Hi Security Experts,
We are facing an issue where a video conference unit (Tandberg) failed to authenticate for several days. On further checking, we found that the MAB method was not tried at all. The unit was failing with dot1x. We have the authentication order/priority as dot1x, mab. On clearing the authentication session, when dot1x failed, I could see mab starting and the unit could authenticate fine. Please see below:
Problem
++++++
sw#sh authentication sessions interface fa0/21
Interface: FastEthernet0/21
MAC Address: 0050.6002.5f0c
IP Address: Unknown
User-Name:
Status: Authz Failed
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: in
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0AF0C5040000FE2E098EC881
Acct Session ID: 0x00010F61
Handle: 0x85000EFC
Runnable methods list:
Method State
dot1x Authc Failed
mab Not run
After clearing auth session,
After clearing the session, now it is properly failing over to MAB.
+++++++++++++++++++
sw#sh authentication sessions interface fa0/21
Interface: FastEthernet0/21
MAC Address: 0050.6002.5f0c
IP Address: Unknown
User-Name: 00-50-60-02-5F-0C
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: in
Authorized By: Authentication Server
Vlan Group: N/A
Session timeout: 43200s (local), Remaining: 43185s
Timeout action: Reauthenticate
Idle timeout: N/A
Common Session ID: 0AF0C5040000FE410991A09C
Acct Session ID: 0x00010F7A
Handle: 0x3B000F0F
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
We are running c3560-ipservicesk9-mz.122-55.SE4 on a WS-C3560-48PS switch.
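
Added example, not part of the original post: a Python check that parses "show authentication sessions interface" output of the kind shown above and flags sessions left in the state described (dot1x Authc Failed, mab Not run). The sample input is constructed from the post's output; the second interface and its MAC address are made up, and the function names are hypothetical.

```python
import re

# Constructed sample: two session dumps modeled on the output in the post.
SAMPLE = """\
Interface: FastEthernet0/21
MAC Address: 0050.6002.5f0c
Status: Authz Failed
Runnable methods list:
Method State
dot1x Authc Failed
mab Not run
Interface: FastEthernet0/22
MAC Address: 0011.2233.4455
Status: Authz Success
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
"""

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z .]*?):\s*(.*)$")   # "Key: value" lines
METHOD = re.compile(r"^\s*(dot1x|mab)\s+(.+?)\s*$")          # method/state rows

def parse_sessions(text):
    """Split session output into one dict per 'Interface:' block."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = METHOD.match(line)
        if m and cur is not None:
            cur["methods"][m.group(1)] = m.group(2)
            continue
        f = FIELD.match(line)
        if not f:
            continue  # prompt lines, "Method State" header, separators
        key, val = f.group(1).strip(), f.group(2).strip()
        if key == "Interface":
            cur = {"methods": {}}
            sessions.append(cur)
        if cur is not None:
            cur[key] = val
    return sessions

def stuck_sessions(sessions):
    """Sessions where dot1x failed but MAB was never attempted."""
    return [s for s in sessions
            if s.get("Status") == "Authz Failed"
            and s["methods"].get("dot1x") == "Authc Failed"
            and s["methods"].get("mab") == "Not run"]
```

Running stuck_sessions(parse_sessions(output)) over collected switch output returns only the ports in the failed state from the first capture above, which can then be reviewed or have their sessions cleared.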