cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
274
Views
2
Helpful
14
Replies

MAB not working correctly

alliasneo1
Level 1
Level 1

Hi, I've got a bit of a strange one. This was all working fine but I've come in today and the Mitel phones are not authenticating correctly. Some seem to be going through the live logs fine but others have the blue circle for 'session' and then never authenticate with the green tick. The only difference I can see from the Live Logs from that ones that are authenticating ok vs the ones that aren't is that under 'Network Devices' column and 'Identity Group' they are blank.

 

2 Accepted Solutions

Accepted Solutions

Ok. You might try to check if there is any suppression of the successful authentications configured in ISE, maybe this was configured recently? If so, disabling that feature should show you a log for each session rather than increasing their counters and consolidating them. However, as mentioned before the little circle logs are most likely showing up in your case because they are reauthentication sessions of the previous ones. More specifically when ISE receives a start accounting message for an authenticated session it shows the little circle log for it. To check the suppressions please go to "Administration > System > Settings > Protocols > RADIUS > Suppression & Reports". From there check if there is any tick box next to "Suppress repeated successful authentications". If there is one, please try to remove it and see if that makes any difference.

View solution in original post

Did it help? are you now getting the logs as you would expect them to be?

View solution in original post

14 Replies 14

There are many things make MAB failed' 

Since you see device network in log live I will start from SW

In SW do

Show aaa server  <<- share it here 

MHM

sh aaa servers show both of my servers as being up

can I see output please 

MHM

#sh aaa servers

 

RADIUS: id 1, priority 1, host xx.xx.xx.xx, auth-port 1812, acct-port 1813, hostname xxxxxxxxxx

     State: current UP, duration 4294967s, previous duration 600s

     Dead: total time 600s, count 1

     Platform State from SMD: current UP, duration 4294967s, previous duration 600s

     SMD Platform Dead: total time 2400s, count 4

     Platform State from WNCD (1) : current UP

     Platform State from WNCD (2) : current UP

     Platform State from WNCD (3) : current UP

     Platform State from WNCD (4) : current UP

     Platform State from WNCD (5) : current UP

     Platform State from WNCD (6) : current UP

     Platform State from WNCD (7) : current UP

     Platform State from WNCD (8) : current UP, duration 0s, previous duration 0s

     Platform Dead: total time 0s, count 0UP

     Quarantined: No

     Authen: request 32288, timeouts 37, failover 4, retransmission 27

             Response: accept 327, reject 30824, challenge 1100

             Response: unexpected 0, server error 0, incorrect 0, time 114ms

             Transaction: success 32251, failure 10

             Throttled: transaction 0, timeout 0, failure 0

             Malformed responses: 0

             Bad authenticators: 0

             Dot1x transactions:

             Response: total responses: 1241, avg response time: 13ms

             Transaction: timeouts 0, failover 0

             Transaction: total 141, success 141, failure 0

             MAC auth transactions:

             Response: total responses: 31010, avg response time: 118ms

             Transaction: timeouts 10, failover 4

             Transaction: total 31020, success 186, failure 30834

     Author: request 52, timeouts 0, failover 0, retransmission 0

             Response: accept 52, reject 0, challenge 0

             Response: unexpected 0, server error 0, incorrect 0, time 2ms

             Transaction: success 52, failure 0

             Throttled: transaction 0, timeout 0, failure 0

             Malformed responses: 0

             Bad authenticators: 0

             MAC author transactions:

             Response: total responses: 0, avg response time: 0ms

             Transaction: timeouts 0, failover 0

             Transaction: total 0, success 0, failure 0

     Account: request 664, timeouts 5, failover 0, retransmission 4

             Request: start 124, interim 0, stop 121

             Response: start 124, interim 0, stop 121

             Response: unexpected 0, server error 0, incorrect 0, time 8ms

             Transaction: success 659, failure 1

             Throttled: transaction 0, timeout 0, failure 0

             Malformed responses: 0

             Bad authenticators: 0

     Elapsed time since counters last cleared: 11w2d23h26m

     Estimated Outstanding Access Transactions: 0

     Estimated Outstanding Accounting Transactions: 0

     Estimated Throttled Access Transactions: 0

     Estimated Throttled Accounting Transactions: 0

     Maximum Throttled Transactions: access 0, accounting 0

     Consecutive Response Failures: total 6

             SMD Platform : max 3, current 0 total 6

             WNCD Platform: max 0, current 0 total 0

             IOSD Platform : max 0, current 0 total 0

     Consecutive Timeouts: total 29

             SMD Platform : max 11, current 0 total 27

             WNCD Platform: max 0, current 0 total 0

             IOSD Platform : max 2, current 2 total 2

     Requests per minute past 24 hours:

             high - 23 hours, 25 minutes ago: 0

             low  - 23 hours, 25 minutes ago: 0

             average: 0

 

RADIUS: id 2, priority 2, host xx.xx.xx.xx, auth-port 1812, acct-port 1813, hostname xxxxxxxxxxxx

     State: current UP, duration 4294967s, previous duration 0s

     Dead: total time 0s, count 0

     Platform State from SMD: current UP, duration 3328269s, previous duration 600s

     SMD Platform Dead: total time 620s, count 2

     Platform State from WNCD (1) : current UP

     Platform State from WNCD (2) : current UP

     Platform State from WNCD (3) : current UP

     Platform State from WNCD (4) : current UP

     Platform State from WNCD (5) : current UP

     Platform State from WNCD (6) : current UP

     Platform State from WNCD (7) : current UP

     Platform State from WNCD (8) : current UP, duration 0s, previous duration 0s

     Platform Dead: total time 0s, count 0UP

     Quarantined: No

     Authen: request 58, timeouts 16, failover 10, retransmission 10

             Response: accept 0, reject 42, challenge 0

             Response: unexpected 0, server error 0, incorrect 0, time 131ms

             Transaction: success 42, failure 6

             Throttled: transaction 0, timeout 0, failure 0

             Malformed responses: 0

             Bad authenticators: 0

             Dot1x transactions:

             Response: total responses: 0, avg response time: 0ms

             Transaction: timeouts 0, failover 0

             Transaction: total 0, success 0, failure 0

             MAC auth transactions:

             Response: total responses: 42, avg response time: 131ms

             Transaction: timeouts 6, failover 10

             Transaction: total 48, success 0, failure 48

     Author: request 0, timeouts 0, failover 0, retransmission 0

             Response: accept 0, reject 0, challenge 0

             Response: unexpected 0, server error 0, incorrect 0, time 0ms

             Transaction: success 0, failure 0

             Throttled: transaction 0, timeout 0, failure 0

             Malformed responses: 0

             Bad authenticators: 0

             MAC author transactions:

             Response: total responses: 0, avg response time: 0ms

             Transaction: timeouts 0, failover 0

             Transaction: total 0, success 0, failure 0

     Account: request 1, timeouts 0, failover 1, retransmission 0

             Request: start 0, interim 0, stop 0

             Response: start 0, interim 0, stop 0

             Response: unexpected 0, server error 0, incorrect 0, time 96ms

             Transaction: success 1, failure 0

             Throttled: transaction 0, timeout 0, failure 0

             Malformed responses: 0

             Bad authenticators: 0

     Elapsed time since counters last cleared: 11w2d23h26m

     Estimated Outstanding Access Transactions: 0

     Estimated Outstanding Accounting Transactions: 0

     Estimated Throttled Access Transactions: 0

     Estimated Throttled Accounting Transactions: 0

     Maximum Throttled Transactions: access 0, accounting 0

     Consecutive Response Failures: total 4

             SMD Platform : max 3, current 0 total 4

             WNCD Platform: max 0, current 0 total 0

             IOSD Platform : max 0, current 0 total 0

     Consecutive Timeouts: total 14

             SMD Platform : max 11, current 0 total 14

             WNCD Platform: max 0, current 0 total 0

             IOSD Platform : max 0, current 0 total 0

     Requests per minute past 24 hours:

             high - 23 hours, 25 minutes ago: 0

             low  - 23 hou

I will send you PM 

thanks 

MHM

The little circle suggests a reauthentication session, so those ones are good logs. However, the ones with the green tick suggest a new authentication session. If you open one of the ones with the little circle you should still see some details about the session.

If you want to try to trigger a new authentication for one of those phones that seem to have issues, then I should suggest to shutdown a switch port where a phone is connected, go to ISE and remove that device MAC address, and then finally unshut the switch port. This way the phone will be treated as a new device from ISE perspective.

This still doesn't help understanding why you are experiencing this behaviour with some phones. However, some devices might have a flaw in their firmware, so I highly recommend looking into the latest firmware and if available to trying to upgrade them. In the meantime and before you change anything, could you please share the output of the command "sh authentication sessions interface < the interface where a phone is connected > details" of an interface where you have one of those unstable phones connected for review?

I've tried the re-authentication but that hasn't had an impact. When I run #sh authentication session for the interface it shows that the phone has authenticated succesfully under MAB:

 

----------------------------------------

Interface: GigabitEthernet1/0/5
IIF-ID: 0x1CD3690C
MAC Address: 0800.0fxx.xxxx
IPv6 Address: Unknown
IPv4 Address: xx.xx.xx.xx
User-Name: 08-00-0F-xx.xx.xx
Status: Authorized
Domain: VOICE
Oper host mode: multi-auth
Oper control dir: in
Session timeout: 65535s (local), Remaining: 65392s
Timeout action: Reauthenticate
Acct update timeout: 172800s (local), Remaining: 172657s
Common Session ID: 04665B0A00054ECACF9C52A3
Acct Session ID: 0x000001a2
Handle: 0x5d0001bf
Current Policy: POLICY_Gi1/0/5


Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure

Server Policies:
ACS ACL: xACSACLx-xx-xx-xxxx


Method status list:
Method State
dot1x Stopped
mab Authc Success

 

 

 

 

But this is what I'm seeing in the logs:

alliasneo1_0-1734355443576.png

 

Thanks for this. So, are those phones actually working and you are just concerned about the blank columns? or are they not working? if they are not working, what is it that is not working for those devices?

They are working so that's ok but up until today they have been authenticating correctly with the green tick but now every single phone is just coming through with the blue circle regardless of if I delete the phone from ISE and clear the session on the switch and unplug and plug back in

Ok. You might try to check if there is any suppression of the successful authentications configured in ISE, maybe this was configured recently? If so, disabling that feature should show you a log for each session rather than increasing their counters and consolidating them. However, as mentioned before the little circle logs are most likely showing up in your case because they are reauthentication sessions of the previous ones. More specifically when ISE receives a start accounting message for an authenticated session it shows the little circle log for it. To check the suppressions please go to "Administration > System > Settings > Protocols > RADIUS > Suppression & Reports". From there check if there is any tick box next to "Suppress repeated successful authentications". If there is one, please try to remove it and see if that makes any difference.

Suppress repeated successful authentications was ticked so I've now removed this.

Did it help? are you now getting the logs as you would expect them to be?

yeah I think that's got it. Thank you

No worries. Just as a recommendation you should keep the suppression turned on as per this doc, however, you can turn them off if you are troubleshooting something where you need to see all individual logs of each single session:

BRKSEC-2091