Operational Issues in Wired 802.1x

titusroz03
Level 1

Hi All,

I have started building policy sets in ISE for wired 802.1x and MAB and have configured the switch for the same, but I couldn't make the authentication succeed.

Switch logs:

*Feb 21 10:47:54.751: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (6c24.08e2.fd35) with reason (No Response from Client) on Interface Gi1/0/3 AuditSessionID 0720C80A0000023CCB3F365A
*Feb 21 10:47:54.980: %MAB-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (6c24.08e2.fd35) with reason (Cred Fail) on Interface Gi1/0/3 AuditSessionID 0720C80A0000023CCB3F365A
*Feb 21 10:47:54.982: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (6c24.08e2.fd35) on Interface GigabitEthernet1/0/3 AuditSessionID 0720C80A0000023CCB3F365A. Failure reason: Authc fail. Authc failure reason: Cred Fail.

I have attached the policy set and the ISE logs.

[attachment: titusroz03_0-1708600263497.png]

Accepted Solution
It seems that you don't match the correct policy. Based on your screenshot which doesn't show everything that is relevant, and your authentication details, I expect that your Policy-Set conditions are not correct. In addition to that, your MAB and .1X conditions are more complex than needed. There are predefined conditions for this in the library.

My policy set is: if Wired MAB or dot1x, it must hit the policy, and it didn't work. So I added the NAS IP into the condition. Could you refer me to any links or screenshots with a relevant policy for wired MAB or 802.1x?

Yes, that is exactly what is in my mind:
the policy set condition matches the NAD IP, and the authentication policy will then be used for MAB and dot1x.

Cisco ISE (Radius Server) MAB with Wired Dot1X Authentication configuration || EVE-NG Full Lab (youtube.com)

MHM

Is the Policy-Set "UK-Split-Tunnel-Policy" the one you are showing in the screenshot above and which you want to match? From the name, likely not.

Dustin Anderson
VIP Alumni

As Karsten mentioned, you may not want to combine policy sets, and there are pre-defined ones. Here is how ours are set. Now you are calling the same as the defined, so it should work. It says cred fail, so what does the log show on ISE? Is it hitting the default policy set, skipping this one? The log only shows cred fail as the reason.

[attachment: ISE1.jpg]

titusroz03
Level 1

[attachment: titusroz03_0-1708615995883.png]

Above is the policy set screenshot where the traffic hits the UK-Split, but not the one (Wired authentication) which I expect it to. I am not sure what makes the traffic hit a different policy, whether it is due to the switch config or the endpoint. I need to analyze this deeply.
Let me put a Wireshark trace on the endpoint towards ISE and see. Meanwhile, let me know if you have any suggestions or thoughts.

Based on the config, it shouldn't hit the first policy. Try moving your new policy set to the beginning. The conditions are evaluated top-down.

I tried to bring the policy up, but now I can't see any hits on ISE.

I can confirm the RADIUS reachability from the switch:

test aaa group radius server 10.100.1.163

Attempting authentication test to server-group radius using radius
User was successfully authenticated.

But when I enable auth open on the port it works. When I take it off, it doesn't.

Could it be that the switch has multiple IP addresses and it is not using the IP 10.200.32.7 to relay RADIUS traffic to ISE? If that would be the case you can specify the interface that you want the switch to use to send RADIUS traffic with the command "ip radius source-interface < the SVI name >".
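The following switch configuration is an added example for this thread, not a config posted by any of the participants: it pins the RADIUS source interface as suggested above so the NAS-IP that ISE sees is the one the NAD entry and the policy-set condition expect, and shows the port configuration around "authentication open". It assumes ISE at 10.100.1.163 (from the test aaa output), an SVI named Vlan200 holding 10.200.32.7, and a placeholder shared secret.

```cisco
! Added example (not from the thread). Assumptions: ISE PSN at 10.100.1.163,
! management SVI Vlan200 owns 10.200.32.7 (the NAD IP defined in ISE),
! shared secret is a placeholder.
aaa new-model
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
!
radius server ISE-PSN1
 address ipv4 10.100.1.163 auth-port 1812 acct-port 1813
 key <SHARED-SECRET-PLACEHOLDER>
!
aaa group server radius ISE-GROUP
 server name ISE-PSN1
!
! Send all RADIUS from the SVI whose address is the NAD IP in ISE. On a switch
! with several SVIs the default source can be a different address, so a
! policy-set condition on the NAD IP never matches and the request falls
! through to another policy set (or to the default one).
ip radius source-interface Vlan200
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/3
 switchport mode access
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! "authentication open" is monitor mode: the port forwards traffic even
 ! when dot1x times out and MAB fails, so "it works with auth open" only
 ! means the failure is no longer enforced, not that ISE authorized the
 ! session. Keep it while validating the policy set, then remove it so the
 ! port returns to closed mode.
 authentication open
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

After the change, a new session should show in ISE Live Logs with NAS-IP-Address 10.200.32.7 and the expected policy set; if MAB still reports Cred Fail, the endpoint MAC is not in the identity store the authentication policy uses.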