ISE MAB Authentication Failed

PutmanoAIT
Level 1

I have installed Cisco ISE 3515 as an AAA dot1x server and I configured MAB and Dot1x to authenticate endpoints. I integrated ISE with my AD. I got an error in which our endpoint cannot MAB authenticate with my Cisco ISE. My endpoint is Windows 10 and uses a statically assigned IP address. Please see the ISE configuration and error screenshot in the attached files. Please see the switch configuration below:

 

aaa server radius dynamic-author
 client 10.24.64.50 server-key SeCrEt
 auth-type any

aaa group server radius ise-group
 server name ise

radius server ise
 address ipv4 10.24.64.50 auth-port 1812 acct-port 1813
 key SeCrEt


ip http server
ip http secure-server


aaa new-model
aaa authentication dot1x default group ise-group
aaa authorization network default group ise-group
aaa authorization network auth-list group ise-group
aaa authorization auth-proxy default group ise-group
aaa accounting update periodic 2440
aaa accounting auth-proxy default start-stop group ise-group
aaa accounting dot1x default start-stop group ise-group
aaa accounting system default start-stop group ise-group


snmp-server community SeCrEt RO
snmp-server trap-source Vlan995
snmp-server source-interface informs Vlan955
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps mac-notification change move threshold
snmp-server host 10.24.64.50 SeCrEt

 

radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria time 5 tries 3
radius-server deadtime 30
radius-server vsa send accounting
radius-server vsa send authentication
ip radius source-interface vlan995

dot1x system-auth-control
dot1x critical eapol
authentication critical recovery delay 1000


interface GigabitEthernet1/0/15
 ip access-group ACL-DEFAULT in
 authentication event fail action next-method
 authentication event server dead action reinitialize
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 authentication violation restrict mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10

ip device tracking probe auto-source override
ip device tracking probe delay 10
ip device tracking

logging trap debugging
logging origin-id ip
logging source-interface Vlan995
logging monitor informational
logging host 10.24.64.50 transport udp port 20514

mac address-table notification change
mac address-table notification mac-move


ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
 permit udp any any eq tftp
 permit ip any host 10.24.64.31
 permit ip any host 10.24.64.33
 permit ip any host 10.20.64.50
 deny ip any any

ip access-list extended GUEST-REDIRECT
 deny udp any any eq domain
 deny icmp any any
 deny udp any eq bootpc any eq bootps
 deny tcp any any eq 8443
 deny tcp any any eq 8905
 deny ip any any

 

1 Reply

Hi,

From your configuration output it doesn't look like mab is configured under the interface. Try this:

 

interface GigabitEthernet1/0/15

 mab

 

If that doesn't work, please provide output from the switch:

show authentication session interface Gig 1/0/15 detail

 

HTH
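
A configuration check for the gap the reply points out, as an added example that is not part of the original thread: it flags interfaces whose `authentication order` or `authentication priority` names a method that the stanza never enables (`mab`, or `dot1x pae authenticator` for dot1x). The function names and the sample configuration are constructed for illustration; the first sample stanza mirrors the posted port.

```python
import re

# Constructed sample: the first stanza mirrors the posted port (MAB named in the
# method order, no "mab" command); the second has the reply's fix applied.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/15
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/16
 authentication order dot1x mab
 mab
 dot1x pae authenticator
!
"""

# Method keyword -> interface command that actually enables that method.
ENABLING_COMMAND = {"mab": re.compile(r"mab(\s+eap)?"),
                    "dot1x": re.compile(r"dot1x pae authenticator")}

def interface_stanzas(config_text):
    """Map interface name -> sub-commands. A stanza ends at "!", a blank line or
    the next "interface" line, so flattened forum pastes parse as well."""
    stanzas, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1], [])
        elif line in ("", "!"):
            current = None
        elif current is not None:
            current.append(line)
    return stanzas

def missing_method_commands(config_text):
    """Return {interface: [methods named in order/priority but never enabled]}."""
    findings = {}
    for name, lines in interface_stanzas(config_text).items():
        listed = set()
        for line in lines:
            m = re.match(r"authentication (?:order|priority)\s+(.+)", line)
            if m:
                listed.update(m.group(1).split())
        missing = sorted(x for x in listed if x in ENABLING_COMMAND
                         and not any(ENABLING_COMMAND[x].fullmatch(l) for l in lines))
        if missing:
            findings[name] = missing
    return findings
```

Calling `missing_method_commands()` on the text of a saved running-config returns an empty dict when every listed method is enabled on its port.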