MAB ISR G2 problem

mmktech
Level 1

Hi everybody!

We have a Cisco 1941 (ISR G2) running IOS 15.6(3)M3 with the following configuration (truncated) to enable MAC Authentication Bypass (MAB):

!
aaa new-model
!
!
aaa group server radius RADIUSGRP
 server name RADIUSSRV
 ip radius source-interface GigabitEthernet0/0
!
aaa authentication dot1x default group RADIUSGRP
!
aaa session-id common
!
!
interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.20.1 255.255.255.0
 duplex auto
 speed auto
 authentication port-control auto
 mab
!
radius server RADIUSSRV
 address ipv4 192.168.10.2 auth-port 1645 acct-port 1646
 key cisco
!

We have also configured a FreeRADIUS server, and everything works fine:

*Nov 27 08:05:16.179: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
*Nov 27 08:05:16.487: %AUTHMGR-5-START: Starting 'mab' for client (c0a0.bb58.bdf3) on Interface Gi0/1 AuditSessionID C0A80A0100000001007BE98C
*Nov 27 08:05:16.583: %MAB-5-SUCCESS: Authentication successful for client (c0a0.bb58.bdf3) on Interface Gi0/1 AuditSessionID C0A80A0100000001007BE98C
*Nov 27 08:05:16.583: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (c0a0.bb58.bdf3) on Interface Gi0/1 AuditSessionID C0A80A0100000001007BE98C
*Nov 27 08:05:16.583: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (c0a0.bb58.bdf3) on Interface Gi0/1 AuditSessionID C0A80A0100000001007BE98C
*Nov 27 08:05:17.179: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up

While enabling mab under debug conditions we get a lot of messages (truncated):

C1941(config-if)#mab
*Nov 22 10:10:56.386: mab-ev:Created MAB SWSB on interface GigabitEthernet0/1
*Nov 22 10:10:56.386: AUTH-EVENT (Gi0/1) Auth method "mab" available
*Nov 22 10:10:56.386: AUTH-EVENT (Gi0/1) Added method mab to available list
*Nov 22 10:10:56.386: AUTH-EVENT (Gi0/1) Added method mab to runnable list
*Nov 22 10:10:56.386: AUTH-EVENT (Gi0/1) Queued START
*Nov 22 10:10:56.386: mab-ev(Gi0/1): Informed AuthMGR about MAB config change
*Nov 22 10:10:56.386: AUTH-EVENT (Gi0/1) Received internal event START
*Nov 22 10:10:56.386: AUTH-EVENT (Gi0/1) Assigned AAA ID 0x00000014
*Nov 22 10:10:56.386: AUTH-EVENT (Gi0/1) Retrieved Accounting Session ID 0x00000000
*Nov 22 10:10:56.386: AUTH-EVENT (Gi0/1) Allocated new Auth Manager context (handle 0xEC000004)
*Nov 22 10:10:56.386: AUTH-EVENT (Gi0/1) Client 0000.0000.0000, Initialising Method mab state to 'Not run'
*Nov 22 10:10:56.386: AUTH-EVENT (Gi0/1) Adding method mab to runnable list for Auth Mgr context 0x
*Nov 22 10:10:56.386: AUTH-EVENT: auth_mgr_idc_add_record: Recv audit_sid=000000000000000300F549A8
*Nov 22 10:10:56.386: AUTH-EVENT (Gi0/1) Sending START to mab (handle 0xEC000004)
*Nov 22 10:10:56.386: mab-ev(Gi0/1): Received MAB context create from AuthMgr
*Nov 22 10:10:56.386: mab-ev(Gi0/1): Created MAB client context 0x00000004
*Nov 22 10:10:56.386:     mab : initial state mab_initialize has enter
*Nov 22 10:10:56.386: AUTH-EVENT (Gi0/1) Received handle 0x00000004 from method
*Nov 22 10:10:56.386: AUTH-EVENT (Gi0/1) Client 0000.0000.0000, Context changing state from 'Idle' to 'Running'
*Nov 22 10:10:56.386: AUTH-EVENT (Gi0/1) Client 0000.0000.0000, Method mab changing state from 'Not run' to 'Running'

But when we run IOS 15.2(4)M5 on the Cisco 1941 with the same config and all other conditions unchanged, there is just nothing:

C1941#show authentication sessions
No Auth Manager contexts currently exist

We see the same behavior on a Cisco 3945 running IOS 15.6(3)M3.

In this case, while enabling mab under debug conditions we get just a few messages:

C3945(config-if)#mab
*Nov 24 07:18:37.147: mab-ev:Created MAB SWSB on interface GigabitEthernet0/1
*Nov 24 07:18:37.147: AUTH-EVENT (Gi0/1) Auth method "mab" available
*Nov 24 07:18:37.147: AUTH-EVENT (Gi0/1) Added method mab to available list
*Nov 24 07:18:37.147: AUTH-EVENT (Gi0/1) Added method mab to runnable list
*Nov 24 07:18:37.147: mab-ev(Gi0/1): Informed AuthMGR about MAB config change

If we try to disable mab:

C3945(config-if)#default mab
*Nov 24 07:18:23.579: AUTH-EVENT (Gi0/1) Auth method "mab" unavailable
*Nov 24 07:18:23.579: AUTH-EVENT (Gi0/1) Removed method mab from available list
*Nov 24 07:18:23.579: AUTH-EVENT (Gi0/1) Removed method mab from runnable list
*Nov 24 07:18:23.579: AUTH-EVENT (Gi0/1) Ignoring delete *ALL* - ctx list empty
*Nov 24 07:18:23.579: mab-ev(Gi0/1): Informed AuthMGR about MAB config change

So, it seems there is some problem with Auth Manager?

Or maybe we are missing something?

2 Replies

I don't think so. I guess that Cisco changed something in the code to view more information in the debug output. I don't see errors in the AuthManager in your output. It's just more information about what's happening in the background.

I say it seems there is some problem with Auth Manager because the Auth Manager context is not created (messages: "No Auth Manager contexts currently exist" and "AUTH-EVENT (Gi0/1) Ignoring delete *ALL* - ctx list empty"), while in the first example it is ("AUTH-EVENT (Gi0/1) Allocated new Auth Manager context"). And still MAB doesn't work.

I don't deny there is another cause of our problem.

Maybe we forgot to set some mandatory configurations?