
ISE 2.7 patch 3, Mac OS abandon session, WS-C3560X-48 IOS v. 12.2(55)SE13

KelvinT
Level 1

ISE 2.7 patch 3

Mac OS supplicant

WS-C3560X-48 IOS v. 12.2(55)SE13

 

Hello,

 

The MacOS is configured for system/machine authN using LEAP. It works successfully on other switches but fails on the switch mentioned above. What "fail" means is that ISE states the supplicant abandoned the session, and the MacOS shows authentication....

 

More detail:

From ISE and switch: ISE shows successful authN, and the switch shows 1.x successful/AuthZ and receives CoA (debug shows), but the switch never changes to the assigned VLAN.

 

Windows PCs on the same switch work without issue, although they are using EAP-TLS machine authN.

 

Any ideas?  Is there a known issue with MacOS/LEAP on this code?

 

Thanks in advance.

Accepted Solutions

KelvinT
Level 1
Level 1

Hello,

 

I upgraded the switch to the latest suggested IOS and that fixed the issue.

 

Thanks all for your support.


4 Replies

balaji.bandi
Hall of Fame

How about other switches, does the same MAC work? Which switches were working?

 

WS-C3560X-48 IOS v. 12.2(55)SE13 - check whether any new IOS is available, or run a full debug to collect the logs.

 

BB


Hi BB and thanks for your response.

 

WS-C3650-48PD   03.07.05.E        cat3k_caa-universalk9 BUNDLE

 

The debug log shows the nonworking switch is not receiving the "access-accept" RADIUS even though it did receive a 

 

%DOT1X-5-SUCCESS: Authentication successful for client (char) on Interface Gi0/5 AuditSessionID

 

What's interesting is the successful DOT1X didn't have an Audit Session ID.

 

When compared against the working switch, the working switch received "access-accept" with the result VLAN and the DOT1X had an audit session ID.

 

I was wondering if the interface config "authentication control-direction in" can be a cause. I saw a bunch of bugs related to it but eventually felt like I was going down the wrong rabbit hole. hahah... FYI... this config is also enabled on the working switch.

 

Thanks again
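One way to scan collected switch logs for the symptom described in this post (a %DOT1X-5-SUCCESS line with no Audit Session ID, and no VLAN change afterwards), as an added example that is not part of the original thread. The log lines are constructed apart from the Gi0/5 line quoted above, and the %AUTHMGR-5-VLANASSIGN message layout is an assumption about what the switch logs when it applies a VLAN.

```python
import re

# Constructed sample log. Only the first line comes from the post; the other
# MAC addresses, interfaces and session IDs are made up for illustration.
SAMPLE_LOG = """\
%DOT1X-5-SUCCESS: Authentication successful for client (char) on Interface Gi0/5 AuditSessionID
%DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4466) on Interface Gi0/7 AuditSessionID 0A0A0A0A0000001F0012ABCD
%AUTHMGR-5-VLANASSIGN: VLAN 100 assigned to Interface Gi0/7 AuditSessionID 0A0A0A0A0000001F0012ABCD
%DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4477) on Interface Gi0/9 AuditSessionID 0A0A0A0A000000200013BEEF
"""

DOT1X_OK = re.compile(
    r"%DOT1X-5-SUCCESS: Authentication successful for client \((?P<mac>[^)]*)\)"
    r" on Interface (?P<intf>\S+) AuditSessionID\s*(?P<sid>\S*)")
# Assumed layout of the VLAN assignment message (not shown in the thread).
VLAN_SET = re.compile(
    r"%AUTHMGR-5-VLANASSIGN: VLAN (?P<vlan>\d+) assigned to Interface (?P<intf>\S+)"
    r" AuditSessionID (?P<sid>\S+)")

def audit_dot1x(log_text):
    """Return (interface, client, reason) for each suspicious 802.1X success."""
    assigned = {}    # (interface, session id) -> VLAN the switch applied
    successes = []   # DOT1X success events in log order
    for line in log_text.splitlines():
        m = VLAN_SET.search(line)
        if m:
            assigned[(m["intf"], m["sid"])] = m["vlan"]
            continue
        m = DOT1X_OK.search(line)
        if m:
            successes.append(m.groupdict())
    findings = []
    for s in successes:
        if not s["sid"]:
            # Symptom from the thread: success logged without a session ID.
            findings.append((s["intf"], s["mac"], "no AuditSessionID"))
        elif (s["intf"], s["sid"]) not in assigned:
            # Only meaningful when the policy is expected to return a VLAN.
            findings.append((s["intf"], s["mac"], "no VLAN assignment logged"))
    return findings

if __name__ == "__main__":
    for intf, mac, reason in audit_dot1x(SAMPLE_LOG):
        print(f"{intf} client {mac}: {reason}")
```
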

 

 

thomas
Cisco Employee

That does not make sense since Apple does not claim to support LEAP as an authentication protocol with their native supplicant.

LEAP is extremely old and you should not use it unless you have very old devices that require it to be enabled in ISE.

The switch does not care about the EAP protocol - it is only between ISE and the endpoint (macOS).

Look at the ISE LiveLog for the specific authentication and review the Details of the authentication to find out what protocol is really being used.

If the switch is behaving differently than all other switches then

1) is it the same hardware?

2) is it the same software version?

3) is it the same switchport configuration?
