Dot1x traffic not hitting ISE but the MAB traffic hits the ISE in 9200

titusroz03
Level 1

Hi All,

I have legacy dot1x configured with MAB as backup. If I prioritize MAB and then dot1x, I can view the logs in ISE, but if I do it for dot1x I can't see any logs in ISE.

Still confused whether I need to change any settings on the laptop or configs on the switch w.r.t. dot1x.

Laptop:

Have selected PEAP as the auth method, and under EAP-MSCHAPv2 have selected both user and machine authentication.

In switch:

aaa group server radius <group_name>
server name <server name>
server name <server name>
!


aaa authentication dot1x default group <group_name>
aaa authorization network default group <group_name>
aaa accounting update newinfo periodic 120
aaa accounting dot1x default start-stop group <group_name>

!
!
aaa server radius dynamic-author
client <server IP> server-key 6 <server key>
client <server IP> server-key 6 <server key>
client <server IP> server-key 6 <server key>
!
!
dot1x system-auth-control
dot1x critical eapol block
!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria time 5 tries 3
radius-server deadtime 5
!
radius server <server name>
address ipv4 <server IP> auth-port 1812 acct-port 1813
automate-tester username teste ignore-acct-port idle-time 5
key 6 <key>
!
radius server <server name>
address ipv4 <server IP> auth-port 1812 acct-port 1813
automate-tester username test ignore-acct-port idle-time 5
key 6 <key>
!
!

!
interface GigX/X
switchport access vlan XX
switchport mode access
switchport voice vlan XX
device-tracking attach-policy XX
no logging event link-status
no logging event power-inline-status
authentication control-direction in
authentication event fail action next-method
authentication event server dead action reinitialize vlan XX
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast
spanning-tree guard root
service-policy output output-q

I observe the logs below continuously on the switch:

*Oct 3 13:46:25.963: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (6c24.08e3.053d) with reason (No Response from Client) on Interface Gi1/0/1 AuditSessionID 0720C80A00001B0FF42601FA
*Oct 3 13:46:26.204: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (6c24.08e3.053d) on Interface GigabitEthernet1/0/1 AuditSessionID 0720C80A00001B0FF42601FA. Failure reason: Authc fail. Authc failure reason: Cred Fail.
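The two syslog lines above carry the actual diagnostic signal in this thread: a %DOT1X-5-FAIL with reason "No Response from Client" means the switch sent EAP-Request/Identity frames and never got an EAPOL reply, so no RADIUS Access-Request for 802.1X is ever built and ISE has nothing to log, while the %SESSION_MGR-5-FAIL line with the same AuditSessionID is the follow-on session result. The script below is an added example, not code from the thread or from Cisco: it parses both message formats, groups events by AuditSessionID and classifies each session as supplicant-silent (client never answered; look at the client's 802.1X settings) versus credential-rejected (an EAP exchange happened and the server rejected it; look in the ISE Live Logs). The sample log lines are constructed copies of the poster's messages, and the mapping from reason strings to verdicts is my own assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the two messages in the post above.
SAMPLE_LOGS = [
    "*Oct 3 13:46:25.963: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed "
    "for client (6c24.08e3.053d) with reason (No Response from Client) on Interface Gi1/0/1 "
    "AuditSessionID 0720C80A00001B0FF42601FA",
    "*Oct 3 13:46:26.204: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed "
    "or unapplied for client (6c24.08e3.053d) on Interface GigabitEthernet1/0/1 "
    "AuditSessionID 0720C80A00001B0FF42601FA. Failure reason: Authc fail. "
    "Authc failure reason: Cred Fail.",
]

# Field layout of the two IOS-XE messages seen in the post.
DOT1X_FAIL = re.compile(
    r"%DOT1X-5-FAIL:.*?client \((?P<mac>[0-9a-f.]+)\) with reason \((?P<reason>[^)]+)\)"
    r" on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-F]+)"
)
SESSMGR_FAIL = re.compile(
    r"%SESSION_MGR-5-FAIL:.*?client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+)"
    r" AuditSessionID (?P<sid>[0-9A-F]+)\. Failure reason: (?P<reason>[^.]+)\."
    r"(?: Authc failure reason: (?P<authc>[^.]+)\.)?"
)


def parse_line(line):
    """Return a dict describing one failure event, or None for unrelated lines."""
    m = DOT1X_FAIL.search(line)
    if m:
        return {"kind": "dot1x", "authc": None, **m.groupdict()}
    m = SESSMGR_FAIL.search(line)
    if m:
        return {"kind": "sessmgr", **m.groupdict()}
    return None


def diagnose(events):
    """Group events by AuditSessionID and give each session a verdict.

    Verdict mapping (assumption, not a Cisco-documented taxonomy):
      supplicant-silent   - the switch logged "No Response from Client": no EAPOL
                            reply was received, so ISE never sees an 802.1X request.
      credential-rejected - an EAP exchange reached the server and it answered
                            with a reject; ISE Live Logs will show the attempt.
    """
    sessions = defaultdict(list)
    for ev in events:
        sessions[ev["sid"]].append(ev)

    findings = {}
    for sid, evs in sessions.items():
        dot1x_reasons = {e["reason"] for e in evs if e["kind"] == "dot1x"}
        authc_reasons = {e["authc"] for e in evs if e["kind"] == "sessmgr"}
        if "No Response from Client" in dot1x_reasons:
            verdict = "supplicant-silent"
        elif "Cred Fail" in authc_reasons:
            verdict = "credential-rejected"
        else:
            verdict = "unknown"
        findings[sid] = {
            "mac": evs[0]["mac"],
            "interface": evs[0]["intf"],
            "verdict": verdict,
            "dot1x_failures": sum(1 for e in evs if e["kind"] == "dot1x"),
        }
    return findings


if __name__ == "__main__":
    parsed = [ev for ev in map(parse_line, SAMPLE_LOGS) if ev]
    for sid, result in diagnose(parsed).items():
        print(sid, result)
```

Feed it the output of `show logging` (or a syslog export) instead of SAMPLE_LOGS; a port whose sessions are all supplicant-silent while MAB succeeds is the pattern described in this thread, and the place to look is the client, not the RADIUS server.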

7 Replies

authentication control-direction in

Try changing it to both directions and check again.

@titusroz03 if you are not seeing any 802.1X authentications (success or failure) in the ISE Live Logs, that kind of implies the client is not attempting authentication and that once the 802.1X retry timers expire MAB is used.

Double check the client 802.1X authentication settings and confirm it's enabled and attempting authentication. If you take a tcpdump packet capture (from ISE GUI) you can determine whether the client is even attempting authentication.

I am seeing the RADIUS logs only for MAB authentication and couldn't see one for dot1x. The tcpdump can only be put on an ip host, but here it is not yet authenticated.

@titusroz03 you filter on the "ip host <address>" of the NAD (switch). If you can only see MAB in the tcpdump then 802.1X is not being attempted by the client.

Do you have credential guard enabled? You cannot use PEAP if you have credential guard enabled, so you'd either need to disable credential guard or use EAP-TLS (certificates) instead of PEAP/MSCHAPv2.

balaji.bandi
Hall of Fame

Maybe for testing you might have changed MAB and 802.1X - change back to 802.1X and MAB and test it.

Also worth checking the end device (if you're looking at PEAP authentication): what Windows version?

Suggest looking at this good video:

https://www.youtube.com/watch?v=raDFQDTt9uY&t=4s

BB

I am using a Windows 10 machine. I have checked both user & machine authentication and the method as PEAP. Also, in additional settings I have enabled EAP-MSCHAPv2.