MAB not working

Stefan E.

Hello,

we are using 802.1x to authenticate our Clients.

As a fallback and for foreign devices we are using MAB.

Now we often meet the issue that MAB is also not working.

The authentication session does not start at all and there is no MAC Address visible.

As soon as we disable the authentication, the device can be connected successfully, the MAC is visible, etc.

We met this issue with different devices (e.g. Raspberry Pi, printer) and on different platforms (e.g. 4506E, C9300).

Is anybody else facing such issues and can maybe provide a solution?

Thanks and best regards

Stefan


Hi @tcatanho

What IOS / IOS-XE are you using?

I have been working with C9300 IOS-XE 17.6.2 recently and I have found a very nice config that works for me.

I would say all the commands below make for a happy solution.

If you have endpoints that don't send any Ethernet packets, then MAB will not be triggered. The end device needs to send *something* to cause MAB to start. And if you want the device to stay connected, then do not return a session timeout via ISE - the switch will apply a session timeout value of N/A - but the Accounting will be sent every 48 hours to keep the ISE session DB and License DB happy.

After applying the config to an interface, you sometimes have to "shut/no shut", or perform a "clear access-session int ..." to kick start the process. If the endpoint is still not creating a session (as seen in "show access-session int ..."), then the client is the problem. In that case use static VLANs instead - and port security.

aaa new-model
!
!
aaa group server radius ISE
 server name nac1
 server name nac2
 deadtime 5
 retransmit 2
 timeout 5
 load-balance method least-outstanding
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting update newinfo periodic 2880
aaa accounting identity default start-stop group ISE
!
!
aaa session-id common
!
!
ip dhcp snooping vlan *** comma delimited list of VLANs to Snoop on *****
no ip dhcp snooping information option
ip dhcp snooping
!
!
!
epm logging
access-session attributes filter-list list FILTER_DS
 cdp
 lldp
 dhcp
access-session accounting attributes filter-spec include list FILTER_DS
device-tracking policy IPDT_POLICY
 security-level glean
 no protocol ndp
 no protocol udp
 tracking enable reachable-lifetime 10
!
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
 linksec policy must-secure
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
 linksec policy should-secure
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan
service-template DEFAULT_CRITICAL_DATA_TEMPLATE
service-template CRITICAL_VOICE_VLAN
 description ** Apply voice vlan on AAA Fail **
 voice vlan
service-template CRITICAL_AUTH_VLAN
 description ** Apply data vlan on AAA Fail **
 vlan ***critical_VLAN****
service-template RESTRICTED_AUTH_VLAN
 description ** Apply RESTRICTED vlan on AAA Fail **
 vlan **** restricted_VLAN****
service-template IA-TIMER
 description ** Apply inactivity timer and ARP probe **
 inactivity-timer 60 probe
dot1x system-auth-control
!
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match result-type aaa-timeout
 match authorization-status authorized
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
!
class-map type control subscriber match-all DOT1X
 match method dot1x
!
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_MEDIUM_PRIO
 match authorizing-method-priority gt 20
!
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all DOT1X_TIMEOUT
 match method dot1x
 match result-type method dot1x method-timeout
!
class-map type control subscriber match-any IN_CRITICAL_AUTH
 match activated-service-template RESTRICTED_AUTH_VLAN
 match activated-service-template CRITICAL_VOICE_VLAN
!
class-map type control subscriber match-all MAB
 match method mab
!
class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative
!
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
 match activated-service-template RESTRICTED_AUTH_VLAN
 match activated-service-template CRITICAL_VOICE_VLAN
!
!
policy-map type control subscriber IDENTITY-POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template RESTRICTED_AUTH_VLAN
   20 activate service-template CRITICAL_VOICE_VLAN
   30 authorize
   40 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  50 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 activate service-template RESTRICTED_AUTH_VLAN
   30 authorize
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template IA-TIMER
!
!
template 802.1X
 dot1x pae authenticator
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport access vlan ****restricted_VLAN****
 switchport mode access
 switchport nonegotiate
 trust device cisco-phone
 mab
 access-session host-mode multi-domain
 access-session closed
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber IDENTITY-POLICY
 description UserAccess 802.1X
 ip dhcp snooping limit rate 15
!

interface GigabitEthernet1/0/12
 description NAC Controlled Port
 switchport mode access
 switchport voice vlan ***voice_VLAN***
 device-tracking attach-policy IPDT_POLICY
 load-interval 30
 dot1x timeout tx-period 10
 no lldp transmit
 no lldp receive
 source template 802.1X
 spanning-tree portfast
!
ip radius source-interface ****vlan/interface****
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 2
radius-server deadtime 5
!
radius server nac1
 address ipv4 ***ISE1_IP*** auth-port 1812 acct-port 1813
 automate-tester username testuser idle-time 2
 key 0 ************
!
radius server nac2
 address ipv4 ***ISE2_IP*** auth-port 1812 acct-port 1813
 automate-tester username testuser idle-time 2
 key 0 *************
!

mac address-table notification change
no access-session mac-move deny

Hello @Arne Bier,

First of all I want to thank you for your time and fast reply.

I'm currently working with Cisco CGR2010 with GRWICDES Software (GRWICDES-IPSERVICESK9-M), Version 15.2(6)E1, RELEASE SOFTWARE (fc4).


@Arne Bier wrote:
If you have endpoints that don't send any Ethernet packets, then MAB will not be triggered.

The endpoint doesn't send any Ethernet packets after I configure the interface with MAB. If I remove this configuration, I start receiving packets and my mac-address table is updated.

@Arne Bier wrote:
After applying the config to an interface, you sometimes have to "shut/no shut", or perform a "clear access-session int ..."

I understand this, I have done it a few times with success, but in these specific cases where MAB is not working, this solution doesn't work either.


@Arne Bier wrote:
In that case use static VLANs instead - and port security.

Yes! I have been talking with my team, and the solution will most likely be this. But it is not the same as using MAB and ISE...

Best regards,

Tiago

I'm interested in this case. Can you show the output of show auth session on the port?

Hello @MHM Cisco World,

Thank you for your reply.

I will give you some context on the work I am doing.

I have an endpoint connected to a Cisco CGR2010 that authenticates via MAB-ISE.

When this endpoint was connected the first time, it worked perfectly. MAB authenticated with success.

Yesterday we had a minor power failure for a few minutes, and the Cisco CGR2010 reset. After this reset, the endpoint didn't authenticate. I wasn't receiving any packets on the port; authentication was not happening, with no change in configuration.

This endpoint is a generator to keep critical services running, so when this happened, I had to solve it fast. I did some troubleshooting with no success; I just did not have any packets on the interface. The solution was to remove the MAB config from the interface and give a simple "switchport access vlan" and all good, but with no AAA.

Being this a very important endpoint, I can't just simply "maneuver" it when I want. It has to be in my work hours, and I have to inform several services and persons before I touch it.


@MHM Cisco World wrote:

show auth session in port ?


Yesterday when I was working on this, show authentication session interface fax/x had the output "No sessions match supplied criteria.".

But now this is where it gets funny... when I saw your reply today, I removed the "switchport access" configuration and replaced it with MAB. Guess what? In seconds the endpoint authenticated and started communicating! (I have "debug mab all".)

Now I want to say that this subject is resolved, but I don't feel confident. I'll try to run some "stress" tests today to see the behaviour and I will keep you updated. This stress test will try to repeat what happened yesterday (maybe by cold resetting the Cisco).

Thank you again for your time @MHM Cisco World 

I hope I explained myself correctly.

Hello @MHM Cisco World,

I just did the test, resetting the Cisco CGR2010, and it did not work.

Here is the output of the command you asked for:

VIR-SW-01#sh authentication sessions interface fa0/4
No sessions match supplied criteria.

Runnable methods list:
  Handle  Priority  Name
    7        0      dot1xSupp
    6        5      dot1x
    8        10     mab
    14       15     webauth

VIR-SW-01#

and when I do show authentication session:

VIR-SW-01#sh authentication sessions 

Interface    Identifier     Method  Domain  Status Fg Session ID
Fa0/3        0000.2309.7ea2 mab     DATA    Auth      000000000000000D000140CC
Fa0/8        0080.2f17.e586 mab     DATA    Auth      000000000000000B00012441
Fa0/7        0000.2309.4386 mab     DATA    Auth      000000000000000C000124BF

Session count = 3

Key to Session Events Blocked Status Flags:

  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  N - Waiting for AAA to come up
  P - Pushed Session
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker
VIR-SW-01#

As the output shows, I have 3 interfaces with MAB up and running, but interface Fa0/4 is not working correctly...

Best regards,

Tiago
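The symptom in this thread is a NAC port that shows no session at all, as opposed to a port whose session exists but fails authorization. As an added example (not from the thread), this Python parses "show authentication sessions" output like the one above and separates the two cases: the port list NAC_PORTS, the Fa0/5 row and its session IDs are constructed.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the "show authentication sessions" output
# quoted in the thread; the Fa0/5 row (status Unauth, flag N) is invented to
# show a port that has a session but is not authorized.
SHOW_AUTH_SESSIONS = """\
Interface    Identifier     Method  Domain  Status Fg Session ID
Fa0/3        0000.2309.7ea2 mab     DATA    Auth      000000000000000D000140CC
Fa0/8        0080.2f17.e586 mab     DATA    Auth      000000000000000B00012441
Fa0/7        0000.2309.4386 mab     DATA    Auth      000000000000000C000124BF
Fa0/5        0011.2233.4455 mab     DATA    Unauth N  000000000000000E00012500

Session count = 4
"""

# Assumption: the ports carrying the MAB/802.1X template, taken from the
# running config (for example every interface with "mab" under it).
NAC_PORTS = ["Fa0/3", "Fa0/4", "Fa0/5", "Fa0/7", "Fa0/8"]

# One table row: interface, MAC, method, domain, status, optional single-letter
# blocker flag (the "Fg" column), 24-hex-digit session ID.
ROW = re.compile(
    r"^(?P<intf>\S+)\s+(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(?P<method>\S+)\s+(?P<domain>\S+)\s+(?P<status>\S+)\s+"
    r"(?:(?P<flag>[A-Z])\s+)?(?P<sid>[0-9A-F]{24})$"
)


def parse_sessions(output: str) -> Dict[str, dict]:
    """Map interface -> parsed row for every session line in the output."""
    sessions: Dict[str, dict] = {}
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:
            sessions[m["intf"]] = m.groupdict()
    return sessions


def silent_ports(output: str, nac_ports: List[str]) -> List[str]:
    """NAC ports with no session at all: the switch never saw a frame from the
    endpoint, so neither 802.1X nor MAB could start. This is the thread's
    symptom and the per-interface "No sessions match supplied criteria." case."""
    seen = parse_sessions(output)
    return [p for p in nac_ports if p not in seen]


def unauthorized_ports(output: str) -> List[str]:
    """Ports that do have a session but are not in the Auth state; these saw
    traffic, so the problem is on the RADIUS/ISE side, not a silent endpoint."""
    return [i for i, s in parse_sessions(output).items() if s["status"] != "Auth"]


if __name__ == "__main__":
    print("silent NAC ports:", silent_ports(SHOW_AUTH_SESSIONS, NAC_PORTS))
    print("unauthorized ports:", unauthorized_ports(SHOW_AUTH_SESSIONS))
```

Feed it the switch's real output and port list; a port in the silent list is where a "shut/no shut" or a power cycle of the endpoint is the next step, while a port in the unauthorized list needs the ISE live log.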

Only under fa0/4:

access-session control-direction in

shut / no shut the interface, then do the test again.

I have done it:

VIR-SW-01(config)#int fa0/4
VIR-SW-01(config-if)#access-session  control-direction in
This operation will permanently convert all relevant authentication commands to their CPL control-policy equivalents. As this conversion is irreversible and will disable the conversion CLI 'authentication display [legacy|new-style]', you are strongly advised to back up your current configuration before proceeding. 
Do you wish to continue? [yes]: yes
%Unidirectional control for authentication has no effect when portfast is disabled.

I lost the command show authentication.

After this, the port configuration is:

interface FastEthernet0/4
 access-session control-direction in
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 10
 dot1x timeout tx-period 10
 spanning-tree portfast edge
end

I did shut, no shut the interface, but with no success. Communication was not working.

I did reload the Cisco CGR2010 (repeating the test), also with no success... communication is not working.

EDIT: port configuration was pasted wrong. Now it is correct.

Hello

First of all, the "authentication-session" vs "access-session" is a CLI change but the concept is the same. When you have the access-session command then it means the IOS has been converted to the new syntax. I don't know what your switch is capable of but you should have a look at the Cisco Wired Access Prescriptive Guide for an overview of how MAB/802.1X is done on a Cisco Catalyst switch. There might be some command differences with your switch.

I sympathise with your situation - sometimes there are "dumb" endpoint devices that are not very friendly when trying to achieve a secure network. In my opinion, NAC works best in the enterprise (office). In other verticals like healthcare, manufacturing and audio/visual, the job gets harder and more "dangerous" to use NAC. In healthcare especially, lives depend on NAC working. Here, you have to design your solution to be super resilient and have multiple paths to multiple ISE nodes to ensure that RADIUS never fails. That has to be an assumption: ISE never fails. If your switch relies on ISE to authenticate a port and gets no reply, then it has ONE chance to place the device in an "emergency" VLAN. Might be useful in some industries, but what if you have more than one critical VLAN? The switch can't decide without ISE. There are some clever tricks in IBNS 2.0 to "remember" previous endpoints and then assign them a profile in that event - but I don't think that feature helps when you connect a new device that the switch has never seen.

I digress.

How about dumb endpoints? By dumb, I mean, these endpoints don't send any ethernet packets when the switch port goes DOWN, then UP. Most enterprise devices detect this "link up" and then send SOMETHING. e.g. DHCP Discovery. Or perhaps the device has a heartbeat protocol running, or it's advertising some service via multicast/broadcast. I have personally had the same experience as you, but in my case the switch was a Meraki stack, and the device was a ceiling microphone. When the Meraki stack rebooted, the ceiling microphone didn't care and then of course didn't send a packet to the switch. End result: ceiling microphone is not working. Had to physically power cycle it to cause its device driver to send something. Bad news. We looked for options in the microphone software to see if it could be configured to send some keepalive etc. - it's just a simple device and the manufacturers are probably not even aware of this. Make your manufacturers aware and perhaps they will improve their products. The least you can do is to try and use DHCP if possible. But if link detection doesn't work then you're already dead in the water.

In my case, we reverted the port config to a static VLAN with MAC access control (e.g. limit the MAC addresses to 1 or 2). If you unplug the microphone and plug in a hacking device then the port shuts down and sends an alert.

Security is a goal we all aspire to and it's a good thing. But we also need to be realistic when we get devices that don't help our cause.

About the IOS, I also checked and yes, it changes the CLI to use new-style even if we do not use the auth convert-to new-style command!!!

https://community.cisco.com/t5/switching/mab-or-802-1x-on-c4510r-e-doesn-t-start/td-p/2971601

Please see the link above, check debug mab all and see if it shows the same debug as in that issue; if yes, then try his way to solve the issue.

Hello @MHM Cisco World,

Yes, the first thing I did was to debug mab all, and I checked everything was working correctly.

Thank you for the article, I will read it.

Best regards,

Tiago

Can you share the last config that worked without any problem? If you can.

Another doc from Cisco, same issue, different SW:

https://www.cisco.com › docsPDF
UCS Implementation with MAB/802.1x Authentication

Hello,

The config that is working is a simple switchport access vlan xx.

The global configuration I cannot share. I asked my network architect and he said it's best not to share, or if I want to share I should cypher all IP addresses and VRFs. As you can imagine, that would take me a lot of time.

Thank you for the link you sent me (UCS Implementation with MAB/802.1x Authentication). We will integrate this equipment later this year for Data Center connections. All information is useful.

Best regards,

Tiago

You are so welcome friend.

Hello @Arne Bier ,

Firstly I want to send you a big thank you for your detailed answer. It helped me a lot (I gave you the "helpful star").


@Arne Bier wrote:

First of all, the "authentication-session" vs "access-session" is a CLI change but the concept is the same.

Yesterday I read a lot about it and understood it better. I am now more comfortable with the new syntax.


@Arne Bier wrote:

In my opinion, NAC works best in the enterprise (office). In other verticals like healthcare, manufacturing and audio/visual, the job gets harder and more "dangerous" to use NAC.

We configured NAC only for management. The network I work on is a critical services one (SCADA essentially). The network was designed to be as redundant as possible, so yes, we do have 2 ISE nodes. Redundancy is a MUST so we can guarantee continuity of service and resilience.


@Arne Bier wrote:

The least you can do is to try and use DHCP if possible.

The whole network is logically segmented; we provide a static IP for all endpoints connected in the Operational Network. DHCP is only working through IT services for the Administration Network.


@Arne Bier wrote:

In my case, we reverted to port config to static VLAN with MAC Access control (e.g. limit the MAC addresses to 1 or 2).

This will most likely be the solution we will implement. Since this is a big static generator, it won't be "roaming" around the network. MAB is a good solution for an endpoint that will connect at different nodes of the network (at different times) and use ISE to check if it has permission (i.e. Quality of Energy Wave measurement).

This subject is solved for me.

Thank you again for your time and clear explanation.

Best regards,

Tiago

@Arne Bier 

Can you please elaborate the following statement of yours?

"There are some clever tricks in IBNS 2.0 to "remember" previous endpoints and then assign them a profile in that event"

What are you referring to?

Thanks.