08-22-2024 05:23 AM
Dear,
MAB on C9300 doesn't start with some medical equipment.
With my PC it works fine if I put my MAC address on the ISE.
And dot1x works fine also.
D-9300#sh run int gi 1/0/2
!
interface GigabitEthernet1/0/2
switchport access vlan 70
switchport mode access
switchport nonegotiate
switchport voice vlan 124
device-tracking attach-policy deviceIP4ise
source template TM-Dot1x-tst
spanning-tree portfast
end
D-9300#sh derived-config int gi 1/0/2
!
interface GigabitEthernet1/0/2
description dot1x Port
switchport access vlan 70
switchport mode access
switchport nonegotiate
switchport voice vlan 124
device-tracking attach-policy deviceIP4ise
authentication periodic
authentication timer reauthenticate server
access-session host-mode multi-domain
access-session control-direction in
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 7
spanning-tree portfast
service-policy type control subscriber DOT1X-DEFAULT
end
D-9300# sh access-session brief
No sessions currently exist
When I change on the interface "switchport access vlan 70" to "switchport access vlan 505"
(VLAN 70 is the rubbish VLAN, VLAN 505 is the VLAN where the equipment must go),
then it works fine:
D-9300#sh derived-config int gi 1/0/2
!
interface GigabitEthernet1/0/2
description dot1x Port
switchport access vlan 505
switchport mode access
switchport nonegotiate
switchport voice vlan 124
device-tracking attach-policy deviceIP4ise
authentication periodic
authentication timer reauthenticate server
access-session host-mode multi-domain
access-session control-direction in
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 7
spanning-tree portfast
service-policy type control subscriber DOT1X-DEFAULT
end
D-9300# sh access-session brief
Interface MAC Address AuthC AuthZ Fg Uptime
-----------------------------------------------------------------------------
Gi1/0/2 00e0.4b83.f071 m:OK AZ: SA-D:V: X 14s
Key to Authentication Attributes:
RN - Running
ST - Stopped
OK - Authentication Success
CF - Credential Failure
AD - AAA Server Failure
NR - No Response
TO - Timeout
AR - AAA Not Ready
Key to Authorization Attributes:
AZ - Authorized, UZ - UnAuthorized
SA - Success Attributes, FA - Failed Attributes
V: - Vlan, I: - Inactivity Timer, O: - Open Dir
Key to Session Events Blocked Status Flags:
A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker
D-9300#
It seems that the equipment doesn't send any packet out; the equipment unfortunately has a fixed IP and not DHCP.
It seems that the equipment waits for info from a central management equipment.
Is there something possible at network level to find a solution without putting a static "switchport access vlan 505" in the configuration?
Thanks
08-22-2024 05:34 AM
Try using low-impact mode.
Make ISE return a dACL instead of a VLAN,
and configure a pre-auth ACL that allows DHCP.
MHM
08-22-2024 05:35 AM
Also, did you configure
aaa authorization network.....?
MHM
08-22-2024 05:39 AM
aaa new-model
!
!
aaa authentication login default none
aaa authentication login noAAA local
aaa authentication login VTY group radius local
aaa authentication dot1x default group radius
aaa authorization exec default none
aaa authorization exec noAAA none
aaa authorization exec VTY group radius local
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting identity default start-stop group radius
aaa accounting exec default start-stop group radius
!
!
aaa server radius dynamic-author
client IPISE1 server-key xxx
client IPISE2 server-key xxx
auth-type any
!
aaa session-id common
radius server ISE01
address ipv4 IPISE1 auth-port 1812 acct-port 1813
key xxx
!
radius server ISE02
address ipv4 IPISE2 auth-port 1812 acct-port 1813
key xxx
08-22-2024 05:43 AM
When you connect the PC,
share:
show authentication session interface x/x details
show mac address
show authentication session
MHM
08-22-2024 05:41 AM
ISE return :
Access Type = ACCESS_ACCEPT
Tunnel-Private-Group-ID = 1:505
Tunnel-Type = 1:13
Tunnel-Medium-Type = 1:6
DACL = PERMIT_ALL_TRAFFIC
08-22-2024 05:46 AM
Share the output of the commands above; let me check.
MHM
08-22-2024 06:00 AM
D-9300#sh mac address-table | exc Gi1/0/48
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU
All 0180.c200.0000 STATIC CPU
All 0180.c200.0001 STATIC CPU
All 0180.c200.0002 STATIC CPU
All 0180.c200.0003 STATIC CPU
All 0180.c200.0004 STATIC CPU
All 0180.c200.0005 STATIC CPU
All 0180.c200.0006 STATIC CPU
All 0180.c200.0007 STATIC CPU
All 0180.c200.0008 STATIC CPU
All 0180.c200.0009 STATIC CPU
All 0180.c200.000a STATIC CPU
All 0180.c200.000b STATIC CPU
All 0180.c200.000c STATIC CPU
All 0180.c200.000d STATIC CPU
All 0180.c200.000e STATIC CPU
All 0180.c200.000f STATIC CPU
All 0180.c200.0010 STATIC CPU
All 0180.c200.0021 STATIC CPU
All ffff.ffff.ffff STATIC CPU
100 4cec.0f65.acd1 STATIC Vl100
505 3448.ed68.c04d STATIC Gi1/0/2
Total Mac Addresses for this criterion: 1337
D-9300#sh mac address-table vl 505
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
505 0000.0c9f.f1f9 DYNAMIC Gi1/0/48
505 00e0.4b7d.669b DYNAMIC Gi1/0/48
505 286f.7f24.b47f DYNAMIC Gi1/0/48
505 286f.7f24.b57f DYNAMIC Gi1/0/48
505 3448.ed68.c04d STATIC Gi1/0/2
505 3890.a5de.035f DYNAMIC Gi1/0/48
Total Mac Addresses for this criterion: 6
D-9300#sh authentication session int gi 1/0/2 det
Interface: GigabitEthernet1/0/2
IIF-ID: 0x12F7F036
MAC Address: 3448.ed68.c04d
IPv6 Address: Unknown
IPv4 Address: 10.34.20.43
User-Name: 34-48-ED-68-C0-4D
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: in
Session timeout: N/A
Acct update timeout: 300s (local), Remaining: 184s
Common Session ID: A006220A000000797A2706B1
Acct Session ID: 0x00000068
Handle: 0x1700006e
Current Policy: DOT1X-DEFAULT
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecured
Server Policies:
Vlan Group: Vlan: 505
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-57f6b0d3
Method status list:
Method State
mab Authc Success
D-9300# sh authen session
Interface MAC Address Method Domain Status Fg Session ID
--------------------------------------------------------------------------------------------
Gi1/0/2 3448.ed68.c04d mab DATA Auth A006220A000000797A2706B1
Session count = 1
Key to Session Events Blocked Status Flags:
A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker
D-9300#sh run int gi 1/0/2
Building configuration...
Current configuration : 238 bytes
!
interface GigabitEthernet1/0/2
switchport access vlan 70
switchport mode access
switchport nonegotiate
switchport voice vlan 124
device-tracking attach-policy deviceIP4ise
source template TM-Dot1x-tst
spanning-tree portfast
end
D-9300#
08-22-2024 05:42 AM
Hello!
First, establish that dot1x is blocking the device. On what port is the device? What does the command show auth session int gigX/0/X detail display? Do you have DHCP snooping/IP ARP inspection enabled? Do the logs display any messages?
BR
08-22-2024 05:48 AM
The device doesn't do 802.1x; that is the reason its MAC address is encoded in the ISE.
With the VLAN configured on the port:
D-9300# sh run int gi 1/0/2
!
interface GigabitEthernet1/0/2
switchport access vlan 505
switchport mode access
switchport nonegotiate
switchport voice vlan 124
device-tracking attach-policy deviceIP4ise
source template TM-Dot1x-tst
spanning-tree portfast
end
D-9300#sh authentication session int gi 1/0/2 det
Interface: GigabitEthernet1/0/2
IIF-ID: 0x173E655A
MAC Address: 00e0.4b83.f071
IPv6 Address: Unknown
IPv4 Address: 10.34.20.28
User-Name: 00-E0-4B-83-F0-71
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: in
Session timeout: N/A
Acct update timeout: 300s (local), Remaining: 284s
Common Session ID: A006220A000000777A022DE8
Acct Session ID: 0x00000066
Handle: 0x6700006c
Current Policy: DOT1X-DEFAULT
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecured
Server Policies:
Vlan Group: Vlan: 505
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-57f6b0d3
Method status list:
Method State
mab Authc Success
BUT when I put VLAN 70 in the port configuration (or nothing => VLAN 1):
D-9300#conf t
Enter configuration commands, one per line. End with CNTL/Z.
D-9300(config)#int gi 1/0/2
D-9300(config-if)#sw
D-9300(config-if)#switchport acc vl 70
D-9300(config-if)#sh
D-9300(config-if)#no sh
D-9300(config-if)#
Aug 22 14:44:48: %LINK-5-CHANGED: Interface GigabitEthernet1/0/2, changed state to administratively down
Aug 22 14:44:49: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to down
D-9300(config-if)#end
Aug 22 14:44:51: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/2, changed state to up
Aug 22 14:44:52: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to up
D-9300# sh run int gi 1/0/2
!
interface GigabitEthernet1/0/2
switchport access vlan 70
switchport mode access
switchport nonegotiate
switchport voice vlan 124
device-tracking attach-policy deviceIP4ise
source template TM-Dot1x-tst
spanning-tree portfast
end
D-9300#sh authentication session int gi 1/0/2 det
No sessions match supplied criteria.
D-9300#
08-22-2024 06:00 AM
Is VLAN 505 created correctly on the switch (show vlan | i 505)? What RADIUS messages does ISE display? What is your policy set configuration on ISE?
BR
08-22-2024 06:01 AM
Yes, it is, because with my PC (result here above) all is working. I can ping the rest of the network also.
08-22-2024 06:52 AM
Hello @eei-b ,
Probably in VLAN 505 the device connected to the switch port can listen to some kind of messages sent by a server; it may be multicast packets sent to a link-local 224.0.0.x address or with TTL=1, a subnet broadcast, or even a broadcast.
Try to use a SPAN session and make a packet capture on the port when the port is in access VLAN 505.
You need to understand what happens in this VLAN that does not happen in VLAN 70.
Hope to help
Giuseppe
08-22-2024 07:32 AM
Yes, you are right. In VLAN 70 nothing happens because it is the default rubbish VLAN. In VLAN 505 the host responds to the broadcast packets that it receives.
For security reasons, we can't put the switch port in VLAN 505 directly because it is a hospital with free physical access.
But the provider of the medical equipment has finally found a solution to send packets out, and that resolves my problem.
Thanks to all for your help. Regards
08-22-2024 07:44 AM
That's why I suggested using low-impact mode in the beginning.
Low-impact mode is excellent for silent devices.
Making the medical device send packets can surely solve the issue until the device needs to reauth; then the issue happens again. Let's see if I am right or not.
Anyway, there is one thing I need to point out to you:
Session timeout: N/A <<- this session timeout means the device never reauths, and this for a PC is not good; add a session-timeout in ISE and make it 1800.
MHM
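As an added example (not code from the thread or from Cisco), the script below parses the "sh authentication session int ... det" output posted above and turns the two observations made in this thread into automated findings: a port with no session at all (the silent-device case) and a session whose "Session timeout" is N/A, meaning it will never reauthenticate. It also notes when authorization rests on MAB alone and whether a VLAN and dACL were returned. The sample outputs are constructed from the values shown in the thread; the finding codes and field names below are this example's own choices.

```python
"""Audit 'show authentication sessions interface ... details' output.

Added example for this thread, not the project's or Cisco's code.
Sample outputs are constructed from the values posted in the thread.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: an authorized MAB session (values taken from the thread).
SAMPLE_AUTHORIZED = """\
Interface: GigabitEthernet1/0/2
IIF-ID: 0x173E655A
MAC Address: 00e0.4b83.f071
IPv6 Address: Unknown
IPv4 Address: 10.34.20.28
User-Name: 00-E0-4B-83-F0-71
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: in
Session timeout: N/A
Acct update timeout: 300s (local), Remaining: 284s
Common Session ID: A006220A000000777A022DE8
Current Policy: DOT1X-DEFAULT
Server Policies:
Vlan Group: Vlan: 505
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-57f6b0d3
Method status list:
Method State
mab Authc Success
"""

# Constructed sample: the silent-device case, no session on the port.
SAMPLE_NO_SESSION = "No sessions match supplied criteria.\n"

METHOD_ROW = re.compile(r"^(dot1x|mab|webauth)\s+(Authc\s+\S+)$")


def parse_session(text: str) -> Optional[Dict[str, str]]:
    """Return the session as a dict of 'Field' -> value, or None if no session exists."""
    if "No sessions" in text:
        return None
    session: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            # Rows of the method status list look like "mab Authc Success".
            m = METHOD_ROW.match(line)
            if m:
                methods = session.get("methods", "")
                session["methods"] = (methods + " " + m.group(1)).strip()
                session["method_" + m.group(1)] = m.group(2)
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if not value:
            continue  # section headers such as "Server Policies:"
        session[key.strip()] = value
        # "Vlan Group: Vlan: 505" carries the assigned VLAN after a second colon.
        vm = re.search(r"Vlan:\s*(\d+)", value)
        if key.strip() == "Vlan Group" and vm:
            session["vlan"] = vm.group(1)
    return session


def audit_session(session: Optional[Dict[str, str]]) -> List[str]:
    """Return a list of finding codes (with explanations) for one port's session."""
    findings: List[str] = []
    if session is None:
        findings.append("NO_SESSION: no access-session on the port; a device that never "
                        "transmits cannot trigger MAB, so check for a silent endpoint")
        return findings
    if session.get("Status") != "Authorized":
        findings.append("NOT_AUTHORIZED: status is %s" % session.get("Status"))
    # As noted in the thread, 'Session timeout: N/A' means the session is never reauthenticated.
    if session.get("Session timeout", "N/A") == "N/A":
        findings.append("NO_REAUTH: session timeout is N/A; return a Session-Timeout from ISE")
    methods = session.get("methods", "")
    if "mab" in methods and "dot1x" not in methods:
        findings.append("MAB_ONLY: authorization rests on the MAC address alone")
    if "vlan" not in session:
        findings.append("NO_VLAN: no VLAN assigned by the server")
    if "ACS ACL" not in session:
        findings.append("NO_DACL: no downloadable ACL applied to the session")
    return findings


if __name__ == "__main__":
    for label, sample in (("authorized", SAMPLE_AUTHORIZED), ("silent", SAMPLE_NO_SESSION)):
        print(label, audit_session(parse_session(sample)))
```

Run it against the saved output of the detail command for each access port; a port that returns NO_SESSION while a device is physically connected is the symptom described in the thread, and NO_REAUTH on every session points at the missing Session-Timeout attribute in the ISE authorization profile.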