cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8062
Views
5
Helpful
17
Replies

MAB Authentication with no response

shrazar85
Level 1
Level 1

Hi All,

I am configuring MAB authentication for IBMS devices(some buliding infra devices) but MAB was not getting triggered.

I tried using the following solution as well,

https://supportforums.cisco.com/thread/2015988

it says I should changed control-direction to inbound "dot1x control-direction in", that let the MAB work. By applying this interface level command I can see that session is getting authorized but still I can not ping the devices.

Can someone exactly confirm whats the issue over here and how to resolve?

My config on port is as follows,

!

int ten1/1/9

switchport mode access

authentication host-mode single-host

authentication port-control auto

authentication violation restrict

authentication control-direction in

mab

!

Regards,


17 Replies 17

Robert Salazar
Cisco Employee
Cisco Employee

what does the show auth session interface int ten 1/1/9 look like when the port is authorized?

Does an IP address show up in the output?

Hi Robert,

No, its not showing any IP , the status looks like as follows,

sh authentication sessions interface gi2/0/46

                    Interface:  GigabitEthernet2/0/46
              AC Address:  0050.c2a8.0ffb
                IP Address:  Unknown
                User-Name:  00-50-C2-A8-0F-FB
                        Status:  Authz Success
                      Domain:  DATA
        Oper host mode:  single-host
          Oper control dir:  in
             Authorized By:  Authentication Server
                  Vlan Policy:  N/A
                    ACS ACL:  xACSACLx-IP-SSH-PERMIT-ALL-5270ce52
          Session timeout:  N/A
                   Idle timeout:  N/A
   Common Session ID:  0AA000390000002A12EFCB63
      Acct Session ID:  0x00000197
               Handle:  0xA600002B

Runnable methods list:
       Method   State
       mab      Authc Success

Regards

Hammad

Can you paste a show access-list xACSACLx-IP-SSH-PERMIT-ALL-5270ce52 or what ever the current dACL that is applied when you first get authenticated?

Hi Bruce,

My DAcl is like this,

!

permit ip any any

!

So the switch will take the learned IP address and modify the dACL applied with the new IP address learned from the port.  If it doesn't learn an IP, then it can't modify the dACL.  I think if your dACL is truely "permit ip any any" then it should work.  You might try to add "permit icmp any any" to the dACL, if ping is what you are looking for.  Also, is the end device learning it's IP address from DHCP or is it static? 

Hi Bruce,

Its static, actually this is where from the orignal problem initiated. Coz of static IP the MAB was not getting initialized and so I have to use the command,

"authentication control-direction in".

But still not able to ping.

Hi Team,

 

I have manage to put the above mention commands " ip device tracking probe use-svi" and it is working for some devices/ports. But on other occassions it is not working.

It works after I tried to remove it then re-add the MAB commands and shut /unshut port several times and then try to ping simultaneously.

The difference I can see is that when it correctly accept the device , in ACS monitoring I can see the entries for both Authentication and ACL while otherwise only Authentication entry is there. Kindly see the attached pic here.

I want to know what is causing ACS to stop the ACL entry on occasions?

Also in 2nd attachment (it is for successful auth) you can see the below output which should not be there by right? is it something to do with my MAB issue as well?

"24423  ACS has not been able to confirm previous successful machine authentication for user in Active Directory"

 

Regards,

hammad 

Hi Team,


Can anyone of the Guru's help? :)


Regards

Hammad

DO you have "IP device tracking" enabled on the switch?

No we dont have this command on switch.

I would add it and try.  The reference below is for webauth but since cwa is really MAB, it still applies.

Note By default, the IP device tracking feature is disabled on a switch. You must enable the IP device tracking feature to use web-based authentication.

For Layer 2 interfaces, web-based authentication detects IP hosts by using these mechanisms:

ARP based trigger—ARP redirect ACL allows web-based authentication to detect hosts with a static IP address or a dynamic IP address.

Dynamic ARP inspection

DHCP snooping—Web-based authentication is notified when the switch creates a DHCP-binding entry for the host.

Hi Bruce,

I have tried with adding in the command "IP device tracking", but still not getting authentication.

Is there any other alternative for this?

Regards,

Hammad Raza

Hi Team,

I have tried with adding in the command "IP device tracking", but still not getting MAB initiated when port comes up.

Is there any other alternative for this? or any technical docment specifically referring this kind of issues?

Regards,

With "IP device tracking" configured, add the following command to the switch:

ip device tracking probe use-svi

bounce the port  and issue a 'show ip device track interface gi2/0/46'