01-15-2021 08:58 AM
Hello,
we are using 802.1X to authenticate our clients.
As a fallback and for foreign devices we are using MAB.
Now we often hit the issue that MAB is not working either.
The authentication session does not start at all and there is no MAC address visible.
As soon as we disable the authentication, the device can be connected successfully, the MAC is visible, etc.
We have seen this issue with different devices (e.g. Raspberry Pi, printer) and on different platforms (e.g. 4506E, C9300).
Is anybody else facing such issues and can perhaps provide a solution?
Thanks and best regards
Stefan
03-26-2022 05:00 AM
03-24-2022 05:55 PM
This is from the Cisco doc about
"No sessions match supplied criteria."
Can you do this for the port and see the result? Share it here if you can.
03-23-2022 04:17 PM - edited 03-23-2022 04:24 PM
A Cisco phone:
s112#show access-session int gi 1/0/12 details
Interface: GigabitEthernet1/0/12
IIF-ID: 0x1EA91FCE
MAC Address: 885a.92d9.d0f7
IPv6 Address: Unknown
IPv4 Address: 10.49.44.30
User-Name: 88-5A-92-D9-D0-F7
Status: Authorized
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Acct update timeout: 172800s (local), Remaining: 170391s
Common Session ID: 420D020A00000635B8E2D488
Acct Session ID: 0x00000605
Handle: 0x3e00062b
Current Policy: IDENTITY-POLICY
Local Policies:
Service Template: IA-TIMER (priority 150)
Idle timeout: 60 sec
Server Policies:
Vlan Group: Name: Unified_Comms_VLAN_Group, Vlan: 1208
Method status list:
Method State
dot1x Stopped
mab Authc Success
And a Windows laptop (using an 802.1X supplicant):
s112#show access-session int gi 1/0/6 details
Interface: GigabitEthernet1/0/6
IIF-ID: 0x1B45AC5B
MAC Address: 3c97.0e1c.12f7
IPv6 Address: Unknown
IPv4 Address: 10.48.0.10
User-Name: 3C-97-0E-1C-12-F7
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Session timeout: 65535s (server), Remaining: 63037s
Timeout action: Reauthenticate
Acct update timeout: 172800s (local), Remaining: 170302s
Common Session ID: 420D020A00000633B8E18E22
Acct Session ID: 0x00000603
Handle: 0xc2000629
Current Policy: IDENTITY-POLICY
Local Policies:
Service Template: IA-TIMER (priority 150)
Idle timeout: 60 sec
Server Policies:
Session-Timeout: 65535 sec
Vlan Group: Vlan: 1100
Method status list:
Method State
dot1x Stopped
mab Authc Success
When I block all RADIUS traffic to ISE, the auth fails and I see this (as expected, since emergency VLANs are in place):
s112#show access-session interface gig 1/0/12 details
Interface: GigabitEthernet1/0/12
IIF-ID: 0x19038741
MAC Address: 885a.92d9.d0f7
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: 885a92d9d0f7
Status: Authorized
Domain: UNKNOWN
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Acct update timeout: 172800s (local), Remaining: 172778s
Common Session ID: 420D020A00000631B8E01186
Acct Session ID: 0x00000602
Handle: 0xdd000627
Current Policy: IDENTITY-POLICY
Local Policies:
Service Template: CRITICAL_VOICE_VLAN (priority 150)
Voice Vlan: Vlan: 1208
Service Template: RESTRICTED_AUTH_VLAN (priority 150)
Vlan Group: Vlan: 1001
Server Policies:
Method status list:
Method State
dot1x Stopped
mab Authc Failed
s112#show access-session interface gig 1/0/6 details
Interface: GigabitEthernet1/0/6
IIF-ID: 0x1E348BE0
MAC Address: 3c97.0e1c.12f7
IPv6 Address: Unknown
IPv4 Address: 10.48.0.10
Status: Authorized
Domain: UNKNOWN
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Acct update timeout: 172800s (local), Remaining: 172759s
Common Session ID: 420D020A00000632B8E0AFAB
Acct Session ID: 0x00000601
Handle: 0x9c000628
Current Policy: IDENTITY-POLICY
Local Policies:
Service Template: CRITICAL_VOICE_VLAN (priority 150)
Voice Vlan: Vlan: 1208
Service Template: RESTRICTED_AUTH_VLAN (priority 150)
Vlan Group: Vlan: 1001
Server Policies:
Method status list:
Method State
dot1x Stopped
mab Authc Failed
Interestingly, if the laptop were connected to the back of the phone, then a disaster could happen if the phone were to be in the DATA VLAN for some reason (e.g. it failed ISE auth and landed in a DATA VLAN)... the port would then shut down into err-disabled. Why? Because that is the expected result of multi-domain mode: it only allows one MAC address in the DATA domain.
There is no easy way around this. One way might be to enable multi-auth mode, but then it's less secure. But this only happens if the phone is in the DATA domain, which normally should not be the case.
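The three outputs above are the same `show access-session interface ... details` format in three states: authorized by ISE, authorized by the local critical/restricted templates after RADIUS was cut, and (per the earlier reply) the "No sessions match supplied criteria." case the original poster is hitting. The following is an added example, not code from the thread or from Cisco, that parses that format and classifies each port so a fail-open fallback or a port that never created a session stands out in a sweep of many interfaces. The sample outputs are constructed to mimic the format shown in the posts (hypothetical MAC addresses and session IDs); the function names `parse_access_session`, `classify`, `local_templates` and `audit` are this example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample outputs mimicking `show access-session ... details`
# as pasted in the thread (hypothetical MACs/IDs, not captured data).
SAMPLE_SERVER_AUTHZ = """\
Interface: GigabitEthernet1/0/12
MAC Address: 0011.2233.4455
IPv4 Address: 10.0.0.30
User-Name: 00-11-22-33-44-55
Status: Authorized
Domain: VOICE
Oper host mode: multi-domain
Session timeout: N/A
Current Policy: IDENTITY-POLICY
Local Policies:
Service Template: IA-TIMER (priority 150)
Idle timeout: 60 sec
Server Policies:
Vlan Group: Name: Unified_Comms_VLAN_Group, Vlan: 1208
Method status list:
Method State
dot1x Stopped
mab Authc Success
"""

SAMPLE_LOCAL_FALLBACK = """\
Interface: GigabitEthernet1/0/12
MAC Address: 0011.2233.4455
IPv4 Address: Unknown
User-Name: 001122334455
Status: Authorized
Domain: UNKNOWN
Oper host mode: multi-domain
Current Policy: IDENTITY-POLICY
Local Policies:
Service Template: CRITICAL_VOICE_VLAN (priority 150)
Voice Vlan: Vlan: 1208
Service Template: RESTRICTED_AUTH_VLAN (priority 150)
Vlan Group: Vlan: 1001
Server Policies:
Method status list:
Method State
dot1x Stopped
mab Authc Failed
"""

SAMPLE_NO_SESSION = "No sessions match supplied criteria.\n"

NO_SESSION_MARKER = "No sessions match supplied criteria"
TEMPLATE_RE = re.compile(r"Service Template:\s+(\S+)")


def parse_access_session(text: str) -> Optional[Dict]:
    """Parse one port's `details` output.

    Returns None when the switch reports no session at all (the original
    poster's symptom), otherwise a dict of the scalar "Key: value" fields
    plus local_policies / server_policies (raw lines) and methods (name -> state).
    """
    if NO_SESSION_MARKER in text:
        return None
    session: Dict = {"local_policies": [], "server_policies": [], "methods": {}}
    section = None  # which sub-list the current line belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Local Policies:":
            section = "local_policies"
        elif line == "Server Policies:":
            section = "server_policies"
        elif line == "Method status list:":
            section = "methods"
        elif section == "methods":
            if line.startswith("Method"):  # column header "Method State"
                continue
            method, _, state = line.partition(" ")
            session["methods"][method] = state.strip()
        elif section is not None:
            session[section].append(line)
        else:
            key, sep, value = line.partition(":")  # first colon only
            if sep:
                session[key.strip()] = value.strip()
    return session


def local_templates(session: Dict) -> List[str]:
    """Names of the locally applied service templates (e.g. CRITICAL_*)."""
    names = []
    for line in session["local_policies"]:
        m = TEMPLATE_RE.search(line)
        if m:
            names.append(m.group(1))
    return names


def classify(session: Optional[Dict]) -> str:
    """Reduce a session to one verdict a port sweep can sort on."""
    if session is None:
        return "no-session"  # port never built a session: check port config/debug
    if session.get("Status") != "Authorized":
        return "unauthorized"
    if session["server_policies"]:
        return "authorized-by-server"  # RADIUS returned attributes: normal case
    # Authorized with nothing from the server: only local templates (critical /
    # restricted VLAN) opened the port, so the device is on the wire unvetted.
    return "local-fallback"


def audit(outputs: Dict[str, str]) -> Dict[str, str]:
    """Map interface name -> verdict for a batch of pasted outputs."""
    return {ifname: classify(parse_access_session(text)) for ifname, text in outputs.items()}


if __name__ == "__main__":
    for port, verdict in audit({"Gi1/0/12": SAMPLE_SERVER_AUTHZ,
                                "Gi1/0/13": SAMPLE_LOCAL_FALLBACK,
                                "Gi1/0/14": SAMPLE_NO_SESSION}).items():
        print(port, verdict)
```

The `local-fallback` verdict is the one to alert on: the port is `Authorized` and the device has connectivity, but `mab` is `Authc Failed`, `Domain` is `UNKNOWN` and nothing came back under `Server Policies`, so the access was granted by the switch's own critical/restricted templates rather than by ISE. The `no-session` verdict matches the original symptom (no MAC learned, no session created) and is where to start with port configuration and `debug` rather than with ISE policy.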
03-23-2022 04:24 PM
Thanks for sharing this info.
03-15-2024 02:37 AM
Hi guys, we have the same problem. I followed all your suggestions without any result. I use a Cisco C9200L-48P-4X on 17.09.04a.
Is there an update for this topic?
Best!
03-15-2024 01:46 PM
@SysAdminPilot I recommend starting a new thread (new Discussion) because this one is already very long, and besides, you have not explained any useful details about your problem.
03-18-2024 03:19 AM
Thanks Arne for your suggestion. I will start a new thread soon with all the details.
Thanks!