AP Mab Authentication

jielfu · ‎03-06-2018

HI Expert,

I configured MAB on the switchport which connected to AP(model 3700 and Model 3800), ISE configured as AAA Radius server for authentication. My question as below

1. Switch showed authentication status as Unauth

3750X#show authentication sessions

Interface MAC Address Method Domain Status Fg Session ID
Gi1/0/17 7c0e.ceea.60e4 mab DATA Unauth 0A4FF7EC0000031891F5A5F4
Gi1/0/8 002a.1034.afa8 mab DATA Unauth 0A4FF7EC0000031991F7354C

Session count = 2

2. Both APs configured as static IP, ISE got authentication passed log. but AP can't join WLC as expected and mab authentication status on switch keep Unauthen

May I know the reason or way how to fix this issue.

Thanks

Anthony

Ric Beeching · ‎03-06-2018

Could you paste the output of your AAA config? show run | i aaa|radius

and also the running config of the interface with MAB. Are you running LW mode APs or FlexConnect local switch?

Ric

-----------------------------
Please rate helpful / correct posts

jielfu · ‎03-06-2018

Hi Ric,

Thanks for the responce, please refer to below output, Ap 3700 is running in Local mode, and AP 3800 is running on Flexconnect Mode.

3750X#show run | in aaa| radius
aaa new-model
aaa group server radius WLtest
aaa authentication dot1x default group WLtest
aaa authorization network default group WLtest
aaa accounting dot1x default start-stop group WLtest
aaa session-id common

3750X#show run | be aaa group

aaa group server radius WLtest
server-private 10.79.247.10 key cisco

3750X#show run int gigabitEthernet 1/0/17

interface GigabitEthernet1/0/17

Description to 3700
switchport access vlan 112
switchport mode access
authentication host-mode multi-host
authentication order mab
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
end

3750X#show run int gigabitEthernet 1/0/8

interface GigabitEthernet1/0/8

Description to 3800
switchport access vlan 112
switchport mode access
authentication host-mode multi-host
authentication order mab
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
end

Ric Beeching · ‎03-06-2018

Thanks,

Can you add the following global command (check if it is there first or not):

conf t
dot1x system-auth-control
end

and then also do a debug aaa authentication and post the output as the AP tries to auth. Do you see any auths come through on the RADIUS server?

-----------------------------
Please rate helpful / correct posts

jielfu · ‎03-06-2018

Yes,

Command, dot1x system-auth-control configured in SW already

I attached the screenshot from Radius server, it showed authentication pass

Ric Beeching · ‎03-07-2018

Hm ok so it doesn't look to be an auth issue. Can you ping either of the APs? Can you see the APs discovering the WLC? Please show the outputs of these commands:

show ap join stats summary all

show sysinfo

On the APs, do you see logs of them discovering/trying to join the WLC? How are you helping them to find it, are they in the same subnet or using Option 43?

Thanks,

Ric

-----------------------------
Please rate helpful / correct posts

jielfu · ‎03-07-2018

Thanks,

I removed all of MAB commands line under the interface, then both APs can join WLC accordingly, so i isolate the issue from the wireless part, and focus on MAB.

Anthony

Ric Beeching · ‎03-07-2018

Odd!

Can you debug aaa authentication and aaa authorization as you plug the AP in / bounce the port?

Ric

-----------------------------
Please rate helpful / correct posts

jielfu · ‎03-07-2018

Thanks Ric,

There are few outputs I got below,

3750X#debug aaa authentication

3750X#debug aaa authorization

3750X#clear authentication sessions interface gigabitEthernet 1/0/17
3750X#
Mar 8 01:59:06.725: AAA/AUTHOR: auth_need : user= 'wifiadmin' ruser= '3750X'rem_addr= '10.79.96.123' priv= 15 list= '' AUTHOR-TYPE= 'commands'
Mar 8 01:59:06.851: AAA/AUTHEN/8021X (00000000): Pick method list 'default'
Mar 8 01:59:06.859: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified
Mar 8 01:59:06.867: ERROR: AAA/ATTR: invalid attribute prefix: "ACS"
Mar 8 01:59:06.884: AAA/AUTHOR (0x0): Pick method list 'default'

Anthony

Ric Beeching · ‎03-08-2018

Thanks,

Just comparing to my switch. What software are you running on it? Have you tried a different switch? Can you also try authentication host-mode single-host on the 3700?

Thanks,
Ric

-----------------------------
Please rate helpful / correct posts

jielfu · ‎03-08-2018

Thanks,

SW software version as below,

Well, if all of the command lines we are talking about above working on your switch, I thought it should be software/hardware issue

Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 30 WS-C3750X-24P 15.2(3)E C3750E-UNIVERSALK9-M

Anthony