Solved: Re: MAB commands on the 9200 switch interface??

JustTakeTheFirstStep · ‎10-14-2024

SW1#sh run | s aaa
aaa new-model
aaa group server radius ise
server name ise_10.10.10.10
ip radius source-interface Vlan974
aaa authentication dot1x default group ise
aaa authorization network default group ise local
aaa accounting dot1x default start-stop group ise
aaa server radius dynamic-author
client 10.10.10.10 server-key 7 002C1E01175A59565D750D
aaa session-id common

SW1(config)#int g1/0/1
SW1(config-if)#authen?
% Unrecognized command

SW1(config-if)#mab?
% Unrecognized command

SW1#show inven

NAME: "Switch 1", DESCR: "C9200L-48P-4X"
PID: C9200L-48P-4X , VID: V02

JustTakeTheFirstStep · ‎10-22-2024

@Aref Alsouqi @Rob Ingram @MHM Cisco World M02@rt37

Entering the "switchport mode access" command on an interface activates the MAB command.

Thank you for your interest in my writing.

SW1#sh run int g1/0/1
interface GigabitEthernet1/0/1
switchport mode access
end

SW1(config)#int g1/0/1
SW1(config-if)#mab?
mab

SW1#sh run int g1/0/1
interface GigabitEthernet1/0/1
end

SW1(config)#int g1/0/1
SW1(config-if)#mab?
% Unrecognized command

View solution in original post

M02@rt37 · ‎10-14-2024

Hello @JustTakeTheFirstStep

Make sure those ports are actually set as Access Ports before configuring the dot1x.

Aslo, ensure that dot1 is enable in global:

dot1x system-auth-control

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

JustTakeTheFirstStep · ‎10-15-2024

SW1#sh run | i dot1x
dot1x system-auth-control

SW1(config)#int g1/0/1
SW1(config-if)#authen?
% Unrecognized command

SW1(config-if)#mab?
% Unrecognized command

MHM Cisco World · ‎10-14-2024

dot1x pae authenticator

Add this then check command

MHM

JustTakeTheFirstStep · ‎10-15-2024

SW1#dot1x ?
test Test 802.1x capabilities

SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.

SW1(config)#dot1x ?
auth-fail
credentials
critical
guest-vlan
logging
supplicant
system-auth-control
test

Aref Alsouqi · ‎10-14-2024

As M02@rt37 mentioned, the port you are trying to configure dot1x on it might not be configured as an access port. You can factory reset it with the command "default int g1/0/1". Also please take a look at this link for more details:

Switch Configuration for ISE dot1x — Networking fun (network-node.com)

JustTakeTheFirstStep · ‎10-15-2024

HMSGA_POE_SW1(config)#default int g1/0/1
Interface GigabitEthernet1/0/1 set to default configuration

HMSGA_POE_SW1(config)#int g1/0/1
HMSGA_POE_SW1(config-if)#auth?
% Unrecognized command

HMSGA_POE_SW1(config-if)#mab?
% Unrecognized command

Rob Ingram · ‎10-15-2024

@JustTakeTheFirstStep if you cannot configure "authentication" commands under the interface, you could be running IBNS 2.0 and therefore the commands would now be "access-session", run the command "authentication display config-mode" to determine if the current configuration mode is "new-style".

Refer to the guides for more IBNS 2.0 information

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ibns/configuration/15-e/ibns-15-e-book/ibns-cntrl-pol.html

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

https://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-x-series-switches/207193-Configure-IBNS-2-0-for-Single-Host-and-M.html

JustTakeTheFirstStep · ‎10-15-2024

SW1#authentication display config-mode
Current configuration mode is legacy

SW1#authentication display new-style

SW1#wr
Building configuration...
[OK]
SW1#reload
Proceed with reload? [confirm]

SW1#authentication display config-mode
Current configuration mode is new-style

HMSGA_POE_SW1(config)#int g1/0/1
SW1(config-if)#authen?
% Unrecognized command
SW1(config-if)#mab?
% Unrecognized command

Aref Alsouqi · ‎10-15-2024

Could you please share the output of the command "sh int status | i 1/0/1_" for review?

JustTakeTheFirstStep · ‎10-22-2024