MAB (or 802.1X) on C4510R+E doesn't start

rwesel
Level 1

We have a Cisco WS-C4510R+E Supervisor 8-E with IOS-XE Version 03.09.00.E and want to assign a VLAN per MAC address. The VLAN info should come from a RADIUS server (FreeRADIUS).

Unfortunately I am stuck at the very beginning.

I have "aaa new-model" and a "radius server radtest ..." configured.

On the interface I activated 802.1x like this:

interface GigabitEthernet1/11
 switchport access vlan 99
 switchport mode access
 access-session port-control auto
 dot1x pae authenticator
 spanning-tree portfast edge
end
(The behaviour is the same with "mab" instead of "dot1x pae authenticator", or with both enabled.)


I started debugging:

debug dot1x all
debug access-session all
debug mab all


These are the messages when I plug in a laptop in Gi1/11:

Nov 29 15:40:05: dot1x-ev:[Gi1/11] Interface state changed to UP
Nov 29 15:40:05: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/11
Nov 29 15:40:05: AUTH-EVENT: [Gi1/11] Link UP
Nov 29 15:40:07: %LINK-3-UPDOWN: Interface GigabitEthernet1/11, changed state to up
Nov 29 15:40:07: AUTH-EVENT: [Gi1/11] Interface state changed to UP
Nov 29 15:40:07: AUTH-EVENT: [Gi1/11] Link UP
Nov 29 15:40:07: AUTH-EVENT: [Gi1/11] Link already UP - ignoring
Nov 29 15:40:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/11, changed state to up


The switch uses the new-style authentication mode, so as I understand it I have to use IBNS 2.0 with a service-policy. I already created one, but it seems to me that not even the MAB/802.1X process starts.

Am I missing something? Some global setting?
Or does our platform or IOS not support this?

Thanks for your help
Stefan

Accepted Solution

Hi

It doesn't look like you are applying your IBNS 2 service policy to any interface, based on the postings above. Below is an excerpt showing an IBNS 2 config for MAB (monitor mode) that I am using OK on 3650s running 03.06.05E.

hth

Andy

PS: use debug radius for monitoring.

aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting update newinfo periodic 5
aaa accounting identity default start-stop group radius
aaa accounting system default start-stop group radius
!
service-template MONITOR_MODE_SERVICE_TEMPLATE
!
dot1x system-auth-control
!
policy-map type control subscriber MONITOR_MODE_MAB_POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 10
 event authentication-failure match-first
  10 class always do-until-failure
   10 terminate mab
   20 authentication-restart 60
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template MONITOR_MODE_SERVICE_TEMPLATE
!
interface GigabitEthernet1/11
 switchport access vlan 99
 switchport mode access
 mab
 access-session port-control auto
 service-policy type control subscriber MONITOR_MODE_MAB_POLICY
!

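As an added example (not code from the thread or from Cisco), a small Python check that mirrors Andy's diagnosis: it parses a running-config and reports, for every port under access-session control, whether an IBNS 2.0 control policy is both defined and applied, plus which of the global prerequisites named in this thread are missing. The function names are mine, and the two sample configs are constructed from the posts above.

```python
# IBNS 2.0 readiness check for an IOS-XE running-config (added example, not from the thread).
import re
GLOBAL_REQUIRED = ("aaa new-model", "dot1x system-auth-control",
                   "aaa authentication dot1x default group radius",
                   "aaa authorization network default group radius")

def parse_config(text):
    """Return (set of global lines, {interface name: [its config lines]})."""
    glob, ifaces, cur = set(), {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line == "!":          # '!' or a blank line ends a block
            cur = None
        elif m := re.match(r"interface (\S+)$", line):
            cur, ifaces[m.group(1)] = m.group(1), []
        elif cur:
            ifaces[cur].append(line)
        else:                                # policy-map bodies land here too
            glob.add(line)
    return glob, ifaces

def audit(text):
    """Map 'global' or an interface name to what it lacks; {} means all good."""
    glob, ifaces = parse_config(text)
    defined = {l.split()[-1] for l in glob if l.startswith("policy-map type control subscriber ")}
    out = {"global": [g for g in GLOBAL_REQUIRED if g not in glob]}
    for name, lines in ifaces.items():
        if "access-session port-control auto" not in lines:
            continue                         # port is not under Auth Manager control
        applied = [l.split()[-1] for l in lines
                   if l.startswith("service-policy type control subscriber ")]
        if not applied:
            out[name] = ["no service-policy type control subscriber applied"]
        elif applied[0] not in defined:
            out[name] = [f"service-policy {applied[0]} has no matching policy-map"]
    return {k: v for k, v in out.items() if v}

# Constructed from the opening post: globals are present, but no control policy is
# applied to the port, so the Auth Manager never starts a MAB/802.1X session.
BEFORE = """aaa new-model
dot1x system-auth-control
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
interface GigabitEthernet1/11
 access-session port-control auto
 dot1x pae authenticator
!"""
# The accepted answer's fix: define a control policy, enable mab, apply the policy.
AFTER = BEFORE.replace("!\ninterface", "policy-map type control subscriber MONITOR_MODE_MAB_POLICY\n!\ninterface") \
              .replace(" dot1x pae authenticator", " mab\n service-policy type control subscriber MONITOR_MODE_MAB_POLICY")
```

Paste the output of `show running-config` into `audit()` to get the same verdict; `audit(BEFORE)` flags Gi1/11 for the missing service-policy and `audit(AFTER)` returns an empty dict.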

8 Replies

Rolf Fischer
Level 9

Stefan,

"Some global setting?"

Have a look at the Enabling 802.1X Authentication section of the c4500 IOS XE 3.9.0E Configuration Guide:

Switch(config)# dot1x system-auth-control
(...)

HTH

Rolf

Rolf,

Thanks for your reply.

But I just forgot to mention that I already did these settings.

As well as:

aaa authentication dot1x default group radius
aaa authorization network default group radius

Any other ideas?

And any ideas how to debug or get detailed information?

I did already:

mab logging verbose
dot1x logging verbose

but there are no helpful messages.

thx

Stefan

Strange!

I always tested with a Linux laptop connecting to my test port. As stated above, it seems the dot1x process doesn't start; I only get:

dot1x-ev:[Gi1/11] Interface state changed to UP
dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/11
AUTH-EVENT: [Gi1/11] Link UP

AUTH-EVENT: [Gi1/11] Link already UP - ignoring

When I connect a Windows laptop, now something is going on:

AUTH-EVENT: [Gi1/11] Link UP
AUTH-EVENT: [0022.XXXX.YYYY, Gi1/11] New LL MAC: 0022.XXXX.YYYY from Switch PI
AUTH-EVENT: [0022.XXXX.YYYY, Gi1/11] Assigned AAA ID 0x00000473
AUTH-EVENT: [0022.XXXX.YYYY, Gi1/11] Allocated new Auth Manager context (handle 0x8A000032)
AUTH-DETAIL: [0022.XXXX.YYYY, Gi1/11] Client 0022.XXXX.YYYY, Initialising Method Session Mgr IPDT Shim state to 'Not run'

...

My goal is to assign a VLAN to the switchport regardless of the connected device (Linux, Windows, other; supplicant or not; ...), depending only on the device's MAC address. To my understanding I have to use MAB, right?

Any ideas how to achieve this?

No ideas?

Can anybody confirm if I can use MAC authentication bypass on my platform at all?

This is my environment:

My hardware is:
cisco WS-C4510R+E (P5040) processor (revision 2)
Sup 8-E 10GE (SFP+), 1000BaseX (SFP)   WS-X45-SUP8-E

My Software is:
IOS-XE Software, Catalyst 4500 L3 Switch  Software (cat4500es8-UNIVERSALK9-M), Version 03.09.00.E RELEASE SOFTWARE (fc1)


"Old" interface commands don't work anymore, e.g.:
switch(config-if)#authentication port-control auto
%Command deprecated (authentication port-control auto ) - use access-session instead

switch(config-if)#authentication event fail action authorize vlan 13
Command deprecated (authentication event fail action authorize vlan 13) - use cpl config


Config mode is new style:
switch#authentication display config-mode
Current configuration mode is new-style

IBNS 2.0 Deployment Guide (from 2013) says:

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/whitepaper_C11-729965.html

Platform Support Matrix: Catalyst 4500E Sup8E + Policy Aware IBNS (New-Style) => No Support

I can't believe it: legacy style doesn't work anymore, new style isn't supported, and this with the highest version of supervisor and the newest IOS???

I hope somebody can clear up my confusion.

thx

Stefan

Hello Andy,

That did the trick.

Now "something is starting": the MAC is detected and a RADIUS message is created.

I just have to investigate the rest of the chain, whether it works for Windows as well as for Linux and maybe also on non-Cisco switches.

Thank you very much

Stefan

You are welcome Stefan. Hope the deployment goes well.

Andy