Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1415
Views
10
Helpful
4
Replies

MX67 using MAB with ISE2.7

Jim Blake
Level 1
Level 1

‎01-25-2021 11:46 AM - edited ‎01-25-2021 11:56 AM

Guys, this should be a simple problem, if I could just find the right documentation!

I have a Meraki MX67, with a site-to-site VPN linking to a hub Meraki MX84 HA pair. I have client PCs successfully doing IEEE802.1x authentication on the MX67, using an ISE (v2.7) in the network at the MX84 end, so I know both ends work fine.

However, the user wants to authenticate devices with no supplicant, so needs to use MAB. The MX67 has an option to use MAB, but it fails (reject) despite the devices being configured in the ISE.

Other documentation I've found says that the ISE is looking for the "call-check" attribute when authenticating, but the MX67 doesn't provide it. As a result, the MAB fails, and indeed I can see failure notiifcations in the log and the traffic in the packet trace.

So I need to stop the ISE looking for the "call-check" attribute from the devices MAB-ing on the MX67, but I can't find anything that tells me how to do that or if its possible. Yes, I know it would be better to trunk a switch to the MX67 and do "normal" MAB on a "normal" switch port, that was my original response, but apparently a switch won't fit the budget.

If there is any document that says how to do it, can I have a link, or some idea of how to do the job. It sounds like just switching something off....?

 

Any hints will be gratefully recieved!

Thanks

Jim

1 person had this problem
0 Helpful
4 Replies 4

Panos Bouras
Level 1
Level 1

‎01-26-2021 08:32 AM

Hi @Jim Blake 

 

Can you share the output log from the failing radius request?

The "call-check" attribute is a build condition that is referenced once you use the condition of wired MAB in your policies.

2021-01-26 18_26_42-Identity Services Engine.png

 

You can create a policy set that filters on another condition e.g. NAS IP and this should get you going. Just remember to adjust your authentication policy for 802.1x and MAB

2021-01-26 18_31_12-Identity Services Engine – Mozilla Firefox.png

Thank you,Panos.
Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies
0 Helpful

Jim Blake
Level 1
Level 1
In response to Panos Bouras

‎01-28-2021 08:33 AM

I've done a little more digging and its looking more convoluted

Looking at the ISE logs, it looks like we are actually getting USERNAME  back from the MX....see the attached snip

Now I'm not sure what is happening, I was expecting a MAC address to come back

Preview file
60 KB

Marcelo Morais
VIP
VIP
In response to Jim Blake

‎01-28-2021 08:57 AM

Hi @Jim Blake 

 for the USERNAME "issue" ... please in Administration > System > Settings > Security Settings, check the Disclose invalid username.

 

Hope this helps !!!

0 Helpful

Panos Bouras
Level 1
Level 1

‎01-28-2021 09:12 AM - edited ‎01-28-2021 09:37 AM

Hi @Jim Blake 

 

As Marcelo mentioned you see USERNAME because ISE is by default configured to mask unknown usernames with the word USERNAME.

I believe this is to prevent of disclosing passwords that get wrongly typed in the username field, usually by an autocomplete software.

Regarding original question you can handle the authentication under default policy or create a new policy with filter the NAS-IP Address of the MX, so you're not limited by the "call-check" predefined check on ISE.

Thank you,Panos.
Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents