cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1114
Views
0
Helpful
4
Replies

MAB authenticatin using CISCO ISE fails

s_muthukannan
Level 1
Level 1

Hi All,

I am trying MAB authentication via Cisco ISE ( Virtual machine) and authentication fails.

Setup

 CiscoISE----ISAM 7360---ONT----MAB Client

ISAM - Intelligent Service Access Manager ( Formerly Alcatel-lucent, currently Nokia)

 ONT = Optical network termination unit

MAB client  = Spirent test centre

Cisco ISE version : 2.3.0.298

Product Identifier (PID) :ISE-VM-K9

I have attached the Cisco ISE config done and the wireshark capture from ISE.

Observation

 calling station MAC is being used for authentication. ISAM7360 encodes that in Octet string rather than as ASCII

because of which ISE declares it as failure.Help required

1) How to get the cisco ISE to accept octet format for MAB authentication

2) if it cannot do above is there way for the operator to configure MAB password ( i.e MAC of the device) similar to other User password

Thanks,

S.Muthukannan

1 Accepted Solution

Accepted Solutions

Do one thing, for mab, the switch sends the mac address in the username,
for example 08cc68e92ef8 which is equivalent to 08:CC:68:E9:2E:F8

Create a mab rule above your general mab rule to match the specific
username and set the action as continue instead of reject. This will allow
this specific endpoint to move to authorization check with failed
authentication.

View solution in original post

4 Replies 4

Hi,

MAC format is something to be changed from endpoint or ISAM. ISE accept
only Cisco format. I know for example in Hawaui switches you can use
different formats for calling-station-id to match ISE requirement.

I think you need to check it with the provider

Thanks Mohammed for replying.

ISAM 7360 does encoding to Octet format not the end device. If cisco cannot accept that format.

is it possible to configure password for MAB similar to Local users in cisco ISE

 

Thanks,

S.Muthukannan

Do one thing, for mab, the switch sends the mac address in the username,
for example 08cc68e92ef8 which is equivalent to 08:CC:68:E9:2E:F8

Create a mab rule above your general mab rule to match the specific
username and set the action as continue instead of reject. This will allow
this specific endpoint to move to authorization check with failed
authentication.

I will try that and get back. But still that will not solve my problem as device can fail still get access

 

Thanks,

S.Muthukannan