
MAB / IP Phone / ISE - Works Fine for a few minutes -

Oswaldo Torres
Level 1

Hello, I have trouble with MAB.

I have a SW 3560 configured with MAB for authentication, and I have an ISE.

I tried Multi-Domain Authentication, and priority with dot1x mab.

In the end, I have this configuration on the port.

 

interface GigabitEthernet0/2
 switchport access vlan 451
 switchport mode access
 ip access-group ACL-AD in
 shutdown
 authentication port-control auto
 mab
 spanning-tree portfast
 spanning-tree bpduguard enable
end

This configuration works, but just for a few minutes; I don't know why the DACL is dropped after this time.

As you can see in these logs, after these events the DACL is removed...

I attach the entire configuration.

 

 

09/15/19:06 - MS-C3560-1#
09/15/19:06 - MS-C3560-1#
09/15/19:06 - Sep 16 00:06:47.660: AAA/AUTHOR: auth_need : user= 'axtel' ruser= 'MS-C3560-1'rem_addr= '172.18.2.1' priv= 15 list= '' AUTHOR-TYPE= 'commands'
09/15/19:06 - MS-C3560-1#
09/15/19:06 - MS-C3560-1#show authentication sessions interface gig0/2 details
09/15/19:06 -             Interface:  GigabitEthernet0/2
09/15/19:06 -           MAC Address:  0c85.253e.9229
09/15/19:06 -          IPv6 Address:  Unknown
09/15/19:06 -          IPv4 Address:  172.31.3.4
09/15/19:06 -             User-Name:  0C-85-25-3E-92-29
09/15/19:06 -                Status:  Authorized
09/15/19:06 -                Domain:  DATA
09/15/19:06 -        Oper host mode:  single-host
09/15/19:06 -      Oper control dir:  both
09/15/19:06 -       Session timeout:  N/A
09/15/19:06 -     Common Session ID:  AC1869FC00000030265556C0
09/15/19:06 -       Acct Session ID:  0x00000023
09/15/19:06 -                Handle:  0xD1000016
09/15/19:06 -        Current Policy:  POLICY_Gi0/2
09/15/19:06 -
09/15/19:06 - Local Policies:
09/15/19:06 -         Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
09/15/19:06 -       Security Policy:  Should Secure
09/15/19:06 -       Security Status:  Link Unsecure
09/15/19:06 -
09/15/19:06 - Server Policies:
09/15/19:06 -               ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-517998c3
09/15/19:06 -
09/15/19:06 - Method status list:
09/15/19:06 -        Method           State
09/15/19:06 -        mab              Authc Success
09/15/19:06 -
09/15/19:06 - MS-C3560-1#
09/15/19:06 - MS-C3560-1#
09/15/19:06 - MS-C3560-1#
09/15/19:06 - Sep 16 00:06:51.913: AAA/AUTHOR: auth_need : user= 'axtel' ruser= 'MS-C3560-1'rem_addr= '172.18.2.1' priv= 15 list= '' AUTHOR-TYPE= 'commands'
09/15/19:06 - MS-C3560-1#
09/15/19:06 - Sep 16 00:07:05.823: AUTH-EVENT: [0c85.253e.9229, Gi0/2] Received internal event SINGLE_ID_UPDATE (handle 0xD1000016)
09/15/19:06 - Sep 16 00:07:05.823: AUTH-SYNC: [0c85.253e.9229, Gi0/2] Delay remove sync of addr for 0c85.253e.9229 / 0xD1000016
09/15/19:06 - MS-C3560-1#
09/15/19:06 - Sep 16 00:07:05.823: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0c85.253e.9229| AuditSessionID AC1869FC00000030265556C0| EVENT IP-RELEASE
09/15/19:07 - MS-C3560-1#show authentication sessions interface gig0/2 details
09/15/19:07 -             Interface:  GigabitEthernet0/2
09/15/19:07 -           MAC Address:  0c85.253e.9229
09/15/19:07 -          IPv6 Address:  Unknown
09/15/19:07 -          IPv4 Address:  Unknown
09/15/19:07 -             User-Name:  0C-85-25-3E-92-29
09/15/19:07 -                Status:  Authorized
09/15/19:07 -                Domain:  DATA
09/15/19:07 -        Oper host mode:  single-host
09/15/19:07 -      Oper control dir:  both
09/15/19:07 -       Session timeout:  N/A
09/15/19:07 -     Common Session ID:  AC1869FC00000030265556C0
09/15/19:07 -       Acct Session ID:  0x00000023
09/15/19:07 -                Handle:  0xD1000016
09/15/19:07 -        Current Policy:  POLICY_Gi0/2
09/15/19:07 -
09/15/19:07 - Local Policies:
09/15/19:07 -         Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
09/15/19:07 -       Security Policy:  Should Secure
09/15/19:07 -       Security Status:  Link Unsecure
09/15/19:07 -
09/15/19:07 - Server Policies:
09/15/19:07 -
09/15/19:07 - Method status list:
09/15/19:07 -        Method           State
09/15/19:07 -        mab              Authc Success
09/15/19:07 -
09/15/19:07 - MS-C3560-1#
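As an added illustration (not from this thread and not a Cisco tool), here is a small Python checker that parses the two "show authentication sessions ... details" snapshots above plus the %EPM-6-IPEVENT line, and reports that the dACL vanished at the moment device tracking released the endpoint's IP. The sample text is constructed from the logs in this post; the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Session:
    mac: str
    ipv4: str
    session_id: str
    acs_acl: Optional[str]   # dACL name under "Server Policies", None if absent

def parse_session(text: str) -> Session:
    """Pull the fields we care about out of one 'details' block."""
    def field(name: str) -> str:
        m = re.search(rf"^\s*{re.escape(name)}:\s+(\S+)", text, re.M)
        return m.group(1) if m else "Unknown"
    acl = re.search(r"^\s*ACS ACL:\s+(\S+)", text, re.M)
    return Session(field("MAC Address"), field("IPv4 Address"),
                   field("Common Session ID"), acl.group(1) if acl else None)

# %EPM-6-IPEVENT line that accompanied the dACL loss in the thread's log
IP_RELEASE = re.compile(r"%EPM-6-IPEVENT: IP ([^|\s]+)\| MAC ([^|\s]+)\| "
                        r"AuditSessionID ([^|\s]+)\| EVENT IP-RELEASE")

def dacl_lost(before: Session, after: Session, syslog: str) -> List[str]:
    """Explain why a dACL present in 'before' is gone in 'after'."""
    if before.session_id != after.session_id:
        return ["different sessions, nothing to compare"]
    findings = []
    if before.acs_acl and after.acs_acl is None:
        findings.append(f"dACL {before.acs_acl} removed from session {after.session_id}")
        if after.ipv4 == "Unknown":
            findings.append("switch no longer knows the endpoint's IPv4 address")
        for _ip, mac, sid in IP_RELEASE.findall(syslog):
            if sid == after.session_id:
                findings.append(f"IP-RELEASE for {mac}: device tracking dropped the "
                                "IP binding that the per-session dACL depends on")
    return findings

# Constructed samples, trimmed from the two snapshots and the syslog line in this post
BEFORE = """\
            Interface:  GigabitEthernet0/2
          MAC Address:  0c85.253e.9229
         IPv4 Address:  172.31.3.4
    Common Session ID:  AC1869FC00000030265556C0
Server Policies:
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-517998c3
"""
AFTER = BEFORE.replace("172.31.3.4", "Unknown").split("Server Policies:")[0] + "Server Policies:\n"
SYSLOG = ("Sep 16 00:07:05.823: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0c85.253e.9229| "
          "AuditSessionID AC1869FC00000030265556C0| EVENT IP-RELEASE")
```

Running dacl_lost(parse_session(BEFORE), parse_session(AFTER), SYSLOG) yields three findings, the last pointing at the IP-RELEASE event.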

4 Replies

mohanak
Cisco Employee

Your link helped me find another link.

I think I found the error.

MS-C3560-1(config)#no ip device tracking probe auto-source override
MS-C3560-1(config)#ip device tracking

MS-C3560-1#
Sep 17 13:18:01.016: AUTH-EVENT: [0c85.253e.9229, Gi0/2] Received internal event SINGLE_ID_UPDATE (handle 0xC3000003)
Sep 17 13:18:01.016: AUTH-SYNC: [0c85.253e.9229, Gi0/2] Delay add/update sync of addr for 0c85.253e.9229 / 0xC3000003
MS-C3560-1#

Jimmy Johansson
Level 1

I can't see the command "radius-server vsa send" in your config. I've had trouble with the dACL not downloading correctly when that command is missing.

What does the log in ISE say?

The vsa commands seem to be turned on by default.

MS-C3560-1#sh run | inc vsa
MS-C3560-1#
MS-C3560-1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
MS-C3560-1(config)#radius-server vsa send ?
  accounting      Send in accounting requests
  authentication  Send in access requests
  cisco-nas-port  Send cisco-nas-port VSA(2)
  <cr>

MS-C3560-1(config)#radius-server vsa send accounting  
MS-C3560-1(config)#radius-server vsa send authentication
MS-C3560-1(config)#
MS-C3560-1(config)#
MS-C3560-1(config)#end
MS-C3560-1#sh run | inc vsa
MS-C3560-1#

For the ISE, I don't have any events for auth fail or anything.
