
MAB authentication using Cisco ISE fails

s_muthukannan
Level 1

Hi All,

I am trying MAB authentication via Cisco ISE (virtual machine) and authentication fails.

Setup

 CiscoISE----ISAM 7360---ONT----MAB Client

ISAM - Intelligent Service Access Manager ( Formerly Alcatel-lucent, currently Nokia)

 ONT = Optical network termination unit

MAB client  = Spirent test centre

Cisco ISE version : 2.3.0.298

Product Identifier (PID) :ISE-VM-K9

I have attached the Cisco ISE config done and the wireshark capture from ISE.

Observation

The calling station MAC is being used for authentication. ISAM 7360 encodes that as an octet string rather than as ASCII, because of which ISE declares it a failure. Help required:

1) How to get Cisco ISE to accept the octet format for MAB authentication?

2) If it cannot do the above, is there a way for the operator to configure a MAB password (i.e. the MAC of the device) similar to other user passwords?

Thanks,

S.Muthukannan

1 Accepted Solution


Do one thing: for MAB, the switch sends the MAC address in the username,
for example 08cc68e92ef8, which is equivalent to 08:CC:68:E9:2E:F8.

Create a MAB rule above your general MAB rule to match the specific
username and set the action to continue instead of reject. This will allow
this specific endpoint to move to the authorization check with failed
authentication.


4 Replies

Hi,

The MAC format is something to be changed on the endpoint or the ISAM. ISE accepts
only the Cisco format. I know, for example, that on Huawei switches you can use
different formats for calling-station-id to match the ISE requirement.

I think you need to check it with the provider.

Thanks Mohammed for replying.

The ISAM 7360 does the encoding to octet format, not the end device. If Cisco cannot accept that format, is it possible to configure a password for MAB similar to local users in Cisco ISE?

 

Thanks,

S.Muthukannan

Do one thing: for MAB, the switch sends the MAC address in the username,
for example 08cc68e92ef8, which is equivalent to 08:CC:68:E9:2E:F8.

Create a MAB rule above your general MAB rule to match the specific
username and set the action to continue instead of reject. This will allow
this specific endpoint to move to the authorization check with failed
authentication.

I will try that and get back. But still, that will not solve my problem, as the device can fail and still get access.

 

Thanks,

S.Muthukannan
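
An added example, not part of the thread and not Cisco or Nokia code: a small Python check that reads a RADIUS Access-Request (attribute layout per RFC 2865) and reports whether User-Name and Calling-Station-Id carry the MAC as ASCII text or as six raw octets, which is the difference the original post describes. The function names and the two sample packets are constructed for illustration; the sample MAC is the one quoted in the accepted answer.

```python
import re
import struct

USER_NAME, CALLING_STATION_ID = 1, 31  # attribute types from RFC 2865
# ASCII MAC: 12 hex digits with optional '-', ':' or '.' separators
ASCII_MAC = re.compile(rb"(?:[0-9A-Fa-f]{2}[-:.]?){5}[0-9A-Fa-f]{2}")

def radius_attributes(packet: bytes):
    """Yield (type, value) for every attribute in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute length")
        yield a_type, packet[pos + 2:pos + a_len]
        pos += a_len

def classify_mac(value: bytes):
    """Return (encoding, 12-hex-digit MAC or None) for an attribute value."""
    if ASCII_MAC.fullmatch(value):
        return "ascii", re.sub(rb"[-:.]", b"", value).decode().lower()
    if len(value) == 6:  # six raw bytes: the MAC sent as an octet string
        return "raw-octets", value.hex()
    return "unknown", None

def mab_report(packet: bytes):
    """Describe how User-Name and Calling-Station-Id carry the MAC."""
    names = {USER_NAME: "user_name", CALLING_STATION_ID: "calling_station_id"}
    return {names[t]: classify_mac(v)
            for t, v in radius_attributes(packet) if t in names}

def build_request(attrs):
    """Build a constructed Access-Request (zero authenticator) for the demo."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

# Constructed samples using the MAC quoted in the thread, not the OP's capture.
ASCII_REQ = build_request([(1, b"08cc68e92ef8"), (31, b"08-CC-68-E9-2E-F8")])
OCTET_REQ = build_request([(1, b"08cc68e92ef8"),
                           (31, bytes.fromhex("08cc68e92ef8"))])

if __name__ == "__main__":
    print("ASCII NAS:", mab_report(ASCII_REQ))
    print("Octet NAS:", mab_report(OCTET_REQ))
```

To use it on a real capture, pass the UDP payload of the Access-Request exported from Wireshark to `mab_report`.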
