ISE Authentication failed - Extreme

rvacher
Cisco Employee

Hi all,

I am working on an important POV, but we are facing one issue with Extreme Networks switches, which is the following:

screenshot.png

screenshot.png

This is how the NAD is configured :

screenshot.png

screenshot.png

We tried different devices, the session of those sessions are terminated in the Live Logs.

The endpoint uses NAM and has been tested working fine on other switches with 802.1X.

Attached the config on the switch.

We need to close this POV on Friday and this is an important part of it; your inputs are more than welcome.

Thanks

5 Replies

Timothy Abbott
Cisco Employee

Are you able to see what the RADIUS service-type is?  I'm wondering if it is not matching because of the service-type value sent from the switch to ISE.

Regards,

-Tim

Hi Tim,

The service-type is Login. This is what is configured in the NAD and also what we receive from the RADIUS request (see screenshot)

Remi

The issue is typically in the NAD Profile under the Host Lookup settings. One EXOS reference indicates that PAP is the required protocol. Another item to investigate is Policy > Policy Elements > Results > Authentication > Allowed Protocols and the use of Message Authenticator (at bottom).

Another issue is that current flow matches are not distinct enough to separate 802.1X from MAB flow.  In your screenshot above, the username was anonymous but Calling ID is MAC.  Need to make sure matching MAB flow.

Thanks Craig. This is how the NAD is configured with PAP activated.

2.jpg

I'll try tomorrow to activate Message Authenticator.

For the flow, yes, for MAB it is not matching. Not sure so far how I can distinguish them.

For 802.1X it should match however but still getting this error.

For starters, my mistake since I assumed you were trying MAC auth first but realize you mention NAM and that would explain the username of anonymous as outer identity.

For MAB use case:

  • You must first configure the Extreme switch for MAC auth, which seems to be missing from the config. See:
    https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-Mac-based-Netlogin-with-Radius/?l=en_US&fs=Re…
  • Remove CHAP if not used.
  • Remove the MAB flow condition for matching username to Calling ID. By default, the Wired MAB flow is at the top of the Authentication Policy and should match once you make the above change.
  • If properly matching the correct flow type for MAB and 1X, then good to go, but if hitting the wrong rule, then you may need to disable one or change the rule order until you determine other unique attributes to distinguish MAB vs 1X.

For 1X use case:

Craig
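
To see why a request with User-Name "anonymous" and a MAC in Calling-Station-Id does not look like MAB, the following added example (not from the thread, and not ISE or EXOS code) parses a raw RADIUS Access-Request and reports the attributes discussed above: EAP-Message, User-Name against Calling-Station-Id, Service-Type, PAP/CHAP and Message-Authenticator. Assumptions: the flow heuristic is a simplification, and the MAC address and both packets are constructed samples with zero-filled authenticator fields rather than valid values.

```python
# RADIUS attribute type numbers (RFC 2865, RFC 3579)
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, SERVICE_TYPE = 1, 2, 3, 6
CALLING_STATION_ID, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 31, 79, 80
SERVICE_TYPES = {1: "Login", 2: "Framed", 10: "Call-Check"}

def parse_access_request(packet: bytes) -> dict:
    """Parse a raw Access-Request into {attribute_type: [values]}."""
    length = int.from_bytes(packet[2:4], "big")
    if len(packet) < 20 or packet[0] != 1 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        a_len = packet[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute header or length out of bounds")
        attrs.setdefault(packet[pos], []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def as_mac(value: bytes):
    """Return 12 lowercase hex digits if value is a MAC address, else None."""
    s = value.decode("ascii", "replace").lower().translate(str.maketrans("", "", "-:."))
    return s if len(s) == 12 and all(c in "0123456789abcdef" for c in s) else None

def classify(attrs: dict) -> dict:
    """Simplified flow heuristic (an assumption, not ISE's matching logic)."""
    first = lambda t: attrs.get(t, [b""])[0]
    if EAP_MESSAGE in attrs:
        flow, method = "802.1X", "EAP"
    else:
        mac = as_mac(first(USER_NAME))
        flow = "MAC auth" if mac and mac == as_mac(first(CALLING_STATION_ID)) else "unclassified"
        method = "PAP" if USER_PASSWORD in attrs else "CHAP" if CHAP_PASSWORD in attrs else "none"
    stype = first(SERVICE_TYPE)
    stype = SERVICE_TYPES.get(int.from_bytes(stype, "big"), "other") if len(stype) == 4 else "absent"
    return {"flow": flow, "method": method, "service_type": stype,
            "message_authenticator": MESSAGE_AUTHENTICATOR in attrs}

def build(attrs) -> bytes:  # constructed sample packet with a zeroed authenticator
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return bytes([1, 1]) + (20 + len(body)).to_bytes(2, "big") + bytes(16) + body

MAC = b"00-11-22-33-44-55"  # constructed sample value
NAM_REQ = build([(USER_NAME, b"anonymous"), (CALLING_STATION_ID, MAC), (SERVICE_TYPE, b"\x00\x00\x00\x01"),
                 (EAP_MESSAGE, b"\x02\x01\x00\x0e\x01anonymous"), (MESSAGE_AUTHENTICATOR, bytes(16))])
MAB_REQ = build([(USER_NAME, b"001122334455"), (USER_PASSWORD, bytes(16)),
                 (CALLING_STATION_ID, MAC), (SERVICE_TYPE, b"\x00\x00\x00\x01")])

for name, pkt in (("NAM 802.1X", NAM_REQ), ("MAC auth", MAB_REQ)):
    print(name, classify(parse_access_request(pkt)))
```

Both samples carry Service-Type Login, so that attribute alone cannot separate the two flows here; the EAP-Message attribute and the User-Name value can.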