MX67 using MAB with ISE2.7

Jim Blake
Level 1

Guys, this should be a simple problem, if I could just find the right documentation!

I have a Meraki MX67, with a site-to-site VPN linking to a hub Meraki MX84 HA pair. I have client PCs successfully doing IEEE 802.1X authentication on the MX67, using an ISE (v2.7) in the network at the MX84 end, so I know both ends work fine.

However, the user wants to authenticate devices with no supplicant, so needs to use MAB. The MX67 has an option to use MAB, but it fails (reject) despite the devices being configured in the ISE.

Other documentation I've found says that the ISE is looking for the "call-check" attribute when authenticating, but the MX67 doesn't provide it. As a result, the MAB fails, and indeed I can see failure notifications in the log and the traffic in the packet trace.

So I need to stop the ISE looking for the "call-check" attribute from the devices MAB-ing on the MX67, but I can't find anything that tells me how to do that or if it's possible. Yes, I know it would be better to trunk a switch to the MX67 and do "normal" MAB on a "normal" switch port; that was my original response, but apparently a switch won't fit the budget.

If there is any document that says how to do it, can I have a link, or some idea of how to do the job. It sounds like just switching something off....?


Any hints will be gratefully received!

Thanks

Jim

4 Replies

Panos Bouras
Level 1

Hi @Jim Blake

Can you share the output log from the failing radius request?

The "call-check" attribute is a built-in condition that is referenced once you use the Wired MAB condition in your policies.

[attached screenshot: Identity Services Engine, 2021-01-26 18:26]

You can create a policy set that filters on another condition, e.g. NAS IP, and this should get you going. Just remember to adjust your authentication policy for 802.1X and MAB.

[attached screenshot: Identity Services Engine – Mozilla Firefox, 2021-01-26 18:31]

Thank you, Panos.
Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies

I've done a little more digging and it's looking more convoluted.

Looking at the ISE logs, it looks like we are actually getting USERNAME back from the MX... see the attached snip.

Now I'm not sure what is happening; I was expecting a MAC address to come back.

Hi @Jim Blake

For the USERNAME "issue", please check the Disclose invalid username setting under Administration > System > Settings > Security Settings.

Hope this helps!!!

Panos Bouras
Level 1

Hi @Jim Blake

As Marcelo mentioned you see USERNAME because ISE is by default configured to mask unknown usernames with the word USERNAME.

I believe this is to prevent disclosing passwords that get wrongly typed in the username field, usually by autocomplete software.

Regarding the original question, you can handle the authentication under the default policy or create a new policy set that filters on the NAS-IP-Address of the MX, so you're not limited by the "call-check" predefined check on ISE.

Thank you, Panos.
Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies
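The policy-set idea from Panos's two replies above, as an added worked model (editor's example, not code from Cisco ISE, Meraki or anyone in this thread). It mimics how ISE walks policy sets and authentication rules top to bottom: the shipped Default policy set's MAB rule uses the built-in Wired_MAB condition (Service-Type = Call-Check AND NAS-Port-Type = Ethernet), so a request without Call-Check falls through to the catch-all rule, which looks the MAC up as a user and rejects. A policy set keyed on the MX's NAS-IP-Address, with a MAB rule that does not depend on Call-Check, catches the same request. The MX's RADIUS attribute set, the NAS IP 192.0.2.67, the "no EAP-Message means MAB" rule, and the endpoint/user data are all assumptions constructed for the example; identity-store behaviour is simplified to a plain lookup.

```python
"""Toy model of ISE-style policy-set matching for MAB requests.

Added illustration, not ISE or Meraki code. Attribute sets, IPs and
identity data below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Request = Dict[str, str]


# ISE built-in compound conditions, reduced to the attributes they test.
def wired_mab(req: Request) -> bool:
    return (req.get("Service-Type") == "Call-Check"
            and req.get("NAS-Port-Type") == "Ethernet")


def wired_dot1x(req: Request) -> bool:
    return (req.get("Service-Type") == "Framed"
            and req.get("NAS-Port-Type") == "Ethernet")


@dataclass
class Rule:
    name: str
    condition: Callable[[Request], bool]
    # "Internal Endpoints" looks up Calling-Station-Id (the MAC);
    # any other store looks up User-Name.
    identity_store: str


@dataclass
class PolicySet:
    name: str
    condition: Callable[[Request], bool]
    rules: List[Rule]


# Constructed identity data: one MAB-only device, one 802.1X user.
ENDPOINTS = {"00:11:22:33:44:55"}
USERS = {"jim"}


def evaluate(policy_sets: List[PolicySet], req: Request) -> str:
    """First matching policy set, first matching rule, then a store lookup.

    Returns a live-log style string such as 'ACCEPT (Default/MAB)'.
    """
    for pset in policy_sets:
        if not pset.condition(req):
            continue
        for rule in pset.rules:
            if not rule.condition(req):
                continue
            if rule.identity_store == "Internal Endpoints":
                found = req.get("Calling-Station-Id", "").lower() in ENDPOINTS
            else:
                found = req.get("User-Name", "") in USERS
            return f"{'ACCEPT' if found else 'REJECT'} ({pset.name}/{rule.name})"
    return "REJECT (no policy set matched)"


# The Default policy set as ISE ships it (authentication rules only).
DEFAULT_SET = PolicySet("Default", lambda r: True, [
    Rule("MAB", wired_mab, "Internal Endpoints"),
    Rule("Dot1X", wired_dot1x, "All_User_ID_Stores"),
    Rule("Default", lambda r: True, "All_User_ID_Stores"),
])

MX_NAS_IP = "192.0.2.67"  # assumed NAS-IP-Address of the MX67 (example value)

# Policy set keyed on the MX's NAS-IP-Address. Its MAB rule deliberately
# avoids Wired_MAB: "no EAP-Message in the request" is the assumed MAB test.
MX_SET = PolicySet("MX67", lambda r: r.get("NAS-IP-Address") == MX_NAS_IP, [
    Rule("Dot1X", lambda r: "EAP-Message" in r, "All_User_ID_Stores"),
    Rule("MAB", lambda r: "EAP-Message" not in r, "Internal Endpoints"),
])

# Constructed requests. A Cisco switch sends Service-Type = Call-Check for
# MAB; the MX-style request below omits it, as the thread reports.
SWITCH_MAB: Request = {
    "NAS-IP-Address": "192.0.2.10", "NAS-Port-Type": "Ethernet",
    "Service-Type": "Call-Check", "User-Name": "001122334455",
    "Calling-Station-Id": "00:11:22:33:44:55",
}
MX_MAB: Request = {
    "NAS-IP-Address": MX_NAS_IP, "NAS-Port-Type": "Ethernet",
    "User-Name": "001122334455", "Calling-Station-Id": "00:11:22:33:44:55",
}
MX_DOT1X: Request = {
    "NAS-IP-Address": MX_NAS_IP, "NAS-Port-Type": "Ethernet",
    "Service-Type": "Framed", "User-Name": "jim", "EAP-Message": "...",
}


def main() -> None:
    print("switch MAB, default set :", evaluate([DEFAULT_SET], SWITCH_MAB))
    print("MX MAB, default set     :", evaluate([DEFAULT_SET], MX_MAB))
    print("MX MAB, MX set first    :", evaluate([MX_SET, DEFAULT_SET], MX_MAB))
    print("MX 802.1X, MX set first :", evaluate([MX_SET, DEFAULT_SET], MX_DOT1X))


if __name__ == "__main__":
    main()
```

The second line of output is the thread's symptom: the MX request lands on the catch-all rule, which searches user stores for a MAC address and rejects, and with "Disclose invalid username" off ISE logs that username as USERNAME. Putting the NAS-IP-keyed set above Default (ISE evaluates policy sets in order) changes the verdict without touching the built-in Wired_MAB condition.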