thomas
Cisco Employee

Limitations

MAC Authentication Bypass (MAB):

  • The switch does not populate the Calling-Station-ID with the endpoint MAC address, so ISE 1.0 cannot perform a normal MAB lookup.
  • Support for MAB from third-party devices like this one was added in ISE 1.2.
  • The switch sends Service-Type = Login, not Call-Check.

Troubleshooting

There are NO debugs on the Nortel. Not a single one. So you cannot debug AAA or RADIUS on the switch itself and will need to use a sniffer. Even with a sniffer, since there are no debugs, you can see the RADIUS messages on the wire but not what the Nortel switch actually does with the messages it receives.

Tips

  • Use Policy Sets.
  • Nortel MAB sends the MAC address as the User-Name but does not send Calling-Station-ID. Therefore you must check the box to use the username for host lookup.
  • Do NOT check the box to compare the password for MAB; it will not work. Nortel sends the password as .<macaddress>. (example: .aabbccddeeff.), which is NOT the same format as the username, which is AA:BB:CC:DD:EE:FF.
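Since the only way to see what this switch sends is a packet capture, the following added example (not code from the post, Avaya or Cisco ISE) decodes a RADIUS Access-Request from raw bytes and then models the MAB decisions described in the Limitations and Tips above: whether the request looks like a "normal" MAB (Service-Type Call-Check plus Calling-Station-Id), what MAC a username-based host lookup would derive, and why a literal password comparison fails for the .aabbccddeeff. password. The two packets are constructed here with the shared secret "Cisco123" from the running-config; the fixed Request Authenticator, the MAC values and the NAS address are assumptions for illustration only.

```python
"""Decode a RADIUS Access-Request and model MAB detection on it.
Added example; not Nortel/Avaya or Cisco ISE code. Packets are constructed."""
import hashlib
import re
import struct

# RADIUS codes, attribute types and Service-Type values from RFC 2865
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_SERVICE_TYPE = 6
ATTR_CALLING_STATION_ID = 31
SERVICE_TYPE_LOGIN = 1
SERVICE_TYPE_CALL_CHECK = 10

SHARED_SECRET = b"Cisco123"       # the RADIUS key from the running-config in the post
AUTHENTICATOR = bytes(range(16))  # assumed fixed Request Authenticator; a real NAS picks a random one


def encode_user_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to a 16-byte multiple and XOR each block with
    MD5(secret + previous block), the first block being keyed by the authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_user_password(cipher, secret, authenticator):
    """Inverse of encode_user_password; the chaining value is the previous cipher block."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")


def build_access_request(attrs, identifier=1, authenticator=AUTHENTICATOR):
    """Serialise (type, value) pairs into one Access-Request packet."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def parse_radius(packet):
    """Return (code, identifier, authenticator, [(type, value), ...]) from raw bytes."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def normalize_mac(text):
    """Reduce any MAC spelling (AA:BB:.., aa-bb-.., .aabb...) to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def classify_mab(packet, secret=SHARED_SECRET):
    """Model the MAB-related decisions a RADIUS server makes for one request."""
    code, _, authenticator, attrs = parse_radius(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    first = {}
    for attr_type, value in attrs:
        first.setdefault(attr_type, value)  # keep the first instance of each attribute
    username = first.get(ATTR_USER_NAME, b"").decode("ascii") or None
    calling = first.get(ATTR_CALLING_STATION_ID)
    calling = calling.decode("ascii") if calling is not None else None
    service_type = None
    if ATTR_SERVICE_TYPE in first:
        service_type = struct.unpack("!I", first[ATTR_SERVICE_TYPE])[0]
    password = None
    if ATTR_USER_PASSWORD in first:
        password = decode_user_password(first[ATTR_USER_PASSWORD], secret, authenticator).decode("ascii")
    mac_from_username = normalize_mac(username) if username else None
    return {
        "standard_mab": service_type == SERVICE_TYPE_CALL_CHECK and calling is not None,
        "username_host_lookup": mac_from_username,          # what "use username for host lookup" yields
        "password": password,
        "password_equals_username": password is not None and password == username,
        "password_equals_mac": password is not None and normalize_mac(password) == mac_from_username,
    }


# Constructed Nortel-style request: MAC as User-Name, ".<mac>." password, Login, no Calling-Station-Id
NORTEL_STYLE = build_access_request([
    (ATTR_USER_NAME, b"AA:BB:CC:DD:EE:FF"),
    (ATTR_USER_PASSWORD, encode_user_password(b".aabbccddeeff.", SHARED_SECRET, AUTHENTICATOR)),
    (ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)),
    (ATTR_NAS_IP_ADDRESS, bytes([10, 1, 40, 33])),
])

# Constructed request in the shape a normal MAB detection expects
STANDARD_STYLE = build_access_request([
    (ATTR_USER_NAME, b"aabbccddeeff"),
    (ATTR_USER_PASSWORD, encode_user_password(b"aabbccddeeff", SHARED_SECRET, AUTHENTICATOR)),
    (ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK)),
    (ATTR_CALLING_STATION_ID, b"AA-BB-CC-DD-EE-FF"),
])

if __name__ == "__main__":
    for name, pkt in (("nortel", NORTEL_STYLE), ("standard", STANDARD_STYLE)):
        print(name, classify_mab(pkt))
```

The Nortel-style packet yields standard_mab False, a host-lookup MAC of aabbccddeeff from the username, and a password that equals the username only after both are normalized to bare hex digits, which is the mismatch the tip describes. The same parse_radius routine can be pointed at the UDP payload of a captured Access-Request to confirm what a given switch really sends.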

Example

4550T-PWR#show running-config
! Embedded ASCII Configuration Generator Script
! Model = Ethernet Routing Switch 4550T-PWR
! Software version = v5.6.1.052
!
! Displaying only parameters different to default
!================================================
enable
configure terminal
!
! *** CORE (Phase 1) ***
!
ntp server 172.25.73.1 enable authentication-key 1
ntp authentication-key 1 "cisco"
ntp interval 1440
ntp
radius server host 10.1.100.231 acct-enable
radius server host key "Cisco123"
radius server host 10.1.100.231 used-by eapol acct-enable
radius server host key "Cisco123" used-by eapol
radius server host 10.1.100.231 used-by non-eapol acct-enable

radius dynamic-server client 10.1.100.231
radius dynamic-server client 10.1.100.231 port 1700
radius dynamic-server client 10.1.100.231 secret "Cisco123"
radius dynamic-server client 10.1.100.231 enable
radius dynamic-server client 10.1.100.231 process-change-of-auth-requests
radius dynamic-server client 10.1.100.231 process-disconnect-requests

!
! *** SNMP ***
!
snmp-server notification-control ospfVirtIfStateChange
snmp-server notification-control ospfNbrStateChange
snmp-server notification-control ospfVirtNbrStateChange
snmp-server notification-control ospfIfConfigError
snmp-server notification-control ospfVirtIfConfigError
snmp-server notification-control ospfIfAuthFailure
snmp-server notification-control ospfVirtIfAuthFailure
snmp-server notification-control ospfIfStateChange
!
! *** IP  ***
!
ip default-gateway 10.1.40.1
ip address switch 10.1.40.33
ip address netmask 255.255.255.0           
ip address source configured-address
!
! *** IP Manager ***
!
!
! *** ASSET ID ***
!
!
! *** EAP ***
!
interface FastEthernet ALL
eapol port 1-2  status auto
exit
eapol multihost allow-non-eap-enable
eapol multihost radius-non-eap-enable
interface FastEthernet ALL
eapol multihost port 1-24 enable allow-non-eap-enable radius-non-eap-enable
eapol multihost port 25-50 allow-non-eap-enable radius-non-eap-enable
exit

no eapol multihost non-eap-pwd-fmt ip-addr
no eapol multihost non-eap-pwd-fmt port-number

!
! *** IPFIX ***
!
!
! *** System Logging ***
!
!
! *** STACK ***
!
!
! *** Custom Banner ***
!
!
! *** STP (Phase 1) ***
!
spanning-tree port-mode auto
!
! *** VLAN ***
!
vlan create 40,47-49 type port 1
vlan name 47 "Data"                        
vlan name 48 "voice"
vlan name 49 "guest"
vlan ports 49 tagging tagAll
vlan configcontrol flexible
vlan members 40 49
vlan members 47-49 1-49
vlan ports 1-48 pvid 47
vlan ports 49 pvid 40
no auto-pvid
!
! *** IGMP ***
!
!
! *** EAP Guest VLAN ***
!
eapol guest-vlan enable vid 49
!
! *** EAP Fail Open VLAN ***
!
eapol multihost fail-open-vlan enable
eapol multihost fail-open-vlan vid 47
!                                          
! *** EAP Voip VLAN ***
!
eapol enable
!
! *** Port Mirroring ***
!
!
! *** 802.1ab ***
!

interface FastEthernet ALL
no lldp port ALL config-notification
no lldp tx-tlv port ALL local-mgmt-addr port-desc sys-desc sys-name
no lldp tx-tlv port 1-48 dot3 mdi-power-support
no lldp tx-tlv port 1-48 med extendedPSE inventory location med-capabilities network-policy
no lldp tx-tlv port 49-50 med inventory location med-capabilities network-policy
exit
!
! *** 802.1ab vendor-specific Avaya TLVs config ***
!                                          
!
! *** 802.1AB MED Voice Network Policies ***
!
!
! *** QOS ***
!
!
! *** RMON ***
!
!
! *** Interface ***
!
!
! *** Rate-Limit ***
!
!
! *** MLT (Phase 1) ***
!
!
! *** MAC-Based Security ***
!
!                                          
! *** LACP ***
!
!
! *** ADAC ***
!
!
! *** STP (Phase 2) ***
!
spanning-tree port-mode normal
!
! *** VLAN Phase 2***
!
vlan mgmt 40
!
! *** MLT (Phase 2) ***
!
!
! *** CORE (Phase 2) ***
!
!
! *** PoE ***
!                                          
!
! *** RTC ***
!
!
! *** Avaya Energy Saver ***
!
!
! *** AUR ***
!
!
! *** AAUR ***
!
!
! *** L3 ***
!
interface vlan 40
no ip routing
exit

! --- ECMP ---

                                            
! No license for ECMP.
! Contact support@avaya.com to update Software license.
!
! *** IPV6 ***
!
!
! *** VLACP ***
!
!
! *** Brouter Port ***
!
!
! *** DHCP Relay ***
!
!
! *** L3 Protocols ***
!

! --- IP Directed Broadcast ---


! --- Proxy ARP ---                       


! --- UDP Broadcast Forwarding ---


! --- VRRP ---


! --- Route Policies ---


! --- OSPF ---

router ospf
router-id 138.39.108.0
exit

! --- RIP ---

!
! *** DHCP SNOOPING ***
!                                          
!
! *** ARP INSPECTION ***
!
!
! *** IP SOURCE GUARD ***
!
!
! *** STACK MONITOR ***
!
!
! *** SLPP-guard ***
!
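To make the 802.1X/MAB-relevant lines of a running-config like the one above easy to review, here is an added example (not code from the post, Avaya or Cisco) that pulls out the RADIUS servers, CoA state, guest and fail-open VLANs and the non-EAP password format, and raises the warnings a reviewer would want: the fail-open VLAN here is also the access-port PVID (the "Data" VLAN), and the ".<mac-addr>." password cannot be compared with the User-Name. The parsed text is a constructed subset of the config above; the regular expressions target this ASCII Configuration Generator output, and the assumption that the non-EAP password is built from the ip-addr, mac-addr and port-number components (all on by default, enabled ones joined by dots) is mine, inferred from the two "no ... non-eap-pwd-fmt" lines and the .aabbccddeeff. example in the Tips.

```python
"""Audit the 802.1X/MAB settings of an ERS running-config.
Added example; not Avaya or Cisco code. CONFIG is a constructed subset of the post's config."""
import re

CONFIG = """\
radius server host 10.1.100.231 acct-enable
radius server host key "Cisco123"
radius dynamic-server client 10.1.100.231 enable
radius dynamic-server client 10.1.100.231 process-change-of-auth-requests
radius dynamic-server client 10.1.100.231 process-disconnect-requests
eapol multihost allow-non-eap-enable
eapol multihost radius-non-eap-enable
no eapol multihost non-eap-pwd-fmt ip-addr
no eapol multihost non-eap-pwd-fmt port-number
vlan name 47 "Data"
vlan name 48 "voice"
vlan name 49 "guest"
vlan ports 1-48 pvid 47
vlan ports 49 pvid 40
eapol guest-vlan enable vid 49
eapol multihost fail-open-vlan enable
eapol multihost fail-open-vlan vid 47
eapol enable
"""

# Assumed default components of the non-EAP (MAB) password; the enabled ones are
# joined with '.', which with only mac-addr left gives the ".aabbccddeeff." seen in the post.
PWD_FMT_DEFAULT = ("ip-addr", "mac-addr", "port-number")


def audit(config):
    """Return the MAB-relevant settings found in config plus a list of review warnings."""
    lines = [line.strip() for line in config.splitlines()]

    def first(pattern):
        match = re.search(pattern, config, re.M)
        return match.group(1) if match else None

    vlan_names = dict(re.findall(r'^vlan name (\d+) "([^"]*)"', config, re.M))
    disabled = set(re.findall(r"^no eapol multihost non-eap-pwd-fmt (\S+)", config, re.M))
    pwd_parts = [p for p in PWD_FMT_DEFAULT if p not in disabled]
    fail_open_vlan = first(r"^eapol multihost fail-open-vlan vid (\d+)")
    pvids = set(re.findall(r"^vlan ports \S+ pvid (\d+)", config, re.M))

    result = {
        "radius_servers": sorted(set(re.findall(r"^radius server host (\d+(?:\.\d+){3})", config, re.M))),
        "coa_enabled": any(line.endswith("process-change-of-auth-requests") for line in lines),
        "mab_enabled": "eapol enable" in lines and "eapol multihost radius-non-eap-enable" in lines,
        "mab_password_format": "." + ".".join("<%s>" % p for p in pwd_parts) + ".",
        "guest_vlan": first(r"^eapol guest-vlan enable vid (\d+)"),
        "fail_open_vlan": fail_open_vlan if "eapol multihost fail-open-vlan enable" in lines else None,
        "warnings": [],
    }
    # Ports move to the fail-open VLAN while no RADIUS server answers; if that is an
    # access PVID, unauthenticated hosts get the same network as authenticated ones.
    if result["fail_open_vlan"] in pvids:
        result["warnings"].append(
            "fail-open VLAN %s (%s) is an access PVID: ports get that VLAN while RADIUS is unreachable"
            % (fail_open_vlan, vlan_names.get(fail_open_vlan, "unnamed")))
    # The password never has the User-Name's AA:BB:CC:DD:EE:FF form, so a server-side
    # password compare for MAB fails (see the Tips in the post).
    if result["mab_enabled"]:
        result["warnings"].append(
            "MAB password format %s differs from the User-Name format; do not compare passwords"
            % result["mab_password_format"])
    if not result["coa_enabled"]:
        result["warnings"].append("CoA not enabled: the RADIUS server cannot re-authorize or disconnect sessions")
    return result


if __name__ == "__main__":
    for key, value in audit(CONFIG).items():
        print("%-20s %s" % (key, value))
```

Run it against the output of `show running-config` saved to a file to get the same summary for a switch you are onboarding to ISE.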
