MAB Issue: Auth Session Immediately Fails MAB Method

CDavidson21
Level 1

Hi everyone,

 

I'm trying to configure MAB on an access port. The device is a kiosk of sorts, so I have no interest in dot1x, only the MAB component. I believe I have everything configured, but when I show authentication session interface g1/0/22 it immediately says the MAB method has failed, and then attempts dot1x.

 

LD200LDPSSW1(config-if)#shut
LD200LDPSSW1(config-if)#no shut
LD200LDPSSW1(config-if)#do show auth sess int g1/0/22
            Interface:  GigabitEthernet1/0/22
          MAC Address:  4439.c435.1eaa
           IP Address:  Unknown
            User-Name:  4439c4351eaa
               Status:  Running
               Domain:  UNKNOWN
       Oper host mode:  single-host
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A01C8330000000D31CCD3AE
      Acct Session ID:  0x00000D82
               Handle:  0x5E00000D

Runnable methods list:
       Method   State
       mab      Failed over
       dot1x    Running

My radius server shows no traffic from this switch, so I'm guessing the issue is with my config somewhere.

Current configuration : 12372 bytes
!
! Last configuration change at 07:24:24 PDT Fri May 24 2019 by 053166
! NVRAM config last updated at 07:24:25 PDT Fri May 24 2019 by 053166
!
version 12.2
no service pad
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname 200SW1
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
enable secret 5 xxxxxxxxxxx
!
username abc secret 5 xxxxxxxxxxx
!
!
aaa new-model
!
!
aaa authentication fail-message ^Failed login. Try again.^
aaa authentication login Use-Radius group radius local
aaa authentication dot1x Use-Radius group radius
aaa authorization network Use-Radius group radius
aaa accounting update newinfo
aaa accounting dot1x Use-Radius start-stop group radius
!
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PDT recurring
switch 1 provision ws-c2960s-24ts-l
authentication mac-move permit
ip subnet-zero
!
!

dot1x system-auth-control
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
!
! <OMITTED>
!
!
interface GigabitEthernet1/0/22
 description PUBLIC
 switchport access vlan 51
 switchport mode access
 switchport voice vlan 95
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 51
 authentication event server alive action reinitialize
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! <OMITTED>
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format unformatted
radius-server dead-criteria time 10 tries 3
radius-server host 172.20.201.47 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxx
radius-server vsa send accounting
radius-server vsa send authentication
!
!
line con 0
 login authentication Use-Radius
line vty 0 4
 access-class VTY-IN in
 login authentication Use-Radius
line vty 5 15
 access-class VTY-IN in
 login authentication Use-Radius
!
end

Any help would be greatly appreciated!

 


4 Replies

Francesco Molino
VIP Alumni
Hi

Why didn't you use the default list for aaa commands for dot1x and network?
Normally it should work but try modifying them with the default list.

Also can you run the following commands and share the output:
- sh mab all
- debug authentication
- debug mab all



Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Sorry, I don't understand what you mean by "the default list for aaa commands for dot1x and network"?

 

Is there a standardized config that I'm unaware of?

ldanny
Cisco Employee (Accepted Solution)

I do not see the following command "aaa server radius dynamic-author"

 

And if you don't need dot1x for specific ports then remove the flexible authentication.

Please look at the recommendations here as well. It includes a standard config.

https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515
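The two replies combined, written out as an added example (this is not the original poster's running config, nor text from ldanny or Francesco): the dot1x, network and accounting lists are moved to the default lists, because dot1x and MAB on Catalyst IOS consult the default method lists and never reference a named list such as Use-Radius (which fits a switch that sends no RADIUS traffic at all); the CoA listener ("aaa server radius dynamic-author") is added; and the port is reduced to MAB only, with no dot1x PAE and no failover to a next method. Assumptions: the RADIUS key is a placeholder, the host mode is set to multi-domain only because the port carries a voice VLAN (use single-host if nothing but the kiosk is attached), and the login lists for the console and vty lines are left exactly as in the original post and are not repeated here.

```cisco
! --- Global AAA: default lists, since dot1x/MAB do not use named lists ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! --- RADIUS server (address from the original post; key is a placeholder) ---
radius-server host 172.20.201.47 auth-port 1812 acct-port 1813 key RADIUS-KEY-PLACEHOLDER
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format unformatted
radius-server dead-criteria time 10 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
!
! --- CoA listener requested in the accepted answer (same shared key) ---
aaa server radius dynamic-author
 client 172.20.201.47 server-key RADIUS-KEY-PLACEHOLDER
!
! --- Still required globally even when a port runs MAB only ---
dot1x system-auth-control
!
! --- MAB-only access port: no "dot1x pae authenticator", no next-method ---
interface GigabitEthernet1/0/22
 description PUBLIC
 switchport mode access
 switchport access vlan 51
 switchport voice vlan 95
 ! assumption: a phone shares the port; drop this line for single-host
 authentication host-mode multi-domain
 authentication event server dead action reinitialize vlan 51
 authentication event server alive action reinitialize
 authentication order mab
 authentication priority mab
 authentication port-control auto
 mab
 spanning-tree portfast
!
! --- Verification from exec mode, in the order a first check would run ---
! 1. Prove the switch can reach the server with the kiosk MAC as user/password:
!    test aaa group radius 4439c4351eaa 4439c4351eaa new-code
! 2. Confirm MAB is enabled on the port and see its state:
!    show mab all
!    show authentication sessions interface GigabitEthernet1/0/22
! 3. Watch the Access-Request leave and the response arrive:
!    debug radius authentication
!    debug mab all
```

The "test aaa group radius" step is the quickest way to separate the two failure modes the thread discusses: if it returns a response, the server, key and reachability are fine and the remaining problem is which method list the port is using; if it times out, the Access-Request never leaves the switch or is dropped before the server, and the method-list change will not help on its own.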
