cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
311
Views
0
Helpful
1
Replies
lni1
Beginner

MAB authentication failure

Dear Community,

 

We are doing a MAB POC as we speak to enhance our level of port security for exotic non-dot1x devices.

Our testdevice is a IE3000 8p industrial switch with Version 15.2(2)E4 (preferred IOS version for communication with ISE 2.2).

When booting the device MAB authentication works 100% of time.

When doing a shut/no shut of the network port or removing/inserting the network cable, in most of the cases MAB authentication fails and there is no more mac address of the end device in the mac address table.

The only way to make things work again is a reboot of the device.

 

 interface FastEthernet1/1
description ## Tel + PC dot1x mab ##
switchport access vlan 666
switchport mode access
switchport voice vlan 667
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication control-direction in
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 43200
mab
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 5
auto qos trust
no mdix auto
storm-control broadcast level 60.00
storm-control action shutdown
storm-control action trap
macro description MAB
ip dhcp snooping limit rate 10
ip dhcp snooping trust
end

 

In attach you can find 2 debug files (debug mab all & debug authentication all)

 

Kind regards,

Lieven Stubbe

Belgian railways

1 REPLY 1
Alex Pfeil
Rising star

Have you tried switching the authentication order to mab dot1x? Here is a configuration that we are currently using on some different switches. I removed a few things to focus on the 802.1x configuration. My review is based on recommended best practices on Cisco Community forum.

 

authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize voice
authentication event server alive action reinitialize
 authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer restart 3600
authentication timer inactivity 180
authentication violation restrict
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 10