Wired MAB for Domain and Non Domain Users

laurathaqi
Level 3

Dear community, 

 

I have configured MAB for the following use cases: if wired MAB -> place it in a dynamic VLAN ID.

However, I noted on live logs that flows that primarily authenticate successfully with EAP-TLS are falling back to MAB! And then MAB is also failing as a process. So in show authentication session int g1/0, I am getting: dot1x: failed; mab: failed.

The interface gets an IP and, since authentication is open, I am even able to RDP to it. However, the Ethernet NIC shows authentication failed.

 

Switch port configs are as following: 

!

switchport access vlan 10
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan 10
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
no authentication timer inactivity 180
no authentication timer restart 3600
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable

!

 

Do you have any idea what can cause this issue of both 802.1x and MAB failing? Taking into consideration that at first 802.1x goes through the rules with success and authentication happens successfully. After some short time, it falls back to MAB and then MAB fails also, leaving both authentication methods failed?

 

Policy sets checks are configured as following: 

 

AuthC: if wiredMAB -> check Internal endpoints

AuthC: if 802.1x -> EAP-TLS Certificate Profile

 

AuthZ: if User part of Domain Users & Protocol equals EAP-TLS -> Domain Users DACL

AuthZ: if wired MAB and NAD group equals NADGroupX -> dynamic VLAN 15 profile

AuthZ: if wired MAB and NAD group equals NADGroupY -> deny any profile

 

Any thoughts or suggestions would be highly appreciated. 

 

P.S. I am also looking to find the best approach on how to deal with wired domain and non-domain MAB. Any best practice shared would be highly appreciated.

 

Thank you,

Laura 
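The post's symptom (both methods show "failed" yet the host gets an IP and is reachable) follows from the posted port config itself: `authentication open` is monitor mode, so the port forwards traffic whatever the authentication result, and `authentication event fail action next-method` only moves a failed 802.1X session on to MAB. The script below is an added example written for this thread, not Cisco code or the poster's own tooling; it parses the switchport config from the post (with its two command typos corrected), reports the settings that matter for this symptom, computes how long a supplicant-less host waits before MAB starts (tx-period x (max-reauth-req + 1), with the IOS default max-reauth-req of 2 assumed because the config does not set it), and states whether a host in the observed dot1x/mab states gets access. Everything outside PORT_CONFIG is an assumption about standard IOS IBNS 1.0 command behaviour.

```python
"""Lint a Cisco IOS 802.1X/MAB access-port config and explain a session outcome.

Added example for this thread; not Cisco's code or the poster's own tooling.
PORT_CONFIG is the switchport config from the post (typos corrected); the
defaults and behaviour below are assumptions about IOS IBNS 1.0 commands.
"""
import re

# IOS defaults used when the config does not set them (assumed defaults).
DEFAULT_TX_PERIOD = 30       # dot1x timeout tx-period
DEFAULT_MAX_REAUTH_REQ = 2   # dot1x max-reauth-req

# Port config from the post, embedded so the script runs offline.
PORT_CONFIG = """
switchport access vlan 10
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan 10
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
no authentication timer inactivity 180
no authentication timer restart 3600
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
"""


def parse_config(text):
    """Return the command lines with blank lines and '!' comment lines dropped."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("!")]


def _first_match(cmds, pattern):
    """First command that fully matches the regex, or None."""
    for cmd in cmds:
        m = re.fullmatch(pattern, cmd)
        if m:
            return m
    return None


def method_order(cmds):
    """Methods in the order the port tries them ('authentication order ...')."""
    m = _first_match(cmds, r"authentication order (.+)")
    return m.group(1).split() if m else ["dot1x"]  # IOS default: dot1x only


def mab_fallback_delay(cmds):
    """Seconds a host with no supplicant waits for 802.1X to time out before
    MAB runs: tx-period * (max-reauth-req + 1)."""
    tx = _first_match(cmds, r"dot1x timeout tx-period (\d+)")
    mr = _first_match(cmds, r"dot1x max-reauth-req (\d+)")
    tx_period = int(tx.group(1)) if tx else DEFAULT_TX_PERIOD
    max_req = int(mr.group(1)) if mr else DEFAULT_MAX_REAUTH_REQ
    return tx_period * (max_req + 1)


def session_outcome(cmds, dot1x="failed", mab="failed"):
    """Does a host whose methods ended in these states get network access?"""
    if "success" in (dot1x, mab):
        return {"access": True, "reason": "a method authenticated successfully"}
    if "authentication open" in cmds:
        return {"access": True,
                "reason": "authentication open: traffic forwarded regardless of result"}
    m = _first_match(cmds, r"authentication event fail action authorize vlan (\d+)")
    if m:
        return {"access": True, "reason": "placed in auth-fail VLAN %s" % m.group(1)}
    return {"access": False, "reason": "all methods failed and the port is closed mode"}


def lint(cmds):
    """Findings for the settings that matter for the symptom in the post."""
    findings = []
    order = method_order(cmds)
    if "authentication open" in cmds:
        findings.append("authentication open: monitor mode; a host whose dot1x and "
                        "mab both fail still gets an IP and can be reached")
    if "authentication event fail action next-method" in cmds and len(order) > 1:
        findings.append("fail action next-method: after %s fails the port tries %s"
                        % (order[0], ", ".join(order[1:])))
    prio = _first_match(cmds, r"authentication priority (.+)")
    if prio and set(prio.group(1).split()) != set(order):
        findings.append("authentication order and priority list different methods")
    findings.append("a host without a supplicant waits %d s before MAB starts"
                    % mab_fallback_delay(cmds))
    return findings


if __name__ == "__main__":
    cmds = parse_config(PORT_CONFIG)
    for f in lint(cmds):
        print("-", f)
    print(session_outcome(cmds, dot1x="failed", mab="failed"))
```

Running it against the posted config reports open mode, the dot1x to mab fallback, a 30 s wait before MAB for a host with no supplicant, and access granted despite both methods failing; dropping `authentication open` flips the outcome to no access, which is the check to run before moving a port from monitor mode to closed mode.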

Accepted Solution

Hi @laurathaqi ,

 please take a look at: ISE Secure Wired Access Prescriptive Deployment Guide and ISE Authentication and Authorization Policy Reference.

 Also check at Operations > RADIUS > Live Logs > "Details Report Icon" for the cause of the 802.1x fail.

 

Hope this helps!!!

2 Replies

I had a similar issue on a 2960X; it was because of the following bug:

https://quickview.cloudapps.cisco.com/quickview/bug/CSCvv93417

About MAB for domain hosts, you can leverage the AD probe.