12-15-2014 07:54 AM - edited 03-10-2019 10:16 PM
Hello
I am trying to configure MAB authentication with an Alcatel "ipTouch" phone.
The RADIUS server is an ISE version 1.2.1.
It is impossible to authenticate with MAB.
On the ISE the error is:
"Event 5434 Endpoint conducted several failed authentications of the same scenario"
"Failure Reason 11514 Unexpectedly received empty TLS message; treating as a rejection by the client"
On the switch the error message is:
2960-09#
Dec 15 11:13:50.090: %AUTHMGR-5-START: Starting 'mab' for client (0080.9fc8.a9eb) on Interface Gi1/0/11 AuditSessionID 0A0A510A0000010A2E95860F
Dec 15 11:13:50.125: %MAB-5-FAIL: Authentication failed for client (0080.9fc8.a9eb) on Interface Gi1/0/11 AuditSessionID 0A0A510A0000010A2E95860F
Dec 15 11:13:50.125: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0080.9fc8.a9eb) on Interface Gi1/0/11 AuditSessionID 0A0A510A0000010A2E95860F
Dec 15 11:13:50.125: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0080.9fc8.a9eb) on Interface Gi1/0/11 AuditSessionID 0A0A510A0000010A2E95860F
2960-09#
Dec 15 11:13:50.125: %AUTHMGR-5-START: Starting 'dot1x' for client (0080.9fc8.a9eb) on Interface Gi1/0/11 AuditSessionID 0A0A510A0000010A2E95860F
Here is the switch config
+++++++++++++++++
interface GigabitEthernet1/0/11
description HOST PORT WITH AUTHENTICATION
switchport access vlan 68
switchport mode access
switchport nonegotiate
switchport voice vlan 78
authentication event server dead action reinitialize vlan 68
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 300
authentication timer reauthenticate server
authentication timer inactivity server
mab
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast
end
Global switch config
+++++++++++++++
aaa new-model
!
!
aaa authentication login default local group radius
aaa authentication dot1x default group radius
aaa authorization exec default local group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
!
!
aaa server radius dynamic-author
client 10.1.30.11 server-key 7 023201575A080B34080F
client 10.1.30.12 server-key 7 122D001B430508116E6A
!
dot1x system-auth-control
dot1x critical eapol
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 1 tries 3
radius-server host 10.1.30.11 auth-port 1812 acct-port 1813 key 7 0030160A55550F134B60
radius-server host 10.1.30.12 auth-port 1812 acct-port 1813 key 7 0030160A55550F134B60
radius-server deadtime 1
radius-server vsa send accounting
radius-server vsa send authentication
Could you please help me?
Michel Misonne
12-15-2014 11:52 PM
Hi,
Is the MAC configured in ISE Hosts? If so, please activate a "debug radius" and post it.
I have Alcatel in our production environment, but using DOT1X.
Regards Horst
12-16-2014 01:14 AM
Hi
Yes, the MAC is in the Identity endpoint.
During the night the phone rebooted, and now it is OK!!!
I do not know why.
I changed nothing!
But here is the debug.
Also, the ISE is configured with the authentication protocol PAP-ASCII = Enable,
and "Calling stat id" and "Check pass" checked.
The config of the phone is:
- MAC to login
- MD5 profile = OFF
- TLS profile = OFF
Here is the debug (when it works well):
conf t
Enter configuration commands, one per line. End with CNTL/Z.
2960-09(config)#endshutdown int gigabitEthernet 1/0/11
2960-09(config-if)#no shu
2960-09(config-if)#no shutdown
2960-09(config-if)#
2960-09(config-if)#end
2960-09#
Dec 16 08:33:54.962: %ILPOWER-7-DETECT: Interface Gi1/0/11: Power Device detected: IEEE PD
Dec 16 08:33:56.157: %ILPOWER-5-POWER_GRANTED: Interface Gi1/0/11: Power granted
2960-09#
Dec 16 08:33:56.241: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/11, changed state to down
Dec 16 08:33:56.322: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.68.4)
2960-09#
Dec 16 08:34:02.924: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/11, changed state to up
Dec 16 08:34:03.924: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/11, changed state to up
2960-09#
Dec 16 08:34:05.088: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/11, changed state to down
2960-09#
Dec 16 08:34:06.095: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/11, changed state to down
2960-09#
Dec 16 08:34:09.800: %AUTHMGR-5-START: Starting 'mab' for client (0080.9fc8.a9eb) on Interface Gi1/0/11 AuditSessionID 0A0A510A0000011E3329AE1E
Dec 16 08:34:09.800: RADIUS/ENCODE(0000025F):Orig. component type = Dot1X
Dec 16 08:34:09.804: RADIUS(0000025F): Config NAS IP: 0.0.0.0
Dec 16 08:34:09.804: RADIUS(0000025F): Config NAS IPv6: ::
Dec 16 08:34:09.804: RADIUS/ENCODE(0000025F): acct_session_id: 597
Dec 16 08:34:09.804: RADIUS(0000025F): sending
Dec 16 08:34:09.804: RADIUS/ENCODE: Best Local IP-Address 10.10.81.10 for Radius-Server 10.1.30.11
Dec 16 08:34:09.804: RADIUS(0000025F): Sending a IPv4 Radius Packet
Dec 16 08:34:09.804: RADIUS(0000025F): Send Access-Request to 10.1.30.11:1812 id 1645/198,len 249
Dec 16 08:34:09.804: RADIUS: authenticator D3 5F 99 C6 EE 9F 9F 96 - 7C 1B A1 B9 32 1C 78 61
Dec 16 08:34:09.804: RADIUS: User-Name [1] 14 "00809fc8a9eb"
Dec 16 08:34:09.804: RADIUS: User-Password [2] 18 *
Dec 16 08:34:09.804: RADIUS: Service-Type [6] 6 Call Check [10]
Dec 16 08:34:09.804: RADIUS: Vendor, Cisco [26] 31
Dec 16 08:34:09.804: RADIUS: Cisco AVpair [1] 25 "service-type=Call Check"
Dec 16 08:34:09.804: RADIUS: Framed-IP-Address [8] 6 10.10.78.250
Dec 16 08:34:09.804: RADIUS: Framed-MTU [12] 6 1500
Dec 16 08:34:09.804: RADIUS: Called-Station-Id [30] 19 "F0-9E-63-E7-E1-8B"
Dec 16 08:34:09.804: RADIUS: Calling-Station-Id [31] 19 "00-80-9F-C8-A9-EB"
Dec 16 08:34:09.804: RADIUS: Message-Authenticato[80] 18
Dec 16 08:34:09.804: RADIUS: 5F 60 06 35 54 F6 CB 60 3A D6 A9 87 92 F0 0D 70 [ _`5T`:p]
Dec 16 08:34:09.804: RADIUS: EAP-Key-Name [102] 2 *
Dec 16 08:34:09.804: RADIUS: Vendor, Cisco [26] 49
Dec 16 08:34:09.807: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A0A510A0000011E3329AE1E"
Dec 16 08:34:09.807: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Dec 16 08:34:09.807: RADIUS: NAS-Port [5] 6 50111
Dec 16 08:34:09.807: RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet1/0/11"
Dec 16 08:34:09.807: RADIUS: NAS-IP-Address [4] 6 10.10.81.10
Dec 16 08:34:09.807: RADIUS(0000025F): Started 5 sec timeout
Dec 16 08:34:09.856: RADIUS: Received from id 1645/198 10.1.30.11:1812, Access-Accept, len 283
Dec 16 08:34:09.856: RADIUS: authenticator BC 72 21 F4 37 7D BE B1 - 03 A7 CE F3 3A DB EE DA
Dec 16 08:34:09.856: RADIUS: User-Name [1] 14 "00809fc8a9eb"
Dec 16 08:34:09.856: RADIUS: State [24] 40
Dec 16 08:34:09.856: RADIUS: 52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 41 [ReauthSession:0A]
Dec 16 08:34:09.856: RADIUS: 30 41 35 31 30 41 30 30 30 30 30 31 31 45 33 33 [0A510A0000011E33]
Dec 16 08:34:09.856: RADIUS: 32 39 41 45 31 45 [ 29AE1E]
Dec 16 08:34:09.856: RADIUS: Class [25] 54
Dec 16 08:34:09.856: RADIUS: 43 41 43 53 3A 30 41 30 41 35 31 30 41 30 30 30 [CACS:0A0A510A000]
Dec 16 08:34:09.859: RADIUS: 30 30 31 31 45 33 33 32 39 41 45 31 45 3A 6D 65 [0011E3329AE1E:me]
Dec 16 08:34:09.859: RADIUS: 67 61 74 72 6F 6E 2F 32 30 37 35 39 38 39 38 34 [gatron/207598984]
Dec 16 08:34:09.859: RADIUS: 2F 34 31 30 [ /410]
Dec 16 08:34:09.859: RADIUS: Message-Authenticato[80] 18
Dec 16 08:34:09.859: RADIUS: 51 E9 8C 07 61 A4 F0 02 0C DC DF 1F 25 BE 39 A3 [ Qa?9]
Dec 16 08:34:09.859: RADIUS: Vendor, Cisco [26] 34
Dec 16 08:34:09.859: RADIUS: Cisco AVpair [1] 28 "device-traffic-class=voice"
Dec 16 08:34:09.859: RADIUS: Vendor, Cisco [26] 75
Dec 16 08:34:09.859: RADIUS: Cisco AVpair [1] 69 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-537cb1d6"
Dec 16 08:34:09.859: RADIUS: Vendor, Cisco [26] 28
Dec 16 08:34:09.859: RADIUS: Cisco AVpair [1] 22 "profile-name=Unknown"
Dec 16 08:34:09.859: RADIUS(0000025F): Received from id 1645/198
Dec 16 08:34:09.859: RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNORE
Dec 16 08:34:09.859: %MAB-5-SUCCESS: Authentication successful for client (0080.9fc8.a9eb) on Interface Gi1/0/11 AuditSessionID 0A0A510A0000011E3329AE1E
Dec 16 08:34:09.863: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0080.9fc8.a9eb) on Interface Gi1/0/11 AuditSessionID 0A0A510A0000011E3329AE1E
Dec 16 08:34:09.894: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Dec 16 08:34:09.894: RADIUS(00000000): Config NAS IP: 0.0.0.0
Dec 16 08:34:09.898: RADIUS(00000000): sending
Dec 16 08:34:09.957: RADIUS/ENCODE: Best Local IP-Address 10.10.81.10 for Radius-Server 10.1.30.11
Dec 16 08:34:09.957: RADIUS(00000000): Sending a IPv4 Radius Packet
Dec 16 08:34:09.957: RADIUS(00000000): Send Access-Request to 10.1.30.11:1812 id 1645/199,len 147
Dec 16 08:34:09.957: RADIUS: authenticator 1B D7 D2 13 EF 69 36 E2 - 87 4D A9 69 2A F7 29 4D
Dec 16 08:34:09.957: RADIUS: NAS-IP-Address [4] 6 10.10.81.10
Dec 16 08:34:09.957: RADIUS: User-Name [1] 41 "#ACSACL#-IP-PERMIT_ALL_TRAFFIC-537cb1d6"
Dec 16 08:34:09.957: RADIUS: Vendor, Cisco [26] 32
Dec 16 08:34:09.957: RADIUS: Cisco AVpair [1] 26 "aaa:service=ip_admission"
Dec 16 08:34:09.961: RADIUS: Vendor, Cisco [26] 30
Dec 16 08:34:09.961: RADIUS: Cisco AVpair [1] 24 "aaa:event=acl-download"
Dec 16 08:34:09.961: RADIUS: Message-Authenticato[80] 18
Dec 16 08:34:09.961: RADIUS: E7 15 BB FB 7B 5B 1A C4 50 FC E7 0E 10 AC 22 36 [ {[P"6]
Dec 16 08:34:09.961: RADIUS(00000000): Started 5 sec timeout
Dec 16 08:34:09.968: RADIUS: Received from id 1645/199 10.1.30.11:1812, Access-Accept, len 209
Dec 16 08:34:09.968: RADIUS: authenticator FA 03 DD C1 D2 87 6B 58 - 99 65 EE 96 FF D5 76 FD
Dec 16 08:34:09.968: RADIUS: User-Name [1] 41 "#ACSACL#-IP-PERMIT_ALL_TRAFFIC-537cb1d6"
Dec 16 08:34:09.968: RADIUS: State [24] 40
Dec 16 08:34:09.968: RADIUS: 52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 61 [ReauthSession:0a]
Dec 16 08:34:09.971: RADIUS: 30 31 31 65 30 62 30 30 30 30 30 30 37 38 35 34 [011e0b0000007854]
Dec 16 08:34:09.971: RADIUS: 38 46 45 45 38 31 [ 8FEE81]
Dec 16 08:34:09.971: RADIUS: Class [25] 54
Dec 16 08:34:09.971: RADIUS: 43 41 43 53 3A 30 61 30 31 31 65 30 62 30 30 30 [CACS:0a011e0b000]
Dec 16 08:34:09.971: RADIUS: 30 30 30 37 38 35 34 38 46 45 45 38 31 3A 6D 65 [00078548FEE81:me]
Dec 16 08:34:09.971: RADIUS: 67 61 74 72 6F 6E 2F 32 30 37 35 39 38 39 38 34 [gatron/207598984]
Dec 16 08:34:09.971: RADIUS: 2F 34 31 31 [ /411]
Dec 16 08:34:09.971: RADIUS: Message-Authenticato[80] 18
Dec 16 08:34:09.971: RADIUS: A4 02 84 1E 1A 97 E9 E9 DE 46 93 D6 30 C4 52 99 [ F0R]
Dec 16 08:34:09.971: RADIUS: Vendor, Cisco [26] 36
Dec 16 08:34:09.971: RADIUS: Cisco AVpair [1] 30 "ip:inacl#1=permit ip any any"
Dec 16 08:34:09.971: RADIUS(00000000): Received from id 1645/199
Dec 16 08:34:10.069: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0080.9fc8.a9eb) on Interface Gi1/0/11 AuditSessionID 0A0A510A0000011E3329AE1E
Dec 16 08:34:10.069: RADIUS/ENCODE(0000025F):Orig. component type = Dot1X
Dec 16 08:34:10.069: RADIUS(0000025F): Config NAS IP: 0.0.0.0
Dec 16 08:34:10.069: RADIUS(0000025F): Config NAS IPv6: ::
Dec 16 08:34:10.073: RADIUS(0000025F): sending
Dec 16 08:34:10.073: RADIUS/ENCODE: Best Local IP-Address 10.10.81.10 for Radius-Server 10.1.30.11
Dec 16 08:34:10.073: RADIUS(0000025F): Sending a IPv4 Radius Packet
Dec 16 08:34:10.073: RADIUS(0000025F): Send Accounting-Request to 10.1.30.11:1813 id 1646/240,len 423
Dec 16 08:34:10.073: RADIUS: authenticator 6C 75 45 C7 B7 66 2F 4D - 04 01 C6 CE A5 16 68 9B
Dec 16 08:34:10.073: RADIUS: Acct-Session-Id [44] 10 "00000255"
Dec 16 08:34:10.073: RADIUS: Calling-Station-Id [31] 19 "00-80-9F-C8-A9-EB"
Dec 16 08:34:10.073: RADIUS: Vendor, Cisco [26] 49
Dec 16 08:34:10.073: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A0A510A0000011E3329AE1E"
Dec 16 08:34:10.073: RADIUS: Framed-IP-Address [8] 6 10.10.78.250
Dec 16 08:34:10.073: RADIUS: User-Name [1] 14 "00809fc8a9eb"
Dec 16 08:34:10.073: RADIUS: Vendor, Cisco [26] 32
Dec 16 08:34:10.073: RADIUS: Cisco AVpair [1] 26 "connect-progress=Call Up"
Dec 16 08:34:10.073: RADIUS: Vendor, Cisco [26] 21
Dec 16 08:34:10.073: RADIUS: Cisco AVpair [1] 15 "lldp-tlv= "
Dec 16 08:34:10.073: RADIUS: Vendor, Cisco [26] 25
Dec 16 08:34:10.073: RADIUS: Cisco AVpair [1] 19 "lldp-tlv= "
Dec 16 08:34:10.073: RADIUS: Vendor, Cisco [26] 23
Dec 16 08:34:10.073: RADIUS: Cisco AVpair [1] 17 "lldp-tlv= "
Dec 16 08:34:10.073: RADIUS: Vendor, Cisco [26] 28
Dec 16 08:34:10.073: RADIUS: Vendor, Cisco [26] 28
Dec 16 08:34:10.073: RADIUS: Tunnel-Packets-Lost [86] 101 1852075890
Dec 16 08:34:10.076: RADIUS: Nas-Identifier [32] 32 "
Dec 16 08:34:10"
Dec 16 08:34:10.076: data_left 15
2960-09#
Dec 16 08:34:10.076: RADIUS(0000025F): Started 5 sec timeout
Dec 16 08:34:10.090: RADIUS: Received from id 1646/240 10.1.30.11:1813, Accounting-response, len 20
Dec 16 08:34:10.090: RADIUS: authenticator 91 9F CE 71 1C 4B 45 93 - 49 86 52 C8 C3 44 40 B8
2960-09#
Dec 16 08:34:11.485: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/11, changed state to up
Dec 16 08:34:12.485: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/11, changed state to up
2960-09#
2960-09#sh auth
2960-09#sh authentication ses
2960-09#sh authentication sessions int gi
2960-09#sh authentication sessions int gigabitEthernet 1/ /0/11
Interface: GigabitEthernet1/0/11
MAC Address: 0080.9fc8.a9eb
IP Address: 10.10.78.250
User-Name: 00809fc8a9eb
Status: Authz Success
Domain: VOICE
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0A510A0000011E3329AE1E
Acct Session ID: 0x00000255
Handle: 0x3600011F
Runnable methods list:
Method State
mab Authc Success
dot1x Not run
2960-09#
12-16-2014 01:43 AM
...maybe it was a timing problem. Usually the phone reboots if it can't reach the TFTP/DHCP server. I also found out that MAB times out because the phone is "busy" with DHCP. Then you need to adjust your timers. I'm using:
dot1x timeout tx-period 1
dot1x max-req 3
dot1x max-reauth-req 1
Another little tip: Cisco recommends not to use reauthentication with MAB.
I can see that you push a dACL to your port. Your ports are configured in "CLOSED MODE", so you don't need a dACL with permit ip any any.
Regards Horst
12-16-2014 11:53 PM
Thanks for your answer.
For the moment it is impossible to reproduce the problem, so I will not change anything now.
About your timers: all dot1x timers apply to dot1x devices. They shouldn't influence anything in the MAB process for non-dot1x devices?
Regards
M Misonne
12-17-2014 12:59 AM
With both of these timers you can influence the time between a failed MAB and starting dot1x, or the other way round.
dot1x timeout tx-period 1
dot1x max-reauth-req 1
The combination of tx-period and max-reauth-req is especially important to non-IEEE-802.1X-capable endpoints. Endpoints without a supplicant must wait until 802.1X times out before getting network access via a fallback mechanism. The total time it takes for 802.1X to time out is determined by the following formula:
Timeout = (max-reauth-req +1) * tx-period
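The timeout formula above, and the MAB-to-dot1x failover visible in the first post's switch log, as an added Python example that is not code from this thread or from Cisco: it groups %AUTHMGR/%MAB syslog lines by AuditSessionID, flags a session where MAB got 'no-response' and the switch failed over to dot1x, and computes the 802.1X timeout from an interface config block. The IOS defaults of tx-period 30 s and max-reauth-req 2 are assumed when the config does not set them.

```python
import re

# Constructed sample: the %AUTHMGR/%MAB lines from the first post, re-joined.
SYSLOG = """\
Dec 15 11:13:50.090: %AUTHMGR-5-START: Starting 'mab' for client (0080.9fc8.a9eb) on Interface Gi1/0/11 AuditSessionID 0A0A510A0000010A2E95860F
Dec 15 11:13:50.125: %MAB-5-FAIL: Authentication failed for client (0080.9fc8.a9eb) on Interface Gi1/0/11 AuditSessionID 0A0A510A0000010A2E95860F
Dec 15 11:13:50.125: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0080.9fc8.a9eb) on Interface Gi1/0/11 AuditSessionID 0A0A510A0000010A2E95860F
Dec 15 11:13:50.125: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0080.9fc8.a9eb) on Interface Gi1/0/11 AuditSessionID 0A0A510A0000010A2E95860F
Dec 15 11:13:50.125: %AUTHMGR-5-START: Starting 'dot1x' for client (0080.9fc8.a9eb) on Interface Gi1/0/11 AuditSessionID 0A0A510A0000010A2E95860F
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+): %(?P<msg>[A-Z0-9]+-\d-[A-Z_]+): (?P<text>.*?) "
    r"for client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+) "
    r"AuditSessionID (?P<sid>[0-9A-F]+)$")


def session_timeline(log):
    """Group session events by AuditSessionID, in log order.
    Each event is (message-id, list of quoted method/result words, mac)."""
    sessions = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # RADIUS debug, LINK-3-UPDOWN etc. are not session events
        quoted = re.findall(r"'([a-z0-9-]+)'", m["text"])
        sessions.setdefault(m["sid"], []).append((m["msg"], quoted, m["mac"]))
    return sessions


def mab_fell_back_to_dot1x(events):
    """True when MAB ended with 'no-response' and the switch then started
    dot1x for the same session: the symptom shown in the first post."""
    no_response = any(e[0] == "AUTHMGR-7-RESULT" and e[1] == ["no-response", "mab"]
                      for e in events)
    for i, e in enumerate(events):
        if e[0] == "AUTHMGR-7-FAILOVER":
            return no_response and any(x[0] == "AUTHMGR-5-START" and x[1] == ["dot1x"]
                                       for x in events[i + 1:])
    return False


def dot1x_timeout(config, default_tx_period=30, default_max_reauth_req=2):
    """Timeout = (max-reauth-req + 1) * tx-period, the formula quoted above.
    Defaults (30 s, 2) are the assumed IOS defaults when the config is silent."""
    tx = re.search(r"dot1x timeout tx-period (\d+)", config)
    mr = re.search(r"dot1x max-reauth-req (\d+)", config)
    tx_period = int(tx.group(1)) if tx else default_tx_period
    max_reauth = int(mr.group(1)) if mr else default_max_reauth_req
    return (max_reauth + 1) * tx_period
```

With the first post's interface config (tx-period 5, max-reauth-req unset) the function returns 15 s, and with the timers suggested above (tx-period 1, max-reauth-req 1) it returns 2 s.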
12-17-2014 01:19 AM
I understand, but in my case I tried with this setup:
"authentication order mab dot1x"