12-08-2022 06:40 AM
Hello
I have encountered an issue what i believe could be a Switch (2960x) or Cisco ISE problem/bug regarding radius authentication with mac-addresses. We have not put ISE into production for this particular purpose yet so it's still in the lab.
We use active directory as external identity provider in Cisco ISE and we have plenty of mac-based user accounts for printers and phones etc. in the AD. They are stored with the so-called unformatted mac-address format, no hyphens or dots etc. as delimiters.
I have configured our switch with radius-server attribute 31 mac format unformatted to get the Called-station-ID mac-adress unformatted. But when i try to authenticate a printer or whatever i get an ISE error stating that the user or device is not found. And i can see clearly why it doesn't work and that is because ISE queries the AD with the wrong username since it's formatted with hyphens instead of unformatted as i have stated in the attribute 31. It seems that the format is not working.
I now wonder if anyone knows if there might be some bug or similar with the 2960X series switches (15.2.7.E7) not sending the radius-server attribute 31 at all?
Or could it be like Cisco ISE (3.1 P4) does not care about radius-server attribute 31 for some reason?
I've searched a lot about this issue and tested different settings but not found any solution. I know the description about the issue could be more explaining but please let me know if you need more information.
Br Tobias
Solved! Go to Solution.
12-10-2022 03:49 PM
If using the LDAP identity source, the directory organization tab has an option to specify the search MAC address format.
If using AD and if ISE 2.7 Patch 4+, 3.0 Patch 3+, or 3.1+, then you may add a rewrite rule for a1-a2-a3-a4-a5-a6 to a1a2a3a4a5a6, due to the bug fix of CSCvx44815.
12-08-2022 04:30 PM
Hi @Tobama
The first thing I would test is a manual authentication lookup in ISE. In other words, you can do a dry-run of what the switch should be doing when it sends the Access-Request,
Go to Administration > Identity Management > External Identities
Under the Active Directory section, select you AD Join Point. Put a tick in any of the joined ISE nodes in the list. Then click Test User.
Enter the MAC address in the format you have stored them in AD. I assume the password is the MAC address? If not, then you can still perform a lookup without password, by selecting the Authentication Type of "Lookup" instead of MS-RPC.
That will test whether ISE can locate those MAC addresses in AD.
ISE will take whatever value is contained in the RADIUS User-Name attribute - and it has to be formatted correctly.
Attribute 31 relates to Calling-Station-ID (attribute 31) and not to the User-Name (attribute 1) - when I tested in IOS-XE 17.6.3 I saw that no matter what I set on the switch, the User-Name was always sent as lowercase, and without any delimiters. But in the ISE Live Logs it shows the username with hyphens.
I can't say that this makes any sense to me - I always relied on the command "radius-server attribute 31 mac format ...." to do its job - but now that I look at it more closely, it seems broken. I've never noticed this because I always use the same recipe:
radius-server attribute 31 send nas-port-detail mac-only
radius-server attribute 31 mac format ietf upper-case
When I change the format to anything else, the switch doesn't do anything different.
12-09-2022 03:16 AM
Hi @Arne Bier
I have tested my mac account that is unformatted (ex. 000203d1d2c3 no delimiters and lower case) and with the correct password in the Test user section. It works like expected.
But when i try with the Phone that uses this account in MAB authentication i can see the following in the log files of the ISE and it does not work
11028 Detected Host Lookup UseCase (UserName = Calling-Station-ID)
...
24352 Identity resolution failed - ERROR_NO_SUCH_USER
So ISE uses the Calling-Station-ID as username and queries the Active Directory and it does not work since Calling-Station-ID is formatted with hyphens like 00-02-03-D1-B2-C3
If i change the username in AD to 00-02-03-D1-B2-C3 it works but there have to be some setting in ISE to turn this off or to get attribute 31 to work on the switch.
I have looked into attribute 1 also but it makes no difference either.
I'll continue to scratch my head some more...
12-09-2022 03:19 AM
""Because MAB uses the MAC address as a username and password, make sure that the RADIUS server can differentiate MAB requests from other types of requests for network access. This precaution prevents other clients from attempting to use a MAC address as a valid credential. Cisco switches uniquely identify MAB requests by setting Attribute 6 (Service-Type) to 10 (Call-Check) in a MAB Access-Request message. Therefore, you can use Attribute 6 to filter MAB requests at the RADIUS server.
Optionally, Cisco switches can be configured to perform MAB as EAP-MD5 authentication, in which case the Service-Type attribute is set to 1 (Framed). However, because the MAC address is sent in the clear in Attribute 31 (Calling-Station-Id), MAB EAP does not offer any additional security by encrypting the MAC address in the password. In addition, because the service type for MAB EAP is the same as an IEEE 802.1X request, the RADIUS server is not able to easily differentiate MAB EAP requests from IEEE 802.1X requests.""
12-10-2022 03:49 PM
If using the LDAP identity source, the directory organization tab has an option to specify the search MAC address format.
If using AD and if ISE 2.7 Patch 4+, 3.0 Patch 3+, or 3.1+, then you may add a rewrite rule for a1-a2-a3-a4-a5-a6 to a1a2a3a4a5a6, due to the bug fix of CSCvx44815.
12-11-2022 11:39 PM
Thanks I'll try that.
It looks like it's possible to apply to regular AD external connector as well. As soon as i have progress i post a reply.
12-12-2022 03:43 AM
@hslai your answer was exactly what i was looking for and with the help from CSCvx44815
I could solve the formatting of the variables. But I'll post my solution here as well.
This is what i did enter advanced settings for the Active Directory profile, checked "Apply the Rewrite Rules Below to modify username" added a new row and the following in the fields
If identity matches [x1]-[x2]-[x3]-[x4]-[x5]-[x6] rewrite as [x1][x2][x3][x4][x5][x6]
Deleted all the other rows with rules that was not needed and hit save
Done!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide