ISE MAB issue

amrelquasaby
Level 1

Hello,

I am working on a site now and I faced a problem with MAC authentication bypass.

I work on ISE SNS-3415-K9, version 2.0.0.306, in Active/Standby deployment mode.

The ISE does the profiling through SNMP messages and DHCP.

In most of the switches the MAB works properly,

but unfortunately I faced an issue in some switches.

>> The ISE can't discover the MAC of some endpoints, then the MAB fails; even when I enter the MAC address of the endpoint manually, the MAB fails.

Kindly check the following configuration on the switch:

ip http server
ip http secure-server

ip device tracking

epm logging
logging origin-id ip

dot1x system-auth-control


aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting update periodic 5
!
aaa accounting update periodic 5
aaa accounting system default start-stop group radius
!
aaa server radius dynamic-author
client 10.255.255.13 server-key P@ssw0rd
client 10.255.255.14 server-key P@ssw0rd


radius-server attribute 6 on-for-login-auth
no radius-server attribute 8 include-in-access-req
no radius-server attribute 25 access-request include
no radius-server dead-criteria time 120 tries 10

no radius-server key 0 P@ssw0rd
no radius-server host 10.255.255.13 auth-port 1812 acct-port 1813
no radius-server host 10.255.255.14 auth-port 1812 acct-port 1813
no radius-server host 10.255.255.13 test username ise_probe idle-time 30
no radius-server host 10.255.255.14 test username ise_probe idle-time 30

no radius-server vsa send accounting
no radius-server vsa send authentication

no ip radius source-interface vlan300

no dot1x system-auth-control

no logging host 10.255.255.13 transport udp port 20514
logging host 10.255.255.14 transport udp port 20514

snmp-server host 10.255.255.14 version 2c P@ssw0rd
snmp-server host 10.255.255.13 version 2c P@ssw0rd



interface GigabitEthernet0/2

switchport
switchport mode access
authentication host-mode multi-host
authentication order mab
authentication priority mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
end

>> Also, when I open the RADIUS log file, a failed authentication message appears even when I insert the MAC manually.

Please note the ise_probe in the username field.

Kindly check the attached screenshots.


pieterh
VIP

Where do all those "no" statements come from?

no radius-server attribute 8 include-in-access-req
no radius-server attribute 25 access-request include
no radius-server dead-criteria time 120 tries 10

no radius-server key 0 P@ssw0rd
no radius-server host 10.255.255.13 auth-port 1812 acct-port 1813
no radius-server host 10.255.255.14 auth-port 1812 acct-port 1813
no radius-server host 10.255.255.13 test username ise_probe idle-time 30
no radius-server host 10.255.255.14 test username ise_probe idle-time 30

no radius-server vsa send accounting
no radius-server vsa send authentication

no ip radius source-interface vlan300

no dot1x system-auth-control

@pieterh

The "no" before the commands was put there by accident.

Ok, that's clear.

Back to the real issue.

Your MAC address is not recognized as a MAC address;

that's why the MAB rule is not activated, but the default rule,

and the default rule checks all user identity stores, not the Internal Endpoints.

I'm missing some lines in the switch config:

     radius-server attribute 31 mac format ietf

This transforms the xxxx.xxxx.xxxx MAC address to the xx-xx-xx-xx-xx-xx format in the RADIUS packet sent from the switch to ISE.

Maybe this helps:

radius-server attribute 31 mac format

To configure a nondefault MAC address format in the calling line ID (CLID) of a DHCP accounting packet, use the radius-server attribute 31 mac format command in global configuration mode. To revert to the default MAC address format, use the no form of this command.

radius-server attribute 31 mac format { default | ietf [ lower-case | upper-case ] | unformatted }

no radius-server attribute 31 mac format { default | ietf [ lower-case | upper-case ] | unformatted }

Syntax Description

default: Sets the MAC address format to the default format (for example, aaaa.bbbb.cccc).

ietf: Sets the IETF format for MAC addresses (for example, aa-aa-bb-bb-cc-cc).
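The format mismatch described in the reply above, as an added example that is not part of pieterh's post and not Cisco or ISE code: a small Python script that normalizes the Calling-Station-Id spellings a switch can send under each `radius-server attribute 31 mac format` setting (aaaa.bbbb.cccc, aa-aa-bb-bb-cc-cc, aa:aa:bb:bb:cc:cc, aaaabbbbcccc), then walks constructed Access-Request summaries through the decision flow the reply describes: an IETF-formatted MAC goes to the MAB branch and is looked up in Internal Endpoints, any other spelling falls through to the default rule, where a MAC never exists, and is rejected. It also sets aside requests for the `ise_probe` user from the switch config on this page, since those come from the switch's RADIUS server liveness test and their failures are expected, not an endpoint problem. The log line shape, the endpoint store contents and the assumption that the MAB branch keys on the IETF form are constructed for illustration and are not ISE's actual matching logic.

```python
import re

# All sample data below is constructed for this example (not from the
# thread's screenshots). PROBE_USERNAME comes from the switch config on
# this page: 'radius-server host ... test username ise_probe idle-time 30'.
PROBE_USERNAME = "ise_probe"

# Endpoints "entered manually" into ISE, keyed in lowercase IETF form (assumption).
ENDPOINT_STORE = {"00-1b-54-aa-bb-cc", "f4-ce-46-11-22-33"}

# The IETF spelling the reply says ISE expects in Calling-Station-Id.
IETF_MAC = re.compile(r"^[0-9a-f]{2}(?:-[0-9a-f]{2}){5}$", re.IGNORECASE)

# Constructed Access-Request summaries, one per line, as a RADIUS log might show them.
SAMPLE_REQUESTS = [
    # switch liveness test: the user does not exist in ISE, so a reject is normal
    "User-Name=ise_probe",
    # Cisco default attribute 31 format (aaaa.bbbb.cccc)
    "User-Name=001b.54aa.bbcc, Calling-Station-Id=001b.54aa.bbcc, Service-Type=Call-Check, NAS-Port-Type=Ethernet",
    # after 'radius-server attribute 31 mac format ietf upper-case'
    "User-Name=00-1B-54-AA-BB-CC, Calling-Station-Id=00-1B-54-AA-BB-CC, Service-Type=Call-Check, NAS-Port-Type=Ethernet",
    # IETF format, but this endpoint was never added to Internal Endpoints
    "User-Name=f4-ce-46-99-99-99, Calling-Station-Id=f4-ce-46-99-99-99, Service-Type=Call-Check, NAS-Port-Type=Ethernet",
]


def normalize_mac(value):
    """Map any MAC spelling a Cisco switch can put in attribute 31 to
    lowercase IETF 'aa-aa-bb-bb-cc-cc'. Returns None for non-MAC values."""
    digits = re.sub(r"[.:\-]", "", value.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    digits = digits.lower()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_request(line):
    """Parse 'Attr=value, Attr=value' into a dict (constructed log shape)."""
    attrs = {}
    for field in line.split(","):
        name, _, value = field.partition("=")
        attrs[name.strip()] = value.strip()
    return attrs


def evaluate(line):
    """Decision flow as the reply above describes it (illustrative, not ISE's code):
    probe user         -> expected failure, ignore in MAB triage
    Call-Check + IETF  -> MAB branch, look the MAC up in Internal Endpoints
    Call-Check + other -> not seen as a MAC, default rule (user ID stores) rejects it"""
    attrs = parse_request(line)
    user = attrs.get("User-Name", "")
    csid = attrs.get("Calling-Station-Id", "")
    if user == PROBE_USERNAME:
        return "ignore: server test probe, failure is expected"
    if attrs.get("Service-Type") != "Call-Check" or attrs.get("NAS-Port-Type") != "Ethernet":
        return "other: not a wired MAB request"
    mac = normalize_mac(csid)
    if not IETF_MAC.match(csid):
        hint = (f"fix: 'radius-server attribute 31 mac format ietf' (switch would send {mac})"
                if mac else "value is not a MAC at all")
        return f"reject: default rule hit (MAC format '{csid}' not recognized); {hint}"
    if mac in ENDPOINT_STORE:
        return f"accept: MAB, endpoint {mac} found"
    return f"reject: MAB, endpoint {mac} not in Internal Endpoints"


if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(f"{request}\n    -> {evaluate(request)}")
```

Run as-is to see the four verdicts; the second line is the case from this thread, where the endpoint exists in ISE but the dotted Cisco format keeps the request out of the MAB branch. When triaging the RADIUS live log, drop the `ise_probe` failures first, then compare the Calling-Station-Id spelling against what the endpoint store holds.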

Ahmed
Level 1

Hello Amr,

It seems the identity source sequence that ISE matches on does NOT include Internal Endpoints; please double-check that the identity source sequence you use for authenticating users includes Internal Endpoints.

Ahmed,

Kindly be informed that the authentication policy checks Internal Endpoints only, although the log file shows a check against All_User_ID_Stores, which is not in the policy.