01-13-2014 01:49 AM - edited 03-10-2019 09:16 PM
Hi All,
I am configuring MAB authentication for IBMS devices (some building infra devices), but MAB was not getting triggered.
I tried using the following solution as well:
https://supportforums.cisco.com/thread/2015988
It says I should change the control-direction to inbound ("dot1x control-direction in"), which lets MAB work. By applying this interface-level command I can see that the session is getting authorized, but I still cannot ping the devices.
Can someone confirm exactly what the issue is over here and how to resolve it?
My config on port is as follows,
!
int ten1/1/9
switchport mode access
authentication host-mode single-host
authentication port-control auto
authentication violation restrict
authentication control-direction in
mab
!
Regards,
01-13-2014 05:06 PM
What does the show auth session interface int ten 1/1/9 look like when the port is authorized?
Does an IP address show up in the output?
01-13-2014 07:30 PM
Hi Robert,
No, it's not showing any IP; the status looks as follows,
sh authentication sessions interface gi2/0/46
            Interface:  GigabitEthernet2/0/46
          MAC Address:  0050.c2a8.0ffb
           IP Address:  Unknown
            User-Name:  00-50-C2-A8-0F-FB
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  single-host
     Oper control dir:  in
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-SSH-PERMIT-ALL-5270ce52
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0AA000390000002A12EFCB63
      Acct Session ID:  0x00000197
               Handle:  0xA600002B
Runnable methods list:
       Method   State
       mab      Authc Success
Regards
Hammad
01-13-2014 07:51 PM
Can you paste a "show access-list xACSACLx-IP-SSH-PERMIT-ALL-5270ce52", or whatever the current dACL is that gets applied when you first get authenticated?
01-13-2014 08:07 PM
Hi Bruce,
My dACL is like this,
!
permit ip any any
!
01-13-2014 08:17 PM
So the switch will take the learned IP address and modify the dACL applied with the new IP address learned from the port. If it doesn't learn an IP, it can't modify the dACL. I think if your dACL is truly "permit ip any any" then it should work. You might try to add "permit icmp any any" to the dACL, if ping is what you are looking for. Also, is the end device learning its IP address from DHCP, or is it static?
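A quick check for the symptom Bruce describes above, as an added example that is not from this thread or from Cisco: it parses "show authentication sessions interface" output (a constructed sample modelled on Hammad's paste) and flags a session that is authorized and carries a dACL while the IP Address is still Unknown, which is exactly the state in which the switch cannot rewrite the dACL onto the port.

```python
import re

# Constructed sample modelled on the output pasted earlier in this thread.
SAMPLE_OUTPUT = """\
            Interface:  GigabitEthernet2/0/46
          MAC Address:  0050.c2a8.0ffb
           IP Address:  Unknown
            User-Name:  00-50-C2-A8-0F-FB
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  single-host
     Oper control dir:  in
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-SSH-PERMIT-ALL-5270ce52
      Session timeout:  N/A
    Common Session ID:  0AA000390000002A12EFCB63
Runnable methods list:
       Method   State
       mab      Authc Success
"""

# One "Key:  value" line; the key may contain spaces (e.g. "IP Address").
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s+(.*\S)\s*$")


def parse_session(text):
    """Collect the key/value fields of one session; stop at the methods list."""
    fields = {}
    for line in text.splitlines():
        if line.strip().startswith("Runnable methods"):
            break
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def check_dacl_applicable(fields):
    """Return (ok, reason). A dACL is only installed on the port once the
    switch (via IP device tracking) has learned the host IP, so an
    authorized session with a dACL and IP 'Unknown' will not pass traffic."""
    if fields.get("Status") != "Authz Success":
        return False, "session not authorized"
    ip = fields.get("IP Address", "Unknown")
    dacl = fields.get("ACS ACL", "N/A")
    if dacl not in ("N/A", "") and ip == "Unknown":
        return False, f"dACL {dacl} cannot be applied: host IP not learned"
    return True, "ok"
```

Run it over the sample and it reports the dACL as not applicable; feed it a session whose IP Address has been learned and it reports ok.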
01-13-2014 09:23 PM
Hi Bruce,
It's static; actually, this is where the original problem originated from. Because of the static IP, MAB was not getting initialized, and so I had to use the command
"authentication control-direction in".
But I am still not able to ping.
03-11-2014 09:42 PM
Hi Team,
I have managed to put in the above-mentioned command "ip device tracking probe use-svi" and it is working for some devices/ports. But on other occasions it is not working.
It works after I try to remove it, then re-add the MAB commands and shut/unshut the port several times, and then try to ping simultaneously.
The difference I can see is that when it correctly accepts the device, in ACS monitoring I can see entries for both Authentication and ACL, while otherwise only the Authentication entry is there. Kindly see the attached pic here.
I want to know what is causing ACS to stop the ACL entry on occasions.
Also in the 2nd attachment (it is for a successful auth) you can see the below output, which should not be there by rights? Is it something to do with my MAB issue as well?
"24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory"
Regards,
hammad
03-13-2014 01:24 AM
Hi Team,
Can any of the Gurus help? :)
Regards
Hammad
01-13-2014 08:22 PM
Do you have "IP device tracking" enabled on the switch?
01-13-2014 09:23 PM
No, we don't have this command on the switch.
01-13-2014 09:44 PM
I would add it and try. The reference below is for webauth, but since CWA is really MAB, it still applies.
Note  By default, the IP device tracking feature is disabled on a switch. You must enable the IP device tracking feature to use web-based authentication.
For Layer 2 interfaces, web-based authentication detects IP hosts by using these mechanisms:
• ARP based trigger—ARP redirect ACL allows web-based authentication to detect hosts with a static IP address or a dynamic IP address.
• Dynamic ARP inspection
• DHCP snooping—Web-based authentication is notified when the switch creates a DHCP-binding entry for the host.
02-12-2014 08:36 PM
Hi Bruce,
I have tried adding the command "IP device tracking", but still not getting authentication.
Is there any other alternative for this?
Regards,
Hammad Raza
02-16-2014 11:55 PM
Hi Team,
I have tried adding the command "IP device tracking", but still not getting MAB initiated when the port comes up.
Is there any other alternative for this? Or any technical document specifically referring to this kind of issue?
Regards,
02-17-2014 02:06 PM
With "IP device tracking" configured, add the following command to the switch:
ip device tracking probe use-svi
Bounce the port and issue a 'show ip device track interface gi2/0/46'.