MAB not working
01-15-2021 08:58 AM
Hello,
we are using 802.1x to authenticate our clients.
As a fallback and for foreign devices we are using MAB.
Now we often meet the issue that MAB is also not working.
The authentication session does not start at all and there is no MAC address visible.
As soon as we disable the authentication, the device can be connected successfully, the MAC is visible etc.
We met this issue with different devices (e.g. Raspberry Pi, printer) and on different platforms (e.g. 4506E, C9300).
Is anybody else facing such issues and can maybe provide a solution?
Thanks and best regards
Stefan
03-23-2022 03:36 PM
Hi @tcatanho
What IOS / IOS-XE are you using?
I have been working with C9300 IOS-XE 17.6.2 recently and I have found a very nice config that works for me
I would say all the commands below make for a happy solution.
If you have endpoints that don't send any Ethernet packets, then MAB will not be triggered. The end device needs to send *something* to cause MAB to start. And if you want the device to stay connected, then do not return a session timeout via ISE - the switch will apply a session timeout value of N/A - but the Accounting will be sent every 48 hours to keep ISE session DB and License DB happy.
After applying the config to an interface, you sometimes have to "shut/no shut", or perform a "clear access-session int ..." to kick start the process. If the endpoint is still not creating a session (as seen in "show access-session int ...") then the client is the problem. In that case use static VLANs instead - and port security.
aaa new-model
!
!
aaa group server radius ISE
 server name nac1
 server name nac2
 deadtime 5
 retransmit 2
 timeout 5
 load-balance method least-outstanding
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting update newinfo periodic 2880
aaa accounting identity default start-stop group ISE
!
!
aaa session-id common
!
!
ip dhcp snooping vlan *** comma delimited list of VLANs to Snoop on *****
no ip dhcp snooping information option
ip dhcp snooping
!
!
!
epm logging
access-session attributes filter-list list FILTER_DS
 cdp
 lldp
 dhcp
access-session accounting attributes filter-spec include list FILTER_DS
device-tracking policy IPDT_POLICY
 security-level glean
 no protocol ndp
 no protocol udp
 tracking enable reachable-lifetime 10
!
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
 linksec policy must-secure
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
 linksec policy should-secure
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan
service-template DEFAULT_CRITICAL_DATA_TEMPLATE
service-template CRITICAL_VOICE_VLAN
 description ** Apply voice vlan on AAA Fail **
 voice vlan
service-template CRITICAL_AUTH_VLAN
 description ** Apply data vlan on AAA Fail **
 vlan ***critical_VLAN****
service-template RESTRICTED_AUTH_VLAN
 description ** Apply RESTRICTED vlan on AAA Fail **
 vlan **** restricted_VLAN****
service-template IA-TIMER
 description ** Apply inactivity timer and ARP probe **
 inactivity-timer 60 probe
dot1x system-auth-control
!
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match result-type aaa-timeout
 match authorization-status authorized
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
!
class-map type control subscriber match-all DOT1X
 match method dot1x
!
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_MEDIUM_PRIO
 match authorizing-method-priority gt 20
!
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all DOT1X_TIMEOUT
 match method dot1x
 match result-type method dot1x method-timeout
!
class-map type control subscriber match-any IN_CRITICAL_AUTH
 match activated-service-template RESTRICTED_AUTH_VLAN
 match activated-service-template CRITICAL_VOICE_VLAN
!
class-map type control subscriber match-all MAB
 match method mab
!
class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative
!
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
 match activated-service-template RESTRICTED_AUTH_VLAN
 match activated-service-template CRITICAL_VOICE_VLAN
!
!
policy-map type control subscriber IDENTITY-POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template RESTRICTED_AUTH_VLAN
   20 activate service-template CRITICAL_VOICE_VLAN
   30 authorize
   40 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  50 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 activate service-template RESTRICTED_AUTH_VLAN
   30 authorize
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template IA-TIMER
!
!
template 802.1X
 dot1x pae authenticator
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport access vlan ****restricted_VLAN****
 switchport mode access
 switchport nonegotiate
 trust device cisco-phone
 mab
 access-session host-mode multi-domain
 access-session closed
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber IDENTITY-POLICY
 description UserAccess 802.1X
 ip dhcp snooping limit rate 15
!
interface GigabitEthernet1/0/12
 description NAC Controlled Port
 switchport mode access
 switchport voice vlan ***voice_VLAN***
 device-tracking attach-policy IPDT_POLICY
 load-interval 30
 dot1x timeout tx-period 10
 no lldp transmit
 no lldp receive
 source template 802.1X
 spanning-tree portfast
!
ip radius source-interface ****vlan/interface****
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 2
radius-server deadtime 5
!
radius server nac1
 address ipv4 ***ISE1_IP*** auth-port 1812 acct-port 1813
 automate-tester username testuser idle-time 2
 key 0 ************
!
radius server nac2
 address ipv4 ***ISE2_IP*** auth-port 1812 acct-port 1813
 automate-tester username testuser idle-time 2
 key 0 *************
!
mac address-table notification change
no access-session mac-move deny
03-24-2022 02:52 AM - edited 03-24-2022 02:52 AM
Hello @Arne Bier,
First of all I want to thank you for your time and fast reply.
I'm currently working with Cisco CGR2010 with GRWICDES Software (GRWICDES-IPSERVICESK9-M), Version 15.2(6)E1, RELEASE SOFTWARE (fc4).
@Arne Bier wrote: If you have endpoints that don't send any Ethernet packets, then MAB will not be triggered.
The endpoint doesn't send any Ethernet packets after I configure the interface with MAB. If I remove this configuration, I start receiving packets and my mac-address table is updated.
@Arne Bier wrote: After applying the config to an interface, you sometimes have to "shut/no shut", or perform a "clear access-session int ..."
I understand this, I have done it a few times with success, but in these specific cases where MAB is not working, this solution doesn't work either.
@Arne Bier wrote: In that case use static VLANs instead - and port security.
Yes! I have been talking with my team, and the solution will most likely be this. But it is not the same as using MAB and ISE...
Best regards,
Tiago
03-23-2022 03:53 PM
I am interested in this case. Can you show the output of
show auth session on the port?
03-24-2022 03:28 AM
Hello @MHM Cisco World,
Thank you for your reply.
I will give you some context on the work I am doing.
I have an endpoint connected to a Cisco CGR2010 that authenticates via MAB-ISE.
When this endpoint was connected the first time, it worked perfectly. MAB authenticated with success.
Yesterday we had a minor power failure for a few minutes, and the Cisco CGR2010 reset. After this reset, the endpoint didn't authenticate. I wasn't receiving any packets on the port, and authentication was not happening, with no change in configuration.
This endpoint is a generator to keep critical services running, so when this happened, I had to solve it fast. I did some troubleshooting with no success, I just did not have any packets on the interface. The solution was to remove the MAB config from the interface and give a simple "switchmode access vlan" and all good, but with no AAA.
Being this a very important endpoint, I can't just simply "manoeuvre" it when I want. It has to be in my work hours, and I have to inform several services and persons before I touch it.
@MHM Cisco World wrote: show auth session in port ?
Yesterday when I was working on this, show authentication session interface fax/x had the output "No sessions match supplied criteria.".
But now this is where it gets funny... when I saw your reply today, I removed the "switchport access" configuration and replaced it with MAB. Guess what? In seconds the endpoint authenticated and started communicating! (I have "debug mab all".)
Now I want to say that this subject is resolved, but I don't feel confident. I'll try to run some "stress" tests today to see the behaviour and I will keep you updated. This stress test will try to repeat what happened yesterday (maybe by cold resetting the Cisco).
Thank you again for your time @MHM Cisco World
I hope I explained myself correctly.
03-24-2022 04:03 AM
Hello @MHM Cisco World ,
I just did the test, resetting the Cisco CGR2010, and it did not work.
Here is the output of the command you asked for:
VIR-SW-01#sh authentication sessions interface fa0/4
No sessions match supplied criteria.
Runnable methods list:
  Handle Priority Name
       7        0 dot1xSupp
       6        5 dot1x
       8       10 mab
      14       15 webauth
VIR-SW-01#
and when I do show authentication session:
VIR-SW-01#sh authentication sessions
Interface  Identifier      Method  Domain  Status  Fg  Session ID
Fa0/3      0000.2309.7ea2  mab     DATA    Auth        000000000000000D000140CC
Fa0/8      0080.2f17.e586  mab     DATA    Auth        000000000000000B00012441
Fa0/7      0000.2309.4386  mab     DATA    Auth        000000000000000C000124BF
Session count = 3

Key to Session Events Blocked Status Flags:
  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  N - Waiting for AAA to come up
  P - Pushed Session
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker
VIR-SW-01#
As the output shows, I have 3 interfaces with MAB up and running, but interface Fa0/4 is not working correctly...
Best regards,
Tiago
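Added example, not from the thread or any of its posters: a small Python checker that parses the "sh authentication sessions" table in the format shown above and reports NAC-configured ports that have no session at all (the Fa0/4 symptom) or a session that is not in Auth state. The sample output is constructed to match the thread's format and the list of NAC-enabled ports is an assumption.

```python
import re

# Constructed sample in the format of the thread's "sh authentication sessions" output
# (the three Auth rows copy the thread; the Fa0/5 row with an Fg flag is invented).
SAMPLE_SESSIONS = """\
VIR-SW-01#sh authentication sessions
Interface  Identifier      Method  Domain  Status  Fg  Session ID
Fa0/3      0000.2309.7ea2  mab     DATA    Auth        000000000000000D000140CC
Fa0/8      0080.2f17.e586  mab     DATA    Auth        000000000000000B00012441
Fa0/7      0000.2309.4386  mab     DATA    Auth        000000000000000C000124BF
Fa0/5      0011.2233.4455  mab     DATA    Unauth  A   000000000000000E00012500
Session count = 4

Key to Session Events Blocked Status Flags:
  A - Applying Policy (multi-line status for details)
VIR-SW-01#
"""

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")

def short_name(iface):
    """FastEthernet0/4 -> Fa0/4, GigabitEthernet1/0/12 -> Gi1/0/12; short names pass through."""
    m = re.match(r"^([A-Za-z]{2})[A-Za-z-]*(\d.*)$", iface)
    return f"{m.group(1)}{m.group(2)}" if m else iface

def parse_sessions(text):
    """Return {short interface name: session fields} for each data row of the table."""
    sessions = {}
    for line in text.splitlines():
        f = line.split()
        # A data row has a dotted MAC in column 2; header, count and flag-key lines do not.
        if len(f) >= 6 and MAC_RE.match(f[1]):
            sessions[f[0]] = {"mac": f[1], "method": f[2], "domain": f[3],
                              "status": f[4], "session_id": f[-1]}  # Fg column may be empty
    return sessions

def audit_ports(nac_ports, text):
    """Classify every NAC-enabled port: silent (no session), not_authorized, or ok."""
    sessions = parse_sessions(text)
    report = {"silent": [], "not_authorized": [], "ok": []}
    for port in sorted(nac_ports):
        s = sessions.get(short_name(port))
        if s is None:
            report["silent"].append(port)   # endpoint never sent a frame, so MAB never started
        elif s["status"] != "Auth":
            report["not_authorized"].append(port)
        else:
            report["ok"].append(port)
    return report

if __name__ == "__main__":
    # Assumed list of ports carrying the NAC config, named as in the running-config
    ports = ["FastEthernet0/3", "FastEthernet0/4", "FastEthernet0/5",
             "FastEthernet0/7", "FastEthernet0/8"]
    for kind, plist in audit_ports(ports, SAMPLE_SESSIONS).items():
        print(f"{kind}: {plist}")
```

In practice the text would come from the switch (for example over SSH) and the port list from the running-config; a port listed under "silent" is the case where the endpoint has to be made to send a frame, not a RADIUS problem.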
03-24-2022 04:22 AM
Only under fa0/4:
access-session control-direction in
shut / no shut the interface
then do the test again.
03-24-2022 04:46 AM - edited 03-24-2022 04:51 AM
I have done it:
VIR-SW-01(config)#int fa0/4
VIR-SW-01(config-if)#access-session control-direction in
This operation will permanently convert all relevant authentication commands to their CPL control-policy equivalents. As this conversion is irreversible and will disable the conversion CLI 'authentication display [legacy|new-style]', you are strongly advised to back up your current configuration before proceeding.
Do you wish to continue? [yes]: yes
%Unidirectional control for authentication has no effect when portfast is disabled.
I lost the command show authentication
after this, the port configuration is:
interface FastEthernet0/4
 access-session control-direction in
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 10
 dot1x timeout tx-period 10
 spanning-tree portfast edge
end
I did shut, no shut the interface, but with no success. Communication was not working.
I did reload the Cisco CGR2010 (repeating the test), also with no success... communication is not working.
EDIT: port configuration was pasted wrong. Now it is correct.
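Added example, not from the thread, from Cisco or from any poster: a Python audit that reads a running-config excerpt, expands "source template" the way Arne's template-based port config above relies on, and flags the conditions under which MAB cannot start on a port: "mab" without "access-session port-control auto" (or its legacy form), which leaves the port force-authorized with no session ever created, "access-session control-direction in" without "spanning-tree portfast" (the warning the switch printed above), and a missing global "dot1x system-auth-control". The config excerpt and interface names are constructed.

```python
# Constructed running-config excerpt modelled on the thread's template and port stanzas (not real config).
SAMPLE_CONFIG = """\
dot1x system-auth-control
template 802.1X
 spanning-tree portfast
 mab
 access-session port-control auto
 service-policy type control subscriber IDENTITY-POLICY
!
interface GigabitEthernet1/0/12
 source template 802.1X
interface FastEthernet0/21
 access-session control-direction in
 mab
interface FastEthernet0/22
 access-session control-direction in
 mab
 access-session port-control auto
 spanning-tree portfast edge
"""

def parse_config(text):
    """Split IOS config into global lines, template blocks and interface blocks."""
    glob, templates, ifaces = [], {}, {}
    current = None
    for raw in text.splitlines():
        if raw.startswith(" "):  # indented line belongs to the open block, if any
            if current is not None:
                current.append(raw.strip())
            continue
        line = raw.strip()
        current = None
        if line.startswith("template "):
            current = templates.setdefault(line.split(None, 1)[1], [])
        elif line.startswith("interface "):
            current = ifaces.setdefault(line.split(None, 1)[1], [])
        elif line and line != "!":
            glob.append(line)
    return glob, templates, ifaces

def effective_lines(iface_lines, templates):
    """Expand 'source template X' so the audit sees what the port really inherits."""
    out = []
    for line in iface_lines:
        if line.startswith("source template "):
            out.extend(templates.get(line[len("source template "):], []))
        else:
            out.append(line)
    return out

def audit(text):
    """Return {interface or 'global': [problems]} for states in which MAB cannot start."""
    glob, templates, ifaces = parse_config(text)
    findings = {}
    if "dot1x system-auth-control" not in glob:
        findings["global"] = ["dot1x system-auth-control missing: no port will run 802.1X/MAB"]
    for name, lines in ifaces.items():
        eff = effective_lines(lines, templates)
        has = lambda prefix: any(c.startswith(prefix) for c in eff)
        problems = []
        if has("mab") and not (has("access-session port-control auto") or has("authentication port-control auto")):
            problems.append("mab without port-control auto: port is force-authorized, MAB never starts")
        if has("access-session control-direction in") and not has("spanning-tree portfast"):
            problems.append("control-direction in has no effect without spanning-tree portfast")
        if problems:
            findings[name] = problems
    return findings
```

Running audit(SAMPLE_CONFIG) reports only FastEthernet0/21; a clean result on a port that still shows no session points back at the endpoint never sending a frame rather than at the port config.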
03-24-2022 01:35 PM
Hello
First of all, the "authentication-session" vs "access-session" is a CLI change but the concept is the same. When you have access-session command then it means the IOS has been converted to the new syntax. I don't know what your switch is capable of but you should have a look at the Cisco Wired Access Prescriptive Guide for an overview of how MAB/802.1X is done on a Cisco Catalyst switch. There might be some command differences with your switch.
I sympathise with your situation - sometimes there are "dumb" endpoint devices that are not very friendly when trying to achieve a secure network. In my opinion, NAC works best in the enterprise (office). In other verticals like healthcare, manufacturing and audio/visual, the job gets harder and more "dangerous" to use NAC. In healthcare especially, when lives depend on NAC working. Here, you have to design your solution super resilient and have multiple paths to multiple ISE nodes to ensure that RADIUS never fails. That has to be an assumption. ISE never fails. If your switch relies on ISE to authenticate a port and gets no reply, then it has ONE chance to place the device in an "emergency" VLAN. Might be useful in some industries, but what if you have more than one critical VLAN? Switch can't decide without ISE. There are some clever tricks in IBNS 2.0 to "remember" previous endpoints and then assign them a profile in that event - but I don't think that feature helps when you connect a new device that the switch has never seen.
I digress.
How about dumb endpoints? By dumb, I mean, these endpoints don't send any ethernet packets when the switch port goes DOWN, then UP. Most enterprise devices detect this "link up" and then send SOMETHING. e.g. DHCP Discovery. Or perhaps the device has a heartbeat protocol running, or it's advertising some service via multicast/broadcast. I have personally had the same experience as you, but in my case the switch was a Meraki stack, and the device was a ceiling microphone. When the Meraki stack rebooted, the ceiling microphone didn't care and then of course didn't send a packet to the switch. End result: ceiling microphone is not working. Had to physically power cycle it to cause its device driver to send something. Bad news. We looked for options in the microphone software to see if it could be configured to send some keepalive etc. - it's just a simple device and the manufacturers are probably not even aware of this. Make your manufacturers aware and perhaps they will improve their products. The least you can do is to try and use DHCP if possible. But if link detection doesn't work then you're already dead in the water.
In my case, we reverted the port config to a static VLAN with MAC access control (e.g. limit the MAC addresses to 1 or 2). If you unplug the microphone and plug in a hacking device then the port shuts down and sends an alert.
Security is a goal we all aspire to and it's a good thing. But we also need to be realistic when we get devices that don't help our cause.
03-24-2022 06:03 PM
About the IOS, I also checked and yes, it changes the CLI to use new-style even if we do not use the auth convert-to new-style command!!!
https://community.cisco.com/t5/switching/mab-or-802-1x-on-c4510r-e-doesn-t-start/td-p/2971601
Please see the above, check debug mab all and see if it is the same debug as in this issue; if yes, then try his way to solve the issue.
03-25-2022 02:41 AM
Hello @MHM Cisco World ,
Yes, first thing I did was to debug mab all, and I checked everything was working correctly.
Thank you for the article, I will read it.
Best regards,
Tiago
03-25-2022 09:38 AM - edited 03-25-2022 09:41 AM
Can you share the last config that works without any problem? If you can.
Other doc from Cisco, same issue, different sw.
https://www.cisco.com (PDF): UCS Implementation with MAB/802.1x Authentication
03-25-2022 09:53 AM
Hello,
The config that is working is a simple switchport access vlan xx.
The global configuration I cannot share. I asked my network architect and he said it's best not to share, or if I want to share I should cipher all IP addresses and VRFs. As you can imagine, that would take me a lot of time.
Thank you for the link you sent me (UCS Implementation with MAB/802.1x Authentication). We will integrate this equipment later this year for Data Center connections. All information is useful.
Best regards,
Tiago
03-25-2022 10:06 AM
You are so welcome friend.
03-25-2022 02:39 AM
Hello @Arne Bier ,
Firstly I want to send you a big thank you for your detailed answer. It helped me a lot (I gave you the "helpful star").
@Arne Bier wrote: First of all, the "authentication-session" vs "access-session" is a CLI change but the concept is the same.
Yesterday I read a lot about it and understood it better. I am now more comfortable with the new syntax.
@Arne Bier wrote: In my opinion, NAC works best in the enterprise (office). In other verticals like healthcare, manufacturing and audio/visual, the job gets harder and more "dangerous" to use NAC.
We configured NAC only for management. The network I work on is a critical services one (SCADA essentially). The network was designed to be as redundant as possible, so yes, we do have 2 ISE nodes. Redundancy is a MUST so we can guarantee continuity of service and resilience.
@Arne Bier wrote:
The least you can do is to try and use DHCP if possible.
The whole network is logically segmented; we provide a static IP for all endpoints connected in the Operational Network. DHCP is only working through IT services for the Administration Network.
@Arne Bier wrote:
In my case, we reverted to port config to static VLAN with MAC Access control (e.g. limit the MAC addresses to 1 or 2).
This will most likely be the solution we will implement. Since this is a big static generator, it won't be "roaming" around the network. MAB is a good solution for an endpoint that will connect in different nodes of the network (at different times) and use ISE to check if it has permission (i.e. Quality of Energy Wave measurement).
This subject is solved for me.
Thank you again for your time and clear explanation
Best regards,
Tiago
03-25-2022 10:27 PM
Can you please elaborate the following statement of yours?
"There are some clever tricks in IBNS 2.0 to "remember" previous endpoints and then assign them a profile in that event"
What are you referring to?
Thanks.
