Problem with authentication based on MAC address

lnw-team
Level 1
Level 1

Hello, 

I am experiencing problems with device authentication based on MAC address in one of our locations. It concerns collaboration devices that cannot be authenticated via certificate. There's a security policy on our Cisco ISE deployment that grants access based on a profile. All devices whose MAC address starts with xxxx.xx should be placed in a separate VLAN. We've got four access switches on site and authentication works fine on three of them. There's no NAD (network access device) condition in a policy. We've got other devices attached to the faulty switch and they are able to authenticate successfully via certificate (EAP-TLS) or other authentication method. It was working fine before but now when dot1x authentication is enabled on a switch port, the switch does not see even MAC address on the interface. Any ideas? 

Thank you in advance!

 

8 Replies

With this description, I assume that the last change messed up the MAB config on the switch. Can you show the interface config?

MAB is enabled on a port. Interface configuration is the same as on other switches and ports.

Does the switch initiate a MAB request? What do you see on the ISE?

The point is that I do not see any log messages. 

Dustin Anderson
VIP Alumni
VIP Alumni

So, not seeing a MAC on the interface is odd.

So, a couple questions.

1 Are these powered, or PoE devices?

2 Do they work if the port is set as just an access port?

3 Do you have any similar commands on the ports?

authentication order mab dot1x
authentication priority dot1x mab

authentication event fail action next-method

mab

4 What model switch are you using?

 

Even if everything is failing, you should get a MAC on the port so long as the device is talking.

Hello,

1. These are not PoE devices. They have their own power supply.
2. They work when the port is set for access. No trunk is required.
3. I've got all those commands in interface configuration. 
4. C3850
 

OK, so I'm going to summarize from the messages; correct me if I'm wrong.

You have 4 switches in this location; EAP-TLS works on all 4, but MAB is not working on 1. I know you said when you enable dot1x, but that should be running for EAP-TLS, so I'm guessing you meant when you enable MAB?

 

So, pardon if some of this is basic, but I started at a helpdesk.

1) Have you rebooted the non-working switch?

2) Are all 4 on the same code version?

3) When you enable MAB, does EAP-TLS keep working for other devices?

If the above 3 are yes, then you may need to compare configs from the working and non-working switches. I would mainly look at the radius and AAA commands. The only other port command I see for MAB is authentication port-control auto. I'm also assuming these work on the other 3 switches.

 

The odd part is the missing MAC address. If the switch doesn't get one it will not start MAB. So why does this switch not get a MAC?
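The two replies above boil down to one procedure: confirm the MAB-related interface commands are present, then compare the AAA/RADIUS globals between the working and non-working switch. The script below is an added example, not code from the thread or from Cisco; it parses two constructed IOS running-config excerpts offline and reports which of the commands the replies mention are missing. The global command list (aaa new-model, dot1x system-auth-control, aaa authentication dot1x and aaa authorization network) is a standard IOS 802.1X/MAB baseline assumed here, not quoted from the thread, and the config text and interface names are constructed for the demonstration.

```python
"""Offline comparison of MAB/802.1X-relevant Cisco IOS configuration between a
known-good switch and a suspect switch (added example; constructed sample data)."""

# Interface-level commands the thread names as needed for MAB to start.
REQUIRED_PORT_CMDS = (
    "authentication port-control auto",
    "authentication order mab dot1x",
    "authentication priority dot1x mab",
    "authentication event fail action next-method",
    "mab",
    "dot1x pae authenticator",
)

# Global commands without which the switch never sends a RADIUS request.
# Assumed standard IOS AAA/802.1X baseline, not taken from the thread.
REQUIRED_GLOBAL_CMDS = (
    "aaa new-model",
    "dot1x system-auth-control",
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
)


def parse_ios_config(text):
    """Return (global_cmds, {interface_name: [cmds]}) from a running-config dump.

    An IOS interface block is the 'interface X' line plus the indented lines
    that follow it; a '!' line or an unindented line terminates the block."""
    global_cmds = []
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("!"):
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line.strip())
    return global_cmds, interfaces


def missing_port_cmds(port_cmds):
    """Required per-port MAB commands absent from one interface block."""
    return [c for c in REQUIRED_PORT_CMDS if c not in port_cmds]


def missing_global_cmds(global_cmds):
    """Required global AAA/802.1X commands absent from the config."""
    return [c for c in REQUIRED_GLOBAL_CMDS if c not in global_cmds]


def diff_interfaces(good_cmds, suspect_cmds):
    """(only on the working port, only on the suspect port), both sorted."""
    good, suspect = set(good_cmds), set(suspect_cmds)
    return sorted(good - suspect), sorted(suspect - good)


# Constructed sample: a working switch excerpt (not a real device config).
GOOD_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
!
interface GigabitEthernet1/0/5
 switchport mode access
 authentication event fail action next-method
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
"""

# Constructed sample: the suspect switch. Port 1/0/5 is identical to the good
# one, but the global dot1x enable is missing; port 1/0/6 lacks port-control.
SUSPECT_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
!
interface GigabitEthernet1/0/5
 switchport mode access
 authentication event fail action next-method
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/6
 switchport mode access
 authentication event fail action next-method
 authentication order mab dot1x
 authentication priority dot1x mab
 mab
 dot1x pae authenticator
!
"""

if __name__ == "__main__":
    g_glob, g_if = parse_ios_config(GOOD_CONFIG)
    s_glob, s_if = parse_ios_config(SUSPECT_CONFIG)
    print("suspect missing globals:", missing_global_cmds(s_glob))
    for name, cmds in s_if.items():
        print(name, "missing port cmds:", missing_port_cmds(cmds))
    print("Gi1/0/5 diff (good-only, suspect-only):",
          diff_interfaces(g_if["GigabitEthernet1/0/5"], s_if["GigabitEthernet1/0/5"]))
```

Run it against `show running-config` output saved from each switch. The point it makes for this thread is that identical interface blocks (the Gi1/0/5 comparison comes back empty) do not rule out a configuration cause; the missing global command is only visible when the whole config is compared. A text comparison cannot, however, explain a port that never learns a MAC address at all; that still needs to be checked on the switch itself.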

thomas
Cisco Employee
Cisco Employee

You have provided no actual ISE policy or LiveLog errors so it is difficult to know what your specific issue is. See How to Ask The Community for Help.

Meanwhile, you should see if any of the scenarios here address your issue:

 MAC Authentication Bypass (MAB) with ISE 2023/07/20