03-30-2018 09:15 AM - edited 02-21-2020 10:52 AM
I have installed a Cisco ISE 3515 as an AAA dot1x server and configured MAB and Dot1x authentication for the endpoint. I integrated ISE with my AD. I got an error: our endpoint cannot authenticate via MAB with my Cisco ISE. My endpoint runs Windows 10 and uses a statically assigned IP address. Please see the ISE configuration and error screenshot in the attached files. Please see the switch configuration below:
aaa server radius dynamic-author
 client 10.24.64.50 server-key SeCrEt
 auth-type any
aaa group server radius ise-group
 server name ise
radius server ise
 address ipv4 10.24.64.50 auth-port 1812 acct-port 1813
 key SeCrEt
ip http server
ip http secure-server
aaa new-model
aaa authentication dot1x default group ise-group
aaa authorization network default group ise-group
aaa authorization network auth-list group ise-group
aaa authorization auth-proxy default group ise-group
aaa accounting update periodic 2440
aaa accounting auth-proxy default start-stop group ise-group
aaa accounting dot1x default start-stop group ise-group
aaa accounting system default start-stop group ise-group
snmp-server community SeCrEt RO
snmp-server trap-source Vlan995
snmp-server source-interface informs Vlan955
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps mac-notification change move threshold
snmp-server host 10.24.64.50 SeCrEt
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria time 5 tries 3
radius-server deadtime 30
radius-server vsa send accounting
radius-server vsa send authentication
ip radius source-interface vlan995
dot1x system-auth-control
dot1x critical eapol
authentication critical recovery delay 1000
interface GigabitEthernet1/0/15
 ip access-group ACL-DEFAULT in
 authentication event fail action next-method
 authentication event server dead action reinitialize
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 authentication violation restrict mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
ip device tracking probe auto-source override
ip device tracking probe delay 10
ip device tracking
logging trap debugging
logging origin-id ip
logging source-interface Vlan995
logging monitor informational
logging host 10.24.64.50 transport udp port 20514
mac address-table notification change
mac address-table notification mac-move
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
 permit udp any any eq tftp
 permit ip any host 10.24.64.31
 permit ip any host 10.24.64.33
 permit ip any host 10.20.64.50
 deny ip any any
ip access-list extended GUEST-REDIRECT
 deny udp any any eq domain
 deny icmp any any
 deny udp any eq bootpc any eq bootps
 deny tcp any any eq 8443
 deny tcp any any eq 8905
 deny ip any any
03-30-2018 09:55 AM
Hi,
From your configuration output it doesn't look like mab is configured under the interface. Try this:
interface GigabitEthernet1/0/15
 mab
If that doesn't work, please provide output from the switch:
show authentication session interface Gig 1/0/15 detail
HTH
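
An added example, not part of the thread and not Cisco tooling: a small Python check for the condition the reply points out, an interface whose "authentication order" names a method that is never enabled on that port. It goes slightly beyond the reply by applying the same test to dot1x; the sample config is constructed from the post, and GigabitEthernet1/0/16 is a hypothetical second port.

```python
import re

# Constructed sample: excerpt of the interface config from the post, plus a
# hypothetical second port (Gi1/0/16) that does have MAB enabled.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/15
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 dot1x pae authenticator
interface GigabitEthernet1/0/16
 authentication order dot1x mab
 mab
 dot1x pae authenticator
ip device tracking
"""

def interface_blocks(config):
    """Yield (interface_name, [sub-commands]) for each interface stanza."""
    name, cmds = None, []
    for line in config.splitlines():
        if line.startswith("interface "):
            if name:
                yield name, cmds
            name, cmds = line.split(None, 1)[1], []
        elif name and line[:1].isspace():
            cmds.append(line.strip())
        elif name:  # an unindented line ends the stanza
            yield name, cmds
            name, cmds = None, []
    if name:
        yield name, cmds

# Each method named in "authentication order" needs its own enabling command.
ENABLERS = {"mab": re.compile(r"^mab( eap)?$"),
            "dot1x": re.compile(r"^dot1x pae authenticator$")}

def missing_methods(config):
    """Return {interface: [methods ordered but never enabled]}."""
    findings = {}
    for name, cmds in interface_blocks(config):
        ordered = [m for c in cmds if c.startswith("authentication order ")
                   for m in c.split()[2:]]
        missing = [m for m in ordered if m in ENABLERS
                   and not any(ENABLERS[m].match(c) for c in cmds)]
        if missing:
            findings[name] = missing
    return findings
```

The parser relies on the leading-space indentation that show running-config produces, so feed it the raw output rather than a flattened paste.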