
UnAuthorized even after adding mac address in group bypass MAC list. d:NA UZ

getaway51
Level 2

Hi,

I found a very strange issue here. I have included the MAC address in the bypass list, but it doesn't seem to get authenticated and always remains as UZ. Therefore, once CLOSED mode is enforced, the device port Gi1/0/46 gets DROP.

Does anyone have any idea, please? I am really stuck!

 

CMX003#sh auth br
Interface MAC Address AuthC AuthZ Fg Uptime
-----------------------------------------------------------------------------
Gi1/0/46 084f.a566.a118 d:NA UZ: SA- FA- X 43s

 

sh mac address-table

804 084f.a566.a118 DYNAMIC Drop
804 084f.a9b6.a11f DYNAMIC Gi1/0/48

 

 

3 Replies 3

thomas
Cisco Employee

Please see How to Ask the Community for Help to provide more details.

Unclear what you are doing, why you are doing it, switch model, software version, switchport config, ISE matching authorization rule, result, etc.

 

Hello,

 

Question(s): Even after adding the MAC address of the device to the MAB group, the switch still shows UZ (status Unauthorized in switch - sh auth br) and ISE doesn't show any info on the MAC address attached to a switch like usual (it just has a record of the MAC address under context visibility).

Goal: Any device MAC address added into the MAB group in ISE policy will be AZ (status authorized in switch - sh auth br).

Errors: sh auth br - d:NA  UZ

 

 

 

Take a packet capture on the ISE node to check the RADIUS Access-Request packets from the switch, and run simultaneous debugs for aaa authentication and radius on the switch to correlate the issue.
Also provide the HW/SW of the switch along with the port configuration.