
MAB not working correctly

alliasneo1
Level 1

Hi, I've got a bit of a strange one. This was all working fine but I've come in today and the Mitel phones are not authenticating correctly. Some seem to be going through the live logs fine but others have the blue circle for 'session' and then never authenticate with the green tick. The only difference I can see in the Live Logs between the ones that are authenticating OK and the ones that aren't is that under the 'Network Devices' column and 'Identity Group' they are blank.

 


There are many things that can make MAB fail.

Since you see the network device in the live log, I will start from the SW.

In SW do

Show aaa server  <<- share it here 

MHM

sh aaa servers shows both of my servers as being up.

Can I see the output, please?

MHM

#sh aaa servers

 

RADIUS: id 1, priority 1, host xx.xx.xx.xx, auth-port 1812, acct-port 1813, hostname xxxxxxxxxx

     State: current UP, duration 4294967s, previous duration 600s

     Dead: total time 600s, count 1

     Platform State from SMD: current UP, duration 4294967s, previous duration 600s

     SMD Platform Dead: total time 2400s, count 4

     Platform State from WNCD (1) : current UP

     Platform State from WNCD (2) : current UP

     Platform State from WNCD (3) : current UP

     Platform State from WNCD (4) : current UP

     Platform State from WNCD (5) : current UP

     Platform State from WNCD (6) : current UP

     Platform State from WNCD (7) : current UP

     Platform State from WNCD (8) : current UP, duration 0s, previous duration 0s

     Platform Dead: total time 0s, count 0UP

     Quarantined: No

     Authen: request 32288, timeouts 37, failover 4, retransmission 27

             Response: accept 327, reject 30824, challenge 1100

             Response: unexpected 0, server error 0, incorrect 0, time 114ms

             Transaction: success 32251, failure 10

             Throttled: transaction 0, timeout 0, failure 0

             Malformed responses: 0

             Bad authenticators: 0

             Dot1x transactions:

             Response: total responses: 1241, avg response time: 13ms

             Transaction: timeouts 0, failover 0

             Transaction: total 141, success 141, failure 0

             MAC auth transactions:

             Response: total responses: 31010, avg response time: 118ms

             Transaction: timeouts 10, failover 4

             Transaction: total 31020, success 186, failure 30834

     Author: request 52, timeouts 0, failover 0, retransmission 0

             Response: accept 52, reject 0, challenge 0

             Response: unexpected 0, server error 0, incorrect 0, time 2ms

             Transaction: success 52, failure 0

             Throttled: transaction 0, timeout 0, failure 0

             Malformed responses: 0

             Bad authenticators: 0

             MAC author transactions:

             Response: total responses: 0, avg response time: 0ms

             Transaction: timeouts 0, failover 0

             Transaction: total 0, success 0, failure 0

     Account: request 664, timeouts 5, failover 0, retransmission 4

             Request: start 124, interim 0, stop 121

             Response: start 124, interim 0, stop 121

             Response: unexpected 0, server error 0, incorrect 0, time 8ms

             Transaction: success 659, failure 1

             Throttled: transaction 0, timeout 0, failure 0

             Malformed responses: 0

             Bad authenticators: 0

     Elapsed time since counters last cleared: 11w2d23h26m

     Estimated Outstanding Access Transactions: 0

     Estimated Outstanding Accounting Transactions: 0

     Estimated Throttled Access Transactions: 0

     Estimated Throttled Accounting Transactions: 0

     Maximum Throttled Transactions: access 0, accounting 0

     Consecutive Response Failures: total 6

             SMD Platform : max 3, current 0 total 6

             WNCD Platform: max 0, current 0 total 0

             IOSD Platform : max 0, current 0 total 0

     Consecutive Timeouts: total 29

             SMD Platform : max 11, current 0 total 27

             WNCD Platform: max 0, current 0 total 0

             IOSD Platform : max 2, current 2 total 2

     Requests per minute past 24 hours:

             high - 23 hours, 25 minutes ago: 0

             low  - 23 hours, 25 minutes ago: 0

             average: 0

 

RADIUS: id 2, priority 2, host xx.xx.xx.xx, auth-port 1812, acct-port 1813, hostname xxxxxxxxxxxx

     State: current UP, duration 4294967s, previous duration 0s

     Dead: total time 0s, count 0

     Platform State from SMD: current UP, duration 3328269s, previous duration 600s

     SMD Platform Dead: total time 620s, count 2

     Platform State from WNCD (1) : current UP

     Platform State from WNCD (2) : current UP

     Platform State from WNCD (3) : current UP

     Platform State from WNCD (4) : current UP

     Platform State from WNCD (5) : current UP

     Platform State from WNCD (6) : current UP

     Platform State from WNCD (7) : current UP

     Platform State from WNCD (8) : current UP, duration 0s, previous duration 0s

     Platform Dead: total time 0s, count 0UP

     Quarantined: No

     Authen: request 58, timeouts 16, failover 10, retransmission 10

             Response: accept 0, reject 42, challenge 0

             Response: unexpected 0, server error 0, incorrect 0, time 131ms

             Transaction: success 42, failure 6

             Throttled: transaction 0, timeout 0, failure 0

             Malformed responses: 0

             Bad authenticators: 0

             Dot1x transactions:

             Response: total responses: 0, avg response time: 0ms

             Transaction: timeouts 0, failover 0

             Transaction: total 0, success 0, failure 0

             MAC auth transactions:

             Response: total responses: 42, avg response time: 131ms

             Transaction: timeouts 6, failover 10

             Transaction: total 48, success 0, failure 48

     Author: request 0, timeouts 0, failover 0, retransmission 0

             Response: accept 0, reject 0, challenge 0

             Response: unexpected 0, server error 0, incorrect 0, time 0ms

             Transaction: success 0, failure 0

             Throttled: transaction 0, timeout 0, failure 0

             Malformed responses: 0

             Bad authenticators: 0

             MAC author transactions:

             Response: total responses: 0, avg response time: 0ms

             Transaction: timeouts 0, failover 0

             Transaction: total 0, success 0, failure 0

     Account: request 1, timeouts 0, failover 1, retransmission 0

             Request: start 0, interim 0, stop 0

             Response: start 0, interim 0, stop 0

             Response: unexpected 0, server error 0, incorrect 0, time 96ms

             Transaction: success 1, failure 0

             Throttled: transaction 0, timeout 0, failure 0

             Malformed responses: 0

             Bad authenticators: 0

     Elapsed time since counters last cleared: 11w2d23h26m

     Estimated Outstanding Access Transactions: 0

     Estimated Outstanding Accounting Transactions: 0

     Estimated Throttled Access Transactions: 0

     Estimated Throttled Accounting Transactions: 0

     Maximum Throttled Transactions: access 0, accounting 0

     Consecutive Response Failures: total 4

             SMD Platform : max 3, current 0 total 4

             WNCD Platform: max 0, current 0 total 0

             IOSD Platform : max 0, current 0 total 0

     Consecutive Timeouts: total 14

             SMD Platform : max 11, current 0 total 14

             WNCD Platform: max 0, current 0 total 0

             IOSD Platform : max 0, current 0 total 0

     Requests per minute past 24 hours:

             high - 23 hours, 25 minutes ago: 0

             low  - 23 hou

I will send you PM 

thanks 

MHM

The little circle suggests a reauthentication session, so those ones are good logs. However, the ones with the green tick suggest a new authentication session. If you open one of the ones with the little circle you should still see some details about the session.

If you want to try to trigger a new authentication for one of those phones that seem to have issues, then I would suggest shutting down the switch port where a phone is connected, going to ISE and removing that device's MAC address, and then finally unshutting the switch port. This way the phone will be treated as a new device from the ISE perspective.

This still doesn't help in understanding why you are experiencing this behaviour with some phones. However, some devices might have a flaw in their firmware, so I highly recommend looking into the latest firmware and, if available, trying to upgrade them. In the meantime, and before you change anything, could you please share the output of the command "sh authentication sessions interface < the interface where a phone is connected > details" of an interface where you have one of those unstable phones connected for review?

I've tried the re-authentication but that hasn't had an impact. When I run #sh authentication session for the interface it shows that the phone has authenticated successfully under MAB:

 

----------------------------------------

Interface: GigabitEthernet1/0/5
IIF-ID: 0x1CD3690C
MAC Address: 0800.0fxx.xxxx
IPv6 Address: Unknown
IPv4 Address: xx.xx.xx.xx
User-Name: 08-00-0F-xx.xx.xx
Status: Authorized
Domain: VOICE
Oper host mode: multi-auth
Oper control dir: in
Session timeout: 65535s (local), Remaining: 65392s
Timeout action: Reauthenticate
Acct update timeout: 172800s (local), Remaining: 172657s
Common Session ID: 04665B0A00054ECACF9C52A3
Acct Session ID: 0x000001a2
Handle: 0x5d0001bf
Current Policy: POLICY_Gi1/0/5


Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure

Server Policies:
ACS ACL: xACSACLx-xx-xx-xxxx


Method status list:
Method State
dot1x Stopped
mab Authc Success

 

 

 

 

But this is what I'm seeing in the logs:

[Image: alliasneo1_0-1734355443576.png]

 

Thanks for this. So, are those phones actually working and you are just concerned about the blank columns? Or are they not working? If they are not working, what is it that is not working for those devices?

They are working, so that's OK, but up until today they have been authenticating correctly with the green tick. Now every single phone is just coming through with the blue circle, regardless of whether I delete the phone from ISE, clear the session on the switch, and unplug and plug it back in.

Ok. You might try to check if there is any suppression of the successful authentications configured in ISE, maybe this was configured recently? If so, disabling that feature should show you a log for each session rather than increasing their counters and consolidating them. However, as mentioned before the little circle logs are most likely showing up in your case because they are reauthentication sessions of the previous ones. More specifically when ISE receives a start accounting message for an authenticated session it shows the little circle log for it. To check the suppressions please go to "Administration > System > Settings > Protocols > RADIUS > Suppression & Reports". From there check if there is any tick box next to "Suppress repeated successful authentications". If there is one, please try to remove it and see if that makes any difference.

Suppress repeated successful authentications was ticked so I've now removed this.

Did it help? Are you now getting the logs as you would expect them to be?

Yeah, I think that's got it. Thank you.

No worries. Just as a recommendation, you should keep the suppression turned on as per this doc; however, you can turn it off if you are troubleshooting something where you need to see all individual logs of each single session:

BRKSEC-2091