JG1978
Beginner

MAB critical Vlan not working with Multi-Auth

We use MAB for our port security, with our switches pointed to ISE for the MAC database check.

What is happening is that when we have "authentication host-mode multi-auth" on the switchport and we unplug the uplink to simulate an ISE outage or WAN link failure, the critical auth policy never kicks in. If we unplug the ports, the devices just keep trying to authenticate every 60 seconds even though the RADIUS server is marked as dead.

If I change authentication host-mode from multi-auth to multi-domain, it works: the devices fail open by being put into the critical VLAN and the port is authorized. We need to use multi-auth for our staff who have multiple devices, as multi-domain only allows one voice and one data MAC.


*Mar 1 16:36:44.389: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (xxxx.xxxx.xxxx) on Interface Fa0/2 AuditSessionID 0A646464000000B9038A1083
*Mar 1 16:37:44.267: %MAB-5-FAIL: Authentication failed for client (xxxx.xxxx.xxxx) on Interface Fa0/1 AuditSessionID 0A646464000000B7038A0A8D
*Mar 1 16:37:44.267: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (xxxx.xxxx.xxxx) on Interface Fa0/1 AuditSessionID 0A646464000000B7038A0A8D
*Mar 1 16:37:44.267: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (xxxx.xxxx.xxxx) on Interface Fa0/1 AuditSessionID 0A646464000000B7038A0A8D
*Mar 1 16:37:44.267: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (xxxx.xxxx.xxxx) on Interface Fa0/1 AuditSessionID 0A646464000000B8038A0A95

Port configuration:

interface FastEthernet0/1
switchport mode access
switchport voice vlan 20
authentication control-direction in
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab
authentication priority mab
authentication port-control auto
authentication violation protect
mab
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
spanning-tree portfast

Does anyone know why multi-auth is not working with the critical auth VLAN, and only multi-domain will?

Accepted Solution

Octavian Szolga
Enthusiast

Hi,

It's because multi-auth doesn't use the authorize option for the dead-server action; it uses reinitialize instead.

This is critical auth for multi-domain:

switchport mode access
switchport access vlan <X>
authentication host-mode multi-domain
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize

No need to specify the VLAN; it is the access port VLAN.

This is critical auth for multi-auth:

switchport access vlan <X>
switchport mode access
authentication host-mode multi-auth
authentication event server dead action reinitialize vlan <X>
authentication event server dead action authorize voice
authentication event server alive action reinitialize

BR,
Octavian
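As an added example (not code from the thread or from Cisco), a small Python audit that applies the rule in the accepted answer to a running-config: it parses interface stanzas and flags multi-auth ports whose data-host dead-server action is missing "reinitialize vlan <X>" or still uses the multi-domain form "authorize". The sample config, interface names and VLAN 10 are constructed for the demo.

```python
"""Flag Cisco IOS ports whose critical-auth (dead-server) action does not fit
their host-mode: multi-auth needs 'reinitialize vlan <X>', not 'authorize'."""
import re
# Constructed sample: Fa0/1 mirrors the non-working config from the question,
# Fa0/2 is the multi-auth form from the accepted answer (VLAN 10 assumed).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 10
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication host-mode multi-auth
!
interface FastEthernet0/2
 switchport access vlan 10
 authentication event server dead action reinitialize vlan 10
 authentication event server dead action authorize voice
 authentication host-mode multi-auth
!
"""
def parse_interfaces(config: str) -> dict:
    """Group stripped config lines under their 'interface <name>' stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!":
            current = None  # '!' closes the stanza
        elif current is not None and line:
            stanzas[current].append(line)
    return stanzas

def audit_critical_auth(config: str) -> dict:
    """Map multi-auth interfaces to findings about their data-host dead-server action."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "authentication host-mode multi-auth" not in lines:
            continue
        # Data-host dead-server actions only; the 'authorize voice' line is separate.
        dead = [l for l in lines if l.startswith("authentication event server dead action")
                and not l.endswith(" voice")]
        issues = []
        if not any(re.search(r"reinitialize vlan \d+$", l) for l in dead):
            issues.append("missing 'authentication event server dead action reinitialize vlan <X>'")
        if any(l.endswith(" action authorize") for l in dead):
            issues.append("'server dead action authorize' is the multi-domain form, not multi-auth")
        if issues:
            findings[name] = issues
    return findings
```

Run it against the output of "show running-config" to catch the mismatch before an ISE outage reveals it.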
