This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
I am configuring MAB authentication for IBMS devices(some buliding infra devices) but MAB was not getting triggered.
I tried using the following solution as well,
it says I should changed control-direction to inbound "dot1x control-direction in", that let the MAB work. By applying this interface level command I can see that session is getting authorized but still I can not ping the devices.
Can someone exactly confirm whats the issue over here and how to resolve?
My config on port is as follows,
switchport mode access
authentication host-mode single-host
authentication port-control auto
authentication violation restrict
authentication control-direction in
No, its not showing any IP , the status looks like as follows,
sh authentication sessions interface gi2/0/46
AC Address: 0050.c2a8.0ffb
IP Address: Unknown
Status: Authz Success
Oper host mode: single-host
Oper control dir: in
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-SSH-PERMIT-ALL-5270ce52
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0AA000390000002A12EFCB63
Acct Session ID: 0x00000197
Runnable methods list:
mab Authc Success
Can you paste a show access-list xACSACLx-IP-SSH-PERMIT-ALL-5270ce52 or what ever the current dACL that is applied when you first get authenticated?
So the switch will take the learned IP address and modify the dACL applied with the new IP address learned from the port. If it doesn't learn an IP, then it can't modify the dACL. I think if your dACL is truely "permit ip any any" then it should work. You might try to add "permit icmp any any" to the dACL, if ping is what you are looking for. Also, is the end device learning it's IP address from DHCP or is it static?
Its static, actually this is where from the orignal problem initiated. Coz of static IP the MAB was not getting initialized and so I have to use the command,
"authentication control-direction in".
But still not able to ping.
I have manage to put the above mention commands " ip device tracking probe use-svi" and it is working for some devices/ports. But on other occassions it is not working.
It works after I tried to remove it then re-add the MAB commands and shut /unshut port several times and then try to ping simultaneously.
The difference I can see is that when it correctly accept the device , in ACS monitoring I can see the entries for both Authentication and ACL while otherwise only Authentication entry is there. Kindly see the attached pic here.
I want to know what is causing ACS to stop the ACL entry on occasions?
Also in 2nd attachment (it is for successful auth) you can see the below output which should not be there by right? is it something to do with my MAB issue as well?
"24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory"
I would add it and try. The reference below is for webauth but since cwa is really MAB, it still applies.
Note By default, the IP device tracking feature is disabled on a switch. You must enable the IP device tracking feature to use web-based authentication.
For Layer 2 interfaces, web-based authentication detects IP hosts by using these mechanisms:
•ARP based trigger—ARP redirect ACL allows web-based authentication to detect hosts with a static IP address or a dynamic IP address.
•Dynamic ARP inspection
•DHCP snooping—Web-based authentication is notified when the switch creates a DHCP-binding entry for the host.
I have tried with adding in the command "IP device tracking", but still not getting authentication.
Is there any other alternative for this?
I have tried with adding in the command "IP device tracking", but still not getting MAB initiated when port comes up.
Is there any other alternative for this? or any technical docment specifically referring this kind of issues?
With "IP device tracking" configured, add the following command to the switch:
ip device tracking probe use-svi
bounce the port and issue a 'show ip device track interface gi2/0/46'