06-23-2021 03:57 AM
Dear community,
I have configured MAB for the following use case: if Wired MAB -> place it in a dynamic VLAN ID.
However, I noted in the live logs that flows that initially authenticate successfully with EAP-TLS are falling back to MAB! And then MAB is also failing as a process. So in show authentication session int g1/0, I am getting: dot1x: failed; mab: failed.
The interface gets an IP and, since authentication is open, I am even able to RDP to it. However, the Ethernet NIC shows authentication failed.
Switch port configs are as following:
!
switchport access vlan 10
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan 10
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
no authentication timer inactivity 180
no authentication timer restart 3600
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
!
Do you have any idea what can cause this issue of both 802.1x and MAB failing? Take into consideration that at first 802.1x goes through the rules with success and authentication happens successfully. After some short time, it falls back to MAB and then MAB fails also, leaving both authentication methods failed.
Policy sets checks are configured as following:
AuthC: if wiredMAB -> check Internal endpoints
AuthC: if 802.1x -> EAP-TLS Certificate Profile
AuthZ: if User part of Domain Users & Protocol equals EAP-TLS -> Domain Users DACL
AuthZ: if wiredMAB and NAD group equals to NADGroupX -> dynamic vlan 15 profile
AuthZ: if wiredMAB and NAD group equals to NADGroupY -> deny any profile
Any thoughts or suggestions would be highly appreciated.
P.S. I am also looking to find the best approach on how to deal with Wired Domain and Non-Domain MAB. Any best practice shared would be highly appreciated.
Thank you,
Laura
06-23-2021 07:16 AM
Hi @laurathaqi ,
please take a look at: ISE Secure Wired Access Prescriptive Deployment Guide and ISE Authentication and Authorization Policy Reference.
Also check at Operations > RADIUS > Live Logs > "Details Report Icon" the cause of the 802.1x fail.
Hope this helps !!!
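As an added example (not from the thread or from Cisco), a small Python script that correlates ISE-style RADIUS live-log records per endpoint MAC and surfaces exactly the pattern Laura describes: an EAP-TLS pass, a later 802.1x failure, and a MAB fallback that also fails, together with the failure reason each method reported. The pipe-separated record format, the MAC addresses and the reason texts are constructed assumptions, not real ISE export format or output.

```python
"""Correlate constructed ISE-style live-log records per endpoint MAC and report
endpoints whose 802.1x session passed, then failed, and whose MAB fallback failed too.
Record format (assumed, not ISE's own): timestamp|mac|method|protocol|status|reason"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records, not real ISE live-log output.
SAMPLE_LOG = """\
2021-06-23 08:01:10|00:11:22:33:44:55|dot1x|EAP-TLS|PASS|
2021-06-23 08:31:12|00:11:22:33:44:55|dot1x|EAP-TLS|FAIL|unknown CA in client certificate chain (constructed reason)
2021-06-23 08:31:14|00:11:22:33:44:55|mab|PAP_ASCII|FAIL|MAC not found in Internal Endpoints (constructed reason)
2021-06-23 08:02:00|aa:bb:cc:dd:ee:ff|mab|PAP_ASCII|PASS|
"""


def parse_records(text):
    """Turn the pipe-separated lines into dicts with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, method, proto, status, reason = line.split("|", 5)
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "mac": mac.lower(), "method": method, "proto": proto,
                        "status": status, "reason": reason})
    return records


def find_fallback_failures(records):
    """Return {mac: summary} for endpoints that passed dot1x, later failed dot1x,
    and then also failed the MAB fallback (the "dot1x: failed; mab: failed" state)."""
    by_mac = defaultdict(list)
    for r in records:
        by_mac[r["mac"]].append(r)
    findings = {}
    for mac, recs in by_mac.items():
        recs.sort(key=lambda r: r["ts"])
        last_pass = None   # timestamp of the most recent dot1x PASS
        dot1x_fail = None  # the dot1x FAIL record that followed that pass
        for r in recs:
            if r["method"] == "dot1x" and r["status"] == "PASS":
                last_pass, dot1x_fail = r["ts"], None
            elif r["method"] == "dot1x" and r["status"] == "FAIL" and last_pass:
                dot1x_fail = r
            elif r["method"] == "mab" and r["status"] == "FAIL" and dot1x_fail:
                findings[mac] = {
                    "seconds_from_pass_to_dot1x_fail": int((dot1x_fail["ts"] - last_pass).total_seconds()),
                    "dot1x_reason": dot1x_fail["reason"],
                    "mab_reason": r["reason"]}
    return findings


if __name__ == "__main__":
    for mac, info in find_fallback_failures(parse_records(SAMPLE_LOG)).items():
        print(mac, info)
```

Run against an actual live-log export (after adapting the parser to its columns), the per-method reasons point at which side to look at first: the 802.1x reason at the certificate/EAP profile, the MAB reason at the Internal Endpoints lookup.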
06-23-2021 09:05 PM
I had a similar issue on a 2960X; it was because of the following bug:
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvv93417
About MAB for domain hosts, you can leverage the AD probe.