Showing results for 
Search instead for 
Did you mean: 
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


MAB authentification feils after reboot

Somebody help!!! J

Everything working just fine but after switch restarts authentication fails.

(cat4500e-ENTSERVICESK9-M), Version 12.2(53)SG2

ACS 4.2

in ACS  can see   Authen session timed out: Challenge not provided by client

Switch says : Sep 30 19:06:30 MET-DST: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0001.3e01.858a) on Interface Gi9/26

interface GigabitEthernet1/1

switchport mode access

switchport port-security maximum 3

authentication event fail action authorize vlan 500

authentication event server dead action authorize vlan 500

authentication event no-response action authorize vlan 500

authentication order mab

authentication priority mab

authentication port-control auto

mab eap

dot1x pae authenticator

dot1x timeout tx-period 5

dot1x max-req 1

storm-control broadcast level 3.00

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard loop



Re: MAB authentification feils after reboot

It has to do with Spanning tree protocol on the switch where right after
switch reboot, STP is still in process and the switch sends out the
Radius-Request but it doesn't reach the Radius Server until STP is run
and the correct interfaces start forwarding.

You need to adjust the Radius Timers on the switch.
Please enter the following commands on the switch: radius-server retransmit 6
radius-server timeout 10

This means that the switch will retransmit the radius request every 10 seconds for 6 times before marking the Server as Dead and failing the MAB authentication. These 60 seconds are enough for STP to converge.

Re: MAB authentification feils after reboot

I have TAC case in this issue, and they sad the same. i tested this without help (it's helped a lit, but not all interfases got right Vlan.)

and we are using rapid spanning tree so it should be enought 60s but.....

Cisco Employee

Re: MAB authentification feils after reboot

Hi, this problem with MAB is due to the fact that the Radius Server is unreachable for a bit of time right after the switch reboot.

While the switch finishes the reboot, there is STP in process so the Radius Server will be unreachable until STPis finished.

Have a look at CSCtj46641 which has been closed as non-software-defect on switches.

Since MAB is immediate after switchport going up and at the same time radius server is still not available, there is a need to workaround the problem.

Some options to workaround:

1- radius timers increase to accomodate needed time for stp to finish

2- dot1x reauthentication timer

This has been the outcome of the TAC case between me and Andrius.

Hope this helps others facing this issue in the future.