04-17-2018 06:42 AM
Hi all,
I am working on an important POV but we are facing one issue with Extreme Networks switches, which is the following:
This is how the NAD is configured :
We tried different devices, the session of those sessions are terminated in the Live Logs.
The endpoint uses NAM and has been tested working fine on other switches with 802.1X.
Attached the config on the switch.
We need to close this POV on Friday and this is an important part of it, your inputs are more than welcome
Thanks
04-17-2018 06:59 AM
Are you able to see what the RADIUS service-type is? I'm wondering if it is not matching because of the service-type value sent from the switch to ISE.
Regards,
-Tim
04-17-2018 07:05 AM
Hi Tim,
The service-type is Login. This is what is configured in the NAD and also what we receive from the RADIUS request (see screenshot)
Remi
04-17-2018 08:34 AM
The issue is typically in the NAD Profile under the Host Lookup settings. One EXOS reference indicates that PAP is a required protocol. Another item to investigate is Policy > Policy Elements > Results > Authentication > Allowed Protocols and the use of Message Authenticator (at bottom).
Another issue is that current flow matches are not distinct enough to separate 802.1X from MAB flow. In your screenshot above, the username was anonymous but Calling ID is MAC. Need to make sure matching MAB flow.
04-17-2018 11:39 AM
Thanks Craig. This is how the NAD is configured with PAP activated.
I'll try tomorrow to activate Message Authenticator.
For the flow, yes, for MAB it is not matching. Not sure so far how I can distinguish them.
For 802.1X it should match however but still getting this error.
04-17-2018 12:05 PM
For starters, my mistake since I assumed you were trying MAC auth first but realize you mention NAM and that would explain the username of anonymous as outer identity.
For MAB use case:
For 1X use case:
Craig
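
The thread turns on telling 802.1X and MAB requests apart when the switch sends the same Service-Type (Login) for both. The sketch below is an added example, not part of the original posts and not ISE's or EXOS's own logic. It classifies a RADIUS Access-Request by the presence of EAP-Message and by whether User-Name is the endpoint MAC from Calling-Station-Id. The function names and the sample requests are constructed for illustration.

```python
import re

MAC_RE = re.compile(r"^[0-9a-f]{12}$")

def norm_mac(value):
    """Strip common MAC separators; return 12 lowercase hex digits or None."""
    if not value:
        return None
    digits = re.sub(r"[-:.\s]", "", value).lower()
    return digits if MAC_RE.match(digits) else None

def classify_flow(attrs):
    """Classify an Access-Request given as a dict of attribute name -> value."""
    # 802.1X carries EAP inside RADIUS, so EAP-Message (attribute 79) is present.
    if attrs.get("EAP-Message"):
        return "dot1x"
    user = norm_mac(attrs.get("User-Name"))
    calling = norm_mac(attrs.get("Calling-Station-Id"))
    # MAB: no EAP, and the switch sends the endpoint MAC as the username.
    if user and user == calling:
        return "mab"
    return "unknown"

# Constructed sample requests. Service-Type is Login in all of them, so it
# cannot be the attribute that separates the two flows.
DOT1X_REQ = {
    "Service-Type": "Login",
    "User-Name": "anonymous",                    # outer identity from the supplicant
    "Calling-Station-Id": "00-11-22-33-44-55",
    "EAP-Message": b"\x02\x01\x00\x0e\x01anonymous",  # EAP-Response/Identity
}
MAB_REQ = {
    "Service-Type": "Login",
    "User-Name": "001122334455",                 # MAC sent as username
    "Calling-Station-Id": "00-11-22-33-44-55",
}
AMBIGUOUS_REQ = {
    "Service-Type": "Login",
    "User-Name": "anonymous",
    "Calling-Station-Id": "00-11-22-33-44-55",
}

if __name__ == "__main__":
    for name, req in [("dot1x", DOT1X_REQ), ("mab", MAB_REQ), ("ambiguous", AMBIGUOUS_REQ)]:
        print(name, "->", classify_flow(req))
```
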