MAB not working

Stefan E.
Level 1

Hello,

we are using 802.1x to authenticate our Clients.

As a fallback and for foreign devices we are using MAB.

Now we often meet the issue that MAB is also not working.

The authentication session does not start at all and there is no MAC address visible.

As soon as we disable the authentication, the device can be connected successfully, the MAC is visible, etc.

 

We met this issue with different devices (e.g. Raspberry Pi, printer) and on different platforms (e.g. 4506E, C9300).

 

Does anybody else face such issues and can maybe provide a solution?

 

Thanks and best regards

Stefan


Mike.Cifelli
VIP Alumni

Please provide further information so the forum can better assist, including the switch config (interface/mab/dot1x/aaa configs). Have you run any debugs to further troubleshoot that you can share? Can you share any detailed RADIUS live logs from the MAB failures?

It depends on priority and order.

Share the config if you can.

Stefan E.
Level 1

Hi,

Of course I can share some more details.

Here is the interface config:

interface GigabitEthernet3/37
 description [...]
 switchport access vlan 116
 switchport mode access
 switchport voice vlan 70
 authentication event fail action next-method
 authentication event server dead action authorize vlan 116
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize 
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 2
 dot1x max-req 4
 spanning-tree portfast
 ip dhcp snooping limit rate 50
end

In general, the authentication is working, as you can see here (other ports on the same switch are working fine with MAB and 802.1x):

Switch#sh authentication sessions interface 

Interface    MAC Address    Method  Domain  Status Fg Session ID
Gi2/37       e4e7.--------  dot1x   DATA    Auth      8D82[....]F4
Gi3/38       48ba.--------  mab     DATA    Auth      8D82[....]B4
Gi3/38       dca6.--------  mab     DATA    Auth      8D82[....]8C
Gi3/11       f430.--------  dot1x   DATA    Auth      8D82[....]64
Gi3/9        80e8.--------  dot1x   DATA    Auth      8D82[....]48
Gi3/8        c434.--------  dot1x   DATA    Auth      8D82[....]60
Gi3/38       309c.--------  mab     DATA    Auth      8D82[....]E4
Gi3/38       0080.--------  mab     DATA    Auth      8D82[....]A8
Gi2/29       901b.--------  mab     DATA    Auth      8D82[....]4C
Gi2/11       5838.--------  mab     DATA    Auth      8D82[....]D8
Gi3/14       0008.--------  dot1x   DATA    Auth      8D82[....]04
Gi3/13       1062.--------  dot1x   DATA    Auth      8D82[....]18

Session count = 12

Key to Session Events Blocked Status Flags:

  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  N - Waiting for AAA to come up
  P - Pushed Session
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker

 

But if I enable authentication on the port shown at the beginning of this post, nothing happens:

Switch#sh mac address-table interface Gi3/37
No entries present.

Switch#sh authentication sessions interface Gi3/37
No sessions match supplied criteria.

Runnable methods list:
  Handle  Priority  Name
    17       5      dot1x
    18       10     mab
    20       15     webauth

Same situation after waiting some minutes, several shut/no shuts, and a reload of the connected device.

 

As soon as I remove the authentication:

Switch#sh mac address-table interface GigabitEthernet3/37
Unicast Entries
 vlan     mac address     type        protocols               port
---------+---------------+--------+---------------------+-------------------------
 116      dca6.----------   dynamic ip                    GigabitEthernet3/37        

It seems no packet is received when authentication is enabled, and therefore the authentication will not start.

So I can't provide any logging from Cisco ISE.

But it makes no sense, because without authentication everything is fine.

 

Any ideas, or is more information needed?

 

Best regards

Stefan

Hi @Stefan E. 

 

I have seen some devices being very "quiet" when they connect to the network, especially older printers using external print servers. This means that the device will not send any packets out so no dot1x will be triggered. I had similar issues and the device would not send any packets for more than 5 minutes.

What might help you is to put the following command under the specific interface, "authentication control-direction in", and then try to ping the device from another node. Also try to shut and no shut the interface after you apply the authentication commands.

If you have the ability, perform a packet capture via a SPAN port while you have the authentication commands applied, so as to see any packets sent to or from the device.

 

Thank you, Panos.
Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies

Hi Panos,

Thanks for your feedback and your tips.

I was not aware of the mentioned command; I will definitely try it.

But it's confusing, as I see the MAC address right after removing the authentication.

Doesn't that mean that the device is sending packets?

And we also met this issue even after a reload of the device (e.g. a printer), without success. I'm assuming that there should be traffic during the boot process in any case.

 

Best Regards

Stefan

Hi Stefan,

 

If you have tried reloading the device then, assuming that it has a static IP, either the device is not initiating out any packets or there's something wrong with the switch (bug?) or a probe that the switch sends causes the device to fall back?

I'm not sure if the switch will initiate any probes out of the port when it will only see the line going up without first receiving any packets from the endpoint.

A theory on why you see the MAC address when you remove the authentication is that the port then has no restrictions and the device can receive packets and reply (e.g. to an ARP request). This is why I proposed to use control-direction in, so as to allow the device to receive packets and try to respond, allowing the switch to populate the MAC from the endpoint's reply.

I would setup a packet capture for both scenarios and repeat the exact same steps in order to try to understand what's going on.

Then maybe try a different switch in terms of platform and version.

Thank you, Panos.
Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies


Hello,

 

Thanks for your feedback.

I can try this as well, but if any authentication were starting, I should see it in the logging or with the "sh authen session interface" command. But that's not the case. So why should it start MAB when it is not even trying via 802.1x?

 

Best regards

Stefan

I am now investigating this issue in depth; just give me some time.
OK friend

I figured out the issue here:
auth timer reauth server.
Here is what happened (I take a printer as an example):
1- SW sends an identity request; the printer does not respond to this request since it does not support 802.1x.
2- SW starts learning the MAC address, and the first frame sent from the printer is the DHCP request.
3- SW sends this MAC to RADIUS for auth and RADIUS replies with success, BUT
also with a reauth time.
4- SW starts sending/receiving on this port since the AuthC is successful.
5- Printer now gets an IP from DHCP.
6- SW reauth time ends and SW starts a new 802.1x and removes the MAC from the port,
and it fails (as mentioned before, the printer does not support 802.1x), so it starts MAB.
BUT BUT here:
SW starts learning the MAC, but the printer does not send DHCP because it already has an IP, and it is also a quiet device, i.e. it receives orders but does not send frames.
SW waits and waits,
no MAC is learned on this port and hence nothing happens.

We can prove that this is the issue here:
on the port that does not learn the MAC, we force the printer to request a new IP from DHCP.

Please can you check this point.
Note:- please do that without shutting down the printer; shutting down the printer makes the SW reauth automatically and then we cannot confirm that this is the issue here.


Solution:-
There is an inactivity timer we can configure under each interface to which we connect a quiet device; this makes the SW re-learn the MAC and start a new MAB process only in case of inactivity.

Hi @MHM Cisco World - nice analysis - do you happen to have that command for the inactivity timer?

thanks a lot, 

the command is 

authentication timer inactivity {seconds | server}
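To make the analysis above and the inactivity-timer fix checkable across a whole switch config, here is an added audit script (not code from this thread, Cisco or anyone in it): it parses interface stanzas and flags MAB ports that run periodic reauthentication without an inactivity timer. The sample config is constructed from the Gi3/37 stanza posted earlier plus a hypothetical Gi3/40 that carries the fix.

```python
"""Audit Cisco IOS interface stanzas for the quiet-device MAB trap:
MAB enabled, periodic reauthentication on, but no inactivity timer, so a
device that never sends a frame after reauth is never re-learned."""

# Constructed sample: Gi3/37 as posted in the thread (no inactivity timer)
# and a hypothetical Gi3/40 with 'authentication timer inactivity' added.
SAMPLE_CONFIG = """\
interface GigabitEthernet3/37
 switchport access vlan 116
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
!
interface GigabitEthernet3/40
 switchport access vlan 116
 authentication order dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 authentication control-direction in
 mab
 dot1x pae authenticator
!
"""

def parse_interfaces(config: str) -> dict:
    """Return {interface name: [stripped config lines]} per interface stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or 'end' closes the stanza
    return stanzas

def audit_mab_ports(config: str) -> dict:
    """Map interface name -> finding for MAB ports with periodic reauth
    and no 'authentication timer inactivity' line."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "mab" not in lines or "authentication periodic" not in lines:
            continue
        if not any(l.startswith("authentication timer inactivity") for l in lines):
            findings[name] = "periodic reauth on MAB port without inactivity timer"
    return findings

if __name__ == "__main__":
    for port, issue in audit_mab_ports(SAMPLE_CONFIG).items():
        print(f"{port}: {issue}")
```

Run it against `show running-config` output saved to a file by replacing SAMPLE_CONFIG with the file contents.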

Hi MHM Cisco World,

 

Wow, thanks for your great analysis.

I'm not sure if this will definitely be the reason, but I will keep it in mind and check.

Till now we have met this issue on different platforms (C9300, 2960X, C4506-E) and with different types of devices (e.g. a Raspberry Pi and an Audiocodes phone). The "control-direction in" did not solve the issue.

Even when we had this configured, the ping was not working and there was no MAC and no authentication visible.

 

Due to the current Corona home-office situation I can't do a test with a SPAN port and packet capture at the moment.
I will try this as soon as the situation has changed.

 

Thanks for your feedback.
I definitely appreciate all ideas on that topic.

tcatanho
Level 1

Hello,

This subject is very important to me because I am also having this issue.

Most of the endpoints authenticate correctly with mab (these endpoints include computers, printers, RTUs, etc).

But in some cases, when connecting some Wave Quality Measure and a Deep Sea Electronics Generator, the behaviour of the CE is exactly the same as described by @Stefan E. 

 

This is a real example of an interface config:

 

interface FastEthernet0/7
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto 
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 10
 dot1x timeout tx-period 10
 spanning-tree portfast edge
end

 

When I have this configured, no packets arrive on the interface. If I remove this configuration and do a simple access VLAN config, communication starts working.

 

I can't understand why this is happening and I have tried all the solutions proposed by @MHM Cisco World, without success.

 

 

Thank you and best regards.