MAB authentication keeps failing after Dot1x succeeds

antonioyan99
Level 1

Hi Cisco ISE guru,

 

I have a weird scenario. After deploying about 700 endpoints in Enforcement (low impact) mode, some of the endpoints (so far 3 reported) ran into a scenario where the MAB auth keeps failing every 30 seconds even if the Dot1x passes the auth/authorization, which causes the endpoint to get denied access to the network.

 

Other endpoints will do dot1x and MAB at the same time, but after dot1x passes and MAB fails, the Dot1x takes precedence and the endpoints get access to the network, and MAB won't start again. Only these 3 endpoints have this issue.

The configurations are the same  on every switch port.

 

Does anyone happen to know what causes this issue and how to fix it?

 

thanks.
2 Replies

antonioyan99
Level 1

Here is the global config and port level config:

 

policy-map type control subscriber DOT1X-DEFAULT
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
   20 authenticate using mab priority 20
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL
   20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   30 authorize
   40 terminate dot1x
   50 terminate mab
   60 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 event aaa-available match-all
  10 class IN_CRITICAL_VLAN do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_VLAN do-until-failure
   10 resume reauthentication
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
 event violation match-all
  10 class always do-until-failure
   10 restrict
!

 

###switch port configuration
interface range gi1/0/1 - 46
 device-tracking attach-policy otppipdt_policy
 ip access-group Pre-Auth-ACL in
 authentication periodic
 authentication timer reauthenticate server
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 service-policy type control subscriber DOT1X-DEFAULT

Unless you are absolutely doing no profiling you should never have a MAB failure.  Your default rule for MAB should be access-accept with a limited access DACL allowing access to the ISE PSNs for profiling.  In over 100 ISE deployments since 1.0 I have never (nor will I ever) issue an access-reject in a MAB rule.  I am not sure that would solve your problem, but it may help.
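The kind of limited-access dACL the reply above describes for the default (catch-all) MAB rule in low-impact mode, as an added example that is not part of the thread or either poster's configuration. The PSN addresses 10.10.10.11 and 10.10.10.12 are placeholders; on ISE the dACL body is just the ACE lines, the `ip access-list extended` header is only for testing the ACL on a switch first.

```cisco
! Added example, not from the thread: limited access for an unknown MAB
! endpoint so the session is authorized (no access-reject) while ISE profiles it.
! Assumptions: ISE PSNs at 10.10.10.11 and 10.10.10.12 (placeholders),
! DHCP and DNS reachable through the switch.
ip access-list extended LOW-IMPACT-MAB-DEFAULT
 remark DHCP so the endpoint gets an address and ISE sees the DHCP probe
 permit udp any eq bootpc any eq bootps
 remark DNS so hostnames resolve and the DNS probe has something to see
 permit udp any any eq domain
 remark Full reachability to the PSNs only, for profiling and any redirect
 permit ip any host 10.10.10.11
 permit ip any host 10.10.10.12
 remark Everything else stays blocked until a profiled policy grants more
 deny ip any any
```

After the rule matches, `show access-session interface gi1/0/1 details` on the switch should list the session as Authorized with this ACL name under the applied attributes, instead of the repeated MAB failures described in the original post.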