Authentication result "no-response" of "mab".

Hi all

Another ministry, another problem. Basically, we are trying to set up MAB-based authentication, and if a client MAC is not known, the port must stay closed.

Configuration: WS-C2960-24TC-L with IOS 12.2(55)SE1, authenticating against freeRadius (2.1.10)

Excerpt from the running configuration

aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting network default start-stop group radius
!

dot1x system-auth-control
!
interface GigabitEthernet0/19
switchport mode access
switchport voice vlan 2
authentication event fail retry 0 action authorize vlan 999
authentication event server dead action authorize vlan 1
authentication event no-response action authorize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication port-control auto
authentication violation restrict
mab
spanning-tree portfast
!
radius-server dead-criteria tries 1
radius-server host 10.2.1.33 auth-port 1812 acct-port 1813
radius-server timeout 10
radius-server key 7 xxxxxxx
radius-server vsa send accounting
radius-server vsa send authentication

Now, if I connect a laptop to port Gi0/19, freeRadius sends a reject, but the port still gets authorized into VLAN 1 (we also tried with the data on another VLAN). VLAN 999 does not exist; I also tried this configuration with the authentication events pointing at the other VLAN, but with the same result.

Debug snippet (the full debug log was attached):

001608: 4w1d: AUTH-FEAT-MDA-EVENT (Gi0/19) Black Listed Mac Address 0026.5588.491c on vlan 1
001609: 4w1d: AUTH-FEAT-MDA-EVENT (Gi0/19) Received notification for 0026.5588.491c in domain DATA
001610: 4w1d: AUTH-FEAT-SWITCH-PM-EVENT (Gi0/19) dot1x_switch_mac_address_notify: MAC 0026.5588.491c on GigabitEthernet0/19(1) consumed by MDA. termi
001611: 4w1d: AUTH-FEAT-MDA-EVENT (Gi0/19) Get domain: UNKNOWN
001612: .Mar 11 07:59:19: %AUTHMGR-5-START: Starting 'mab' for client (0026.5588.491c) on Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF
001613: 4w1d: AUTH-FEAT-MDA-EVENT (Gi0/19) Get domain: UNKNOWN
001614: .Mar 11 07:59:20: %MAB-5-FAIL: Authentication failed for client (0026.5588.491c) on Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF
001615: .Mar 11 07:59:20: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0026.5588.491c) on Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF
001616: .Mar 11 07:59:20: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0026.5588.491c) on Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF
001617: .Mar 11 07:59:20: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0026.5588.491c) on Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF
001618: 4w1d: AUTH-FEAT-MDA-EVENT (Gi0/19) Get domain: DATA
001619: 4w1d: AUTH-FEAT-GUEST-VLAN-EVENT (Gi0/19) Authentication failure due to non-responsi
001620: 4w1d: AUTH-FEAT-GUEST-VLAN-EVENT (Gi0/19) Activating guest VLAN 1
001621: 4w1d: AUTH-FEAT-SWITCH-PM-EVENT (Gi0/19) PM Actions: Setting vlan 1 in DATA domain
001622: 4w1d: AUTH-FEAT-SWITCH-PM-EVENT (Gi0/19) Assigning dynamic vlan = 1 on port GigabitEthernet0/19
001623: .Mar 11 07:59:20: %AUTHMGR-5-VLANASSIGN: VLAN 1 assigned to Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF

...

001631: 4w1d: AUTH-FEAT-MDA-EVENT (Gi0/19) Authorizing vp DATA, isLast is 1
001632: 4w1d: AUTH-FEAT-SWITCH-PM-EVENT (Gi0/19) dot1x_switch_port_vp_authorized: GigabitEthernet0/19 vp authorized in domain DATA, isLast i
001633: 4w1d: AUTH-FEAT-VOICE-EVENT (Gi0/19) No transit entry
001634: .Mar 11 07:59:21: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF
001635: 4w1d: AUTH-FEAT-SWITCH-PM-EVENT (Gi0/19) Checking data packet allowed, mac 0026.5588.491c, vlan
001636: 4w1d: AUTH-FEAT-GUEST-VLAN-EVENT (Gi0/19) Overriding host_mode, forcing to MULTI_HOS

...

001827: 4w1d: AUTH-FEAT-MDA-EVENT (Gi0/19) dot1x_switch_mda_dot1x_sub_feature_permits_pkt: Guest VLAN is active and MAC 0026.5588.491c arrived on da
001828: 4w1d: AUTH-FEAT-MDA-EVENT (Gi0/19) dot1x_switch_mda_is_interested_in_mac: Not interested in unsecured 0026.5588.491c(1) on GigabitEthernet0/19
001829: 4w1d: AUTH-FEAT-GUEST-VLAN-EVENT (Gi0/19) Overriding host_mode, forcing to MULTI_HOS

So we have run into a large number of issues and have been unable to find answers on the net that make sense.

Can anyone see what has gone wrong?

Thanks in advance,

Chris Schaatsbergen

Hello

This happens because you have a guest VLAN configured... You can remove the command 'authentication event no-response action authorize vlan 1' to achieve the desired result. The guest VLAN is intended to allow unknown users/MACs onto the network by means of the guest VLAN.

Let me know if it helps

Thank you

Mani

Tags: Cisco Security

Similar Questions

  • 802.1X authentication with RADIUS and Win7 MAB

    Good afternoon!

    I have a question about 802.1X. I've set up a lab in which I have configured MAB authentication together with 802.1X, but I see strange behavior from my network adapter. On the switch (4948E), I see that the user is authenticated and authorized, and I can see these outputs on my switch:

    Apr 21 15:13:30.263: %AUTHMGR-5-START: Starting 'mab' for client (a01d.48ac.b7f5) on Interface Gi1/11 AuditSessionID C0A8DF9C0000002E002F3DAC
    Apr 21 15:13:30.267: %MAB-5-SUCCESS: Authentication successful for client (a01d.48ac.b7f5) on Interface Gi1/11 AuditSessionID C0A8DF9C0000002E002F3DAC
    Apr 21 15:13:30.267: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (a01d.48ac.b7f5) on Interface Gi1/11 AuditSessionID C0A8DF9C0000002E002F3DAC
    Apr 21 15:13:31.299: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (a01d.48ac.b7f5) on Interface Gi1/11 AuditSessionID C0A8DF9C0000002E002F3DAC

    If I type "show authentication sessions", this is the corresponding output.

    Switch#show authentication sessions

    Interface    MAC Address       Method   Domain   Status          Session ID
    Gi1/11       a01d.48ac.b7f5    mab      DATA     Authz Success   C0A8DF9C0000002E002F3DAC

    The thing is that when I check my network adapter, it says "authentication failed". This is what I've done so far:

    1. I restarted my PC: same behavior.

    2. I disabled and re-enabled my network adapter: same behavior.

    3. I rebooted the switch and re-configured it: same behavior.

    4. I tried with another PC configuration: same behavior.

    5. I changed the configuration for "user authentication" using dot1x pae authenticator and it worked.

    This is the configuration I have on my switch:

    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    aaa session-id common

    !

    dot1x system-auth-control

    !

    Switch#show run int gigabitEthernet 1/11
    Building configuration...

    Current configuration: 128 bytes
    !
    interface GigabitEthernet1/11
    description Cx-to-Host
    switchport access vlan 223
    switchport mode access
    authentication port-control auto
    mab
    end

    This is the first time I have set up an 802.1X configuration. Am I doing something wrong?

    I really hope that I am not the only one with this kind of behavior!

    Thank you for any assistance you can give me!

    Status: Authz success

    This means that the port is open. Is this permanent? Keep looking at the show output for a few minutes to see if it tries dot1x too. Can you ping from the PC?

    As 802.1X authentication is enabled in the properties of the PC's network adapter, you can expect the dot1x method to run on the switch and eventually respond to the computer with auth fail. Enabling authentication in the PC's checkbox is not necessary for MAB.

    What type of RADIUS server do you use, and is there an 802.1X policy in addition to the MAB policy?

    IP address: unknown

    This means that the switch did not learn the IP address of the host, probably due to the lack of the

    ip device tracking

    command. But it is not necessary for plain MAB or dot1x.

  • Oracle Discoverer workbook results shared with USER / responsibility (11g)

    Hello

    I need to know whether the result set for a Discoverer workbook is shared with a user or with a responsibility. I don't want to see whether the workbook itself is shared with the user or responsibility, just the result sets.

    I also use the eul5_batch_reports table, but I don't know which column I should join on to get the workbook and the workbook results together.

    Oracle Application EUL (11.5.10.2)
    End user layer 5.1.1.0.0.0
    End user layer Library - 11.1.1.3.0


    I am using the following query, but I'm not able to do the join with the NLY time table.

    SELECT DISTINCT docs.doc_name, priv.ap_type, gd_doc_id, gp_app_id, ap_eu_id, ebrpt.br_id, ebrpt.br_name,
           fnd.responsibility_name,
           DECODE (usr.eu_role_flag, 0, 'user', 1, 'role') user_role,
           usr.eu_username,
           CASE
             WHEN INSTR (usr.eu_username, '#') = 0 THEN
               usr.eu_username
             WHEN INSTR (usr.eu_username, '#') > 0
                  AND INSTR (usr.eu_username, '#', 2) = 0 THEN
               (SELECT fu.user_name
                  FROM fnd_user fu
                 WHERE fu.user_id = SUBSTR (usr.eu_username, 2, 5))
             ELSE
               (SELECT resp.responsibility_name
                  FROM fnd_responsibility_tl resp
                 WHERE resp.responsibility_id = SUBSTR (usr.eu_username, 2, 5)
                   AND language = 'En')
           END AS "user name / responsibility"
      FROM eul5_documents docs,
           eul5_access_privs priv,
           eul5_eul_users usr,
           fnd_responsibility_tl fnd,
           eul5_batch_reports ebrpt
     WHERE docs.doc_id = priv.gd_doc_id (+)
       AND priv.ap_eu_id = usr.eu_id (+)
       AND usr.eu_username = '#' || fnd.responsibility_id (+) || '#' || fnd.application_id (+)
       AND priv.ap_type = 'GD'
       AND docs.doc_name LIKE '%XXTEST%'
       AND ebrpt.br_name = docs.doc_name
       AND docs.doc_eu_id = ebrpt.br_eu_id

    Any help appreciated.
    Ed

    Hello
    Try this.

    SELECT DISTINCT docs.doc_name, ebrpt.br_name,
           fnd.responsibility_name,
           DECODE (usr.eu_role_flag, 0, 'user', 1, 'role') user_role,
           usr.eu_username,
           CASE
             WHEN INSTR (usr.eu_username, '#') = 0 THEN
               usr.eu_username
             WHEN INSTR (usr.eu_username, '#') > 0
                  AND INSTR (usr.eu_username, '#', 2) = 0 THEN
               (SELECT fu.user_name
                  FROM fnd_user fu
                 WHERE fu.user_id = SUBSTR (usr.eu_username, 2, 5))
             ELSE
               (SELECT resp.responsibility_name
                  FROM fnd_responsibility_tl resp
                 WHERE resp.responsibility_id = SUBSTR (usr.eu_username, 2, 5)
                   AND language = 'En')
           END AS "user name / responsibility"
      FROM euldiscadmin_us.eul5_documents docs,
           euldiscadmin_us.eul5_access_privs priv,
           euldiscadmin_us.eul5_eul_users usr,
           fnd_responsibility_tl fnd,
           euldiscadmin_us.eul5_batch_reports ebrpt
     WHERE docs.doc_id = priv.gd_doc_id (+)
       AND priv.ap_eu_id = usr.eu_id (+)
       AND usr.eu_username = '#' || fnd.responsibility_id (+) || '#' || fnd.application_id (+)
       AND priv.ap_type = 'GD'
       AND ebrpt.br_name = docs.doc_name
       AND docs.doc_eu_id = ebrpt.br_eu_id
       AND docs.doc_batch = 1
       AND EXISTS (SELECT 'X'
                     FROM euldiscadmin_us.eul5_br_runs brrun
                    WHERE brrun.brr_br_id = ebrpt.br_id)

    See you soon
    Asim

  • Session variable does not give results in Answers

    Hello

    I have a session initialization block and I assign the target to a variable called region_info. My SQL is this: "select region from user_info_table where UPPER(USER_ID) = UPPER(':USER')". It gives me the correct results in the RPD.

    In Answers, in the filter, I say region is equal to / is in NQ_SESSION.Region_info. Up to this point it works fine.

    How do I change this to more than one row? I tried row-wise initialization and I am getting an error saying NQ_SESSION.Region_info has no value definition. How can I make it work if the initialization block returns multiple rows and, in Answers, I have them both in my filter?

    Help, please. Thank you.

    SSK,

    No, it will not work you cannot use meets fx

    http://download.Oracle.com/docs/CD/E12096_01/books/AdminTool/admintool_Variables5.html

    http://108obiee.blogspot.com/2009/10/using-multiple-values-row-wise-session.html

    Thank you
    Saichand.v

  • Filtering results in Answers for set operations

    Hello

    I've created a report combining results using set operations. I added the same filter field to each select included in the combined result. Then I created a dashboard page prompt to create a filter for this report. But the results are not filtered. Other requests on the same page are filtered, so the filter works in general.
    My question is: is it possible to filter the combined result?

    Published by: scanbix on January 25, 2010 07:08

    Hello
    Each 'combined request' filter should filter without problems. I'm guessing you are referring to filtering the complete/final result set, but you may notice that you do not have access to the columns of the outer query/wrapper definition in the criteria tab to add filters or "is prompted" on all columns.

    Just checked on my example and you're right in your findings: the view filter returns "request has no filters" even when my dashboard prompts are clearly altering the data returned by each part of the union.

  • Authentication result 'no-response'

    Hi, I have a simple MDA config:

    interface FastEthernet0/4
    switchport access vlan 84
    switchport mode access
    switchport voice vlan 70
    ip access-group default_acl in
    authentication host-mode multi-auth
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 3
    dot1x max-reauth-req 3
    storm-control broadcast level 5.00
    storm-control action shutdown
    spanning-tree portfast
    spanning-tree bpduguard enable

    When I connect ONLY a PHONE to this port, it authenticates successfully through MAB; when I connect only a PC, it authenticates successfully through dot1x; but when I connect the PC through the PHONE, the phone authenticates successfully but the PC does not. In my ISE server log I see only MAB attempts for the PC, no dot1x attempt.

    ARHIV-ROOM36(config-if)#
    Jan 29 12:08:04.380: %LINK-5-CHANGED: Interface FastEthernet0/4, changed state to administratively down
    Jan 29 12:08:05.387: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to down
    ARHIV-ROOM36(config-if)#exi
    ARHIV-ROOM36(config)#exi
    Jan 29 12:08:06.536: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to
    Jan 29 12:08:07.543: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to
    ARHIV-ROOM36(config)#exi
    ARHIV-ROOM36#
    Jan 29 12:08:08.021: %SYS-5-CONFIG_I: Configured from console by ask on vty0 (10.110.11.253)
    ARHIV-ROOM36#
    Jan 29 12:08:09.170: %AUTHMGR-5-START: Starting 'dot1x' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
    Jan 29 12:08:10.076: %AUTHMGR-5-START: Starting 'dot1x' for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSessionID 0A6E0A0400000078A11BF97A
    ARHIV-ROOM36#
    Jan 29 12:08:18.591: %DOT1X-5-FAIL: Authentication failed for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID
    Jan 29 12:08:18.591: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
    Jan 29 12:08:18.591: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
    Jan 29 12:08:18.591: %AUTHMGR-5-START: Starting 'mab' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
    Jan 29 12:08:18.608: %MAB-5-FAIL: Authentication failed for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
    Jan 29 12:08:18.608: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
    Jan 29 12:08:18.608: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
    Jan 29 12:08:18.608: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
    ARHIV-ROOM36#
    Jan 29 12:08:18.608: %AUTHMGR-5-FAIL: Authorization failed for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
    ARHIV-ROOM36#
    Jan 29 12:08:21.678: %DOT1X-5-FAIL: Authentication failed for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSessionID
    Jan 29 12:08:21.678: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSessionID 0A6E0A0400000078A11BF97A
    Jan 29 12:08:21.678: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSessionID 0A6E0A0400000078A11BF97A
    Jan 29 12:08:21.678: %AUTHMGR-5-START: Starting 'mab' for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSessionID 0A6E0A0400000078A11BF97A
    Jan 29 12:08:21.728: %MAB-5-SUCCESS: Authentication successful for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSessionID 0A6E0A0400000078A11BF97A
    ARHIV-ROOM36#
    Jan 29 12:08:21.728: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSessionID 0A6E0A0400000078A11BF97A
    ARHIV-ROOM36#
    Jan 29 12:08:22.718: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (ccef.485c.f4b9) on Interface Fa0/4 AuditSessionID 0A6E0A0400000078A11BF97A
    ARHIV-ROOM36#
    Jan 29 12:09:19.334: %AUTHMGR-5-START: Starting 'dot1x' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
    ARHIV-ROOM36#
    Jan 29 12:09:31.850: %DOT1X-5-FAIL: Authentication failed for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID
    Jan 29 12:09:31.850: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
    Jan 29 12:09:31.850: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
    Jan 29 12:09:31.850: %AUTHMGR-5-START: Starting 'mab' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
    Jan 29 12:09:31.866: %MAB-5-FAIL: Authentication failed for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
    Jan 29 12:09:31.866: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
    Jan 29 12:09:31.866: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
    Jan 29 12:09:31.866: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
    ARHIV-ROOM36#
    Jan 29 12:09:31.866: %AUTHMGR-5-FAIL: Authorization failed for client (0023.8b84.fa32) on Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81

    ARHIV-ROOM36#sh run | i aaa
    aaa new-model
    aaa authentication login default local
    aaa authentication enable default
    aaa authentication dot1x default group radius
    aaa authorization exec default local
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    aaa session-id common

    ARHIV-ROOM36#sh run | i radius
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    radius-server host 10.5.45.128 auth-port 1812 acct-port 1813 key 7 xxxx
    radius-server vsa send accounting
    radius-server vsa send authentication

    It seems the phone was not passing 802.1X traffic, as the switch was getting no response to its requests. It is very interesting and good to know. Good job on finding a solution and sharing it back!

    You should probably mark the thread as answered.

  • dot1x authentication: some problem

    Hello

    We have a problem with dot1x authentication.

    When I enter the dot1x configuration on the interface, the interface goes into err-disable state while authenticating the user.

    Here is the interface configuration:
    interface FastEthernet0/45
    switchport access vlan 21
    switchport mode access
    authentication host-mode multi-auth
    authentication port-control auto
    mab eap
    dot1x pae both
    dot1x timeout quiet-period 3
    dot1x timeout tx-period 5
    spanning-tree portfast

    And here is the switch's authentication failure log:

    Jun 4 16:52:16.381: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
    Jun 4 16:52:16.381: %AUTHMGR-5-START: Starting 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
    Jun 4 16:52:16.423: %MAB-5-FAIL: Authentication failed for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
    Jun 4 16:52:16.423: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
    Jun 4 16:52:16.423: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
    Jun 4 16:52:16.423: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
    Jun 4 16:52:16.423: %AUTHMGR-5-FAIL: Authorization failed for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
    Jun 4 16:53:17.165: %AUTHMGR-5-START: Starting 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
    Jun 4 16:53:21.376: %DOT1X-5-SUCCESS: Authentication successful for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID
    Jun 4 16:53:21.376: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (2c41.380f.f187) on Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
    Jun 4 16:53:21.376: %DOT1X_SWITCH-5-ERR_ADDING_ADDRESS: Unable to add address 2c41.380f.f187 on Fa0/45 AuditSessionID 0A51F11D000000266273D33D
    Jun 4 16:53:21.376: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/45, new MAC address (2c41.380f.f187) is seen. AuditSessionID 0A51F11D000000266273D33D
    Jun 4 16:53:21.376: %PM-4-ERR_DISABLE: security-violation error detected on Fa0/45, putting Fa0/45 in err-disable state
    Jun 4 16:53:22.400: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/45, changed state to down

    Looks like your scenario matches a known defect:

    CSCti69845 - Violation occurred after successful auth in multi-auth mode

    Workaround:

    Configure a voice VLAN on the multi-auth port (or)

    Addressed / fixed in 12.2(55)SE01

    Jatin kone
    -Do rate helpful posts-

  • Dot1x question: MAB authentication never fails or times out

    Hello

    I have a problem where the switch tries to authenticate a device with MAB and it never fails or times out.

    Here's the situation: a device has 802.1X authentication active but with invalid parameters (or a missing certificate).

    The switch will start dot1x for the client and it will fail (a). It will then switch from dot1x to MAB and... silence.

    I use a WS-C2960-24LT-L with IOS 15.0(2)SE.

    Config:

     interface FastEthernet0/16
     switchport access vlan 155
     switchport mode access
     authentication event fail action authorize vlan 550
     authentication event server dead action authorize vlan 550
     authentication event no-response action authorize vlan 550
     authentication port-control auto
     mab
     dot1x pae authenticator
     dot1x timeout quiet-period 3
     dot1x timeout tx-period 1
     spanning-tree portfast
     spanning-tree bpduguard enable
     end

    Logs:

     Dec 4 17:34:51.064 GMT: %LINK-3-UPDOWN: Interface FastEthernet0/16, changed state to up
     Dec 4 17:34:51.147 GMT: %AUTHMGR-5-START: Starting 'dot1x' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
     Dec 4 17:34:52.070 GMT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/16, changed state to up
     Dec 4 17:34:54.234 GMT: %DOT1X-5-FAIL: Authentication failed for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
     Dec 4 17:34:54.234 GMT: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
     Dec 4 17:34:57.321 GMT: %DOT1X-5-FAIL: Authentication failed for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
     Dec 4 17:34:57.321 GMT: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B
     Dec 4 17:35:00.601 GMT: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001197AA21094
     Dec 4 17:35:00.601 GMT: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001197AA21094
     Dec 4 17:35:00.601 GMT: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001197AA21094

    sh auth sess int fa0/16

     Interface:  FastEthernet0/16
     MAC Address:  Unknown
     IP Address:  Unknown
     Status:  Running
     Domain:  UNKNOWN
     Oper host mode:  single-host
     Oper control dir:  both
     Session timeout:  N/A
     Idle timeout:  N/A
     Common Session ID:  0A011246000001197AA21094
     Acct Session ID:  0x00000380
     Handle:  0x1700011A

     Runnable methods list:
     Method   State
     dot1x    Failed over
     mab      Running

    You can see above that MAB is still running, but this device is not listed in the local identity store sequence or anywhere else. If I run the command 'no mab', the switch reports that no more methods are available, and nothing more.

     Interface    MAC Address    Method   Domain    Status        Session ID
     Fa0/16       (unknown)      N/A      UNKNOWN   No Methods    0A011246000001197AA21094

    However, when I remove the mab command and reset the port, it eventually fails on dot1x and moves to the restricted VLAN.

    Is this the default behavior by design, or a drop between the switch and the ACS authentication? Should I just use MAB only where it is needed?

    Thank you in advance.

    On your interface configuration, I would normally expect to see flex auth enabled, thus:

     authentication priority dot1x mab
     authentication order dot1x mab
     authentication event fail action next-method

  • 802.1X port authentication does not work

    I'm having trouble figuring out what is happening here. I'm trying to configure 802.1X port-based authentication to assign clients to a VLAN. I inherited this mess and it has been a long time since I used it. I ran Wireshark on my RADIUS server and I see no packets at all from my switch's IP address when I plug into a port (I checked communication, because pings do show up in my trace).

    Here's the info:

    SW-ConfB>sho ver

    Cisco IOS Software, C2960C Software (C2960c405-UNIVERSALK9-M), Version 12.2(55)EX3, RELEASE SOFTWARE (fc2)

    Port config:

    interface FastEthernet0/11
    switchport mode access
    authentication event fail action authorize vlan 900
    authentication event no-response action authorize vlan 900
    authentication port-control auto
    dot1x pae authenticator
    dot1x timeout tx-period 5

    The RADIUS server info:

    radius-server host 10.0.1.52 auth-port 1645 acct-port 1646 key 802.1x
    !

    A little confused as to why no RADIUS packet comes from the switch at all. Any tips?

    According to the debug, it seems that the supplicant connected on the switch port does not support dot1x, and MAB is not configured on the switchport, so there is no method left to try and you got the guest VLAN.

    Mar 3 04:37:47.963: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (d4be.d907.9637) on Interface Fa0/11 AuditSessionID 0A000103000000090B4AD0F6
    Mar 3 04:37:47.963: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (d4be.d907.9637) on Interface Fa0/11 AuditSessionID 0A000103000000090B4AD0F6
    Mar 3 04:37:47.963: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client

    At this point, RADIUS has not even come into the picture. Please make sure that the end client is configured correctly for the dot1x parameters.

    Kind regards

    Jatin kone

    * Please rate useful messages *

  • 802.1x Catalyst 3560 multidomain with Nortel IP phone NTDU92

    Hi all!

    I have a Catalyst 3560 with IOS 12.2(55)SE5.

    I need to allow a PC and an IP phone on this port. Data VLAN 212, voice VLAN 500, and VLAN 111 is the unauthorized VLAN with 256 Kbps Internet and no local resources. The IP phone is allowed by MAB.

    #sh mac address-table interface fastEthernet 0/2

     212    001a.4b7b.0394    STATIC    Fa0/2
     500    001b.bafb.7c1c    STATIC    Drop

    #sh running-config interface fastEthernet 0/2

    interface FastEthernet0/2
     switchport access vlan 212
     switchport mode access
     switchport voice vlan 500
     authentication event fail action authorize vlan 111
     authentication event no-response action authorize vlan 111
     authentication host-mode multi-domain
     authentication port-control auto
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout quiet-period 5
     dot1x timeout server-timeout 5
     dot1x timeout tx-period 10
     dot1x timeout supp-timeout 3
     dot1x max-reauth-req 3
     storm-control broadcast level 7.00 3.00
     storm-control multicast level 15.00 10.00
     storm-control action shutdown
     no cdp enable
     spanning-tree portfast
     spanning-tree guard root
    end

    #sh logging

    Jul 29 11:11:03: %DOT1X-5-FAIL: Authentication failed for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID
    Jul 29 11:11:03: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
    Jul 29 11:11:03: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
    Jul 29 11:11:03: %AUTHMGR-5-START: Starting 'mab' for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
    Jul 29 11:11:03: %MAB-5-SUCCESS: Authentication successful for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
    Jul 29 11:11:03: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
    Jul 29 11:11:03: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/2, new MAC address (001b.bafb.7c1c) is seen. AuditSessionID 0A32FF150000006025C481C2
    Jul 29 11:11:03: %AUTHMGR-5-MACREPLACE: (001a.4b7b.0394) MAC address on Interface FastEthernet0/2 is replaced by MAC (001b.bafb.7c1c) AuditSessionID 0A32FF150000005F25C42541
    Jul 29 11:11:04: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
    Jul 29 11:11:06: %AUTHMGR-5-START: Starting 'dot1x' for client (001a.4b7b.0394) on Interface Fa0/2 AuditSessionID 0A32FF150000006125C52D87
    Jul 29 11:11:06: %DOT1X-5-SUCCESS: Authentication successful for client (001a.4b7b.0394) on Interface Fa0/2 AuditSessionID
    Jul 29 11:11:06: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (001a.4b7b.0394) on Interface Fa0/2 AuditSessionID 0A32FF150000006125C52D87
    Jul 29 11:11:06: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/2, new MAC address (001a.4b7b.0394) is seen. AuditSessionID 0A32FF150000006125C52D87
    Jul 29 11:11:06: %AUTHMGR-5-MACREPLACE: (001b.bafb.7c1c) MAC address on Interface FastEthernet0/2 is replaced by MAC (001a.4b7b.0394) AuditSessionID 0A32FF150000006025C481C2
    Jul 29 11:11:07: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001a.4b7b.0394) on Interface Fa0/2 AuditSessionID 0A32FF150000006125C52D87

    What is necessary for the PC and the IP phone to work together at the same time?
    Thanks for your help.

    Multi-domain means that one device is in the DATA domain and the other, the IP phone, is in the VOICE domain. Does your ISE box send the correct authorization for the IP phone, i.e. for the VOICE domain?

    Without this working, you'll just have 2 devices supported in the same data domain, which is not what you want.

  • MAB authentication fails on multi-domain port: authentication result "server dead"

    Hi all

    First of all, I have little experience with configuring Cisco switches (about half a year now), but I have read loads and loads of documentation.

    I am trying to configure multi-domain authentication (MDA) on our Cisco switches using MAB and ran into something strange. Currently, only MAB is requested by my employer.

    Switch = 3560G-48, IOS version 12.2(55)SE1

    RADIUS = FreeRADIUS (version 2.1.10)

    http://www.Cisco.com/en/us/docs/switches/LAN/catalyst3560/software/release/12.2_55_se/configuration/guide/swiosfs.html is my bible

    On port Gi0/29 a Cisco 7961 IP phone is connected, and a laptop is connected to the phone.

    The switch configuration:

    aaa new-model
    !
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting delay-start
    aaa accounting dot1x default start-stop group radius
    aaa accounting network default start-stop group radius
    !

    interface GigabitEthernet0/29
     description 235a
     switchport access vlan 4
     switchport mode access
     switchport voice vlan 2
     load-interval 30
     srr-queue bandwidth share 10 10 60 20
     queue-set 2
     priority-queue out
     authentication event fail retry 0 action authorize vlan 7
     authentication event server dead action authorize vlan 4
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication port-control auto
     authentication violation restrict
     mab
     auto qos voip cisco-phone
     spanning-tree portfast
     service-policy input AutoQoS-Police-CiscoPhone
    !

    radius-server dead-criteria time 5 tries 5
    radius-server host 10.1.1.24 auth-port 1812 acct-port 1813
    radius-server key 7 xxx
    radius-server vsa send accounting
    radius-server vsa send authentication

    RADIUS response (for the full reply see the attached RADIUS-response.txt):

    Sending Access-Accept of id 98 to 10.1.1.207 port 1645
    Cisco-AVPair = "Tunnel-Type=VLAN"
    Cisco-AVPair = "Tunnel-Medium-Type=802"
    Cisco-AVPair = "Tunnel-Private-Group-ID=7"
    Cisco-AVPair = "Tunnel-Preference

    So that is an Access-Accept with a data VLAN assignment.

    Debugging on the switch :

    001776: *Mar  1 09:27:35.606: mab-ev(Gi0/29): Received MAB context create from AuthMgr
    001777: *Mar  1 09:27:35.606: mab-ev(Gi0/29): MAB authorizing MACAddress
    001778: *Mar  1 09:27:35.606: mab-ev(Gi0/29): Created MAB client context 0x2200000F
    001779: *Mar  1 09:27:35.606: mab : initial state mab_initialize has enter
    001780: *Mar  1 09:27:35.606: mab-ev(Gi0/29): Sent create new context event to EAP for 0x2200000F (MACAddress)
    001781: *Mar  1 10:27:35.606 CET: %AUTHMGR-5-START: Starting 'mab' for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
    001782: *Mar  1 09:27:35.606: mab-sm(Gi0/29): Received event 'MAB_CONTINUE' on handle 0x2200000F
    001783: *Mar  1 09:27:35.606: mab : during state mab_initialize, got event 1(mabContinue)
    001784: *Mar  1 09:27:35.606: @@@ mab : mab_initialize -> mab_authorizing
    001785: *Mar  1 09:27:35.606: mab-ev(Gi0/29): Starting MAC-AUTH-BYPASS for 0x2200000F (MACAddress)
    001786: *Mar  1 09:27:35.614: mab-ev(Gi0/29): MAB received an Access-Reject for 0x2200000F (MACAddress)
    001787: *Mar  1 10:27:35.622 CET: %MAB-5-FAIL: Authentication failed for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
    001788: *Mar  1 09:27:35.622: mab-sm(Gi0/29): Received event 'MAB_RESULT' on handle 0x2200000F
    001789: *Mar  1 09:27:35.622: mab : during state mab_authorizing, got event 5(mabResult)
    001790: *Mar  1 09:27:35.622: @@@ mab : mab_authorizing -> mab_terminate
    001791: *Mar  1 09:27:35.622: mab-ev(Gi0/29): Removed credentials profile for 0x2200000F (dot1x_mac_auth_MACAddress)
    001792: *Mar  1 09:27:35.622: mab-ev(Gi0/29): Sending event (2) to AuthMgr for MACAddress
    001793: *Mar  1 10:27:35.622 CET: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
    001794: *Mar  1 10:27:35.622 CET: %AUTHMGR-5-VLANASSIGN: VLAN 4 assigned to Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
    001795: *Mar  1 10:27:36.512 CET: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC

    So RADIUS returns an Access-Accept, but the switch treats it as an Access-Reject and considers the RADIUS server dead.

    Help would be appreciated!

    Chris

    Hi Chris,

    In response to your last post, dynamic VLAN assignment can be achieved with the IETF RADIUS attributes according to this link:
    http://Tools.Cisco.com/Squish/d1791

    or using the cisco-av-pair according to this link:
    http://Tools.Cisco.com/Squish/8Bd61

    As for FreeRADIUS and cisco-av-pairs: please enable the following debugs on the switch and reproduce the problem with a client authentication attempt:
    debug radius
    debug authentication all
    debug authentication feature all

    After the client authentication event, also take the following output from the switch:
    show authentication sessions interface <interface>

    I have come across problems regarding the case of the cisco-av-pair. For example, VLAN assignment works using the case-sensitive lowercase 'tunnel-private-group-id(#81)=vlanid' instead of 'tunnel-private-group-ID(#81)=vlanid'.

    When testing with 'tunnel-private-group-ID(#81)=vlanid', I get an error:

    RADIUS/DECODE: parse cisco unknown vsa 'tunnel-private-group-ID' - FAIL

    So the 2nd link, with these changes:
    cisco-avpair = "tunnel-type(#64)=VLAN(13)"
    cisco-avpair = "tunnel-medium-type(#65)=802 media(6)"
    cisco-avpair = "tunnel-private-group-id(#81)=vlanid"

    If you still have a question, please include the debug/show output above, which will shed light on the problem.

    Thank you
    Alex

  • MAB Cisco phone successfully authenticated, VLANASSIGN assigned, and then authorization failed?

    I'm getting strange behavior with a Catalyst switch and 802.1x. I use multi-auth, with a PC and a Cisco phone patched in. The two devices authenticate correctly, but only the PC is authorized according to the switch logs.

    Switch terminal logs:

    Apr  7 09:27:37.836 EDT: %AUTHMGR-5-START: Starting 'mab' for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09
    Apr  7 09:27:37.945 EDT: %MAB-5-SUCCESS: Authentication successful for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09
    Apr  7 09:27:37.945 EDT: %AUTHMGR-5-VLANASSIGN: VLAN 100 assigned to Interface Fa0/1 AuditSessionID Unassigned
    Apr  7 09:27:37.970 EDT: %AUTHMGR-5-FAIL: Authorization failed for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09
    Apr  7 09:27:39.295 EDT: %AUTHMGR-5-START: Starting 'dot1x' for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082
    Apr  7 09:27:43.775 EDT: %DOT1X-5-SUCCESS: Authentication successful for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID
    Apr  7 09:27:43.783 EDT: %AUTHMGR-5-VLANASSIGN: VLAN 212 assigned to Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082
    Apr  7 09:27:45.570 EDT: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082

    Switch config:

    aaa authentication dot1x default group RADIUS-DOT1X
    aaa authorization network default group radius
    ip radius source-interface Loopback0
    radius-server vsa send accounting
    radius-server vsa send authentication
    dot1x system-auth-control
    dot1x guest-vlan supplicant

    Interface configuration:

    interface FastEthernet0/1
     switchport mode access
     srr-queue bandwidth share 10 10 60 20
     priority-queue out
     authentication event fail action next-method
     authentication event server dead action authorize voice
     authentication event no-response action authorize vlan 999
     authentication host-mode multi-auth
     authentication order dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation protect
     mab
     mls qos trust cos
     auto qos voip trust
     dot1x pae authenticator
     no mdix auto
     spanning-tree portfast

    NPS Windows Server policy:


    Hello Jim,

    Try using host-mode multi-domain instead of multi-auth.

    Kind regards

    Poonam Garg

  • First successful authorization by ISE and then failure (MAB)

    Hello

    ISE 1.1.1 and a 3650 switch running 12.2(55)SE6.

    I have a client (computer) that needs to be authenticated with MAB, and then the switch port must be assigned a dACL and VLAN 90. I get

    'Authorization successful', but directly after that it fails and I cannot understand why. ISE shows only the successful authentication under "Authentications Live".

    As you can see in the log below, 802.1x fails, as it should, then MAB passes, the VLAN is assigned, and then it fails:

    0002SWC002(config)#int fa0/13
    0002SWC002(config-if)#shut
    0002SWC002(config-if)#
    Jan  7 13:26:59.640: %LINK-5-CHANGED: Interface FastEthernet0/13, changed state to administratively down
    Jan  7 13:27:00.647: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to down
    0002SWC002(config-if)#no shut
    0002SWC002(config-if)#
    Jan  7 13:27:19.689: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to down
    Jan  7 13:27:22.063: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to
    Jan  7 13:27:22.776: %AUTHMGR-5-START: Starting 'dot1x' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
    Jan  7 13:27:23.070: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to
    Jan  7 13:27:51.054: %DOT1X-5-FAIL: Authentication failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID
    Jan  7 13:27:51.054: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
    Jan  7 13:27:51.054: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
    Jan  7 13:27:51.054: %AUTHMGR-5-START: Starting 'mab' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
    Jan  7 13:27:51.088: %MAB-5-SUCCESS: Authentication successful for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
    Jan  7 13:27:51.088: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
    Jan  7 13:27:51.088: %AUTHMGR-5-VLANASSIGN: VLAN 90 assigned to Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
    Jan  7 13:27:51.096: %EMP-6-POLICY_REQ: IP 0.0.0.0 | MAC f04d.a223.8f43 | AuditSessionID 0A0005FC00000020D7C192D1 | AUTHTYPE DOT1X | EVENT APPLY
    Jan  7 13:27:51.096: %EMP-6-IPEVENT: IP 0.0.0.0 | MAC f04d.a223.8f43 | AuditSessionID 0A0005FC00000020D7C192D1 | AUTHTYPE DOT1X | EVENT IP-WAIT
    Jan  7 13:27:51.255: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
    Jan  7 13:27:52.027: %EMP-6-IPEVENT: IP 10.90.5.1 | MAC f04d.a223.8f43 | AuditSessionID 0A0005FC00000020D7C192D1 | AUTHTYPE DOT1X | EVENT IP-ASSIGNMENT Replacing duplicate ACE entry for host 10.90.5.1
    Jan  7 13:27:52.036: %AUTHMGR-5-FAIL: Authorization failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
    Jan  7 13:27:52.036: %EMP-6-POLICY_REQ: IP 10.90.5.1 | MAC f04d.a223.8f43 | AuditSessionID 0A0005FC00000020D7C192D1 | AUTHTYPE DOT1X | EVENT REMOVE

    After that the process starts all over again.

    This is the switch port configuration:

    interface FastEthernet0/13
     description data/VoIP
     switchport mode access
     switchport voice vlan 20
     switchport port-security
     switchport port-security violation restrict
     ip access-group ACL-LEAVE in
     srr-queue bandwidth share 1 70 25 5
     srr-queue bandwidth shape 3 0 0 0
     priority-queue out
     authentication event fail action next-method
     authentication event server dead action authorize voice
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     mab
     snmp trap mac-notification change added
     no snmp trap link-status
     dot1x pae authenticator
     dot1x timeout tx-period 10
     storm-control broadcast level 2.00 1.00
     storm-control multicast level 2.00 1.00
     storm-control action shutdown
     storm-control action trap
     spanning-tree portfast
     service-policy input ax-qos_butnet
     ip dhcp snooping limit rate 5
    end

    Is there a problem with the client (computer) or ISE/switch?

    No problem Phillip,

    Ultimately you want to leave the source entries in the dACL set to 'any', because the switch will replace those with the source IP address that it learns from IP device tracking.

    Thank you

    Tarik Admani
    * Please rate useful messages *

  • MAB with Cisco Phone - authorization failed

    Hello everyone,

    I use MAB to authenticate clients and Cisco IP phones against a Microsoft NPS RADIUS server. Everything works perfectly, except for 1 Cisco phone. The phone authenticates successfully, but authorization fails. The switch port has the following configuration.

     switchport access vlan 500
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 92
     no logging event link-status
     srr-queue bandwidth share 1 30 35 5
     priority-queue out
     authentication control-direction in
     authentication event server dead action authorize voice
     authentication host-mode multi-domain
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate 10800
     authentication timer inactivity 1800
     mab
     no snmp trap link-status
     mls qos trust device cisco-phone
     mls qos trust cos
     macro description mab
     auto qos voip cisco-phone
     storm-control broadcast level 5.00
     storm-control action shutdown
     spanning-tree portfast
     spanning-tree bpduguard enable
     service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY

    I get the following RADIUS logging from the client authentication process.

    May  7 15:24:53.349: RADIUS:   4D 8F 05 AB 00 00 01 37 00 01 02 00 0A 19 0A 84 00 00 00 00 00 00 00 00 00 00 00 00 01 CE 47 DF 2A A4 B3 70 00 00 00 00 00 00 5F 79           [ M7G*p_y]
    May  7 15:24:53.349: RADIUS:  Vendor, Cisco       [26]  34
    May  7 15:24:53.349: RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
    May  7 15:24:53.358: RADIUS(00002749): Received from id 1645/128
    May  7 15:24:53.366: %MAB-5-SUCCESS: Authentication successful for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
    May  7 15:24:53.374: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
    SER-02-SW01#clear authentication
    May  7 15:24:53.383: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13

    I checked online, and blogs and forums suggest checking the use of downloadable access lists, but they are not used on the switch. As mentioned, all Cisco IP phones work perfectly, except this one. I have already removed the Active Directory object and created a new object from scratch, with the same result. I also tried another port on the switch, and still got an authorization failure.

    Currently, I don't know where to look further, so maybe some of you can help me!

    Thanks for the update, René. I had suggested disabling and re-enabling dot1x globally to see where it got stuck. However, it seems that idea did not work out. I would appreciate it if you mark it resolved so that someone else can benefit from it.

    You're welcome

    Good day!

    Jatin kone

    - Please rate useful messages -
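    The AUTHMGR sequences quoted in the threads above (dot1x 'no-response' with every method exhausted, MAB success followed by an authorization failure, and a fully authorized client) can be triaged automatically from a syslog export. The script below is an added example, not code from any post on this page; its sample log lines are constructed from the messages quoted above, and pairing a MAC-less VLANASSIGN line with the last client seen on the same interface is an assumption made for this example.

```python
import re
from collections import defaultdict

# Fields of the AUTHMGR / MAB / DOT1X syslog lines quoted in these threads.
MSG_RE = re.compile(r"%(?P<msg>(?:AUTHMGR|MAB|DOT1X)-\d-[A-Z_]+):")
MAC_RE = re.compile(r"client \((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\)")
INTF_RE = re.compile(r"[Ii]nterface (?P<intf>[\w/.]+)")
VLAN_RE = re.compile(r"VLAN (?P<vlan>\d+) assigned")
RESULT_RE = re.compile(r"result '(?P<result>[^']+)' from '(?P<method>[^']+)'")

# Constructed sample in the format of the switch logs quoted on this page.
SAMPLE_LOG = """\
*Mar  3 04:37:47.963: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (d4be.d907.9637) on Interface Fa0/11 AuditSessionID 0A000103000000090B4AD0F6
*Mar  3 04:37:47.963: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (d4be.d907.9637) on Interface Fa0/11 AuditSessionID 0A000103000000090B4AD0F6
*Mar  3 04:37:47.963: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (d4be.d907.9637) on Interface Fa0/11 AuditSessionID 0A000103000000090B4AD0F6
Apr  7 09:27:37.945 EDT: %MAB-5-SUCCESS: Authentication successful for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09
Apr  7 09:27:37.945 EDT: %AUTHMGR-5-VLANASSIGN: VLAN 100 assigned to Interface Fa0/1 AuditSessionID Unassigned
Apr  7 09:27:37.970 EDT: %AUTHMGR-5-FAIL: Authorization failed for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09
Apr  7 09:27:43.775 EDT: %DOT1X-5-SUCCESS: Authentication successful for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082
Apr  7 09:27:43.783 EDT: %AUTHMGR-5-VLANASSIGN: VLAN 212 assigned to Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082
Apr  7 09:27:45.570 EDT: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082
"""

def parse_line(line):
    """Return the fields of an AUTHMGR/MAB/DOT1X line, or None for any other line."""
    m = MSG_RE.search(line)
    if not m:
        return None
    ev = {"msg": m.group("msg"), "mac": None, "intf": None, "vlan": None, "result": None, "method": None}
    for key, rx in (("mac", MAC_RE), ("intf", INTF_RE), ("vlan", VLAN_RE)):
        hit = rx.search(line)
        if hit:
            ev[key] = hit.group(key)
    hit = RESULT_RE.search(line)
    if hit:
        ev["result"], ev["method"] = hit.group("result"), hit.group("method")
    return ev

def triage(lines):
    """Map each client MAC to (verdict, assigned VLAN or None)."""
    per_client = defaultdict(list)
    last_mac_on = {}  # interface -> MAC of the last client logged on it
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["mac"] is None and ev["intf"]:
            # VLANASSIGN carries no client MAC (assumption: it belongs to the
            # client most recently logged on the same interface)
            ev["mac"] = last_mac_on.get(ev["intf"])
        if ev["mac"] is None:
            continue
        if ev["intf"]:
            last_mac_on[ev["intf"]] = ev["mac"]
        per_client[ev["mac"]].append(ev)
    verdicts = {}
    for mac, events in per_client.items():
        msgs = {e["msg"] for e in events}
        vlan = next((e["vlan"] for e in events if e["vlan"]), None)
        auth_ok = bool(msgs & {"MAB-5-SUCCESS", "DOT1X-5-SUCCESS"}) or any(
            e["result"] == "success" for e in events)
        if "AUTHMGR-7-NOMOREMETHODS" in msgs:
            verdict = "exhausted"      # port falls to the no-response VLAN, if any
        elif auth_ok and "AUTHMGR-5-FAIL" in msgs:
            verdict = "authz_failed"   # RADIUS accepted, switch could not apply it
        elif auth_ok and "AUTHMGR-5-SUCCESS" in msgs:
            verdict = "authorized"
        else:
            verdict = "unauthenticated"
        verdicts[mac] = (verdict, vlan)
    return verdicts

if __name__ == "__main__":
    for mac, (verdict, vlan) in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{mac}: {verdict} (VLAN {vlan})")
```

    Run against a real `show logging` export, the "authz_failed" verdicts are the ports to check for attribute or dACL problems, and "exhausted" verdicts show which clients ended up on the no-response VLAN.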

  • MAB DEVICES CONSUME MORE LICENSES

    Dear team,

    We have ISE servers with a Base license. We use ISE only for dot1x user authentication and for MAB authentication of Cisco IP phones and printers on the network. We assign dynamic VLANs for all devices. AFAIK, MAB should only consume a BASE license, but now MAB devices consume more Cisco ISE licenses.

    We run ISE ver 2.0.0.306.

    Please advise if anyone had faced this problem before.

    Thank you & best regards,

    JALEEL LAJAN

    Ok.

    If you see 5 devices counted, ISE doesn't care from the license point of view. There isn't any count in the license beyond its use.

    On your screenshot, you use a printer group which is a child of RegisteredDevices. I think you use this group in the ISE rules; all authentication/authorization passing through that rule consumes a PLUS license.

    You must create another group with no parent group and you'll never see PLUS license counters.

    Hope this is clear.

    PS: Please do not forget to rate and score as good response if this solves your problem
