05-22-2020 12:09 AM
Hi All,
I have the problem below. If someone has an idea, please kindly share.
I've set up MAB on a Cisco 3750 switch running IOS 12.2(55)SE12 with ISE 2.3. After connecting, the IP phone works as expected, but after 1-2 hours (random time) the IP phone cannot communicate. When I checked with show interface status, it showed the port is connected but assigned to VLAN1. Then I used the debug command and saw the switch port trying to authenticate with ISE, as below.
Debug showed below
May 22 13:44:14.978: %AUTHMGR-5-START: Starting 'mab' for client (0004.f24d.8b79) on Interface Fa1/0/5 AuditSessionID 0AC4485E0000008703504F97
May 22 13:44:14.987: %MAB-5-FAIL: Authentication failed for client (0004.f24d.8b79) on Interface Fa1/0/5 AuditSessionID 0AC4485E0000008703504F97
May 22 13:44:14.987: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0004.f24d.8b79) on Interface Fa1/0/5 AuditSessionID 0AC4485E0000008703504F97
May 22 13:44:14.987: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0004.f24d.8b79) on Interface Fa1/0/5 AuditSessionID 0AC4485E0000008703504F97
May 22 13:44:14.987: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0004.f24d.8b79) on Interface Fa1/0/5 AuditSessionID 0AC4485E0000008703504F97
After that I tried to shutdown/no shutdown the port. The debug still shows AUTHMGR-7-FAILOVER and AUTHMGR-7-NOMOREMETHODS, but the IP phone can connect to the voice VLAN.
Debug showed below
May 22 13:56:15.971: %AUTHMGR-5-START: Starting 'mab' for client (0004.f24d.8b79) on Interface Fa1/0/5 AuditSessionID 0AC4485E0000008B03666DE7
May 22 13:56:15.979: %MAB-5-FAIL: Authentication failed for client (0004.f24d.8b79) on Interface Fa1/0/5 AuditSessionID 0AC4485E0000008B03666DE7
May 22 13:56:15.979: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0004.f24d.8b79) on Interface Fa1/0/5 AuditSessionID 0AC4485E0000008B03666DE7
May 22 13:56:15.979: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0004.f24d.8b79) on Interface Fa1/0/5 AuditSessionID 0AC4485E0000008B03666DE7
May 22 13:56:15.979: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0004.f24d.8b79) on Interface Fa1/0/5 AuditSessionID 0AC4485E0000008B03666DE7
May 22 13:56:15.979: %AUTHMGR-5-FAIL: Authorization failed for client (0004.f24d.8b79) on Interface Fa1/0/5 AuditSessionID 0AC4485E0000008B03666DE7
interface command
interface FastEthernet1/0/5
 switchport mode access
 switchport voice vlan 104
 authentication port-control auto
 mab
 spanning-tree portfast
 spanning-tree bpduguard enable
end
My question is: why is it intermittent? Is it related to the switch configuration? And how can I resolve it?
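Added example, not part of the original thread: one way to group debug output like the above by AuditSessionID so each MAB attempt reads as a single sequence, tolerating run-together messages and hard line wraps from a pasted terminal. The sample text is constructed from the lines in the post; the function names and the assumption that a session ID is always 24 hex digits are the example's own.

```python
import re

# Constructed sample: debug lines taken from the post, with one run-together
# message and hard line wraps of the kind pasted terminal output carries.
SAMPLE = """\
May 22 13:44:14.978: %AUTHMGR-5-START: Starting 'mab' for client (0004.f24d.8b79) on Interface Fa1/0/5 AuditSessionID 0AC4485E0000008703504F97
May 22 13:44:14.987: %MAB-5-FAIL: Authentication failed for client (0004.f24d.8b79) on Interface Fa1/0/5 AuditSessionID 0AC4485E0000008703504F97May 22 13:44:14.987: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0004.f24d.8b79) on Interface Fa1/0/5 AuditSessionID 0AC4485E0000008703504F97
May 22 13:44:14.987: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0004.f24d.8b79) on Interface Fa1/0/5 AuditSessionID 0AC4485E0000008703504F97
May 22 13:44:14.987: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0004.f24d.8b79) on Interface Fa1/0/5 AuditSessionID 0AC4485E0000008703504F97
May 22 13:56:15.971: %AUTHMGR-5-START: Starting 'mab' for client (0004.f24d.8b79) on Interface Fa1/0/5 AuditSessionID 0AC4485E0000008B03666DE
7
May 22 13:56:15.979: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0004.f24d.8b79) on Interface Fa1/0/5 Audit
SessionID 0AC4485E0000008B03666DE7
May 22 13:56:15.979: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0004.f24d.8b79) on Interface Fa1/0/5 AuditSes
sionID 0AC4485E0000008B03666DE7
May 22 13:56:15.979: %AUTHMGR-5-FAIL: Authorization failed for client (0004.f24d.8b79) on Interface Fa1/0/5 AuditSessionID 0AC4485E0000008B03
666DE7
"""

# One AUTHMGR/MAB message. The session ID is matched as exactly 24 hex digits
# (assumption from the sample), so a message fused onto the next still parses.
MSG = re.compile(
    r"[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+: "
    r"%(?P<tag>[A-Z]+-\d-[A-Z]+): (?P<text>.*?)"
    r"\((?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\) on Interface (?P<intf>\S+) "
    r"AuditSessionID (?P<sid>[0-9A-F]{24})")
RESULT = re.compile(r"result '([^']+)' from '([^']+)'")

def summarize(raw):
    """Group messages by AuditSessionID, in order of first appearance."""
    flat = raw.replace("\r", "").replace("\n", "")  # undo hard line wraps
    sessions = {}
    for m in MSG.finditer(flat):
        s = sessions.setdefault(m["sid"], {"mac": m["mac"], "intf": m["intf"],
                                           "events": [], "result": None})
        s["events"].append(m["tag"])
        r = RESULT.search(m["text"])
        if r:
            s["result"] = r.group(1)  # e.g. 'no-response'
    return sessions

def exhausted(sessions):
    """Session IDs that logged NOMOREMETHODS (all methods exhausted)."""
    return [sid for sid, s in sessions.items()
            if "AUTHMGR-7-NOMOREMETHODS" in s["events"]]

if __name__ == "__main__":
    for sid, s in summarize(SAMPLE).items():
        print(sid, s["mac"], s["intf"], s["result"], " > ".join(s["events"]))
```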
05-22-2020 03:40 AM
- What's in the ISE (auth) logs when this happens?
M.
05-22-2020 04:03 AM
Hi marce1000 ,
Thank you for your reply. The ISE log showed as below.
05-22-2020 09:13 AM
- Check if this thread can help you:
M.
05-23-2020 08:49 PM
Hi marce1000,
Thank you for your advice, but unfortunately my ISE is not configured for client suppression.
Still looking for any possible root cause.
05-26-2020 06:42 AM
05-26-2020 07:13 PM
Hi Mike,
Thank you for your comment.
Below is show auth session
SW-B9-C2-G09-04#show auth session interface F1/0/5
Interface: FastEthernet1/0/5
MAC Address: 0004.f24d.8b79
IP Address: Unknown
User-Name: 0004f24d8b79
Status: Authz Failed
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0AC4485E000000BB09B9FCC1
Acct Session ID: 0x000000F0
Handle: 0x170000BB
Runnable methods list:
Method State
mab Failed over
Below is running config of int f1/0/5
Current configuration : 181 bytes
!
interface FastEthernet1/0/5
 switchport mode access
 switchport voice vlan 104
 authentication port-control auto
 mab
 spanning-tree portfast
 spanning-tree bpduguard enable
end
The last ISE rule is Deny Access
05-29-2020 03:29 AM
Finally, I think the problem has been resolved
by creating the authorization profile and policy for the IP phone MAC address.