09-15-2014 05:30 PM - edited 03-10-2019 10:01 PM
Hello, I have a problem with MAB.
I have a 3560 switch configured with MAB for authentication, and I have an ISE.
I tried with Multi-Domain Authentication and with priority dot1x mab.
In the end, I have this configuration on the port.
interface GigabitEthernet0/2
switchport access vlan 451
switchport mode access
ip access-group ACL-AD in
shutdown
authentication port-control auto
mab
spanning-tree portfast
spanning-tree bpduguard enable
end
This configuration works, but only for a few minutes; I don't know why the dACL is dropped after that time.
As you can see in these logs, after these events the dACL is removed...
I attach the entire configuration.
09/15/19:06 - MS-C3560-1#
09/15/19:06 - MS-C3560-1#
09/15/19:06 - Sep 16 00:06:47.660: AAA/AUTHOR: auth_need : user= 'axtel' ruser= 'MS-C3560-1'rem_addr= '172.18.2.1' priv= 15 list= '' AUTHOR-TYPE= 'commands'
09/15/19:06 - MS-C3560-1#
09/15/19:06 - MS-C3560-1#show authentication sessions interface gig0/2 details
09/15/19:06 - Interface: GigabitEthernet0/2
09/15/19:06 - MAC Address: 0c85.253e.9229
09/15/19:06 - IPv6 Address: Unknown
09/15/19:06 - IPv4 Address: 172.31.3.4
09/15/19:06 - User-Name: 0C-85-25-3E-92-29
09/15/19:06 - Status: Authorized
09/15/19:06 - Domain: DATA
09/15/19:06 - Oper host mode: single-host
09/15/19:06 - Oper control dir: both
09/15/19:06 - Session timeout: N/A
09/15/19:06 - Common Session ID: AC1869FC00000030265556C0
09/15/19:06 - Acct Session ID: 0x00000023
09/15/19:06 - Handle: 0xD1000016
09/15/19:06 - Current Policy: POLICY_Gi0/2
09/15/19:06 -
09/15/19:06 - Local Policies:
09/15/19:06 - Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
09/15/19:06 - Security Policy: Should Secure
09/15/19:06 - Security Status: Link Unsecure
09/15/19:06 -
09/15/19:06 - Server Policies:
09/15/19:06 - ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-517998c3
09/15/19:06 -
09/15/19:06 - Method status list:
09/15/19:06 - Method State
09/15/19:06 - mab Authc Success
09/15/19:06 -
09/15/19:06 - MS-C3560-1#
09/15/19:06 - MS-C3560-1#
09/15/19:06 - MS-C3560-1#
09/15/19:06 - Sep 16 00:06:51.913: AAA/AUTHOR: auth_need : user= 'axtel' ruser= 'MS-C3560-1'rem_addr= '172.18.2.1' priv= 15 list= '' AUTHOR-TYPE= 'commands'
09/15/19:06 - MS-C3560-1#
09/15/19:06 - Sep 16 00:07:05.823: AUTH-EVENT: [0c85.253e.9229, Gi0/2] Received internal event SINGLE_ID_UPDATE (handle 0xD1000016)
09/15/19:06 - Sep 16 00:07:05.823: AUTH-SYNC: [0c85.253e.9229, Gi0/2] Delay remove sync of addr for 0c85.253e.9229 / 0xD1000016
09/15/19:06 - MS-C3560-1#
09/15/19:06 - Sep 16 00:07:05.823: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0c85.253e.9229| AuditSessionID AC1869FC00000030265556C0| EVENT IP-RELEASE
09/15/19:07 - MS-C3560-1#show authentication sessions interface gig0/2 details
09/15/19:07 - Interface: GigabitEthernet0/2
09/15/19:07 - MAC Address: 0c85.253e.9229
09/15/19:07 - IPv6 Address: Unknown
09/15/19:07 - IPv4 Address: Unknown
09/15/19:07 - User-Name: 0C-85-25-3E-92-29
09/15/19:07 - Status: Authorized
09/15/19:07 - Domain: DATA
09/15/19:07 - Oper host mode: single-host
09/15/19:07 - Oper control dir: both
09/15/19:07 - Session timeout: N/A
09/15/19:07 - Common Session ID: AC1869FC00000030265556C0
09/15/19:07 - Acct Session ID: 0x00000023
09/15/19:07 - Handle: 0xD1000016
09/15/19:07 - Current Policy: POLICY_Gi0/2
09/15/19:07 -
09/15/19:07 - Local Policies:
09/15/19:07 - Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
09/15/19:07 - Security Policy: Should Secure
09/15/19:07 - Security Status: Link Unsecure
09/15/19:07 -
09/15/19:07 - Server Policies:
09/15/19:07 -
09/15/19:07 - Method status list:
09/15/19:07 - Method State
09/15/19:07 - mab Authc Success
09/15/19:07 -
09/15/19:07 - MS-C3560-1#
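The two "show authentication sessions" snapshots above differ in exactly two fields: the IPv4 address goes from a learned value to Unknown, and the Server Policies "ACS ACL" line (the dACL) disappears, right after an %EPM-6-IPEVENT IP-RELEASE for the same AuditSessionID. The script below is an added example, not code from the original thread or from Cisco: it parses classic-IOS "show authentication sessions ... details" output and EPM syslog lines, compares a before/after snapshot of one session, and reports a dACL that vanished together with the host IP binding. The sample snapshots and syslog lines are constructed to mirror the thread's output (MAC, session ID and ACL name reused as illustrative values); the section names it keys on ("Local Policies:", "Server Policies:", "Method status list:") are those shown in the thread.

```python
"""Spot a MAB/802.1X session that lost its downloadable ACL (dACL) and say why.

Parses 'show authentication sessions interface <if> details' snapshots and
%EPM-6-IPEVENT syslog lines from a classic-IOS switch (3560/3750 style output).
"""
import re

# Constructed sample data modelled on the thread's output (not a real capture).
BEFORE = """\
Interface: GigabitEthernet0/2
MAC Address: 0c85.253e.9229
IPv4 Address: 172.31.3.4
User-Name: 0C-85-25-3E-92-29
Status: Authorized
Domain: DATA
Common Session ID: AC1869FC00000030265556C0
Current Policy: POLICY_Gi0/2

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure

Server Policies:
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-517998c3

Method status list:
Method State
mab Authc Success
"""

# Same session a minute later: IP binding gone and no server-pushed ACL.
AFTER = (BEFORE.replace("IPv4 Address: 172.31.3.4", "IPv4 Address: Unknown")
               .replace("ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-517998c3\n", ""))

SYSLOG = """\
Sep 16 00:07:05.823: AUTH-EVENT: [0c85.253e.9229, Gi0/2] Received internal event SINGLE_ID_UPDATE (handle 0xD1000016)
Sep 16 00:07:05.823: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0c85.253e.9229| AuditSessionID AC1869FC00000030265556C0| EVENT IP-RELEASE
"""

EPM_IPEVENT = re.compile(r"%EPM-6-IPEVENT: IP (?P<ip>[^|]+)\| MAC (?P<mac>[^|]+)\| "
                         r"AuditSessionID (?P<sid>[^|]+)\| EVENT (?P<event>\S+)")
TIMESTAMP = re.compile(r"^\s*(\w{3}\s+\d+\s+\d\d:\d\d:\d\d(?:\.\d+)?):")


def parse_auth_session(text):
    """Turn one 'show authentication sessions ... details' block into a dict.

    Top-level 'Key: value' lines land in the dict directly; lines under
    'Local Policies:' / 'Server Policies:' go into sub-dicts, and the
    'Method status list:' table becomes {method: state}.
    """
    session = {"local_policies": {}, "server_policies": {}, "methods": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "#" in line:          # blank lines and CLI prompts
            continue
        if line in ("Local Policies:", "Server Policies:"):
            section = line[:-1].lower().replace(" ", "_")
            continue
        if line == "Method status list:":
            section = "methods"
            continue
        if section == "methods":
            if line.startswith("Method"):    # column header 'Method State'
                continue
            method, state = line.split(None, 1)
            session["methods"][method] = state
            continue
        if ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            (session if section is None else session[section])[key] = value
    return session


def parse_epm_events(log):
    """Extract %EPM-6-IPEVENT records (time, ip, mac, sid, event) from syslog text."""
    events = []
    for line in log.splitlines():
        match = EPM_IPEVENT.search(line)
        if match:
            stamp = TIMESTAMP.match(line)
            events.append({"time": stamp.group(1) if stamp else None, **match.groupdict()})
    return events


def diagnose_dacl_loss(before, after, events):
    """Compare two snapshots of the same session; return findings (empty = no loss seen)."""
    sid = before["Common Session ID"]
    if sid != after["Common Session ID"]:
        return ["snapshots belong to different sessions; nothing to compare"]
    findings = []
    had = before["server_policies"].get("ACS ACL")
    has = after["server_policies"].get("ACS ACL")
    if had and not has:
        findings.append(f"dACL {had} was removed from session {sid} "
                        f"while Status stayed '{after['Status']}'")
        if before.get("IPv4 Address") != "Unknown" and after.get("IPv4 Address") == "Unknown":
            # On classic IOS the dACL is applied against the host IP learned by
            # IP device tracking; when that binding is dropped, EPM removes the ACL.
            findings.append("host IPv4 binding was lost (IPv4 Address went from "
                            f"{before['IPv4 Address']} to Unknown); check IP device tracking")
        for ev in events:
            if ev["sid"] == sid and ev["event"] == "IP-RELEASE":
                findings.append(f"matching EPM IP-RELEASE for MAC {ev['mac']} at {ev['time']}")
    elif not had:
        findings.append("no dACL was ever applied; check the ISE authorization profile "
                        "and that the switch sends/accepts Cisco VSAs")
    return findings


if __name__ == "__main__":
    for finding in diagnose_dacl_loss(parse_auth_session(BEFORE),
                                      parse_auth_session(AFTER),
                                      parse_epm_events(SYSLOG)):
        print(finding)
```

Run it against real output by pasting the two snapshots and the relevant syslog lines into BEFORE, AFTER and SYSLOG; an empty findings list means the dACL survived between the two snapshots, and an IP-RELEASE finding points at the device-tracking side rather than at RADIUS.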
09-16-2014 06:01 AM
Refer to this link: https://learningnetwork.cisco.com/thread/68792
09-17-2014 06:47 AM
Your link helped me to find another link.
I think I found the error.
MS-C3560-1(config)#no ip device tracking probe auto-source override
MS-C3560-1(config)#ip device tracking
MS-C3560-1#
Sep 17 13:18:01.016: AUTH-EVENT: [0c85.253e.9229, Gi0/2] Received internal event SINGLE_ID_UPDATE (handle 0xC3000003)
Sep 17 13:18:01.016: AUTH-SYNC: [0c85.253e.9229, Gi0/2] Delay add/update sync of addr for 0c85.253e.9229 / 0xC3000003
MS-C3560-1#
09-16-2014 11:56 PM
I can't see the command "radius-server vsa send" in your config. I've had trouble with the dACL not downloading correctly when that command is missing.
What does the log in ISE say?
09-17-2014 06:42 AM
The vsa commands seem to be turned on by default.
MS-C3560-1#sh run | inc vsa
MS-C3560-1#
MS-C3560-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
MS-C3560-1(config)#radius-server vsa send ?
accounting Send in accounting requests
authentication Send in access requests
cisco-nas-port Send cisco-nas-port VSA(2)
<cr>
MS-C3560-1(config)#radius-server vsa send accounting
MS-C3560-1(config)#radius-server vsa send authentication
MS-C3560-1(config)#
MS-C3560-1(config)#
MS-C3560-1(config)#end
MS-C3560-1#sh run | inc vsa
MS-C3560-1#
For ISE, I don't have any events for auth failure or anything like that.