unknown)    N/A     UNKNOWN  No Methods  0A011246000001197AA21094
However when I remove the MAB command; reset the port; it will eventually fail from dot1x and move to the Restricted VLAN.
Is this the default by design, or is the authentication dropped in between the switch and ACS? Should I just use MAB where it is needed?
Thank you in advance.
12-04-2014 04:44 PM
On your interface configuration, I would normally expect to see flex auth enabled thus:
authentication priority dot1x mab
authentication order dot1x mab
authentication event fail action next-method
12-04-2014 06:15 PM
Marvin is spot on here. You need:
authentication event fail action next-method
Instead of your current:
authentication event fail action authorize vlan 550
Thank you for rating helpful posts!
12-05-2014 07:53 AM
Hello guys,
Thank you for your replies but the switch will still 'hang' on MAB with the following configuration:
interface FastEthernet0/16
 switchport access vlan 155
 switchport mode access
 authentication event fail action next-method
 authentication event server dead action authorize vlan 550
 authentication event no-response action authorize vlan 550
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 3
 dot1x timeout tx-period 1
 spanning-tree portfast
 spanning-tree bpduguard enable
end
Debugging MAB returns these messages:
Dec 5 10:22:33.766 GMT: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001367E3C834D
Dec 5 10:22:33.766 GMT: mab-ev(Fa0/16): Received MAB context create from AuthMgr
Dec 5 10:22:33.766 GMT: mab-ev(Fa0/16): Created MAB client context 0xCD00005B
Dec 5 10:22:33.766 GMT: mab : initial state mab_initialize has enter
Dec 5 10:22:33.766 GMT: mab-sm(Fa0/16): Received event 'MAB_START' on handle 0xCD00005B
Dec 5 10:22:33.766 GMT: mab : during state mab_initialize, got event 4(mabStart)
Dec 5 10:22:33.766 GMT: @@@ mab : mab_initialize -> mab_acquiring
Should I open a case with Cisco?
Thanks,
12-05-2014 08:58 AM
Couple of questions:
1. What type of Radius server are you using?
2. What does your Radius server show with regards to that endpoint
3. Post the output of the following command after the endpoint has been connected for at least 5 min
show authentication session interface fa0/6 detail
Thank you for rating helpful posts!
12-05-2014 12:34 PM
Hello Neno,
We use ACS 5.4 for Radius. I don't receive any status on the Radius reports for dot1x authentication. I will receive a fail status when it does not find any matching MAC address in the Internal store.
Here is the output after 10 mins for sh authentication sessions interface fa0/16:
Interface: FastEthernet0/16
MAC Address: Unknown
IP Address: Unknown
Status: Running
Domain: UNKNOWN
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A011246000001517F44EFAA
Acct Session ID: 0x0000049B
Handle: 0xD1000152
Runnable methods list:
 Method  State
 dot1x   Failed over
 mab     Running
and sh mab interface fa0/16 details:
MAB details for FastEthernet0/16
-------------------------------------
Mac-Auth-Bypass = Enabled
MAB Client List
---------------
Client MAC = Waiting
Session ID = 0A011246000001517F44EFAA
MAB SM state = ACQUIRING
Authen Status = FAIL
Logging output (time reference):
Dec 5 15:10:50.138 GMT: %LINK-3-UPDOWN: Interface FastEthernet0/16, changed state to up
Dec 5 15:10:51.144 GMT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/16, changed state to up
Dec 5 15:11:04.172 GMT: %DOT1X-5-FAIL: Authentication failed for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001507F4473FF
Dec 5 15:11:04.172 GMT: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001507F4473FF
Dec 5 15:11:19.607 GMT: %DOT1X-5-FAIL: Authentication failed for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001507F4473FF
Dec 5 15:11:19.607 GMT: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001507F4473FF
Dec 5 15:11:35.243 GMT: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001517F44EFAA
Dec 5 15:11:35.243 GMT: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001517F44EFAA
Dec 5 15:11:35.243 GMT: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001517F44EFAA
But 20-25ish minutes later, I receive the following output:
Dec 5 15:30:48.744 GMT: %AUTHMGR-5-START: Starting 'mab' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001517F44EFAA
Dec 5 15:30:48.744 GMT: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001517F44EFAA
Dec 5 15:30:48.744 GMT: %AUTHMGR-5-START: Starting 'dot1x' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001517F44EFAA
Dec 5 15:31:04.188 GMT: %DOT1X-5-FAIL: Authentication failed for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001517F44EFAA
Dec 5 15:31:04.188 GMT: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001517F44EFAA
Dec 5 15:31:19.623 GMT: %DOT1X-5-FAIL: Authentication failed for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001517F44EFAA
Dec 5 15:31:19.623 GMT: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001517F44EFAA
Dec 5 15:31:35.259 GMT: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001527F573F42
Dec 5 15:31:35.259 GMT: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001527F573F42
Dec 5 15:31:35.259 GMT: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001527F573F42
Dec 5 15:31:51.818 GMT: %AUTHMGR-5-START: Starting 'mab' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001527F573F42
Dec 5 15:31:51.826 GMT: %MAB-5-FAIL: Authentication failed for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001527F573F42
Dec 5 15:31:51.835 GMT: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001527F573F42
Dec 5 15:31:51.835 GMT: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001527F573F42
Dec 5 15:31:51.835 GMT: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001527F573F42
Dec 5 15:31:51.835 GMT: %AUTHMGR-5-VLANASSIGN: VLAN 550 assigned to Interface Fa0/16 AuditSessionID 0A011246000001527F573F42
Dec 5 15:31:52.506 GMT: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001527F573F42
It takes considerable time before it finally moves the client to the guest VLAN.
Thank you for your time on this issue.
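The timeline in the posts above can be reconstructed mechanically from `show logging` output. What follows is an added example, not code from this thread or from Cisco: a Python script that parses the AUTHMGR/DOT1X/MAB syslog lines, groups them by AuditSessionID and classifies each session, flagging any session that failed over from dot1x to MAB and then logged nothing (no START, no RESULT) for longer than a threshold. The sample lines are constructed after the output posted above, the year 2014 is assumed because IOS syslog timestamps carry none, and the five-minute "stuck" threshold is an arbitrary choice.

```python
"""Per-session view of Cisco 802.1X/MAB syslog: which methods ran, what they
returned, and whether a session is parked in MAB with no MAC learned yet."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# "Dec 5 15:11:35.243 GMT: %AUTHMGR-7-FAILOVER: <message>"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d{3})\s+\S+:\s+"
    r"%(?P<fac>[A-Z0-9]+)-\d-(?P<mnem>[A-Z]+):\s+(?P<msg>.*)$"
)
SESSION_RE = re.compile(r"AuditSessionID\s+(?P<sid>[0-9A-Fa-f]+)")
METHOD_RE = re.compile(r"'(?P<method>dot1x|mab)'")
RESULT_RE = re.compile(r"result '(?P<result>[\w-]+)'")
MAC_RE = re.compile(r"client \((?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}|Unknown MAC)\)")
VLAN_RE = re.compile(r"VLAN (?P<vlan>\d+) assigned")


@dataclass
class Event:
    ts: datetime
    mnem: str              # START, RESULT, FAILOVER, FAIL, VLANASSIGN, SUCCESS, ...
    sid: str               # AuditSessionID
    method: Optional[str]  # 'dot1x' or 'mab' when the line identifies one
    result: Optional[str]  # 'timeout', 'no-response', ... on RESULT lines
    mac: Optional[str]     # None while the switch still reports 'Unknown MAC'
    vlan: Optional[int]


def parse_line(line: str, year: int) -> Optional[Event]:
    """Parse one line; lines with no AuditSessionID (LINK, LINEPROTO) give None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    sid = SESSION_RE.search(msg)
    if not sid:
        return None
    # IOS timestamps carry no year, so the caller supplies one (an assumption).
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S.%f")
    method = METHOD_RE.search(msg)
    # DOT1X-5-FAIL and MAB-5-FAIL do not quote a method; take it from the facility.
    method_name = (method.group("method") if method
                   else {"DOT1X": "dot1x", "MAB": "mab"}.get(m.group("fac")))
    result, mac, vlan = RESULT_RE.search(msg), MAC_RE.search(msg), VLAN_RE.search(msg)
    return Event(
        ts=ts, mnem=m.group("mnem"), sid=sid.group("sid"), method=method_name,
        result=result.group("result") if result else None,
        mac=mac.group("mac") if mac and mac.group("mac") != "Unknown MAC" else None,
        vlan=int(vlan.group("vlan")) if vlan else None,
    )


def summarize(lines, year: int, now: datetime,
              stuck_after: timedelta = timedelta(minutes=5)) -> Dict[str, dict]:
    """Group events by session and classify each session's outcome."""
    sessions: Dict[str, List[Event]] = {}
    for line in lines:
        ev = parse_line(line, year)
        if ev:
            sessions.setdefault(ev.sid, []).append(ev)
    report: Dict[str, dict] = {}
    for sid, evs in sessions.items():
        evs.sort(key=lambda e: e.ts)
        last = evs[-1]
        methods: List[str] = []
        for e in evs:
            if e.method and e.method not in methods:
                methods.append(e.method)
        if any(e.mnem == "SUCCESS" for e in evs):
            state = "authorized"
        elif last.mnem == "FAILOVER" and last.method == "dot1x":
            # dot1x handed the session to MAB and MAB has logged nothing since.
            # MAB can only send its RADIUS request once it has a source MAC from
            # the endpoint, so a long silence with no MAC learned is the 'hang'.
            state = "stuck-in-mab" if now - last.ts >= stuck_after else "mab-pending"
        else:
            state = "incomplete"
        report[sid] = {
            "state": state, "methods": methods,
            "mac": next((e.mac for e in evs if e.mac), None),
            "vlan": next((e.vlan for e in evs if e.vlan), None),
            "duration": last.ts - evs[0].ts,
        }
    return report


# Constructed sample, modelled on the lines posted above (not a verbatim copy).
SAMPLE_LOG = """\
Dec 5 15:11:04.172 GMT: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001507F4473FF
Dec 5 15:11:35.243 GMT: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001517F44EFAA
Dec 5 15:11:35.243 GMT: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001517F44EFAA
Dec 5 15:11:35.243 GMT: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001517F44EFAA
Dec 5 15:31:35.259 GMT: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001527F573F42
Dec 5 15:31:51.818 GMT: %AUTHMGR-5-START: Starting 'mab' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001527F573F42
Dec 5 15:31:51.826 GMT: %MAB-5-FAIL: Authentication failed for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001527F573F42
Dec 5 15:31:51.835 GMT: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001527F573F42
Dec 5 15:31:51.835 GMT: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001527F573F42
Dec 5 15:31:51.835 GMT: %AUTHMGR-5-VLANASSIGN: VLAN 550 assigned to Interface Fa0/16 AuditSessionID 0A011246000001527F573F42
Dec 5 15:31:52.506 GMT: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001527F573F42
"""


def analyze_sample() -> Dict[str, dict]:
    """Run the summary on the sample with 'now' fixed at 15:25 GMT the same day."""
    return summarize(SAMPLE_LOG.splitlines(), year=2014,
                     now=datetime(2014, 12, 5, 15, 25))


if __name__ == "__main__":
    for sid, info in analyze_sample().items():
        print(sid, info["state"], info["methods"], info["mac"], info["vlan"], info["duration"])
```

Feed it the raw `show logging` text instead of SAMPLE_LOG and pass the real wall-clock time as `now`. For the stuck session the report carries no learned MAC, which is the same condition the `sh mab interface` output above shows as "Client MAC = Waiting" with the state machine in ACQUIRING; the later session that reaches NOMOREMETHODS, VLANASSIGN and SUCCESS comes out as "authorized" with the VLAN and the dot1x, mab method order recorded.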
02-08-2019 04:50 AM
Hi Marvin,
Sorry for replying to this thread as it is considered solved, but it doesn't seem so.
I have exactly the same issue, knowing that I have already configured the commands you mentioned.
Maybe you can have a look at the following thread I opened for a better idea:
Many thanks in advance.