ISE MAB is not Triggered for Linux Host

canero
Level 1

Hello,

We have configured MAB for hosts that do not support 802.1X, and in general it is working for most of the devices. For some Linux machines, however, MAB is never triggered, i.e. the "debug mab all" and "debug radius" commands do not produce any output for the port. The "show authentication session interface" command shows 802.1X failing over to MAB, and after that the MAB process starts to run but stays in the running state without finishing.

If we put another MAB host such as Windows 7 or XP or a printer on the port, it works properly, passing the MAB authentication and getting the assigned VLAN. If we set the port to a normal "switchport mode access" and "switchport access vlan x", the device shows up in the MAC address table of the switch and starts to work.

As additional steps we have configured "authentication mode open" and "dot1x control-direction in" in order to trigger or start the MAB process by allowing packets out, but in the "show interface" command output the input packet counter remains 0, although the output packet counter seems to increase continuously to 1000 and above.

  • The IP addresses are static, and this is a requirement, so DHCP might trigger MAB but it is not an option currently.
  • IP device tracking is enabled, but again this did not change anything.

Any recommendations or workarounds for this problem? Although it seems to be an endpoint issue, since it never produces a single packet, there may be some solutions to trigger MAB or to make the switch learn the MAC address of the Linux host, e.g. a keepalive. We are also looking at the host side.

The port configuration is:

switchport access vlan 98
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 97
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!


Thanks in Advance,

Best Regards,



3 Replies

Ravi Singh
Level 7

Hello Canero,

I would recommend you to collect the TCP dumps and share with us so that we can check what’s going on and also share which switch you are using.

Hi Ravi,

Since the Linux is some kind of embedded Linux, we could not get a tcpdump on the PC itself, but we tried to see what is going on with a SPAN of this port. What is interesting is that the machine does not produce even a single Ethernet or IP packet and remains completely silent. (We thought DHCP would be a solution, but the configuration file only allows statically assigning the IP address.)

What we think is that somehow the machine starts to send packets after receiving a packet such as Wake on LAN or ARP. As you see in the port configuration, the machine starts in VLAN 98, so in this VLAN it is not possible to get this packet from any other host on the same IP subnet, since the IP of the host is in VLAN 6. But in order for ISE to assign this VLAN 6 to the port with MAB, the MAC address of the host needs to be authenticated, which is not occurring because of the silence problem.

As a workaround to a similar problem, we changed "switchport access vlan 98" to "switchport access vlan 6", and with this configuration the MAC address is learned, the host is authenticated by ISE and the port is assigned to VLAN 6 dynamically, which is observed in the "show authentication session interface" command output. This is also not acceptable, because the access port configuration is required to be as standard as possible due to frequent changes of the cabling. So every MAB host should start in a pre-authentication VLAN and go to the final VLAN after authentication and authorization with posture checking or profiling.

As a second workaround, these kinds of machines are being worked on to support dot1x, but this is a tedious process because you often need to escalate to the manufacturer, and enhancement requests often take a long time to be confirmed or denied.

Since we also encounter this problem with some printers, we think this is a problem of the TCP/IP stack of the host's operating system. We are searching for some mechanism to make the host start the conversation with a packet, through a keepalive or some other protocol (or a script) that can be enabled.

Best Regards,

Have you thought about using EEM scripting for this scenario? You can try setting a timer so that when dot1x fails over to MAB and MAB has run for, let's say, 30 seconds, the EEM script removes the 802.1X configuration on the port. Once traffic is initiated, the MAB configuration can be applied on the port again. It is a bit tedious, but if configured right it could be the solution you are looking for.

Thanks,

Tarik Admani
*Please rate helpful posts*