MAB Authentication Failing for Client behind IP Phone

Hello all,

My customer has what may be a unique situation for endpoints that are used by guests.  We provide housing units for out of town family members of our patients.  In these units, we provide both wireless and wired Internet access.  We also have Mitel IP phones so they can dial any internal extension as well as make external calls.  Our requirement is to allow the DATA domain, which could be any wired device, to go through the hotspot guest flow where they only accept the AUP before getting access to the Internet.  The IP phone should not follow this flow but get full network access upon authenticating.  However, my phone gets the authz profile I set up for the policy but my PC is failing MAB authentication per the log message on the switch.  However, I am grabbing an IP address from DHCP and can ping it from another network based on the firewall rules I have set up but not getting redirected to the hotspot URL.  In addition, if I remove the IP phone from the port and just set it up for a single host, I get the redirect URL and can proceed as normal.  The issue occurs when I test with an IP phone on the same port.  Below is the info I felt would be a good start in pointing me in the right direction:

 

MAB log:

Apr 26 14:53:10.267: %MAB-5-FAIL: Authentication failed for client (a01d.48b1.0735) on Interface Gi0/2 AuditSessionID 0A6401220000006B1381FB20

 

Port Config (used for testing the policy):

interface GigabitEthernet0/2
description *** LT22970 ***
switchport access vlan 60
switchport mode access
switchport nonegotiate
switchport voice vlan 30
ip device tracking probe count 1
ip device tracking probe interval 30
ip device tracking maximum 2
authentication host-mode multi-domain
authentication open
authentication order mab
authentication priority mab
authentication port-control auto
mab
spanning-tree portfast edge
spanning-tree bpduguard enable
end

 

IP Phone & Wired Guest Policy:

[Attached screenshots: mab_policy.png, phone_authc_rule.png, phone_authz_rule.png, wired_guest_authc_rule.png, wired_guest_authz_rule.png]

 

I'm not sure if it's my port config, the way I have the policies/rules set up in ISE, or a combination of both.  Any assistance would be greatly appreciated from the community.

 

Thanks,

Terence

6 Replies

So I did a bit more digging and added the following commands to my test port:

authentication event server dead action authorize vlan 30
authentication event server dead action authorize voice

 

I also disabled the Mitel IP Phone policy and added an AuthZ rule to the Wired Guest Internet Access policy and used the MITEL-ACCESS result profile.  Now, I'm authenticating both devices from the same port but my PC on the data domain still isn't getting the redirect URL.  Here is the output of the 'sh authentication sessions interface gi0/2 details' command:

 

sh authentication sessions interface gi0/2 details
Interface: GigabitEthernet0/2
MAC Address: 0800.0f74.846e
IPv6 Address: Unknown
IPv4 Address: 172.30.0.251
User-Name: 08-00-0F-74-84-6E
Status: Authorized
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 172800s (local), Remaining: 172590s
Common Session ID: 0A6401220000008113C60B93
Acct Session ID: 0x000001FA
Handle: 0x0B00005A
Current Policy: POLICY_Gi0/2

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure

Server Policies:
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-57f6b0d3

Method status list:
Method State

mab Authc Success

----------------------------------------
Interface: GigabitEthernet0/2
MAC Address: a01d.48b1.0735
IPv6 Address: Unknown
IPv4 Address: 192.168.58.106
User-Name: A0-1D-48-B1-07-35
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 172800s (local), Remaining: 172590s
Common Session ID: 0A6401220000008013C60A6E
Acct Session ID: 0x000001F9
Handle: 0x09000059
Current Policy: POLICY_Gi0/2

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure


Server Policies:
URL Redirect: https://scisepsn.shepctr.org:8443/portal/gateway?sessionId=0A6401220000008013C60A6E&portal=c0e0b6e2-5e14-11e9-88d1-005056b04593&action=cwa&type=drw&token=d2f475af925ed4f2b774e5d953b53978
URL Redirect ACL: WIRED-GUEST-REDIRECT
ACS ACL: xACSACLx-IP-WIRED-GUEST-REDIRECT-DACL-5cc0c194

Method status list:
Method State

mab Authc Success

 

Any reasons why I'm not getting redirected?

Since the PC is authorized on the DATA domain and the redirect URL and ACL are assigned to the session, that means that your ISE policy is ok.  So now we need to look at why the switch is not redirecting the traffic from the PC.  Make sure you have "ip http server" and "ip http secure-server" enabled globally.  Also, please post the contents of your redirect ACL and the dACL that is applied to the port.  To ensure the dACL is applied properly, copy the results from the "show ip access-list int g0/2" command.  It should have entries merged for the phone and the PC.

 

In general, your redirect ACL should be on the switch and have the following entries at a minimum:

deny udp any any eq domain

deny udp any any eq bootps

deny ip any host <ISE PSN address>

permit ip any any

 

You can make the ACL more restrictive once you have it working.  Keep in mind, the redirect ACL is not a typical security ACL.  You are essentially denying redirection and permitting redirection.

 

HTH,

Colby

Hello Colby,

Both HTTP & HTTPS are enabled globally on the switch already.  I also have an SVI on the switch since the client subnet is separated by a firewall.  Also, keep in mind that wired redirect works when testing without an IP phone connected to the same port.  It's only when I have a phone on the same port that testing fails.  I'm also removing the endpoints from ISE to ensure it looks like a brand new endpoint initiating a session.

 

Here is the redirect ACL on the switch:

Extended IP access list WIRED-GUEST-REDIRECT
    10 deny udp any any eq domain
    20 deny ip any host 10.2.138.252
    30 deny ip any host 10.2.138.253
    40 deny ip any host 10.2.138.254
    50 deny ip any host 10.2.138.255
    60 permit tcp any any eq www (438 matches)
    70 permit tcp any any eq 443 (2174 matches)
    80 permit tcp any any eq 8443
    90 deny ip any any (59 matches)

 

Here is the dACL:

permit udp any any eq bootps
permit udp any any eq domain
permit ip any 192.168.56.0 255.255.248.0
permit tcp any eq 3389 host 10.100.2.52 <---This is used to RDP to the machines used for testing and will be removed
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443
deny ip any any log

The dACL for the Mitel phone is the default PERMIT_ALL_TRAFFIC dACL provided by ISE.

 

Here is the output of the 'show ip access-list int Gi0/2' command:

sh ip access-lists int gi0/2
     permit udp host 192.168.58.106 any eq bootps
     permit udp host 192.168.58.106 any eq domain
     permit ip host 192.168.58.106 any
     permit tcp host 192.168.58.106 eq 3389 host 10.100.2.52
     permit tcp host 192.168.58.106 any eq www
     permit tcp host 192.168.58.106 any eq 443
     permit tcp host 192.168.58.106 any eq 8443
     deny ip host 192.168.58.106 any log
     permit ip host 172.30.0.251 any
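Added example (written for this page, not code from the thread or from Cisco): a small Python evaluator that applies Cisco first-match semantics to the WIRED-GUEST-REDIRECT ACL and the guest dACL posted above, treating a redirect-ACL permit as "redirect" and a deny as "bypass" as Colby describes. It matches the second address value as a Cisco wildcard mask bit by bit, which also shows that `192.168.56.0 255.255.248.0` does not match the guest subnet the way a /21 netmask would; the endpoint address 192.168.58.106 comes from the post, the other flow endpoints and ports are constructed.

```python
import ipaddress as ipa
PORTS = {"domain": 53, "bootps": 67, "www": 80}  # port names used in the thread's ACLs

def _addr(tok, i):  # 'any' | 'host A.B.C.D' | 'NET WILDCARD' -> ((net, care_bits), next index)
    if tok[i] == "any":
        return (0, 0), i + 1
    if tok[i] == "host":
        return (int(ipa.IPv4Address(tok[i + 1])), 0xFFFFFFFF), i + 2
    care = int(ipa.IPv4Address(tok[i + 1])) ^ 0xFFFFFFFF  # Cisco wildcard: 1 bits are "don't care"
    return (int(ipa.IPv4Address(tok[i])) & care, care), i + 2

def _port(tok, i):  # optional 'eq PORT'; None matches any port
    eq = i < len(tok) and tok[i] == "eq"
    return (int(PORTS.get(tok[i + 1], tok[i + 1])), i + 2) if eq else (None, i)

def parse_acl(text):
    """Parse ';'-separated entries such as '20 deny ip any host 10.2.138.252' (seq numbers and 'log' ignored)."""
    rules = []
    for entry in text.split(";"):
        tok = entry.split()
        tok = tok[1:] if tok[0].isdigit() else tok
        src, i = _addr(tok, 2)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, _ = _port(tok, i)
        rules.append((tok[0], tok[1], src, sport, dst, dport))
    return rules

def first_match(rules, proto, src, sport, dst, dport):
    """Cisco first-match evaluation; the implicit 'deny ip any any' applies when nothing matches."""
    s, d = int(ipa.IPv4Address(src)), int(ipa.IPv4Address(dst))
    for action, p, (snet, sc), sp, (dnet, dc), dp in rules:
        if p in ("ip", proto) and (s & sc) == snet and (d & dc) == dnet \
                and sp in (None, sport) and dp in (None, dport):
            return action
    return "deny"

def decide(dacl, redirect_acl, flow):
    """The dACL decides forwarding; in the redirect ACL 'permit' means redirect and 'deny' means bypass."""
    if first_match(dacl, *flow) != "permit":
        return "dropped"
    return "redirected" if first_match(redirect_acl, *flow) == "permit" else "forwarded"

# The thread's WIRED-GUEST-REDIRECT ACL and guest dACL as posted (before the 8443 line was removed).
REDIRECT = parse_acl("10 deny udp any any eq domain; 20 deny ip any host 10.2.138.252; "
    "30 deny ip any host 10.2.138.253; 40 deny ip any host 10.2.138.254; 50 deny ip any host 10.2.138.255; "
    "60 permit tcp any any eq www; 70 permit tcp any any eq 443; 80 permit tcp any any eq 8443; 90 deny ip any any")
DACL = parse_acl("permit udp any any eq bootps; permit udp any any eq domain; permit ip any 192.168.56.0 255.255.248.0; "
    "permit tcp any eq 3389 host 10.100.2.52; permit tcp any any eq www; permit tcp any any eq 443; "
    "permit tcp any any eq 8443; deny ip any any log")
```

Flows are `(proto, src, sport, dst, dport)` as seen from the endpoint's ingress port, so the RDP line permits the return leg of a session initiated from 10.100.2.52 (source port 3389) but not an RDP session the guest PC initiates.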

Remove the permit line in your redirect ACL for TCP 8443.

For whatever reason, I can no longer see the content on the community page so I'm restricted to responding via email. It gave a message that the post is marked as spam. I removed the 8443 line from my redirect ACL but still the same issue. No redirect to hotspot URL behind Mitel IP phone. My browser responds as if I have no connectivity whatsoever. It doesn't even look like it's attempting to reach the URL.

Ok...I figured out my problem. IT WAS THE FLIPPING LAPTOP I WAS TESTING FROM!!!!

I decided to disable the wired NIC and attempted to browse the Internet from the wifi of the same device but still couldn't get out. I can ping and traceroute but just couldn't browse the Internet. I rebooted the machine and tried my ISE policy again and lo and behold, I got the redirect URL!

Geez!