12-28-2018 06:18 AM
Hi to all,
I am concerned about the case of ISE failure, so I would like to make sure that IP phones (MAB based) will continue to operate.
So my config is as follows:
interface GigabitEthernet4/23
description VoIP-Tests
switchport access vlan 100
switchport mode access
switchport voice vlan 90
switchport port-security maximum 5
switchport port-security
switchport port-security violation restrict
switchport port-security aging type inactivity
switchport port-security aging static
logging event link-status
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication order mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast
spanning-tree bpduguard enable
end
Although the phone works OK while ISE is present, when I remove ISE from the switch config the phone does not get registered.
Am i missing any additional commands under interface config?
I also had the command "authentication server fail action next-method" under interface config, but it did not make any difference, so I removed it.
What follows are some debugs:
Dec 28 16:01:48: mab-ev(Gi4/23): Reauthenticating client 0x5600004D (0072.7826.3a1f)
Dec 28 16:01:48: mab-sm(Gi4/23): Received event 'MAB_REAUTHENTICATE' on handle 0x5600004D
Dec 28 16:01:48: mab : during state mab_terminate, got event 2(mabReauthenticate)
Dec 28 16:01:48: @@@ mab : mab_terminate -> mab_authorizing
Dec 28 16:01:48: mab-ev(Gi4/23): Sending create new context event to EAP from MAB for 0x5600004D (0072.7826.3a1f)
Dec 28 16:01:48: mab-ev(Gi4/23): Starting MAC-AUTH-BYPASS for 0x5600004D (0072.7826.3a1f)
Dec 28 16:01:48: mab-ev(Gi4/23): MAB received an Access-Reject for 0x5600004D (0072.7826.3a1f)
Dec 28 16:01:48: %MAB-5-FAIL: Authentication failed for client (0072.7826.3a1f) on Interface Gi4/23 AuditSessionID 00000000000003845C018D25
Dec 28 16:01:48: mab-ev(Gi4/23): MAB received an Access-Reject for 0x5600004D (0072.7826.3a1f)
Dec 28 16:01:48: %MAB-5-FAIL: Authentication failed for client (0072.7826.3a1f) on Interface Gi4/23 AuditSessionID 00000000000003845C018D25
Dec 28 16:01:48: mab-ev(Gi4/23): Final EAP Fail pkt received by MAB
Dec 28 16:01:48: mab-sm(Gi4/23): Received event 'MAB_RESULT' on handle 0x5600004D
Dec 28 16:01:48: mab : during state mab_authorizing, got event 5(mabResult)
Dec 28 16:01:48: @@@ mab : mab_authorizing -> mab_terminate
Dec 28 16:01:48: mab-ev(Gi4/23): Deleted credentials profile for 0x5600004D (dot1x_mac_auth_007278263a1f)
Dec 28 16:01:48: mab-ev(Gi4/23): Sending event (2) to AuthMGR for 0072.7826.3a1f
Dec 28 16:01:48: mab-sm(Gi4/23): Received event 'MAB_RESULT' on handle 0x5600004D
Dec 28 16:01:48: mab : during state mab_terminate, got event 5(mabResult) (ignored)
Dec 28 16:01:48: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0072.7826.3a1f) on Interface Gi4/23 AuditSessionID 00000000000003845C018D25
Dec 28 16:01:48: %AUTHMGR-5-FAIL: Authorization failed for client (0072.7826.3a1f) on Interface Gi4/23 AuditSessionID 00000000000003845C018D25
Dec 28 16:02:00: AAA/BIND(00019775): Bind i/f
Dec 28 16:02:00: AAA/AUTHEN/LOGIN (00019775): Pick method list 'default'
Dec 28 16:02:06: AAA/AUTHOR (0x19775): Pick method list 'default'
Dec 28 16:02:06: AAA/AUTHOR/EXEC(00019775): processing AV cmd=
Dec 28 16:02:06: AAA/AUTHOR/EXEC(00019775): processing AV priv-lvl=15
Dec 28 16:02:06: AAA/AUTHOR/EXEC(00019775): Authorization successful
Dec 28 16:02:49: mab-ev(Gi4/23): Reauthenticating client 0x5600004D (0072.7826.3a1f)
Dec 28 16:02:49: mab-sm(Gi4/23): Received event 'MAB_REAUTHENTICATE' on handle 0x5600004D
Dec 28 16:02:49: mab : during state mab_terminate, got event 2(mabReauthenticate)
Dec 28 16:02:49: @@@ mab : mab_terminate -> mab_authorizing
Dec 28 16:02:49: mab-ev(Gi4/23): Sending create new context event to EAP from MAB for 0x5600004D (0072.7826.3a1f)
Dec 28 16:02:49: mab-ev(Gi4/23): Starting MAC-AUTH-BYPASS for 0x5600004D (0072.7826.3a1f)
Dec 28 16:02:49: mab-ev(Gi4/23): MAB received an Access-Reject for 0x5600004D (0072.7826.3a1f)
Dec 28 16:02:49: %MAB-5-FAIL: Authentication failed for client (0072.7826.3a1f) on Interface Gi4/23 AuditSessionID 00000000000003845C018D25
Dec 28 16:02:49: mab-ev(Gi4/23): MAB received an Access-Reject for 0x5600004D (0072.7826.3a1f)
Dec 28 16:02:49: %MAB-5-FAIL: Authentication failed for client (0072.7826.3a1f) on Interface Gi4/23 AuditSessionID 00000000000003845C018D25
Dec 28 16:02:49: mab-ev(Gi4/23): Final EAP Fail pkt received by MAB
Dec 28 16:02:49: mab-sm(Gi4/23): Received event 'MAB_RESULT' on handle 0x5600004D
Dec 28 16:02:49: mab : during state mab_authorizing, got event 5(mabResult)
Dec 28 16:02:49: @@@ mab : mab_authorizing -> mab_terminate
Dec 28 16:02:49: mab-ev(Gi4/23): Deleted credentials profile for 0x5600004D (dot1x_mac_auth_007278263a1f)
Dec 28 16:02:49: mab-ev(Gi4/23): Sending event (2) to AuthMGR for 0072.7826.3a1f
Dec 28 16:02:49: mab-sm(Gi4/23): Received event 'MAB_RESULT' on handle 0x5600004D
Dec 28 16:02:49: mab : during state mab_terminate, got event 5(mabResult) (ignored)
Dec 28 16:02:49: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0072.7826.3a1f) on Interface Gi4/23 AuditSessionID 00000000000003845C018D25
Dec 28 16:02:49: %AUTHMGR-5-FAIL: Authorization failed for client (0072.7826.3a1f) on Interface Gi4/23 AuditSessionID 00000000000003845C018D25
Dec 28 16:02:50: RADIUS/ENCODE(000193FB):Orig. component type = DOT1X
Dec 28 16:02:50: RADIUS(000193FB): Config NAS IP: 0.0.0.0
Dec 28 16:02:50: RADIUS(000193FB): sending
Dec 28 16:02:50: RADIUS/DECODE: parse response no app start; FAIL
Dec 28 16:02:50: RADIUS/DECODE: parse response; FAIL
Thank you,
Ditter.
01-02-2019 09:39 AM
Please review our ISE Secure Wired Access Prescriptive Deployment Guide for many of your questions.
Do not use Port Security with 802.1X - these are 2 completely different processes for controlling the port. This is mentioned under Switch Configuration for Closed Mode > MAC Limits.
Critical Voice VLAN is mentioned in Switch Configuration for Closed Mode > Critical Authentication.
01-04-2019 09:03 AM
Hello Ditter,
dot1x pae authenticator -- this command enables dot1x on the port, and by default the port tries dot1x first before it falls back to MAB. Again, it's a general recommendation.
WRT simulating server failure, "no radius-server host" may not be the right way to do it. Can you simulate this on the layer above (maybe disconnecting the uplink or disabling routing between your access switch and distribution)? This is how I had verified it, and it worked.
Regards
Mahesh N
01-09-2019 02:48 AM
Hi Mnagired,
finally I have some good results and I would like to share them with all.
The steps I followed are:
1. Firstly I manipulated the routing (static entries to null0) in order to simulate radius-dead (instead of just negating the radius command in the switch itself). Result: Nothing changed
2. I negated all port security commands in order to be consistent with Cisco recommendations and the guide you shared. Result: Nothing changed
Finally, what made the difference was to remove the command: authentication event server dead action authorize
When I removed the above-mentioned command the phone came up online.
sh authentication sessions interface gigabitEthernet 4/23
Interface: GigabitEthernet4/23
MAC Address: 0072.7826.3a1f
IP Address: 10.10.224.27
Status: Authz Failed
Domain: DATA
Oper host mode: multi-auth
Oper control dir: in
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 00000000000003D29917AC99
Acct Session ID: 0x00019C40
Handle: 0xE00003D3
Runnable methods list:
Method State
mab Authc Failed
Critical Authorization is in effect for domain(s) VOICE <------- This shows that the phone is registered in the voice domain, although the command shows the following:
sh authentication sessions
Interface MAC Address Method Domain Status Session ID
Gi4/23 0072.7826.3a1f mab DATA Authz Failed 00000000000003D29917AC99 <------ Here it shows that
the phone MAC address is in the DATA domain, but it seems that it is a bogus output, as the command sh authentication sessions interface gigabitEthernet 4/23 shows that the phone is critically authorized in the VOICE domain:
Critical Authorization is in effect for domain(s) VOICE
Any ideas about this inconsistency between these two show commands?
The working interface commands are the following:
interface GigabitEthernet4/23
description VoIP-Tests
switchport access vlan 100
switchport mode access
switchport voice vlan 90
switchport port-security maximum 5
switchport port-security
switchport port-security aging time 5
switchport port-security violation restrict
switchport port-security aging type inactivity
switchport port-security aging static
logging event link-status
authentication control-direction in
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast
spanning-tree bpduguard enable
end
Thanks,
Ditter.
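The two "sh authentication sessions interface gigabitEthernet 4/23" outputs posted in this thread (RADIUS dead versus RADIUS alive) are easy to misread by eye, because the "Domain:" field and the "Critical Authorization is in effect for domain(s) ..." trailer can disagree. The following script is an added example, not code from the thread or from Cisco: it parses that show output into a structure and classifies the session, flagging exactly the DATA-versus-VOICE mismatch described above. The sample inputs are copied from the outputs posted in the thread; the function names and the classification labels are my own.

```python
import re

# Constructed sample input, copied from the RADIUS-dead output posted in this
# thread: Status "Authz Failed", Domain DATA, yet critical authorization for VOICE.
SESSION_RADIUS_DEAD = """\
Interface: GigabitEthernet4/23
MAC Address: 0072.7826.3a1f
IP Address: 10.10.224.27
Status: Authz Failed
Domain: DATA
Oper host mode: multi-auth
Oper control dir: in
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 00000000000003D29917AC99
Acct Session ID: 0x00019C40
Handle: 0xE00003D3
Runnable methods list:
Method State
mab Authc Failed
Critical Authorization is in effect for domain(s) VOICE
"""

# Constructed sample input, copied from the RADIUS-alive output posted in this
# thread: a normal MAB success in the VOICE domain.
SESSION_RADIUS_ALIVE = """\
Interface: GigabitEthernet4/23
MAC Address: 0072.7826.3a1f
IP Address: 10.10.224.27
User-Name: 00-72-78-26-3A-1F
Status: Authz Success
Domain: VOICE
Oper host mode: multi-auth
Oper control dir: in
Authorized By: Authentication Server
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 000000000000038A71740833
Acct Session ID: 0x0001990C
Handle: 0x8C00038B
Runnable methods list:
Method State
mab Authc Success
"""

CRITICAL_RE = re.compile(r"Critical Authorization is in effect for domain\(s\)\s+(.+)")


def parse_session(text):
    """Turn one 'show authentication sessions interface X' block into a dict
    with the key/value fields, the per-method states and the critical domains."""
    session = {"fields": {}, "methods": {}, "critical_domains": []}
    in_methods = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CRITICAL_RE.match(line)
        if m:
            # Trailer line; it may list more than one domain, e.g. "DATA VOICE".
            session["critical_domains"] = m.group(1).replace(",", " ").split()
            in_methods = False
            continue
        if line == "Runnable methods list:":
            in_methods = True
            continue
        if in_methods:
            if line != "Method State":
                method, _, state = line.partition(" ")
                session["methods"][method] = state.strip()
            continue
        key, sep, value = line.partition(":")
        if sep:
            session["fields"][key.strip()] = value.strip()
    return session


def classify(session):
    """Summarise the session state; labels are this example's own convention."""
    fields = session["fields"]
    critical = session["critical_domains"]
    if critical:
        # Critical (fail-open) authorization is active. As seen in the thread,
        # the "Domain:" field can still report DATA while VOICE is the domain
        # that was critically authorized, so compare the two explicitly.
        if fields.get("Domain") in critical:
            return "critical-authorized"
        return "critical-authorized-domain-mismatch"
    if fields.get("Status") == "Authz Success":
        return "authorized"
    return "failed"


if __name__ == "__main__":
    for label, text in (("dead", SESSION_RADIUS_DEAD), ("alive", SESSION_RADIUS_ALIVE)):
        s = parse_session(text)
        print(label, s["fields"].get("Domain"), s["critical_domains"], classify(s))
```

Running it over the two samples yields "critical-authorized-domain-mismatch" for the RADIUS-dead output and "authorized" for the RADIUS-alive one, which is the distinction a monitoring check should alert on rather than trusting the one-line "show authentication sessions" summary.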
12-28-2018 06:48 AM - edited 12-28-2018 06:49 AM
Hi,
I've no idea what the outcome would be of removing the dot1x configuration on an interface in order to simulate ISE failure; it's probably not an actual valid test.
A better way to simulate ISE failure, which I've used for NRFU testing previously, was to ensure that the switch reports that the RADIUS servers are dead by adding a static null route to the RADIUS servers, meaning the switch won't route traffic to the ISE server. Wait for the output of "show aaa server" to report the RADIUS servers are dead and then plug in the phone. The phone should be authorized due to the command "authentication event server dead action authorize voice" you have configured.
HTH
12-28-2018 06:50 AM
01-01-2019 09:11 AM
Thanks RJI,
can you please elaborate why, in your opinion, port-security would interfere with MAB?
In addition, if I remove port-security from the phone interface, how can I limit the number of MAC addresses to (for example) 5 or 10?
01-01-2019 10:15 AM
Hi Ditter,
It's not my opinion, but rather a Cisco recommendation not to use 802.1x and Port Security. More information here: Deployment guide and forum post.
Do you really envisage having more than 2 devices (1 data (PC/laptop) and 1 voice) per interface? multi-domain would cover that scenario.
01-01-2019 11:58 AM
Thanks RJI,
yes, I need multi-auth instead of multi-domain, as there are cases where the users install a small switch (or run hypervisors) on their PCs, so I need multi-auth to be present on the switch ports.
Ditter.
12-28-2018 09:26 AM
Hi Ditter,
1. You have all the required configs for Critical Authentication to work; I would recommend adding the below CLI as part of the best practice configuration:
authentication control-direction in
authentication event server alive action reinitialize
2. Yes, can you confirm the way you are failing reachability to ISE? Your debug does show "Authentication result 'server dead'", which is a good sign, but I would like to understand the way it's done.
3. Yes, it's not recommended to use port-security with dot1x as it's not compatible.
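The two recurring recommendations in this thread (do not combine port-security with 802.1X/MAB on the same port, and add "authentication control-direction in" plus "authentication event server alive action reinitialize" as best practice) are simple to check across a whole running-config. The script below is an added example, not the thread's own code or a Cisco tool: it splits a config into interface blocks and reports, per port, the combinations discussed here, including the one Ditter later found to matter (both the data and the voice form of "server dead action authorize" on the same port). The sample config is constructed: Gi4/23 mirrors the thread's first, non-working port, and Gi4/24 is a hypothetical port written to pass every check.

```python
# Constructed sample running-config fragment (see the lead-in for provenance).
RUNNING_CONFIG = """\
interface GigabitEthernet4/23
 description VoIP-Tests
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 90
 switchport port-security maximum 5
 switchport port-security
 switchport port-security violation restrict
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication host-mode multi-auth
 authentication order mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet4/24
 description hypothetical-clean-port
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 90
 authentication control-direction in
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order mab
 authentication port-control auto
 mab
!
"""

# Commands recommended in this thread as best practice for critical authentication.
RECOMMENDED = (
    "authentication control-direction in",
    "authentication event server alive action reinitialize",
)


def parse_interfaces(config):
    """Map interface name -> list of its indented sub-commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return interfaces


def audit_interface(commands):
    """Return a list of human-readable findings for one interface block."""
    cmds = set(commands)
    findings = []
    auth_port = ("authentication port-control auto" in cmds or "mab" in cmds
                 or "dot1x pae authenticator" in cmds)
    if not auth_port:
        return findings  # nothing to check on a port without 802.1X/MAB
    if any(c.startswith("switchport port-security") for c in cmds):
        findings.append("port-security configured together with 802.1X/MAB "
                        "(Cisco guide: do not mix them)")
    has_voice_vlan = any(c.startswith("switchport voice vlan") for c in cmds)
    voice_critical = "authentication event server dead action authorize voice" in cmds
    if has_voice_vlan and not voice_critical:
        findings.append("voice VLAN without 'server dead action authorize voice': "
                        "phones will not come up while RADIUS is dead")
    if "authentication event server dead action authorize" in cmds and voice_critical:
        findings.append("both data and voice server-dead authorize actions present "
                        "(in this thread the phone only registered once the data form was removed)")
    for cmd in RECOMMENDED:
        if cmd not in cmds:
            findings.append(f"missing recommended command: {cmd}")
    return findings


def audit_config(config):
    """Audit every interface block; interface name -> findings."""
    return {name: audit_interface(cmds) for name, cmds in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(RUNNING_CONFIG).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Feed it the output of "show running-config" and only ports that actually run 802.1X or MAB are examined, so unmanaged uplinks do not produce noise. The checks are deliberately string-exact, which is why the voice form of the server-dead command does not also match the bare data form.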
01-01-2019 09:30 AM
Hi Mnagired,
1. Yes, I added the two commands you mentioned but nothing changed.
2. The way I "simulated" the lack of connection to ISE was simply to do a
"no radius-server host <ip address> auth-port 1812 acct-port 1813 key abcdef"
What worries me is that when I do "sh authentication sessions interface gigabitEthernet 4/23"
it mentions that the domain is DATA but it should be voice....
Interface: GigabitEthernet4/23
MAC Address: 0072.7826.3a1f
IP Address: 10.10.224.27
Status: Authz Failed
Domain: DATA <------ Shouldn't this be voice ?
Oper host mode: multi-auth
Oper control dir: in
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 00000000000003845C018D25
Acct Session ID: 0x00019772
Handle: 0xB2000385
Runnable methods list:
Method State
mab Authc Failed
Critical Authorization is in effect for domain(s) VOICE
Finally, when I re-enable the RADIUS server on the switch, the phone immediately comes online:
sh authentication sessions interface gigabitEthernet 4/23
Interface: GigabitEthernet4/23
MAC Address: 0072.7826.3a1f
IP Address: 10.10.224.27
User-Name: 00-72-78-26-3A-1F
Status: Authz Success
Domain: VOICE <--- And in the correct domain
Oper host mode: multi-auth
Oper control dir: in
Authorized By: Authentication Server
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 000000000000038A71740833
Acct Session ID: 0x0001990C
Handle: 0x8C00038B
Runnable methods list:
Method State
mab Authc Success
Any ideas what could be wrong?
Thanks,
Ditter.
03-22-2019 02:17 PM
No one has commented on the output behavior showing the wrong domain (e.g. DATA domain for phones).
It seems even the complete opposite is bugged:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvh58593
When there is not even a phone/voice domain client...
@Ditter wrote:Hi Mnagired,
the Phone MAC address is in the DATA domain but it is seems that it is a bogus output