MAB Auth but no mac address-table entry

DummyCisco
Level 1

Hello Cisco Community,

I'm pretty new to ISE and the Cisco Catalyst Center, so please don't judge me if this is a dumb-ass question. I want to authenticate a device by MAB (MAC-Bypass). When I connect the device via cable to my switch, I get the status that something is connected to the switchport and the speed is also shown. I also have a link on the device and the switchport, so the cable is not the problem, even though I switched it twice.

My problem is that I get no MAC address of the connected device. It is a pretty cheap sensor with an RJ45 connector, but this sensor is essential for my project. I think that there is no traffic, because why should there be any. The sensor is just doing its thing. The sensor has no possible way to send information like NTP, SMTP or any other service over the web UI. I can just simply change its IP settings. When I try the following command I get no MAC address of the device which is connected to the switch.

show mac address-table interface <connected-interface>

Is there a possible way to send traffic over the switchport to the connected sensor and get a message back, including its MAC-Address?

Thanks in advance.

7 Replies

Show authentication session interface x/x detail

MHM

Will give an update when I'm on the switch

Do you have wired authentication enabled on the port?  What is the switch?  What version of ISE?  What do the ISE logs say?  What does the switchport configuration look like?  What does "show authentication session" look like?

https://community.cisco.com/t5/security-documents/how-to-ask-the-community-for-help/ta-p/3704356

Yes, I have wired authentication enabled on the port. Every other device is fine, except the sensor. I have a Cisco Catalyst 9200L. The ISE says nothing because the switch doesn't communicate with the ISE, because there is no MAC to give the ISE.
I'll give an update on my switchport config soon, but I'm not home right now, so I can't give you any info about that, sorry.

I know I run the latest recommended Version of IOS on the switch and ISE should be v14.5 if I'm not wrong.

Sorry, v14.5 is totally wrong. I'll give an update later.

I have seen some devices that their network stack will completely fail if it receives an EAPoL packet from the switch.  What if you only enable MAB and not 802.1X on the port?  What happens if you completely remove the authentication commands from the port?

The switch needs to learn the MAC address of the connected device. Usually this happens in phase 2 (MAC address learning): during this phase the switch opens the port to accept a single packet, and once the MAC address is learned that packet or frame will be discarded. After that the switch will generate a RADIUS Access-Request packet and send it to ISE with the device MAC address as the username (Attribute 1), the password (Attribute 2), and the Calling-Station-Id (Attribute 31).

If the connected device does not send any frame or packet, the switch won't be able to learn its MAC address, so the whole authentication process will be broken. However, if the sensor can receive any traffic from somewhere on the network to trigger a response back to the sender, then I think you can add the command "authentication control-direction in" to the switch port where it's connected. This command will allow the traffic sent to the sensor to be delivered without any authentication checks, and because it would trigger a response from the sensor, the switch will then learn its MAC address and go through the authentication process.
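Putting the two suggestions above together (MAB only, no 802.1X, plus "authentication control-direction in"), here is an added example of a legacy-style (IBNS 1.0) Catalyst access-port configuration; it is not from the thread or from Cisco documentation, and the interface name, VLAN and sensor address are placeholders.

```cisco
! Added example, not from the thread. Gi1/0/10, VLAN 100 and 192.0.2.50 are placeholders.
interface GigabitEthernet1/0/10
 description Passive sensor - MAB only
 switchport mode access
 switchport access vlan 100
 ! MAB only: no "dot1x pae authenticator", so the switch never sends EAPoL
 ! toward the sensor (some cheap network stacks stop responding when they
 ! receive an EAP-Request/Identity).
 mab
 authentication order mab
 authentication port-control auto
 authentication host-mode single-host
 ! "in" controls only the ingress direction: frames TOWARD the sensor are
 ! forwarded before it is authenticated, while frames FROM the sensor stay
 ! blocked until ISE returns Access-Accept. The sensor's reply to that egress
 ! traffic is the first frame the switch can learn the MAC from, which then
 ! triggers the RADIUS Access-Request (User-Name / User-Password /
 ! Calling-Station-Id all carrying the MAC).
 authentication control-direction in
 spanning-tree portfast
!
! Trigger a reply from the sensor from any host on VLAN 100, e.g. ping 192.0.2.50,
! then check that the MAC was learned and that a MAB session exists:
!   show mac address-table interface GigabitEthernet1/0/10
!   show authentication sessions interface GigabitEthernet1/0/10 details
```

On IOS-XE switches already converted to new-style (IBNS 2.0) configuration, the equivalent setting is "access-session control-direction in".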