MAB authentication failure

lni1
Level 1

Dear Community,


We are doing a MAB POC as we speak to enhance our level of port security for exotic non-dot1x devices.

Our test device is an IE3000 8p industrial switch with Version 15.2(2)E4 (preferred IOS version for communication with ISE 2.2).

When booting the device, MAB authentication works 100% of the time.

When doing a shut/no shut of the network port or removing/inserting the network cable, in most cases MAB authentication fails and the MAC address of the end device is no longer in the MAC address table.

The only way to make things work again is a reboot of the device.


interface FastEthernet1/1
 description ## Tel + PC dot1x mab ##
 switchport access vlan 666
 switchport mode access
 switchport voice vlan 667
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication control-direction in
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 43200
 mab
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout tx-period 5
 auto qos trust
 no mdix auto
 storm-control broadcast level 60.00
 storm-control action shutdown
 storm-control action trap
 macro description MAB
 ip dhcp snooping limit rate 10
 ip dhcp snooping trust
end


Attached you can find 2 debug files (debug mab all & debug authentication all).


Kind regards,

Lieven Stubbe

Belgian railways

1 Reply

Alex Pfeil
Level 7

Have you tried switching the authentication order to mab dot1x? Here is a configuration that we are currently using on some different switches. I removed a few things to focus on the 802.1x configuration. My review is based on recommended best practices on the Cisco Community forum.


authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer restart 3600
authentication timer inactivity 180
authentication violation restrict
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 10
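As an added check (example code, not from either post): a small Python audit that parses the questioner's FastEthernet1/1 stanza and reports which of the reply's authentication settings are missing from it or carry a different value. Using the reply's configuration as the baseline is this script's own assumption, not verified Cisco guidance.

```python
"""Audit an IOS port-auth stanza against a reference (added example, not the thread's code)."""
import re
# Auth subset of the reply's config. Treating it as the baseline is this script's assumption.
REFERENCE = """\
authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer restart 3600
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
"""
# Auth subset of the questioner's FastEthernet1/1 stanza, indented as IOS prints it.
POC_CONFIG = """\
interface FastEthernet1/1
 authentication control-direction in
 authentication order dot1x mab
 authentication timer reauthenticate 43200
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
"""
# Commands whose trailing words are a tunable value rather than part of the command name.
_PARAM = re.compile(r"^(authentication (?:order|priority|host-mode|violation|control-direction"
                    r"|port-control|timer \S+|event .+ action)|dot1x timeout \S+)\s+(.+)$")

def parse_auth(config):
    """Return {command: value} for the authentication/mab/dot1x lines only."""
    result = {}
    for line in (raw.strip() for raw in config.splitlines()):
        if line.split(" ")[0] in ("authentication", "mab", "dot1x"):
            m = _PARAM.match(line)
            result[m.group(1) if m else line] = m.group(2) if m else ""
    return result

def audit(config, reference=REFERENCE):
    """List reference commands absent from config and values that differ from it."""
    have, want = parse_auth(config), parse_auth(reference)
    missing = sorted(k for k in want if k not in have)
    differs = {k: (have[k], want[k]) for k in want if k in have and have[k] != want[k]}
    return {"missing": missing, "differs": differs}
```

Running `audit(POC_CONFIG)` flags the `authentication order` difference the reply asks about, plus the missing `event fail action next-method` and `host-mode` lines.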
