MAB Failing Even Though Authc is Successful

jupoole
Cisco Employee

ACS/IBNS Teams,

Customer is saying they cannot get MAB working on a 3750 but the same host works on a 3560 if moved. Basically, it shows Authc successful but the port state still shows as unauthorized.

I have attached the logs. Any ideas? My next step is to also post to the ISE support community. However, this is ACS as the server today.

JP

Accepted Solutions

bfruits
Level 1

Hi Justin,

I'd first suggest that you try taking the comments ( ! ) out of your dACL contents. Older platforms in particular can have problems with dACL lines that are not true access control entries.

The logs may stop short but my assumption is that you are getting AuthC success and AuthZ failure on the switch - meaning the switch is not able to apply the authorization instructions sent by ACS. AuthZ failure should be shown in normal logging levels, but you could also try debugging EPM to determine if the dACL is being applied.

These commands may also help with troubleshooting:

show ip access-list #ACSACL#-IP-LM-PERMIT-ALL-57217a63

show ip access-list g1/0/2

Hope this helps,

-Fruits
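
Added example (not part of the original thread, and not Cisco or ACS code): a small Python check that flags the dACL lines the reply above suggests removing, before the dACL content is saved on the server. The rule that a true access control entry starts with permit or deny, the name lint_dacl, and the sample dACL text are assumptions made for illustration.

```python
import re

# Assumption: a "true" access control entry in dACL content starts with
# permit or deny; everything else is reported for removal.
ACE_RE = re.compile(r"^(permit|deny)\s+\S+", re.IGNORECASE)


def lint_dacl(text):
    """Split dACL content into usable ACEs and flagged lines.

    Returns (clean_lines, findings); each finding is
    (line_number, reason, raw_line).
    """
    clean, findings = [], []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            findings.append((no, "blank line", raw))
        elif line.startswith("!"):
            findings.append((no, "comment line", raw))
        elif line.lower().startswith("remark"):
            findings.append((no, "remark line", raw))
        elif not ACE_RE.match(line):
            findings.append((no, "not a permit/deny entry", raw))
        else:
            clean.append(line)
    return clean, findings


# Constructed sample dACL content (not taken from the attached logs).
SAMPLE_DACL = """\
! allow everything for lab hosts
 deny ip any host 192.0.2.10

remark temporary
permit ip any any
access-list 101 permit ip any any
"""

if __name__ == "__main__":
    clean, findings = lint_dacl(SAMPLE_DACL)
    for no, reason, raw in findings:
        print(f"line {no}: {reason}: {raw!r}")
    print("Cleaned dACL:")
    print("\n".join(clean))
```
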
