05-01-2018 12:42 PM - edited 02-21-2020 10:54 AM
Hi,
I have a PoC at one of my clients; the devices below are used:
ISE 2.3v
Catalyst 3750-G (IOS 12.2(55)SE10) and IOS 12.2(55)SE5 --- tried both versions but still having the same issue as mentioned below.
I was having an issue in the lab setup of my ISE (PoC). I can see from the attached debug output that my switch is able to get the authorization policy, but it is not able to enforce the policy or the redirection at the interface level. It shows "Critical Authorization is in effect for domain(s) DATA" and the host has full access to the network. It is happening only on MAB for a PC (guest PC).
Please note that it was able to get a proper profile for phone, printer & APs. I don't even have an issue with dot1x as it was also working fine.
I just have an issue with a guest PC connecting to wired port.
Please refer to the switch config and debug output for reference.
Can anyone help me, or has anyone had the same issue and got it fixed?
Thanks,
Ok, I've re-read your original email, you state all other devices are working ok - pc, phones, printers and AP. Correct?
The interface configuration for Gi1/0/11 does not have "no authentication open" configured, therefore it must be in closed mode. The output from Gi1/0/11 shows dot1x and mab failed, therefore all authentications failed, so there is no access on that port (because it's in closed mode). So I'd say what you are seeing is the expected result.
If you want some kind of guest access, you'll have to configure an authorisation rule on the RADIUS server (I assume ISE?) and permit access using mab, perhaps using CWA, or return a DACL limiting access.
05-01-2018 03:39 PM - edited 05-02-2018 01:12 AM
EDIT: duplicate post
05-02-2018 01:30 AM
Actually I'd expect an "Access-Reject" sent from RADIUS when you fail dot1x and mab; I can't see that in the output you attached, and I would not have expected to see the Critical Auth VLAN.
To answer your question, "authentication event server dead action" is used when the AAA server is "dead" and not responding, to authorise existing/new sessions into the VLAN configured.
Have a look at this page (although it is for the 3750 on v15.x); it has instructions for the Guest VLAN, although it might just be simpler to authorise the guest on the RADIUS server.
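As an added illustration of the points made in this thread (this is not the original poster's attached configuration, and the interface, VLAN ids and timers are assumed), here is a closed-mode port configuration in the IOS 12.2(55)SE style, showing the server-dead critical VLAN fallback that explains the "Critical Authorization" message, the guest VLAN alternative, and the commands used to check what the switch actually applied:

```cisco
! Added example, not the poster's config. VLAN ids, interface and timers are assumed.
! Closed mode: there is no "authentication open", so a host that fails both dot1x
! and MAB gets no access unless one of the "authentication event" fallbacks fires.
interface GigabitEthernet1/0/11
 switchport mode access
 switchport access vlan 10
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication host-mode multi-auth
 ! dot1x failure falls through to MAB before the port is left unauthorised
 authentication event fail action next-method
 ! Critical auth: applies only when every RADIUS server is marked dead.
 ! This is what produces "Critical Authorization is in effect for domain(s) DATA".
 authentication event server dead action authorize vlan 99
 authentication event server alive action reinitialize
 ! Guest VLAN alternative: a host with no supplicant (and failed MAB) is placed
 ! in VLAN 20 rather than being left without access.
 authentication event no-response action authorize vlan 20
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! Verification: what the switch applied to the session, and whether it currently
! considers the RADIUS server dead (state UP/DEAD per server).
! show authentication sessions interface GigabitEthernet1/0/11
! show aaa servers
```

If "show aaa servers" reports the server as UP while the session still shows critical authorisation, the session was authorised while the server was dead and has not been reinitialised since.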