[Cisco ISE 1.2 with 3850 - Trunk AP] Problem with MAB

David Santos
Level 1

Hi everyone,

After reading some documentation about using MAB on a trunk port with the 3850, I would like to know if someone has implemented ISE policies with a 3850 interface in trunk mode. My problem is that when I try using MAB on a trunk port, the MAC address of the AP isn't visible in "show mac address interface", and because of that the AP is not authenticated in ISE. The thing is, if I use a 2960 everything goes smoothly with no problems!

Let me show you what I have:

interface GigabitEthernet1/0/3
 description AP
 switchport trunk native vlan 999
 switchport mode trunk
 trust device cisco-phone
 authentication event fail action next-method
 authentication host-mode multi-host
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x max-req 4
 auto qos voip cisco-phone
 service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
 service-policy output AutoQos-4.0-Output-Policy

############################################# switch model - 3850 ##################################################
SW1#sh mac address-table interface GigabitEthernet1/0/3
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

SW1#sh dot1x interface Gi1/0/3
Dot1x Info for GigabitEthernet1/0/3
-----------------------------------
PAE                       = AUTHENTICATOR
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 4
TxPeriod                  = 30

Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
*    1 56    WS-C3850-48P       03.03.03SE        cat3k_caa-universalk9 INSTALL


############################################# Different switch model - 2960 ##################################################

interface GigabitEthernet1/0/1
 description AP
 switchport trunk native vlan 999
 switchport mode trunk
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication event fail action next-method
 authentication host-mode multi-host
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 mls qos trust device cisco-phone
 mls qos trust cos
 dot1x pae authenticator
 dot1x max-req 4
 auto qos voip cisco-phone
 service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY

 SW1#show authentication sessions interface GigabitEthernet1/0/1
            Interface:  GigabitEthernet1/0/1
          MAC Address:  xxxx.xxxx.4a38
           IP Address:  172.18.1.170
            User-Name:  xx-xx-xx-xx-4A-38
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-host
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A18129D000060E39DAE8A8A
      Acct Session ID:  0x0000725D
               Handle:  0x0F00028C

Runnable methods list:
       Method   State
       mab      Authc Success

Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
     1 28    WS-C2960X-24PS-L   15.0(2)EX5            C2960X-UNIVERSALK9-M

 SW2#sh dot1x interface Gi1/0/1
Dot1x Info for GigabitEthernet1/0/1
-----------------------------------
PAE                       = AUTHENTICATOR
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 4
TxPeriod                  = 30

Am I doing something wrong?

BR,

5 Replies

nspasov
Cisco Employee

Hi David, 802.1x is not supported on trunk ports.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/security/configuration_guide/b_sec_3se_3850_cg/b_sec_3se_3850_cg_chapter_01111.html

I have played with it in the lab with different families of Cisco switches and have gotten mixed results. Sometimes things appeared to work correctly, but other times I have run into weird issues that I could not fix, and TAC won't troubleshoot since it is not a supported configuration.

I hope this helps!

Thank you for rating helpful posts!
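Added here as an example, not code from the thread or from Cisco: a small Python audit of the two things this reply turns on. It splits a running-config into interface stanzas and flags ports that combine "switchport mode trunk" with IBNS authentication commands (the unsupported combination from the linked document), and separately flags "authentication host-mode multi-host", which authenticates only the first MAC on the port and then lets every later MAC ride on that session, a point worth knowing on an AP port whatever the answer to the trunk question. It also parses the two show outputs from the original post, so the empty 3850 MAC table and the 2960 "Authz Success" session can be checked mechanically. The sample config and outputs are constructed from the posts above; interface Gi1/0/5 and the 2960 MAC-table row are made up.

```python
import re

# Constructed sample: the AP stanza posted above, trimmed to the commands the audit
# reads (QoS lines dropped), plus a hypothetical access port (Gi1/0/5) for contrast.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/3
 description AP
 switchport trunk native vlan 999
 switchport mode trunk
 authentication host-mode multi-host
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/5
 switchport mode access
 authentication host-mode single-host
 authentication port-control auto
 mab
 dot1x pae authenticator
!
"""
# Constructed: the empty 3850 table from the thread, and a 2960-style table with one made-up row.
SAMPLE_MAC_TABLE_3850 = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
"""
SAMPLE_MAC_TABLE_2960 = SAMPLE_MAC_TABLE_3850 + " 999    0011.2233.4a38    DYNAMIC     Gi1/0/1\n"
# Constructed: the relevant lines of the 2960 'show authentication sessions' output.
SAMPLE_SESSION = """\
               Status:  Authz Success
Runnable methods list:
       Method   State
       mab      Authc Success
"""

def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Split an IOS running-config into {interface name: [its indented commands]}."""
    stanzas: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None  # "!" or any top-level command closes the stanza
    return stanzas

# Any of these means IBNS authentication (dot1x and/or MAB) is active on the port.
AUTH_COMMANDS = ("authentication port-control auto", "mab", "dot1x pae authenticator")

def audit_interface(lines: list[str]) -> list[str]:
    """Findings for one stanza: the unsupported trunk combination and multi-host mode."""
    findings: list[str] = []
    auth = [cmd for cmd in AUTH_COMMANDS if cmd in lines]
    if "switchport mode trunk" in lines and auth:
        findings.append("trunk port with %s: 802.1X/MAB is not supported on trunk ports"
                        % ", ".join(auth))
    host_mode = "single-host"  # IOS default when no host-mode is configured
    for line in lines:
        if line.startswith("authentication host-mode "):
            host_mode = line.split()[-1]
    if host_mode == "multi-host":
        findings.append("host-mode multi-host: only the first MAC is authenticated; "
                        "every other MAC seen on the port afterwards rides on that session")
    return findings

def audit_config(config: str) -> dict[str, list[str]]:
    return {name: audit_interface(lines) for name, lines in parse_interfaces(config).items()}

# One data row of 'show mac address-table': vlan, mac, type, port.
MAC_ROW = re.compile(r"^\s*(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)

def mac_table_entries(output: str) -> list[tuple[str, ...]]:
    """Rows learned on the port; an empty list is exactly the symptom seen on the 3850."""
    return [m.groups() for m in map(MAC_ROW.match, output.splitlines()) if m]

def session_status(output: str) -> tuple[str, dict[str, str]]:
    """Overall Status plus {method: state} from 'show authentication sessions interface'."""
    status, in_methods = "no session", False
    methods: dict[str, str] = {}
    for line in output.splitlines():
        text = line.strip()
        if text.startswith("Status:"):
            status = text.split(":", 1)[1].strip()
        elif text.startswith("Runnable methods list"):
            in_methods = True
        elif in_methods and text and not text.startswith("Method"):
            name, state = text.split(None, 1)
            methods[name] = state.strip()
    return status, methods

if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG))
    print(mac_table_entries(SAMPLE_MAC_TABLE_2960), session_status(SAMPLE_SESSION))
```

Feed it captures of "show running-config", "show mac address-table interface X" and "show authentication sessions interface X": a port that trips the trunk finding together with an empty MAC-table result is the 3850 symptom in the first post, while the same config on the 2960 gives a populated table and an "Authz Success" session with "mab" as the method.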

Neno,

Thanks for the quick reply, but I'm not doing VLAN assignment on that port. I know that the doc states that "The 802.1x authentication with VLAN assignment feature is not supported on trunk ports", but I just want to authenticate, nothing more.

What do you think about this? Am I reading it wrong?

BR,

DS


Venkatesh Attuluri
Cisco Employee

The 802.1X protocol is not supported on trunk ports.

But I'm using MAB...

I know what you mean and I agree with what you are saying :) Nonetheless, at the moment, the official stance from Cisco on this is that 802.1x is not supported on trunk ports. Now one can argue that MAB is different, but I think we are just splitting hairs here :)

Like I said, I have gotten stuff to work before but always had some goofy things happening, so in general I have stayed away from doing it.

Now in your situation, if your configuration is working fine on the 2960 but not on the 3850, then most likely the issue is with the XE code running on the 3850s. The XE code has been very problematic until recently, so you are probably hitting some sort of defect. As a result, I recommend that you upgrade the switch(es) to 3.3.5 or 3.6.1. Version 3.7.x is also out, but it just came out 8 days ago so I would not recommend going to it.

Thank you for rating helpful posts!
