06-23-2021 07:10 AM
ISE 2.7 patch 3
Mac OS supplicant
WS-C3560X-48 IOS v. 12.2(55)SE13
Hello,
The MacOS is configured to system/machine authN using LEAP. It works successfully on other switches but on the switch mentioned above it fails. What fail means is that ISE states the supplicant abandoned the session, and the MacOS shows authentication....
More detail:
From ISE and Switch - ISE shows successful authN and switch shows 1.x successful/AuthZ and receives CoA (debug shows) but the switch never changes to the assigned VLAN.
Windows PCs on the same switch work without issue, although they are using EAP-TLS machine authN.
Any ideas? Is there a known issue with MacOS/LEAP on this code?
Thanks in advance.
06-23-2021 08:19 AM
How about other switches where the same Mac works? Which switches are the ones that were working?
WS-C3560X-48 IOS v. 12.2(55)SE13 - check whether any new IOS is available, or run a full debug to collect the logs.
06-24-2021 11:09 AM
Hi BB and thanks for your response.
WS-C3650-48PD 03.07.05.E cat3k_caa-universalk9 BUNDLE
The debug log shows the nonworking switch is not receiving the "access-accept" RADIUS even though it did receive a
%DOT1X-5-SUCCESS: Authentication successful for client (char) on Interface Gi0/5 AuditSessionID
What's interesting is the successful DOT1X didn't have an Audit Session ID.
When compared against the working switch, the working switch received "access-accept" with the resulting VLAN and the DOT1X had an audit session ID.
I was wondering if the interface config "authentication control-direction in" can be a cause. I saw a bunch of bugs related to it but eventually felt like I was going down the wrong rabbit hole. hahah... FYI...this config is also enabled on the working switch.
Thanks again
06-27-2021 03:24 PM
That does not make sense since Apple does not claim to support LEAP as an authentication protocol with their native supplicant.
LEAP is extremely old and you should not use it unless you have very old devices that require it to be enabled in ISE.
The switch does not care about the EAP protocol - it is only between ISE and the endpoint (macOS).
Look at the ISE LiveLog for the specific authentication and review the
If the switch is behaving differently than all other switches then
1) is it the same hardware?
2) is it the same software version?
3) is it the same switchport configuration?
07-08-2021 07:07 AM
Hello,
I upgraded the switch to the latest suggested IOS and that fixed the issue.
Thanks all for your support.