Wired 802.1x endpoints stuck in Unauthorized mab Authc Failed and unable to re-authorize

Madura Malwatte
Level 4

I hit this behaviour when a typo was made putting in 802.1x config on a Cisco 2960X switch running 15.2(2) with IBNS 2.0.

A typo was made when putting in the following two lines of config: instead of ISE_RADIUS I had ISE_RADIUSB, which obviously didn't exist as a RADIUS group in my config:

aaa authorization network default group ISE_RADIUSB
aaa authorization auth-proxy default group ISE_RADIUSB

So afterwards, some devices then didn't seem to get authorized and I saw the following:

Switch#show access-s int gig 1/0/24 de
            Interface:  GigabitEthernet1/0/24
          MAC Address:  a023.abcd.2f3c
         IPv6 Address:  Unknown
         IPv4 Address:  10.10.1.2
            User-Name:  a023abcd2f3c
               Status:  Unauthorized
               Domain:  UNKNOWN
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
Periodic Acct timeout:  N/A
       Session Uptime:  71607s
    Common Session ID:  0AF23215000002BE5F0DE098
      Acct Session ID:  Unknown
               Handle:  0x75000006
       Current Policy:  DOT1X-DEFAULT

Local Policies:
         OPEN DIR ACL:  Open-Dir-ACL

Method status list:
       Method           State

       dot1x            Stopped
       mab              Authc Failed

After fixing up the typo in my config, the endpoints seemed to remain indefinitely in this "Authc Failed" state. I then went and manually cleared the access-session, and the endpoint was able to be authorized correctly.

Switch#clear access-session int gig 1/0/24
Switch#show access-s int gig 1/0/24 de
            Interface:  GigabitEthernet1/0/24
          MAC Address:  a023.abcd.2f3c
         IPv6 Address:  Unknown
         IPv4 Address:  10.10.1.2
            User-Name:  A0-23-AB-CD-2F-3C
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
Periodic Acct timeout:  172800s (local), Remaining: 172744s
       Session Uptime:  85s
    Common Session ID:  0AF23215000002D56352E1C5
      Acct Session ID:  0x00001F6E
               Handle:  0xC700000D
       Current Policy:  DOT1X-DEFAULT

Local Policies:
         OPEN DIR ACL:  Open-Dir-ACL
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:

Method status list:
       Method           State

       dot1x            Stopped
       mab              Authc Success

My C3PL policy has the following classes for when MAB fails, in particular "authentication-restart 60":

<output omitted...>

40 class MAB_FAILED do-until-failure
  10 terminate mab
  20 authentication-restart 60
60 class always do-until-failure
  10 terminate dot1x
  20 terminate mab
  30 authentication-restart 60

<output omitted...>

So I was expecting this authentication restart to kick in 60 seconds after getting into a failure state, but it never happened, and the endpoint got stuck. Am I missing something here?
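As an added check (not code from the original post), here is a small Python script that parses the "show access-session ... details" output shown above and flags sessions still in Authc Failed beyond the policy's 60-second authentication-restart window, so stuck sessions can be spotted before endpoints sit unauthorized for hours. The sample output is constructed from this thread, and the script assumes the timer value and the output layout shown above.

```python
# Restart timer from the thread's C3PL policy action "authentication-restart 60"
AUTH_RESTART_SECONDS = 60

# Constructed sample: the thread's pre-clear "show access-session ... details"
# output, condensed to the fields this check needs.
SAMPLE_OUTPUT = """\
            Interface:  GigabitEthernet1/0/24
          MAC Address:  a023.abcd.2f3c
               Status:  Unauthorized
       Session Uptime:  71607s

Method status list:
       Method           State

       dot1x            Stopped
       mab              Authc Failed
"""

def parse_session(text):
    """Parse the key/value header and the per-method state table into a dict."""
    fields, methods, in_methods = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Method status list"):
            in_methods = True
        elif in_methods:
            parts = line.split(None, 1)  # "mab   Authc Failed" -> ["mab", "Authc Failed"]
            if len(parts) == 2 and parts[0] != "Method":
                methods[parts[0]] = parts[1].strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    fields["methods"] = methods
    return fields

def stuck_reason(session, restart=AUTH_RESTART_SECONDS):
    """Describe a session left in 'Authc Failed' past the restart timer, else None."""
    if session.get("Status") != "Unauthorized":
        return None
    failed = [m for m, s in session["methods"].items() if s == "Authc Failed"]
    if not failed:
        return None
    # Session Uptime counts from session creation, not from the failure, so it is
    # only an upper bound on how long the failed state has persisted.
    uptime = int(session.get("Session Uptime", "0s").rstrip("s"))
    if uptime <= restart:
        return None  # still inside the authentication-restart window
    return (f"{session['Interface']} {session['MAC Address']}: {'/'.join(failed)} "
            f"Authc Failed, uptime {uptime}s exceeds {restart}s restart timer")
```

Feed it the per-interface output of "show access-session interface ... details" collected from each switch; any non-None result is a session that should have been restarted by the policy but was not.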

2 Replies

authorization auth-proxy? What is your config here? Are you configuring HTTP proxy?

hslai
Cisco Employee

Please make sure to use the latest or recommended IOS code for the NAD. If the issue persists, please engage Cisco TAC to log a bug.

Do also check the EOL announcement: End-of-Sale and End-of-Life Announcement for the Cisco Catalyst 2960X Product Family.