MAB and dhcp timing out

We are implementing ISE with MAB for printers and, although we are successfully authenticating and passing the correct Vlan for printers, we are not able to get a DHCP address. I suspect we are timing out while doing authentication, before we are able to get a DHCP address. Has anyone done this successfully? I would appreciate configuration help if you are doing this successfully. We have Cisco 4500s running version 15 XE IOS, and ISE version 1.1.


Tarik Admani
VIP Alumni

Can you please post your port configuration?

thanks,

Tarik Admani
*Please rate helpful posts*

Sure:

interface GigabitEthernet2/1
 description host port with IP phone
 switchport access vlan 116
 switchport mode access
 switchport voice vlan 103
 authentication event fail action next-method
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer restart 30
 authentication timer reauthenticate 1200
 authentication timer inactivity 600
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 5
 qos trust device cisco-phone
 spanning-tree portfast
 spanning-tree guard root

Richard,

You have two options:

  1. Please change the command
         "authentication priority dot1x mab"
     to
         "authentication priority mab dot1x"

  2. You can speed up the dot1x timeout values:
         "dot1x timeout tx-period nn" (seconds; default is 30)
         "dot1x max-reauth-req" (by default the switch sends reauth 2 times to the client before moving on)

In your scenario it takes around 60 seconds before the MAB process starts.

Hope this helps,

Here is the link to the command reference guide: http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/15.02SG/command/reference/ch2a_ins.html

Tarik Admani
*Please rate helpful posts*

Thanks for the reply. I actually already tried that, but I am still not getting an IP address from the DHCP server.

Here is a sample of output from the Cisco switch:

sho auth sess int gi2/1
            Interface:  GigabitEthernet2/1
          MAC Address:  009c.0207.4929
           IP Address:  Unknown
            User-Name:  00-9C-02-07-49-29
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  3600s (local), Remaining: 3581s
       Timeout action:  Reauthenticate
         Idle timeout:  N/A
    Common Session ID:  0AA8FF4E00007BD93D354324
      Acct Session ID:  0x00007BF8
               Handle:  0x60000D82

Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run

Richard,

Can you post the output of the debug radius authentication? Also, are you using dynamic vlan assignment, or is the client being placed on vlan 116 after authentication?

Thanks,

Tarik Admani
*Please rate helpful posts*

The client is being placed on vlan 113, our printer vlan... (but no IP address).

Here is the debug output:

Jul 23 17:11:06: %AUTHMGR-5-START: Starting 'mab' for client (009c.0207.4929) on Interface Gi2/1 AuditSessionID 0AA8FF4E00007BDA3D4F4998
Jul 23 17:11:06.052: RADIUS/ENCODE(00007C05):Orig. component type = Dot1X
Jul 23 17:11:06.052: RADIUS(00007C05): Config NAS IP: 10.169.254.54
Jul 23 17:11:06.052: RADIUS(00007C05): Config NAS IPv6: ::
Jul 23 17:11:06.052: RADIUS/ENCODE(00007C05): acct_session_id: 31738
Jul 23 17:11:06.052: RADIUS(00007C05): sending
Jul 23 17:11:06.052: RADIUS(00007C05): Sending a IPv4 Radius Packet
Jul 23 17:11:06.052: RADIUS(00007C05): Send Access-Request to 10.168.248.40:1812 id 1645/223, len 240
Jul 23 17:11:06.052: RADIUS:  authenticator 99 FD 14 89 E7 62 CB 85 - 2C 64 39 5B 17 71 0C A1
Jul 23 17:11:06.052: RADIUS:  User-Name           [1]   14  "009c02074929"
Jul 23 17:11:06.052: RADIUS:  User-Password       [2]   18  *
Jul 23 17:11:06.052: RADIUS:  Service-Type        [6]   6   Call Check                [10]
Jul 23 17:11:06.052: RADIUS:  Vendor, Cisco       [26]  31
Jul 23 17:11:06.052: RADIUS:   Cisco AVpair       [1]   25  "service-type=Call Check"
Jul 23 17:11:06.052: RADIUS:  Framed-MTU          [12]  6   1500
Jul 23 17:11:06.052: RADIUS:  Called-Station-Id   [30]  19  "28-94-0F-F2-04-F0"
Jul 23 17:11:06.052: RADIUS:  Calling-Station-Id  [31]  19  "00-9C-02-07-49-29"
Jul 23 17:11:06.052: RADIUS:  Message-Authenticato[80]  18
Jul 23 17:11:06.052: RADIUS:   5A A0 F4 49 F7 99 E5 20 BD 96 2C 44 7B 71 B6 82           [ ZI ,D{q]
Jul 23 17:11:06.052: RADIUS:  EAP-Key-Name        [102] 2   *
Jul 23 17:11:06.052: RADIUS:  Vendor, Cisco       [26]  49
Jul 23 17:11:06.052: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0AA8FF4E00007BDA3D4F4998"
Jul 23 17:11:06.052: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
Jul 23 17:11:06.053: RADIUS:  NAS-Port            [5]   6   50201
Jul 23 17:11:06.053: RADIUS:  NAS-Port-Id         [87]  20  "GigabitEthernet2/1"
Jul 23 17:11:06.053: RADIUS:  NAS-IP-Address      [4]   6   10.169.254.54
Jul 23 17:11:06.053: RADIUS(00007C05): Started 5 sec timeout
Jul 23 17:11:06.061: RADIUS: Received from id 1645/223 10.168.248.40:1812, Access-Accept, len 293
Jul 23 17:11:06.061: RADIUS:  authenticator 5C A5 47 34 96 B7 E2 64 - D2 D8 CE C4 7A 69 53 E4
Jul 23 17:11:06.061: RADIUS:  User-Name           [1]   19  "00-9C-02-07-49-29"
Jul 23 17:11:06.061: RADIUS:  State               [24]  40
Jul 23 17:11:06.061: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 41  [ReauthSession:0A]
Jul 23 17:11:06.061: RADIUS:   41 38 46 46 34 45 30 30 30 30 37 42 44 41 33 44  [A8FF4E00007BDA3D]
Jul 23 17:11:06.061: RADIUS:   34 46 34 39 39 38            [ 4F4998]
Jul 23 17:11:06.061: RADIUS:  Class               [25]  56
Jul 23 17:11:06.061: RADIUS:   43 41 43 53 3A 30 41 41 38 46 46 34 45 30 30 30  [CACS:0AA8FF4E000]
Jul 23 17:11:06.061: RADIUS:   30 37 42 44 41 33 44 34 46 34 39 39 38 3A 67 77  [07BDA3D4F4998:gw]
Jul 23 17:11:06.061: RADIUS:   64 69 73 65 31 2F 31 33 30 38 37 31 34 38 33 2F  [dise1/130871483/]
Jul 23 17:11:06.061: RADIUS:   32 37 31 36 35 31            [ 271651]
Jul 23 17:11:06.061: RADIUS:  Termination-Action  [29]  6   1
Jul 23 17:11:06.061: RADIUS:  Tunnel-Type         [64]  6   01:VLAN                   [13]
Jul 23 17:11:06.061: RADIUS:  Tunnel-Medium-Type  [65]  6   01:ALL_802                [6]
Jul 23 17:11:06.061: RADIUS:  Message-Authenticato[80]  18
Jul 23 17:11:06.061: RADIUS:   35 48 50 0C 1C 8C 16 02 32 7C FD 99 03 2B 73 DA           [ 5HP2|+s]
Jul 23 17:11:06.061: RADIUS:  Tunnel-Private-Group[81]  6   01:"113"
Jul 23 17:11:06.061: RADIUS:  Vendor, Cisco       [26]  75
Jul 23 17:11:06.061: RADIUS:   Cisco AVpair       [1]   69  "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-4f57e406"
Jul 23 17:11:06.061: RADIUS:  Vendor, Cisco       [26]  41
Jul 23 17:11:06.061: RADIUS:   Cisco AVpair       [1]   35  "profile-name=HP-JetDirect-Printer"
Jul 23 17:11:06.061: RADIUS(00007C05): Received from id 1645/223
Jul 23 17:11:06.061: RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNORE
Jul 23 17:11:06: %MAB-5-SUCCESS: Authentication successful for client (009c.0207.4929) on Interface Gi2/1 AuditSessionID 0AA8FF4E00007BDA3D4F4998
Jul 23 17:11:06: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (009c.0207.4929) on Interface Gi2/1 AuditSessionID 0AA8FF4E00007BDA3D4F4998
Jul 23 17:11:06: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (009c.0207.4929) on Interface Gi2/1 AuditSessionID 0AA8FF4E00007BDA3D4F4998

Richard,

Can you please issue the show mac add int gig 2/1? If you place this port in vlan 113 and remove the "authentication port-control auto" (this disables dot1x), does the client get the correct IP address? If not, does the SVI for vlan 113 have the ip helper statements configured?

Thanks,

Tarik Admani
*Please rate helpful posts*

It is the MAC address that you see in the debug. I do have ip helper-address entries for both the DHCP server and the ISE server.

I understand, but I wanted to see if it was on vlan 113. If this is the case, then try to disable dot1x on this port, set the port to vlan 113 and see if the client gets an IP address. I would like to see if there isn't anything wrong with the DHCP server config or the communication from the client to the DHCP server without dot1x in the middle.

Thanks,

Tarik Admani
*Please rate helpful posts*

Yes, we have many different vlans in the switches and have tested all of them individually to test the scopes, and they all work. I really think it is a timing issue with DHCP, and I have made changes such as auth order and priority, putting MAB first. I also changed the timing parameters you suggested. This is a remote site and I have been toggling the port and/or clearing the auth session on the interface to test. I wonder if the printer needs to be powered off/on for results, i.e. in order to request a DHCP address and not be in an exponential backoff scenario? Do you know if anyone has a sample configuration from a working model with the scenario we have, i.e. using MAB for printers?

Thanks for your replies.

Rick Masselle

There is no special configuration for printers. When you tried to test, did you ever shut down the port? Did you try to remove the dot1x configuration or turn off dot1x like I suggested? The point of these tests is to prove that the printer is able to pull an IP address once the link comes up. Also, if you are deploying ISE, here is a reference guide that Cisco has come up with in order to deploy ISE for wired ports. Let me know if that clears up your issue.

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_sw_cnfg.html

Thanks,

Tarik Admani
*Please rate helpful posts*

Jim Thomas
Level 4

Sounds like there are two things going on here from what I scanned through. The helper-address configuration should point to ISE and the DHCP probe turned on. You should be able to confirm that the DHCP packets are being sent from the switch by doing a debug dhcp packet (I believe it's packet, but you can use the ?). If you do not see anything related to the MAC of the printer in the debugs, then your printer is using a static IP. If you are trying to see what the IP address is that's assigned to the printer from the switch, then you were correct in using the show authentication session int x/y. If the IP address is not seen, it's usually 1 of 3 things. The ip device tracking command needs to be there for the switch to learn the IP of the endpoint. The second is that the pre-authentication ACL (if there is one) needs to permit DHCP requests for "low impact mode", which it doesn't look like you have configured. The 3rd thing is that the printer needs to send a packet into the switchport in order for the switch to learn its IP and for you to see it in the output. I know it sounds basic, but I've had people pulling their hair out on why the IP wasn't showing and as soon as the endpoint shot out a packet, the field populated.

I'd start with the debug on the DHCP packets to see if the MAC is listed in the output.

Jim Thomas
Cisco Security Course Director
Global Knowledge
CCIE Security #16674


Thanks for your reply. We do have ip device tracking on. We do have an ACL to permit all. We do have vlan ip helper-addresses pointing to the DHCP server and the ISE server. I am in the process of verifying basic DHCP capability. It is a remote site and I need to work with someone there, so it takes time :-) We do have a couple of printers seemingly working and I am as yet unable to track down the differences, but the basic DHCP functionality certainly seems to be a good first step. I'll update the post when I know more. Again, thanks for your response.

Rick Masselle
Network Manager
Connecticut State Colleges and Universities (ConnSCU)
Board of Regents for Higher Education
Phone (860)493-0127
Email masseller@ct.edu

To update: I stripped down the port configuration to only include the printer Vlan and I did indeed get a DHCP address as expected. I put the total configuration back on and sure enough received an IP address in the switchport access Vlan. I changed the switchport access Vlan to be that of the printer Vlan and received an address in the printer Vlan. It would seem as though, even though ISE authentication is reporting it is sending the printer Vlan id to the switch, the switch port never gets updated with the new Vlan. The rest of the ISE configuration works okay, i.e. 802.1X using the PC supplicant switches vlans and gets the correct IP address, an IP phone using MAB also gets the correct vlan and IP (using the voice vlan on the switch), but using MAB for printers, although authentication works, still doesn't get the correct vlan IP address. Any other thoughts? It is a remote site, but maybe a sniffer trace is in order to see if the vlan id is actually sent to the switch?
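A small diagnostic for the symptom in this last post, added here as an example and not code from the thread or from Cisco: it parses excerpts of the "show authentication sessions" output and the RADIUS Access-Accept posted earlier (embedded as sample input) and flags when ISE returned a VLAN in the RFC 3580 tunnel attributes but the session still shows no Vlan Policy, so the question of whether the VLAN reached the switch can be answered from the switch CLI before a sniffer trace.

```python
import re

# Sample input: excerpts of the 'show authentication sessions' and 'debug radius'
# output posted earlier in this thread, trimmed to the lines the parser needs.
SHOW_AUTH_SESS = """\
            Interface:  GigabitEthernet2/1
          MAC Address:  009c.0207.4929
           IP Address:  Unknown
               Status:  Authz Success
          Vlan Policy:  N/A
"""
RADIUS_DEBUG = """\
Jul 23 17:11:06.061: RADIUS: Received from id 1645/223 10.168.248.40:1812, Access-Accept, len 293
Jul 23 17:11:06.061: RADIUS:  Tunnel-Type         [64]  6   01:VLAN                   [13]
Jul 23 17:11:06.061: RADIUS:  Tunnel-Medium-Type  [65]  6   01:ALL_802                [6]
Jul 23 17:11:06.061: RADIUS:  Tunnel-Private-Group[81]  6   01:"113"
"""

def parse_session(text):
    """Key/value fields of 'show authentication sessions interface' output."""
    pat = re.compile(r"^[ \t]*([A-Za-z][A-Za-z /-]*?):[ \t]{2,}(.*?)[ \t]*$", re.M)
    return {m.group(1): m.group(2) for m in pat.finditer(text)}

def parse_radius_vlan(text):
    """VLAN from the RFC 3580 tunnel attributes of an Access-Accept, else None."""
    ttype = re.search(r"Tunnel-Type\s+\[64\]\s+\d+\s+\d+:(\w+)", text)
    tmed = re.search(r"Tunnel-Medium-Type\s+\[65\]\s+\d+\s+\d+:(\w+)", text)
    tpg = re.search(r'Tunnel-Private-Group\[81\]\s+\d+\s+\d+:"([^"]+)"', text)
    if "Access-Accept" not in text or not (ttype and tmed and tpg):
        return None
    if ttype.group(1) != "VLAN" or tmed.group(1) != "ALL_802":
        return None  # tunnel attributes present but not a VLAN assignment
    return tpg.group(1)

def diagnose(session_text, radius_text):
    """Compare the VLAN ISE returned with what the switch applied to the session."""
    sess = parse_session(session_text)
    returned = parse_radius_vlan(radius_text)
    applied = sess.get("Vlan Policy", "N/A")
    findings = []
    if returned is None:
        findings.append("Access-Accept carries no complete VLAN tunnel attribute set")
    elif applied == "N/A":
        findings.append(f"ISE returned VLAN {returned} but Vlan Policy is N/A: not applied")
    elif applied != returned:
        findings.append(f"VLAN mismatch: ISE returned {returned}, port applied {applied}")
    if sess.get("IP Address") == "Unknown":
        findings.append("no IP learned: check ip device tracking and that the endpoint sent traffic")
    return {"returned_vlan": returned, "applied_vlan": applied, "findings": findings}
```

On the outputs quoted in this thread it reports VLAN 113 returned but not applied, which matches what the final test above found.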
