06-14-2019 02:07 PM
Hi everyone,
I'm trying to configure MAB on an access port. The device is a kiosk of sorts, so I have no interest in dot1x, only the MAB component. I believe I have everything configured, but when I show authentication session interface g1/0/22 it immediately says the MAB method has failed, and then attempts dot1x.
LD200LDPSSW1(config-if)#shut
LD200LDPSSW1(config-if)#no shut
LD200LDPSSW1(config-if)#do show auth sess int g1/0/22
            Interface:  GigabitEthernet1/0/22
          MAC Address:  4439.c435.1eaa
           IP Address:  Unknown
            User-Name:  4439c4351eaa
               Status:  Running
               Domain:  UNKNOWN
       Oper host mode:  single-host
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A01C8330000000D31CCD3AE
      Acct Session ID:  0x00000D82
               Handle:  0x5E00000D

Runnable methods list:
       Method   State
       mab      Failed over
       dot1x    Running
My radius server shows no traffic from this switch, so I'm guessing the issue is with my config somewhere.
Current configuration : 12372 bytes
!
! Last configuration change at 07:24:24 PDT Fri May 24 2019 by 053166
! NVRAM config last updated at 07:24:25 PDT Fri May 24 2019 by 053166
!
version 12.2
no service pad
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname 200SW1
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
enable secret 5 xxxxxxxxxxx
!
username abc secret 5 xxxxxxxxxxx
!
aaa new-model
!
aaa authentication fail-message ^Failed login. Try again.^
aaa authentication login Use-Radius group radius local
aaa authentication dot1x Use-Radius group radius
aaa authorization network Use-Radius group radius
aaa accounting update newinfo
aaa accounting dot1x Use-Radius start-stop group radius
!
aaa session-id common
clock timezone PST -8
clock summer-time PDT recurring
switch 1 provision ws-c2960s-24ts-l
authentication mac-move permit
ip subnet-zero
!
dot1x system-auth-control
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
<OMITTED>
!
interface GigabitEthernet1/0/22
 description PUBLIC
 switchport access vlan 51
 switchport mode access
 switchport voice vlan 95
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 51
 authentication event server alive action reinitialize
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
<OMITTED>
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format unformatted
radius-server dead-criteria time 10 tries 3
radius-server host 172.20.201.47 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxx
radius-server vsa send accounting
radius-server vsa send authentication
!
line con 0
 login authentication Use-Radius
line vty 0 4
 access-class VTY-IN in
 login authentication Use-Radius
line vty 5 15
 access-class VTY-IN in
 login authentication Use-Radius
!
end
Any help would be greatly appreciated!
06-16-2019 05:32 AM
I do not see the following command: "aaa server radius dynamic-author".
And if you don't need dot1x for specific ports, then remove the flexible authentication.
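Added example, not posted by anyone in this thread and not the ISE guide's template: the relevant parts of the posted config reworked for a MAB-only port. It reuses the server address 172.20.201.47, VLANs 51 and 95 and the masked key from the original post; everything else is an assumption for illustration. One point it adds that the thread only hints at ("the default list for aaa commands for dot1x and network"): classic IOS 802.1X/MAB consults only the *default* AAA method lists, so the named Use-Radius lists in the post are never used for port authentication, which matches a MAB method that fails instantly while the RADIUS server sees no traffic. The dynamic-author block is only required if the RADIUS server will send CoA (re-authentication, dACL push).

```cisco
! --- Global AAA: port authentication uses the default lists only ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! Optional: accept Change-of-Authorization from the RADIUS server.
! Server-key is a placeholder; it must match the key on the server.
aaa server radius dynamic-author
 client 172.20.201.47 server-key 7 xxxxxxxxxxx
!
dot1x system-auth-control
!
! RADIUS server definition as in the original post (key masked)
radius-server attribute 31 mac format unformatted
radius-server dead-criteria time 10 tries 3
radius-server host 172.20.201.47 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxx
radius-server vsa send accounting
radius-server vsa send authentication
!
! --- Kiosk port: MAB only, no dot1x PAE, no next-method fail-over ---
interface GigabitEthernet1/0/22
 description PUBLIC
 switchport mode access
 switchport access vlan 51
 switchport voice vlan 95
 authentication event server dead action reinitialize vlan 51
 authentication event server alive action reinitialize
 authentication order mab
 authentication priority mab
 authentication port-control auto
 mab
 no dot1x pae authenticator
 spanning-tree portfast
```

To check it, shut/no shut the port with "debug radius" running and confirm an Access-Request with User-Name 4439c4351eaa leaves the switch; "show authentication sessions interface GigabitEthernet1/0/22" should then list only the mab method. With a single method and no "authentication event fail action", an unknown MAC simply stays unauthorized on the port, which is usually what you want for a public kiosk.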
06-15-2019 09:11 PM
06-17-2019 11:33 AM
Sorry, I don't understand what you mean by "the default list for aaa commands for dot1x and network"?
Is there a standardized config that I'm unaware of?
06-16-2019 01:46 PM - edited 06-17-2019 12:14 PM
Please look at the recommendations here as well. It includes a standard config:
https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515