08-01-2022 08:08 AM
Hi team,
I am getting continuous authentication failed messages whenever any desktop is connected to the switch.
It seems that in the logs, in the Username field, I am getting a MAC address; ISE is searching for that MAC in AD, which it will never find.
Once it fails, it goes to MAB, for which I have set deny access.
Can you please help to resolve this Username issue?
Thanking you in advance.
Best regards,
prathamesh Padosakar
@ciscoCommunity @dot1x
08-01-2022 08:59 AM
- It depends on your ISE policies. If you do RADIUS / device authentication only, it is normal to show the MAC as the user ID. You need to get into dot1x and/or supplicant-based authentication to get further than that, and adapt the ISE NAC policies accordingly.
M.
08-01-2022 01:39 PM
Hi @prathamesh002 - I have a feeling that you are using IBNS 2.0-style configuration and that you're allowing 802.1X and MAB to be processed in parallel.
policy-map type control subscriber PARALLEL-POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
If you're confident that you can do one after the other, then try 802.1X first, followed by MAB if 802.1X fails/doesn't respond.
policy-map type control subscriber ISE_AUTH_POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
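For reference, here is a complete sequential IBNS 2.0 policy of the kind the reply describes (802.1X first, MAB only after 802.1X is rejected or no supplicant answers), written as an added example rather than taken from the reply above; the class-map and policy-map names are assumptions.

```cisco-ios
! Classes that tell "no supplicant responded" apart from "supplicant was rejected"
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found

class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative

! Assumed name: SEQUENTIAL-POLICY. Only dot1x is started when the session begins,
! so ISE never sees a MAB request (MAC as username) for a host that can do 802.1X.
policy-map type control subscriber SEQUENTIAL-POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
 ! Fall back to MAB only once dot1x has given up or failed
 event authentication-failure match-first
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  20 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
 ! If a supplicant shows up later (e.g. after OS boot), switch back to 802.1X
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
```

Apply it to the access ports with `service-policy type control subscriber SEQUENTIAL-POLICY`; with this ordering, a MAB request reaching ISE means a host with no working supplicant, which is the case the deny-access MAB rule should be matching.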
08-15-2022 04:08 PM
A MAC address for the username implies MAC Authentication Bypass (MAB) is being done, not 802.1X.
See How to Ask The Community for Help for examples of the kinds of details we need... just like TAC would request to help you troubleshoot.