I have some closets with relatively old 6509s that I am trying to configure for 802.1x and MAB.
For my test case, I am using a Cisco AP which is getting profiled from ISE and added to the MAB group.
ISE shows the authentication passing and returns Access-Accept. I am not sure what to add to the ISE response to make this work, or what else I may be missing.
The radius debug shows authentication passing, but authorization failing:
05:46:20: DOT1X-5-FAIL: Authentication failed for client (acf2.c5a5.357e) on Interface Gi2/12
05:46:20: AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (acf2.c5a5.357e) on Interface Gi2/12
05:46:20: AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (acf2.c5a5.357e) on Interface Gi2/12
05:46:20: AUTHMGR-5-START: Starting 'mab' for client (acf2.c5a5.357e) on Interface Gi2/12
05:46:20: AAA/AUTHEN/8021X (0000000C): Pick method list 'default'
05:46:20: RADIUS/ENCODE(0000000C):Orig. component type = DOT1X
05:46:20: RADIUS: AAA Unsupported Attr: audit-session-id [599] 24
05:46:20: RADIUS: 30 41 36 33 30 35 33 34 30 30 30 30 30 30 30 33 [0A63053400000003]
05:46:20: RADIUS: 30 31 33 37 39 43 [ 01379C]
05:46:20: RADIUS: AAA Unsupported Attr: interface [170] 19
05:46:20: RADIUS: 47 69 67 61 62 69 74 45 74 68 65 72 6E 65 74 32 [GigabitEthernet2]
05:46:20: RADIUS: 2F [ /]
05:46:20: RADIUS(0000000C): Config NAS IP: 10.99.5.52
05:46:20: RADIUS/ENCODE(0000000C): acct_session_id: 12
05:46:20: RADIUS(0000000C): sending
05:46:20: RADIUS(0000000C): Send Access-Request to 10.18.16.77:1812 id 1645/145, len 159
05:46:20: RADIUS: authenticator 6A 32 7F 9D AD 49 2B 27 - 51 64 C6 2A B4 2D 5B C5
05:46:20: RADIUS: User-Name [1] 14 "acf2c5a5357e"
05:46:20: RADIUS: User-Password [2] 18 *
05:46:20: RADIUS: Service-Type [6] 6 Call Check [10]
05:46:20: RADIUS: Framed-MTU [12] 6 1500
05:46:20: RADIUS: Called-Station-Id [30] 19 "00-06-F6-7F-47-DB"
05:46:20: RADIUS: Calling-Station-Id [31] 19 "AC-F2-C5-A5-35-7E"
05:46:20: RADIUS: Message-Authenticato[80] 18
05:46:20: RADIUS: 6F 23 BB DB 1D 0B AE FA 5C FC 85 13 F7 66 D9 8C [ o#\f]
05:46:20: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
05:46:20: RADIUS: NAS-Port [5] 6 50212
05:46:20: RADIUS: NAS-Port-Id [87] 21 "GigabitEthernet2/12"
05:46:20: RADIUS: NAS-IP-Address [4] 6 10.99.5.52
05:46:20: RADIUS(0000000C): Started 3 sec timeout
05:46:20: RADIUS: Received from id 1645/145 10.18.16.77:1812, Access-Accept, len 291
05:46:20: RADIUS: authenticator 0C 5F CE 59 C6 A2 C0 76 - 5B D9 19 46 D7 37 E0 57
05:46:20: RADIUS: User-Name [1] 19 "AC-F2-C5-A5-35-7E"
05:46:20: RADIUS: Class [25] 87
05:46:20: RADIUS: 43 41 43 53 3A 30 61 31 32 31 30 34 64 6F 5A 69 [CACS:0a12104doZi]
05:46:20: RADIUS: 51 35 53 6B 75 4D 4E 76 53 43 4E 56 44 59 5A 69 [Q5SkuMNvSCNVDYZi]
05:46:20: RADIUS: 43 42 77 78 59 2F 35 5A 37 56 62 47 63 6D 64 49 [CBwxY/5Z7VbGcmdI]
05:46:20: RADIUS: 36 31 39 6E 39 4C 69 4D 3A 76 63 70 69 73 65 70 [619n9LiM:vcpisep]
05:46:20: RADIUS: 73 6E 2F 33 35 35 31 32 34 36 32 39 2F 33 30 31 [sn/355124629/301]
05:46:20: RADIUS: 33 39 30 31 36 [ 39016]
05:46:20: RADIUS: Message-Authenticato[80] 18
05:46:20: RADIUS: ED A3 7B 3C 4B B5 D9 A2 45 1B A8 83 94 C9 DA 2E [ {<KE.]
05:46:20: RADIUS: Vendor, Cisco [26] 30
05:46:20: RADIUS: Cisco AVpair [1] 24 "aaa:event=acl-download"
05:46:20: RADIUS: Vendor, Cisco [26] 75
05:46:20: RADIUS: Cisco AVpair [1] 69 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-57f6b0d3"
05:46:20: RADIUS: Vendor, Cisco [26] 42
05:46:20: RADIUS: Cisco AVpair [1] 36 "profile-name=Cisco-AP-Aironet-3600"
05:46:20: RADIUS(0000000C): Received from id 1645/145
05:46:20: RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNORE
05:46:20: MAB-5-SUCCESS: Authentication successful for client (acf2.c5a5.357e) on Interface Gi2/12
05:46:20: AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (acf2.c5a5.357e) on Interface Gi2/12
05:46:20: RADIUS/ENCODE(00000000):Orig. component type = INVALID
05:46:20: RADIUS(00000000): Config NAS IP: 10.99.5.52
05:46:20: RADIUS: AAA Unsupported Attr: service [333] 12
05:46:20: RADIUS: 69 70 5F 61 64 6D 69 73 73 69 [ ip_admissi]
05:46:20: RADIUS: AAA Unsupported Attr: event [334] 12
05:46:20: RADIUS: 61 63 6C 2D 64 6F 77 6E 6C 6F [ acl-downlo]
05:46:20: RADIUS(00000000): sending
05:46:20: RADIUS(00000000): Send Access-Request to 10.18.16.77:1812 id 1645/146, len 85
05:46:20: RADIUS: authenticator DF 3F E7 86 3D 71 46 0A - 0F 37 F1 2F 04 F9 BF A8
05:46:20: RADIUS: NAS-IP-Address [4] 6 10.99.5.52
05:46:20: RADIUS: User-Name [1] 41 "#ACSACL#-IP-PERMIT_ALL_TRAFFIC-57f6b0d3"
05:46:20: RADIUS: Message-Authenticato[80] 18
05:46:20: RADIUS: DE 98 C0 1F 6C B0 48 27 DF 90 A9 2A F1 2F 10 C1 [ lH'*/]
05:46:20: RADIUS(00000000): Started 3 sec timeout
05:46:20: RADIUS: Received from id 1645/146 10.18.16.77:1812, Access-Reject, len 38
05:46:20: RADIUS: authenticator C8 D2 7F 60 6F 90 37 7A - A3 28 A1 1B ED C7 E6 04
05:46:20: RADIUS: Message-Authenticato[80] 18
05:46:20: RADIUS: F1 17 89 6B DE BC 79 D1 94 2A FF 09 9A 75 CF 3E [ ky*u>]
05:46:20: RADIUS(00000000): Received from id 1645/146
05:46:20: AUTHMGR-5-FAIL: Authorization failed for client (acf2.c5a5.357e) on Interface Gi2/12
Thanks!
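
Added example (not part of the original post, and not Cisco or ISE code): a small Python parser that pairs each Access-Request in debug output like the above with its reply by RADIUS id, and reports any downloadable ACL named in an Access-Accept whose follow-up request was not accepted. The function names are hypothetical, the sample is an excerpt of the log above, and it assumes RADIUS ids are not reused within the capture.

```python
import re

# Excerpt of the debug output from the post above (other attribute lines trimmed).
SAMPLE = """\
05:46:20: RADIUS(0000000C): Send Access-Request to 10.18.16.77:1812 id 1645/145, len 159
05:46:20: RADIUS: User-Name [1] 14 "acf2c5a5357e"
05:46:20: RADIUS: Received from id 1645/145 10.18.16.77:1812, Access-Accept, len 291
05:46:20: RADIUS: User-Name [1] 19 "AC-F2-C5-A5-35-7E"
05:46:20: RADIUS: Cisco AVpair [1] 69 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-57f6b0d3"
05:46:20: RADIUS(0000000C): Received from id 1645/145
05:46:20: RADIUS(00000000): Send Access-Request to 10.18.16.77:1812 id 1645/146, len 85
05:46:20: RADIUS: User-Name [1] 41 "#ACSACL#-IP-PERMIT_ALL_TRAFFIC-57f6b0d3"
05:46:20: RADIUS: Received from id 1645/146 10.18.16.77:1812, Access-Reject, len 38
"""

SEND = re.compile(r"Send Access-Request to \S+ id (\d+/\d+)")
RECV = re.compile(r"Received from id (\d+/\d+) \S+, (Access-\w+)")
USER = re.compile(r'User-Name\s+\[1\]\s+\d+\s+"([^"]*)"')
DACL = re.compile(r'CiscoSecure-Defined-ACL=([^"]+)"')

def correlate(log):
    """Pair each Access-Request with its reply, keyed by RADIUS id."""
    exchanges, current, phase = {}, None, None
    for line in log.splitlines():
        if m := SEND.search(line):
            current, phase = m.group(1), "request"
            exchanges[current] = {"id": current, "user": None,
                                  "result": None, "dacl": None}
        elif (m := RECV.search(line)) and m.group(1) in exchanges:
            current, phase = m.group(1), "response"
            exchanges[current]["result"] = m.group(2)
        elif current and phase == "request" and (m := USER.search(line)):
            # Only the User-Name the switch sent identifies the request.
            exchanges[current]["user"] = m.group(1)
        elif current and phase == "response" and (m := DACL.search(line)):
            exchanges[current]["dacl"] = m.group(1)
    return list(exchanges.values())

def rejected_dacl_downloads(exchanges):
    """(acl_name, radius_id) for each advertised dACL whose fetch was not accepted."""
    advertised = {e["dacl"] for e in exchanges
                  if e["result"] == "Access-Accept" and e["dacl"]}
    return [(e["user"], e["id"]) for e in exchanges
            if e["user"] in advertised and e["result"] != "Access-Accept"]

if __name__ == "__main__":
    found = correlate(SAMPLE)
    for e in found:
        print(e)
    print("rejected dACL downloads:", rejected_dacl_downloads(found))
```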