MAB authentication fails

lni1
Level 1

Dear Community,

We are doing a MAB POC as we speak to enhance our level of port security for exotic non-dot1x devices.

Our test device is an IE3000 8p industrial switch with Version 15.2(2)E4 (preferred IOS version for communication with ISE 2.2).

When booting the device, MAB authentication works 100% of the time.

When doing a shut/no shut of the network port or removing/inserting the network cable, in most cases MAB authentication fails and the MAC address of the end device is no longer in the MAC address table.

The only way to make things work again is a reboot of the device.

interface FastEthernet1/1
 description ## Tel + PC dot1x mab ##
 switchport access vlan 666
 switchport mode access
 switchport voice vlan 667
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication control-direction in
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 43200
 mab
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout tx-period 5
 auto qos trust
 no mdix auto
 storm-control broadcast level 60.00
 storm-control action shutdown
 storm-control action trap
 macro description MAB
 ip dhcp snooping limit rate 10
 ip dhcp snooping trust
end

Attached you can find 2 debug files (debug mab all & debug authentication all).

Kind regards,

Lieven Stubbe

Belgian railways

Accepted Solution

ldanny
Cisco Employee

It sounds as if you're hitting a bug on the switch side and this has nothing to do with ISE, especially if you modified your end point to DHCP and suddenly you have a MAC entry in your MAC table.


9 Replies

Jason Kunst
Cisco Employee

This looks like a switching issue and nothing to do with ISE. Would recommend querying them as well.

Your config should be in this order:

!
interface FastEthernet1/1
 description ## Tel + PC dot1x mab ##
 switchport access vlan 666
 switchport mode access
 switchport voice vlan 667
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication control-direction in
 authentication order mab dot1x
 authentication event fail next-method
 (optional command: authentication host-mode single-host | multi-auth)
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 43200
 mab
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout tx-period 5
 auto qos trust
 no mdix auto
 storm-control broadcast level 60.00
 storm-control action shutdown
 storm-control action trap
 macro description MAB
 ip dhcp snooping limit rate 10
 ip dhcp snooping trust
end

please do not forget to rate.
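The reply above recommends a specific ordering of the port commands (MAB first, fall-through on failure). As an added illustration that is not part of this thread or of any Cisco tool, the following script parses an interface block in the plain running-config format shown above and reports which of those recommendations a port violates. The sample block is a cut-down copy of the original poster's configuration (constructed input, not taken from a live device); the finding texts and the function names are the example's own.

```python
import re
from typing import Dict, List

# Constructed sample: a trimmed copy of the interface block from the original post.
SAMPLE_CONFIG = """\
interface FastEthernet1/1
 description ## Tel + PC dot1x mab ##
 switchport access vlan 666
 switchport mode access
 switchport voice vlan 667
 authentication control-direction in
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 43200
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
end
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config excerpt into {interface_name: [sub-commands]}.

    Leading indentation and '!' separator lines are ignored; 'end' closes the
    current interface block.
    """
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "end":
            current = None
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def audit_mab_port(cmds: List[str]) -> List[str]:
    """Return findings for a port that is supposed to authenticate quiet endpoints via MAB.

    The checks mirror the points raised in the thread: MAB enabled, port-control
    auto, control-direction in, MAB before dot1x, and fall-through on failure.
    """
    findings: List[str] = []
    if "mab" not in cmds:
        findings.append("mab is not enabled on the port")
    if "authentication port-control auto" not in cmds:
        findings.append("authentication port-control is not 'auto'")
    if "authentication control-direction in" not in cmds:
        findings.append(
            "control-direction is 'both' (default): inbound frames cannot reach "
            "an unauthorized quiet endpoint to provoke a reply"
        )
    order = next((c for c in cmds if c.startswith("authentication order ")), None)
    if order is None:
        findings.append("no explicit authentication order")
    else:
        methods = order.split()[2:]
        if "mab" in methods and "dot1x" in methods and methods.index("dot1x") < methods.index("mab"):
            findings.append(
                "dot1x runs before mab: MAB only starts once dot1x has timed out "
                "(tx-period x max-reauth-req)"
            )
    if "authentication event fail next-method" not in cmds:
        findings.append("no 'authentication event fail next-method': a failed first method does not fall through")
    return findings


if __name__ == "__main__":
    for name, cmds in parse_interfaces(SAMPLE_CONFIG).items():
        print(name)
        for finding in audit_mab_port(cmds) or ["no findings"]:
            print("  -", finding)
```

Run against the sample it flags the dot1x-before-mab order and the missing fail next-method line, and is silent on control-direction, which the original port already sets to "in". Paste the output of `show running-config interface <name>` in place of the sample to audit a real port.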

Already tried to change the authentication order, also tried several other options as proposed by the community:

The problem is that when doing a shut/no shut or cable disconnect the switch loses the mac address of the end client and is unable to retrieve it again.

Debug authentication all:

Jan 25 08:55:55: AUTH-EVENT: [Fa1/1] Link UP
Jan 25 08:55:55: AUTH-EVENT: [Fa1/1] No authorized client found in domain [DATA]
Jan 25 08:55:55: AUTH-EVENT: [Fa1/1] Domain authorized client count: 0
Jan 25 08:55:55: AUTH-EVENT: [Fa1/1] No authorized client found in domain [DATA]
Jan 25 08:55:55: AUTH-EVENT: [Fa1/1] Domain authorized client count: 0
Jan 25 08:55:55: AUTH-EVENT: [Fa1/1] Link UP
Jan 25 08:55:55: AUTH-EVENT: [Fa1/1] Link already UP - ignoring

Do end client devices need to meet certain requirements to be able to do MAB? (EAPOL, ...) With our laptops/desktops we never experience this behaviour; it's only with more "exotic" devices that our switches seem to lose the MAC address over time.
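The `debug authentication all` excerpt above shows a link coming up with the authorized client count staying at 0. As an added example that is not part of this thread or of any Cisco tool, the script below parses AUTH-EVENT lines in that format, measures the time from the first "Link UP" on each port to the first authorized client, and lists the ports that never authorize. The Fa1/1 lines are the ones from the post; the Fa1/2 lines are constructed in the same format to show a port that did authorize. Function names are the example's own.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# IOS debug line: "<timestamp>: AUTH-EVENT: [<port>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}): AUTH-EVENT: "
    r"\[(?P<port>[^\]]+)\] (?P<msg>.*)$"
)
COUNT_RE = re.compile(r"Domain authorized client count: (\d+)")

# Constructed sample: Fa1/1 lines copied from the original post, Fa1/2 lines
# made up in the same format as a port that authorizes 3 seconds after link-up.
SAMPLE_DEBUG = """\
Jan 25 08:55:55: AUTH-EVENT: [Fa1/1] Link UP
Jan 25 08:55:55: AUTH-EVENT: [Fa1/1] No authorized client found in domain [DATA]
Jan 25 08:55:55: AUTH-EVENT: [Fa1/1] Domain authorized client count: 0
Jan 25 08:55:55: AUTH-EVENT: [Fa1/1] Link UP
Jan 25 08:55:55: AUTH-EVENT: [Fa1/1] Link already UP - ignoring
Jan 25 08:56:01: AUTH-EVENT: [Fa1/2] Link UP
Jan 25 08:56:01: AUTH-EVENT: [Fa1/2] Domain authorized client count: 0
Jan 25 08:56:04: AUTH-EVENT: [Fa1/2] Domain authorized client count: 1
"""

Event = Tuple[datetime, str, str]


def parse_events(text: str) -> List[Event]:
    """Turn debug output into (timestamp, port, message) tuples; skip unrelated lines."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # IOS timestamps carry no year; strptime fills in 1900, which is fine for deltas.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["port"], m["msg"]))
    return events


def authorization_delays(events: List[Event]) -> Dict[str, Optional[float]]:
    """Seconds from the first 'Link UP' to the first authorized client, per port.

    A port whose authorized client count never rises above 0 maps to None.
    """
    first_up: Dict[str, datetime] = {}
    delays: Dict[str, Optional[float]] = {}
    for ts, port, msg in events:
        if msg == "Link UP" and port not in first_up:
            first_up[port] = ts
            delays[port] = None
        m = COUNT_RE.match(msg)
        if m and int(m.group(1)) > 0 and port in first_up and delays[port] is None:
            delays[port] = (ts - first_up[port]).total_seconds()
    return delays


def find_stuck_ports(events: List[Event]) -> List[str]:
    """Ports that came up but never reported an authorized client."""
    return sorted(port for port, delay in authorization_delays(events).items() if delay is None)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_DEBUG)
    for port, delay in authorization_delays(evs).items():
        print(f"{port}: {'never authorized' if delay is None else f'{delay:.0f}s to authorize'}")
    print("stuck ports:", find_stuck_ports(evs))
```

Feed it a longer capture of the debug and the stuck-port list is the set of interfaces to look at for the quiet-endpoint symptom; ports with a delay close to the dot1x timeout are candidates for putting MAB first in the authentication order.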

Do end client devices need to meet certain requirements to be able to do MAB? (EAPOL, ...)

Why don't you run a packet capture and check the EAPOL values from both ends?

please do not forget to rate.

We ran a packet capture and saw that the device had a fixed IP.

The moment we changed it to DHCP, MAB works.

When we reconnect the cable, a DHCP discover is sent out, and the MAC is learned by the switch, which can be used for the MAB procedure.

Interesting. So your issue is fixed?

please do not forget to rate.

We are running an IE3000 8p industrial switch with Version 15.2(2)E4 (preferred IOS version for communication with ISE 2.2); can't we even trust preferred Cisco versions anymore?

Excerpt from the Cisco doc: "During the MAC address learning stage, the switch begins MAB by opening the port to accept a single packet from which it will learn the source MAC address of the endpoint"

So if we do DHCP we see a "DHCP discover" packet; when we use a fixed IP we see no packets at all. Does the switch need to receive a certain packet from the end device to learn the MAC, or are there other options?

Kind regards,

Lieven Stubbe

Belgian railways

Hi, this seems to be a common issue with MAB and "quiet" endpoints, especially static endpoints, i.e. endpoints that don't send a lot of traffic, hence no MAC address on the switch port and hence no auth session.

We had this issue and we fixed it by running "authentication control auth direction in" on the switch port.

This allows broadcasts, ARPs etc. into the switch port, hence prompting the endpoint to reply and send its source MAC to the switch.
