3952 Views, 5 Helpful, 6 Replies

Switch shows "Authorization Failed" but ISE shows "Auth Passed" and a session started?

jerdub1993 (Level 1)

Hi,

I'm troubleshooting a device that's in a MAB group. When the device connects, the switch shows the following error:

%SESSION_MGR-5-FAIL:Switch 2 R0/0: smd: Authorization failed or unapplied for client (ACDB.DA57.22E4) on Interface GigabitEthernet2/0/37 AuditSessionID CD0423CB00020298782F989E

When I check the RADIUS Live Logs in ISE, it shows "Auth Passed" and a Session started. The last step is "Returned RADIUS Access-Accept". However, the status under Network Access > Identities > Endpoints shows "Disconnected".


The device is in a MAB group with an Authorization Rule configured to grant it an Authorization Profile for VLAN 286, which is configured as follows:

Access Type = ACCESS_ACCEPT
Tunnel-Private-Group-ID = 1:286
Tunnel-Type = 1:13
Tunnel-Medium-Type = 1:6
Session-Timeout = 3600
Termination-Action = RADIUS-Request

I have another MAB group, Auth Rule, & Auth Profile for VLAN 283. The profile is configured the same except the tunnel-private-group-ID is 1:283 and "Reauthentication" is disabled so the last two lines don't apply.

If I switch the endpoint to the MAB group for VLAN 283, the endpoint shows connected (however I still can't ping the device, of course, because the IP is configured for VLAN 286).


The interface configuration is as follows:

switchport mode access
switchport voice vlan 286
authentication event fail action next-method
authentication event server dead action reinitialize vlan 999
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 8
spanning-tree portfast
spanning-tree bpduguard enable

So why is it showing connected for the 283 MAB group but not 286? And when it's in the 286 MAB group, why would the switch say Authentication Failed when ISE says Auth Passed?


Any help is appreciated.

6 Replies

Is VLAN 283 configured as the dot1x guest VLAN?

This config makes the SW check MAB, then 802.1x, and they must both succeed.

Here I think you configured: if the MAB is unknown ("guest"), then ISE will dynamically select VLAN 283.

balaji.bandi (Hall of Fame)

At a high level I prefer to use the below order:

authentication order dot1x mab
authentication priority dot1x mab
authentication event fail action next-method

In your case, are a phone and a PC connected to the same port?


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

This is a large enterprise network, so the same port config is applied to all of our end-user interfaces for simplicity; some are PCs that use dot1x and some are other devices that use MAB, and the authorization rules will apply the appropriate profile. In this case, the device is connecting with MAB.

Sure. If the device is connected with MAB only, the device tries 802.1x, waits for 21 seconds (Cisco's best approach), and then falls back to MAB. If this is not working, we need to investigate the ISE event logs.

BB


If 283 is the guest VLAN, then change the priority to be mab dot1x ONLY.

This makes a device that supports 802.1x have to fail MAB first.
A device that does not support 802.1x will succeed authC/authZ with MAB.

martin.fischer (Level 1)

Your switch shows an authorization failed message because VLAN 286 (which you want to assign) is configured as a Voice VLAN on your switchport (switchport voice vlan 286). But your authorization profile does not give permission to the voice VLAN:

Access Type = ACCESS_ACCEPT
Tunnel-Private-Group-ID = 1:286
Tunnel-Type = 1:13
Tunnel-Medium-Type = 1:6
Session-Timeout = 3600
Termination-Action = RADIUS-Request
cisco-av-pair = device-traffic-class = voice <- MISSING 

So if VLAN 286 is indeed a voice VLAN, then extend your authorization profile with the Voice Domain Permission. If it's not a voice VLAN, then adjust/remove the switchport voice vlan command.
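As an added example (not code from the thread, Cisco IOS or ISE), the check below encodes the rule martin.fischer describes: a dynamic VLAN assignment that lands on the port's configured voice VLAN is only applied when the Access-Accept also carries the voice-domain permission cisco-av-pair device-traffic-class=voice. It parses a copy of the interface stanza and the authorization profiles from the thread (the line format and the attribute names are assumptions taken from how they appear above), decodes the RFC 3580 Tunnel-* triplet (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802, tags must agree), and reports whether the switch would apply or reject the authorization. It also shows the 286 profile with the missing av-pair added, and the 283 profile, which assigns a VLAN that is not the port's voice VLAN and therefore passes.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed copy of the relevant lines from the interface config in the original post.
INTERFACE_CONFIG = """
switchport mode access
switchport voice vlan 286
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
mab
dot1x pae authenticator
"""

# Authorization profile for VLAN 286 as posted (the one the switch rejects).
PROFILE_VLAN_286 = """
Access Type = ACCESS_ACCEPT
Tunnel-Private-Group-ID = 1:286
Tunnel-Type = 1:13
Tunnel-Medium-Type = 1:6
Session-Timeout = 3600
Termination-Action = RADIUS-Request
"""

# The same profile with the Voice Domain Permission martin.fischer says is missing.
PROFILE_VLAN_286_VOICE = PROFILE_VLAN_286 + "cisco-av-pair = device-traffic-class=voice\n"

# Profile for VLAN 283 (a data VLAN; reauthentication disabled so no timer attributes).
PROFILE_VLAN_283 = """
Access Type = ACCESS_ACCEPT
Tunnel-Private-Group-ID = 1:283
Tunnel-Type = 1:13
Tunnel-Medium-Type = 1:6
"""

TUNNEL_TYPE_VLAN = 13      # RFC 3580: Tunnel-Type 13 = VLAN
TUNNEL_MEDIUM_802 = 6      # RFC 3580: Tunnel-Medium-Type 6 = IEEE 802


def parse_interface(cfg: str) -> Dict[str, Optional[int]]:
    """Extract the configured voice VLAN from an IOS interface stanza (assumed format)."""
    iface: Dict[str, Optional[int]] = {"voice_vlan": None}
    for line in cfg.strip().splitlines():
        m = re.match(r"\s*switchport voice vlan (\d+)\s*$", line)
        if m:
            iface["voice_vlan"] = int(m.group(1))
    return iface


def parse_profile(text: str) -> Dict[str, List[str]]:
    """Parse 'Attribute = value' lines; a repeated attribute (cisco-av-pair) accumulates.
    Only the first '=' separates name from value, so 'a=b' av-pair values survive."""
    attrs: Dict[str, List[str]] = {}
    for line in text.strip().splitlines():
        name, _, value = line.partition("=")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def _tagged(value: str) -> Tuple[str, str]:
    """Split an RFC 2868 tagged value 'tag:value'; an untagged value gets tag ''."""
    tag, sep, rest = value.partition(":")
    return (tag, rest) if sep else ("", value)


def assigned_vlan(attrs: Dict[str, List[str]]) -> Optional[int]:
    """Return the VLAN the Tunnel-* triplet assigns, or None if absent or inconsistent."""
    try:
        tag_t, ttype = _tagged(attrs["Tunnel-Type"][0])
        tag_m, medium = _tagged(attrs["Tunnel-Medium-Type"][0])
        tag_g, group = _tagged(attrs["Tunnel-Private-Group-ID"][0])
    except KeyError:
        return None
    # All three attributes must carry the same tag to form one tunnel group.
    if not (tag_t == tag_m == tag_g):
        return None
    if int(ttype) != TUNNEL_TYPE_VLAN or int(medium) != TUNNEL_MEDIUM_802:
        return None
    return int(group)


def evaluate(iface: Dict[str, Optional[int]], attrs: Dict[str, List[str]]) -> Tuple[str, str]:
    """Predict the switch's reaction: ('applied' | 'failed', reason)."""
    if attrs.get("Access Type", [""])[0] != "ACCESS_ACCEPT":
        return ("failed", "not an Access-Accept")
    vlan = assigned_vlan(attrs)
    if vlan is None:
        return ("applied", "no VLAN assignment; port keeps its configured VLANs")
    voice_ok = any(v.replace(" ", "") == "device-traffic-class=voice"
                   for v in attrs.get("cisco-av-pair", []))
    if vlan == iface["voice_vlan"] and not voice_ok:
        return ("failed", f"VLAN {vlan} is the port's voice VLAN but the Access-Accept "
                          "carries no cisco-av-pair device-traffic-class=voice")
    domain = "voice" if voice_ok else "data"
    return ("applied", f"VLAN {vlan} assigned in the {domain} domain")


if __name__ == "__main__":
    iface = parse_interface(INTERFACE_CONFIG)
    for name, text in [("VLAN 286 as posted", PROFILE_VLAN_286),
                       ("VLAN 286 + voice permission", PROFILE_VLAN_286_VOICE),
                       ("VLAN 283", PROFILE_VLAN_283)]:
        status, reason = evaluate(iface, parse_profile(text))
        print(f"{name:28s} -> {status}: {reason}")
```

Running it reproduces the behaviour in the thread: the posted 286 profile fails on the voice-VLAN check, the 283 profile is applied, and adding the av-pair to the 286 profile makes it pass. The check is deliberately narrow; it does not model the ISE side, so an Access-Accept that ISE logs as "Auth Passed" still shows up here as a switch-side authorization failure, which is exactly the mismatch the original question describes.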