Authentication result "no-response" of "mab".
Hi all
Another Ministry, another problem. Basically, we are trying to set up authentication based mab and if a client mac is not known, the port must be kept closed.
Configuration: WS-C2960-24TC-L with IOS 12.2 (55) SE1 authentication against freeRadius (2.1.10)
Excerpt from the running configuration
aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting network default start-stop group radius
!dot1x system-auth-control
!
interface GigabitEthernet0/19
switchport mode access
switchport voice vlan 2
authentication event fail retry 0 action authorize vlan 999
authentication event server dead action authorize vlan 1
authentication event no-response action authorize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication port-control auto
authentication violation restrict
mab
spanning-tree portfast
!
radius-server dead-criteria tries 1
radius-server host 10.2.1.33 auth-port 1812 acct-port 1813
radius-server timeout 10
radius-server key 7 xxxxxxx
radius-server vsa send accounting
radius-server vsa send authentication
Now, if I connect to a laptop computer to the port Gi0/19 freeRadius sends a rejection, but the port gets allowed VLAN 1 (we also try to get the data on another virtual local network). VLAN 999 does not exist, I tried to run this configuration to the authentication event and the other vlan, but with the same result.
Debugging snippet (attached full debugging log)
001608: 4w1d: AUTH-FEAT-MDA-EVENT (Gi0/19) Black Listed Mac Address 0026.5588.491c on vlan 1
001609: 4w1d: AUTH-FEAT-MDA-EVENT (Gi0/19) Received notification for 0026.5588.491c in domain DATA
001610: 4w1d: AUTH-FEAT-SWITCH-PM-EVENT (Gi0/19) dot1x_switch_mac_address_notify: MAC 0026.5588.491c on GigabitEthernet0/19(1) consumed by MDA. termi
001611: 4w1d: AUTH-FEAT-MDA-EVENT (Gi0/19) Get domain: UNKNOWN
001612: .Mar 11 07:59:19: %AUTHMGR-5-START: Starting 'mab' for client (0026.5588.491c) on Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF
001613: 4w1d: AUTH-FEAT-MDA-EVENT (Gi0/19) Get domain: UNKNOWN
001614: .Mar 11 07:59:20: %MAB-5-FAIL: Authentication failed for client (0026.5588.491c) on Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF
001615: .Mar 11 07:59:20: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0026.5588.491c) on Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF
001616: .Mar 11 07:59:20: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0026.5588.491c) on Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF
001617: .Mar 11 07:59:20: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0026.5588.491c) on Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF
001618: 4w1d: AUTH-FEAT-MDA-EVENT (Gi0/19) Get domain: DATA
001619: 4w1d: AUTH-FEAT-GUEST-VLAN-EVENT (Gi0/19) Authentication failure due to non-responsi
001620: 4w1d: AUTH-FEAT-GUEST-VLAN-EVENT (Gi0/19) Activating guest VLAN 1
001621: 4w1d: AUTH-FEAT-SWITCH-PM-EVENT (Gi0/19) PM Actions: Setting vlan 1 in DATA domain
001622: 4w1d: AUTH-FEAT-SWITCH-PM-EVENT (Gi0/19) Assigning dynamic vlan = 1 on port GigabitEthernet0/19
001623: .Mar 11 07:59:20: %AUTHMGR-5-VLANASSIGN: VLAN 1 assigned to Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF...
001631: 4w1d: AUTH-FEAT-MDA-EVENT (Gi0/19) Authorizing vp DATA, isLast is 1
001632: 4w1d: AUTH-FEAT-SWITCH-PM-EVENT (Gi0/19) dot1x_switch_port_vp_authorized: GigabitEthernet0/19 vp authorized in domain DATA, isLast i
001633: 4w1d: AUTH-FEAT-VOICE-EVENT (Gi0/19) No transit entry
001634: .Mar 11 07:59:21: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Gi0/19 AuditSessionID 0A0201D20000000B9A5DADAF
001635: 4w1d: AUTH-FEAT-SWITCH-PM-EVENT (Gi0/19) Checking data packet allowed, mac 0026.5588.491c, vlan
001636: 4w1d: AUTH-FEAT-GUEST-VLAN-EVENT (Gi0/19) Overriding host_mode, forcing to MULTI_HOS...
001827: 4w1d: AUTH-FEAT-MDA-EVENT (Gi0/19) dot1x_switch_mda_dot1x_sub_feature_permits_pkt: Guest VLAN is active and MAC 0026.5588.491c arrived on da
001828: 4w1d: AUTH-FEAT-MDA-EVENT (Gi0/19) dot1x_switch_mda_is_interested_in_mac: Not interested in unsecured 0026.5588.491c(1) on GigabitEthernet0/19
001829: 4w1d: AUTH-FEAT-GUEST-VLAN-EVENT (Gi0/19) Overriding host_mode, forcing to MULTI_HOS
So, we met with a large number of issues and unable to find the answers on the net that make sense.
Can we see what has gone wrong?
Thanks in advance,
Chris Schaatsbergen
Hello
This happens because you have invited vlan configured... You can remove the command 'action same no-response authentication allow vlan 1' to achieve the desired result. Comments vlan is intended to allow unknown users / mac on the network by means of vlan comments.
Let me know if it helps
Thank you
Mani
Tags: Cisco Security
Similar Questions
-
802. 1 x authentication with Radius and win7 Mab
Good afternoon!
I have a question about 802.1 x I've set up a laboratory in which I have configured authentication mab with 802. 1 x, but I have a weird behavior of my network controller. On the switch (4948e), I see that the user is authenticated and authorized, and I can see my switch these outputs:
21 April 15:13:30.263: % AUTHMGR-5-START: start "mab" for the customer (a01d.48ac.b7f
(5) on the Interface item in gi1/11 AuditSessionID C0A8DF9C0000002E002F3DAC
* Apr 21 15:13:30.267: % MAB-5-SUCCESS: authentication successful for the client (a01d
. 48AC.B7F5) on the Interface item in gi1/11 AuditSessionID C0A8DF9C0000002E002F3DAC
* April 21 15:13:30.267: % AUTHMGR-7-RESULT: authentication result 'success' of me
ab' for the client (a01d.48ac.b7f5) on the Interface item in gi1/11 AuditSessionID C0A8DF9C00000
02E002F3DAC
* Apr 21 15:13:31.299: % AUTHMGR-5-SUCCESS: authorization succeeds in for the customer (a0
1d.48AC.B7F5) on the Interface item in gi1/11 AuditSessionID C0A8DF9C0000002E002F3DACIf I type "see the authentication session", the corresponding output.
Switch #show authentication sessions
Interface MAC address method ID of Session of field status
Item in gi1/11 a01d.48ac.b7f5 mab DATA Authz success C0A8DF9C0000002E002F3DACThe thing is that when I check my network controller, it said "authentication failure". That's what I've done so far:
1. I restarted my pc, the same behavior.
2. I disabled and enabled my network controller, the same behavior.
3. I rebooted the switch and re-configured. Same behavior.
4. I tried with another PC configuration. Same behavior.
5. I changed the configuration of "user authentication" using dot1x EAP authenticator and it worked.
This is the configuration I have on my switch:
AAA new-model
Group AAA dot1x default authentication RADIUS
Group AAA authorization network default RADIUS
start-stop radius group AAA accounting dot1x default
AAA - the id of the joint session!
control-dot1x system-auth
!
Switch #show run gigabitEthernet int 1/11
Building configuration...Current configuration: 128 bytes
!
interface GigabitEthernet1/11Cx-to-Host description
switchport access vlan 223
switchport mode access
Auto control of the port of authentication
MAB
endThis is the first time I'll put up a configuration 802. 1 x. I'm doing something wrong?
I really hope that I am not the only one with this kind of behavior!
Thank you for any assistance you can give me!
Status: Authz success
This means that the port is open. Is this permanent? Keep looking at the output of the show a few minutes see if it tries to dot1x too. Can you ping from the PC?
As authentication of 802. 1 X is enabled in the properties of the map NETWORK PC that you can expect dot1x method runs on the switch and eventually respond to the computer with auth fail. Authentication in the PC box is not necessary for MAB.
What type of RADIUS server you use and there 802.1 policy X in addition to MAB policy?
IP address: unknown
This means that the switch did not recognize the IP address of the host, probably due to the lack of
analysis of IP device
command. But it is not necessary for the plain MAB or dot1x.
-
Oracle Discoverer workbook results share responsibility for the 11g USER
Hello
I need to know if the result set for the discoverer workbook is part of the user or responsibilities. I don't want to see any fact workbook share the user or responsibilities, just result sets.
I use eul5_batch_reports table to, but I don't know which column should I join now I get the workbook and workbook results together.
Oracle Application EUL (11.5.10.2)
End user layer 5.1.1.0.0.0
End user layer Library - 11.1.1.3.0
I am using the following query, but I'm not able to do the join with the NLY time table.
Docs.doc_name, priv.ap_type, gd_doc_id, GP_APP_ID, AP_EU_ID, ebrpt.BR_ID, ebrpt.br_name SELECT DISTINCT,
FND.responsibility_name,
DECODE (usr.eu_role_flag, 0, 'user', 1, 'role') user_role,.
usr.eu_username,
CASE
WHEN INSTR (usr.eu_username, "#") = 0 THEN
usr.eu_username
WHEN INSTR (usr.eu_username, "#") > 0
AND INSTR (usr.eu_username, "#", 2) = 0 THEN
(SELECT fu.user_name
OF fu fnd_user
WHERE fu.user_id = SUBSTR (usr.eu_username, 2, 5))
ON THE OTHER
(SELECT resp.responsibility_name
Of fnd_responsibility_tl RESP.
WHERE resp.responsibility_id =
SUBSTR (usr.eu_username, 2, 5)
AND language = 'En')
END
AS "share name / responsibility.
DOCUMENTATION of eul5_documents,.
eul5_access_privs priv,
eul5_eul_users usr,
DNF fnd_responsibility_tl,
eul5_batch_reports ebrpt
WHERE docs.doc_id = priv.gd_doc_id (+)
AND priv.ap_eu_id = usr.eu_id (+)
AND usr.eu_username =
'#' || FND.responsibility_id (+) | '#' || FND.application_id (+)
AND priv.ap_type = 'GD '.
AND docs.doc_name LIKE '% XXTEST % '.
AND ebrpt.br_name = docs.doc_name
AND docs.doc_eu_id = ebrpt.br_eu_id
Any help appreciated.
EdHello
Try this.Docs.doc_name, ebrpt.br_name SELECT DISTINCT,
FND.responsibility_name,
DECODE (usr.eu_role_flag, 0, 'user', 1, 'role') user_role,.
usr.eu_username,
CASE
WHEN INSTR (usr.eu_username, "#") = 0 THEN
usr.eu_username
WHEN INSTR (usr.eu_username, "#") > 0
AND INSTR (usr.eu_username, "#", 2) = 0 THEN
(SELECT fu.user_name
OF fu fnd_user
WHERE fu.user_id = SUBSTR (usr.eu_username, 2, 5))
ON THE OTHER
(SELECT resp.responsibility_name
Of fnd_responsibility_tl RESP.
WHERE resp.responsibility_id =
SUBSTR (usr.eu_username, 2, 5)
AND language = 'En')
END
AS "share name / responsibility.
DOCUMENTATION of euldiscadmin_us.eul5_documents,.
euldiscadmin_us.eul5_access_privs priv,
euldiscadmin_us.eul5_eul_users usr,
DNF fnd_responsibility_tl,
euldiscadmin_us.eul5_batch_reports ebrpt
WHERE docs.doc_id = priv.gd_doc_id (+)
AND priv.ap_eu_id = usr.eu_id (+)
AND usr.eu_username =
'#' || FND.responsibility_id (+) | '#' || FND.application_id (+)
AND priv.ap_type = 'GD '.
AND ebrpt.br_name = docs.doc_name
AND docs.doc_eu_id = ebrpt.br_eu_id
AND docs.doc_batch = 1
AND EXISTS (SELECT ' X'
Of
EULDISCADMIN_US. EUL5_BR_RUNS brrun
WHERE brrun. BRR_BR_ID = ebrpt.BR_ID)See you soon
Asim -
Session variable does not result in responses
Hello
I have a block of Session initialization and I the target assigned to a variable region_info variable. My SQL is this "select HS region. The user_info_table where UPPER (USER_ID) = UPPER(':USER'). It gives me the correct results in RPD.
In the answers and the filter, I say region is equivalent to / in NQ_SESSION. Region_info up to this point it works fine.
How to change to more than one line. I tried horizontal initialization and I am getting an error saying NQ_SESSION. Region_info has no value definition. How can I make it work if the initialization block returns multiple lines and in the responses, if I have them both in my filter?
Help, please. Thank you.SSK,
No, it will not work you cannot use meets fx
http://download.Oracle.com/docs/CD/E12096_01/books/AdminTool/admintool_Variables5.html
http://108obiee.blogspot.com/2009/10/using-multiple-values-row-wise-session.html
Thank you
Saichand.v -
Filtering results in responses for set operations
Hello
I've created a report combining the results using set operations. I added the same filter field for each select included in the combined result. Then, I created dashboard page prompt to create a filter for this report. But the results not filtered. Other requests registered on the same page filtered, so that the filter works in general.
My question is: is it possible to filter the combined result?
Published by: scanbix on January 25, 2010 07:08Hello
Each 'combined request' filtering must be filtered without probs, Im guessing you are referring to filter the complete set of results / final, but you may notice that you do not have access to columns on the definition of the outer query / wrapper in the criteria tab to add filters or "is invited" on all columns.Just checked on my example and your rights in your finds, the view filter returns "request has no filters" even when the guests of my dashboard are clearly alter the data returned by each part of the union.
-
Result of the "non-response" authentication
Hi I have a simple config of the MDA
interface FastEthernet0/4
switchport access vlan 84
switchport mode access
switchport voice vlan 70
IP access-group default_acl in
the host-mode multi-auth authentication
authentication order dot1x mab
authentication priority dot1x mab
Auto control of the port of authentication
MAB
dot1x EAP authenticator
dot1x tx-timeout 3
dot1x max-reauth-req 3
Storm-control broadcasts 5.00
stop storm-control action
spanning tree portfast
spanning tree enable bpduguard
When I try to conect to this port - ONLY PHONE he successfully through mab Authentificates, when I try to connect PC only he authentificates successfully through dot1x, but when I try to connect to the PC via PHONE - phone authentificate successfully, but the PC - not on my server ISE log, I see only MAB trying for PC No tent dot1x.
ARHIV-ROOM36(Config-if) #.
29 jan 12:08:04.380: % LINK-5-CHANGED: Interface FastEthernet0/4, changed state down administratively
29 jan 12:08:05.387: % LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, has changed state down
ARHIV-ROOM36(config-if) #exi
ARHIV-ROOM36 (config) #exi
29 jan 12:08:06.536: % LINK-3-UPDOWN: Interface FastEthernet0/4, changed State to
29 jan 12:08:07.543: % LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed State to
ARHIV-ROOM36 (config) #exi
ARHIV-ROOM36 #.
29 jan 12:08:08.021: % SYS-5-CONFIG_I: configured from console to ask about vty0 (10.110.11.253)
ARHIV-ROOM36 #.
29 jan 12:08:09.170: % AUTHMGR-5-START: start "dot1x' for the client (0023.8b84.fa32) on the Interface Fa0/4 AuditSessionID
0A6E0A0400000077A11BEA81
29 jan 12:08:10.076: % AUTHMGR-5-START: start "dot1x' for the client (ccef.485c.f4b9) on the Interface Fa0/4 AuditSessionID
0A6E0A0400000078A11BF97A
ARHIV-ROOM36 #.
29 jan 12:08:18.591: % DOT1X-5-FAIL: failure of authentication for the client (0023.8b84.fa32) on the Interface Fa0/4 AuditSession
ID
29 jan 12:08:18.591: % AUTHMGR-7-RESULT: authentication result in 'no response' of 'dot1x' for the client (0023.8b84.fa32)
on the Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
29 jan 12:08:18.591: % AUTHMGR-7-FAILOVER: failover "dot1x' for the client on the Interface Fa0/4 (0023.8b84.fa32) to the
ditSessionID 0A6E0A0400000077A11BEA81
29 jan 12:08:18.591: % AUTHMGR-5-START: start "mab" for the client (0023.8b84.fa32) on the Interface Fa0/4 AuditSessionID 0
A6E0A0400000077A11BEA81
29 jan 12:08:18.608: % MAB-5-FAIL: failure of authentication for the client (0023.8b84.fa32) on the Interface Fa0/4 AuditSessionID
0A6E0A0400000077A11BEA81
29 jan 12:08:18.608: % AUTHMGR-7-RESULT: authentication result 'no response' of 'mab' for the customer (0023.8b84.fa32) on
Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
29 jan 12:08:18.608: % AUTHMGR-7-FAILOVER: failover "mab" for the client (0023.8b84.fa32) on the Interface Fa0/4 Audi
tSessionID 0A6E0A0400000077A11BEA81
29 jan 12:08:18.608: % AUTHMGR-7-NOMOREMETHODS: exhausted all methods of authentication for the client (0023.8b84.fa32) on
Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
ARHIV-ROOM36 #.
29 jan 12:08:18.608: % AUTHMGR-5-FAIL: failed authorization for customer (0023.8b84.fa32) on the Interface Fa0/4 AuditSessio
Nest 0A6E0A0400000077A11BEA81
ARHIV-ROOM36 #.
29 jan 12:08:21.678: % DOT1X-5-FAIL: failure of authentication for the client (ccef.485c.f4b9) on the Interface Fa0/4 AuditSession
ID
29 jan 12:08:21.678: % AUTHMGR-7-RESULT: authentication result in 'no response' of 'dot1x' for the client (ccef.485c.f4b9)
on the Interface Fa0/4 AuditSessionID 0A6E0A0400000078A11BF97A
29 jan 12:08:21.678: % AUTHMGR-7-FAILOVER: failover "dot1x' for the client on the Interface Fa0/4 (ccef.485c.f4b9) to the
ditSessionID 0A6E0A0400000078A11BF97A
29 jan 12:08:21.678: % AUTHMGR-5-START: start "mab" for the client (ccef.485c.f4b9) on the Interface Fa0/4 AuditSessionID 0
A6E0A0400000078A11BF97A
29 jan 12:08:21.728: % MAB-5-SUCCESS: authentication successful for the client (ccef.485c.f4b9) on the Interface Fa0/4 AuditSe
ssionID 0A6E0A0400000078A11BF97A
ARHIV-ROOM36 #.
29 jan 12:08:21.728: % AUTHMGR-7-RESULT: result of the authentication 'success' of 'mab' for the client (ccef.485c.f4b9) on Int
ERFACE Fa0/4 AuditSessionID 0A6E0A0400000078A11BF97A
ARHIV-ROOM36 #.
29 jan 12:08:22.718: % AUTHMGR-5-SUCCESS: authorization succeeded for client (ccef.485c.f4b9) on the Interface Fa0/4 Audit
SessionID 0A6E0A0400000078A11BF97A
ARHIV-ROOM36 #.
29 jan 12:09:19.334: % AUTHMGR-5-START: start "dot1x' for the client (0023.8b84.fa32) on the Interface Fa0/4 AuditSessionID
0A6E0A0400000077A11BEA81
ARHIV-ROOM36 #.
29 jan 12:09:31.850: % DOT1X-5-FAIL: failure of authentication for the client (0023.8b84.fa32) on the Interface Fa0/4 AuditSession
ID
29 jan 12:09:31.850: % AUTHMGR-7-RESULT: authentication result in 'no response' of 'dot1x' for the client (0023.8b84.fa32)
on the Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
29 jan 12:09:31.850: % AUTHMGR-7-FAILOVER: failover "dot1x' for the client on the Interface Fa0/4 (0023.8b84.fa32) to the
ditSessionID 0A6E0A0400000077A11BEA81
29 jan 12:09:31.850: % AUTHMGR-5-START: start "mab" for the client (0023.8b84.fa32) on the Interface Fa0/4 AuditSessionID 0
A6E0A0400000077A11BEA81
29 jan 12:09:31.866: % MAB-5-FAIL: failure of authentication for the client (0023.8b84.fa32) on the Interface Fa0/4 AuditSessionID
0A6E0A0400000077A11BEA81
29 jan 12:09:31.866: % AUTHMGR-7-RESULT: authentication result 'no response' of 'mab' for the customer (0023.8b84.fa32) on
Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
29 jan 12:09:31.866: % AUTHMGR-7-FAILOVER: failover "mab" for the client (0023.8b84.fa32) on the Interface Fa0/4 Audi
tSessionID 0A6E0A0400000077A11BEA81
29 jan 12:09:31.866: % AUTHMGR-7-NOMOREMETHODS: exhausted all methods of authentication for the client (0023.8b84.fa32) on
Interface Fa0/4 AuditSessionID 0A6E0A0400000077A11BEA81
ARHIV-ROOM36 #.
29 jan 12:09:31.866: % AUTHMGR-5-FAIL: failed authorization for customer (0023.8b84.fa32) on the Interface Fa0/4 AuditSessio
Nest 0A6E0A0400000077A11BEA81
ARHIV-ROOM36 # run HS | I have aaa
AAA new-model
AAA authentication login default local
the AAA authentication enable default
Group AAA dot1x default authentication RADIUS
AAA authorization exec default local
Group AAA authorization network default RADIUS
start-stop radius group AAA accounting dot1x default
AAA - the id of the joint session
ARHIV-ROOM36 # run HS | I have RADIUS
Group AAA dot1x default authentication RADIUS
Group AAA authorization network default RADIUS
start-stop radius group AAA accounting dot1x default
RADIUS-server host 10.5.45.128 auth-port 1812 acct-port 1813 borders 7 xxxx
RADIUS vsa server send accounting
RADIUS vsa server send authentication
It seems that, as the phone was not 802 traffic. 1 x as the switch was getting no response to his request. It is very interesting and good to know. Good job on finding a solution and shares the back!
You should probably mark the thread as answered
-
authentication dot1x some problom
Hello
helleo
WO have a problom to dot1x authentication,
When I enter the configuration of configuration of dot1x in the interface, interface to authenticate user in State of err - disable
Here is the configuration of the interface
interface FastEthernet0/45switchport access vlan 21
switchport mode access
the host-mode multi-auth authentication
Auto control of the port of authentication
MAB eap
dot1x EAP both
dot1x quiet-period of waiting 3
dot1x tx-period 5
spanning tree portfast
Or authenticating switch failed newspaper
n 4 16:52:16.381: % AUTHMGR-7-FAILOVER: failover "dot1x' for the client (2c41.380f.f187) on the Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
June 4, 16:52:16.381: % AUTHMGR-5-START: start "mab" for the client (2c41.380f.f187) on the Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
June 4, 16:52:16.423: % MAB-5-FAIL: failure of authentication for the client (2c41.380f.f187) on the Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
June 4, 16:52:16.423: % AUTHMGR-7-RESULT: authentication result 'no response' of 'mab' for the customer (2c41.380f.f187) on the Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
June 4, 16:52:16.423: % AUTHMGR-7-FAILOVER: failover "mab" for the client (2c41.380f.f187) on the Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
June 4, 16:52:16.423: % AUTHMGR-7-NOMOREMETHODS: exhausted all methods of authentication for the client (2c41.380f.f187) on the Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
June 4, 16:52:16.423: % AUTHMGR-5-FAIL: failed authorization for customer (2c41.380f.f187) on the Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
June 4, 16:53:17.165: % AUTHMGR-5-START: start "dot1x' for the client (2c41.380f.f187) on the Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
June 4, 16:53:21.376: % DOT1X-5-SUCCESS: authentication successful for the client (2c41.380f.f187) on the Interface Fa0/45 AuditSessionID
June 4, 16:53:21.376: % AUTHMGR-7-RESULT: result of the authentication 'success' of 'dot1x' for the client (2c41.380f.f187) on the Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
June 4, 16:53:21.376: % DOT1X_SWITCH-5-ERR_ADDING_ADDRESS: cannot add the address on Fa0/45 AuditSessionID 0A51F11D000000266273D33D 2c41.380f.f187
June 4, 16:53:21.376: % AUTHMGR-5-SECURITY_VIOLATION: security breach on interface FastEthernet0/45, new address MAC (2c41.380f.f187) is considered. AuditSessionID 0A51F11D000000266273D33D
June 4, 16:53:21.376: % PM-4-ERR_DISABLE: error in security breach detected on Fa0/45, putting the Fa0/45 in State of err - disable
June 4, 16:53:22.400: % LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/45, state changed to surviver 4 16:52:16.381: % AUTHMGR-7-FAILOVER: failover "dot1x' for the client (2c41.380f.f187) on the Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
June 4, 16:52:16.381: % AUTHMGR-5-START: start "mab" for the client (2c41.380f.f187) on the Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
June 4, 16:52:16.423: % MAB-5-FAIL: failure of authentication for the client (2c41.380f.f187) on the Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
June 4, 16:52:16.423: % AUTHMGR-7-RESULT: authentication result 'no response' of 'mab' for the customer (2c41.380f.f187) on the Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
June 4, 16:52:16.423: % AUTHMGR-7-FAILOVER: failover "mab" for the client (2c41.380f.f187) on the Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
June 4, 16:52:16.423: % AUTHMGR-7-NOMOREMETHODS: exhausted all methods of authentication for the client (2c41.380f.f187) on the Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
June 4, 16:52:16.423: % AUTHMGR-5-FAIL: failed authorization for customer (2c41.380f.f187) on the Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
June 4, 16:53:17.165: % AUTHMGR-5-START: start "dot1x' for the client (2c41.380f.f187) on the Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
June 4, 16:53:21.376: % DOT1X-5-SUCCESS: authentication successful for the client (2c41.380f.f187) on the Interface Fa0/45 AuditSessionID
June 4, 16:53:21.376: % AUTHMGR-7-RESULT: result of the authentication 'success' of 'dot1x' for the client (2c41.380f.f187) on the Interface Fa0/45 AuditSessionID 0A51F11D000000266273D33D
June 4, 16:53:21.376: % DOT1X_SWITCH-5-ERR_ADDING_ADDRESS: cannot add the address on Fa0/45 AuditSessionID 0A51F11D000000266273D33D 2c41.380f.f187
June 4, 16:53:21.376: % AUTHMGR-5-SECURITY_VIOLATION: security breach on interface FastEthernet0/45, new address MAC (2c41.380f.f187) is considered. AuditSessionID 0A51F11D000000266273D33D
June 4, 16:53:21.376: % PM-4-ERR_DISABLE: error in security breach detected on Fa0/45, putting the Fa0/45 in State of err - disable
June 4, 16:53:22.400: % LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/45, changed state downLooks like your scenario made to match a known defect
CSCti69845 voilation took place after the success of fashion multi-auth auth
Workaround
Configure a vlan VoIP Multi-auth port (or)
Address / solved in paragraph 12.2 (55) SE01
Jatin kone
-Does the rate of useful messages- -
Dot1x question: authentication MAB will never be failure or timeout
Hello
I have a problem when the switch will try to authenticate a device with MAB and it will never, or timeout.
Here's the situation: where a device has 802 authentication. 1 x active but not a invalid parameters (or missing certificate).
The switch will start dot1x for the customer and it will not be (a). He will switch to dot1x to MAB and... silence.
I use a WS-C2960-24LT-L with IOS 15.0 (2) SE.
Config:
interface FastEthernet0/16 switchport access vlan 155 switchport mode access authentication event fail action authorize vlan 550 authentication event server dead action authorize vlan 550 authentication event no-response action authorize vlan 550 authentication port-control auto mab dot1x pae authenticator dot1x timeout quiet-period 3 dot1x timeout tx-period 1 spanning-tree portfast spanning-tree bpduguard enable end
Newspapers:
Dec 4 17:34:51.064 GMT: %LINK-3-UPDOWN: Interface FastEthernet0/16, changed state to up Dec 4 17:34:51.147 GMT: %AUTHMGR-5-START: Starting 'dot1x' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B Dec 4 17:34:52.070 GMT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/16, changed state to up Dec 4 17:34:54.234 GMT: %DOT1X-5-FAIL: Authentication failed for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B Dec 4 17:34:54.234 GMT: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B Dec 4 17:34:57.321 GMT: %DOT1X-5-FAIL: Authentication failed for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B Dec 4 17:34:57.321 GMT: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (e89a.8fb0.67c3) on Interface Fa0/16 AuditSessionID 0A011246000001187AA1F62B Dec 4 17:35:00.601 GMT: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001197AA21094 Dec 4 17:35:00.601 GMT: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001197AA21094 Dec 4 17:35:00.601 GMT: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/16 AuditSessionID 0A011246000001197AA21094
SH int fa0/16 session auth
Interface: FastEthernet0/16 MAC Address: Unknown IP Address: Unknown Status: Running Domain: UNKNOWN Oper host mode: single-host Oper control dir: both Session timeout: N/A Idle timeout: N/A Common Session ID: 0A011246000001197AA21094 Acct Session ID: 0x00000380 Handle: 0x1700011A Runnable methods list: Method State dot1x Failed over mab Running
You can see above that is still running MAB but this device is not listed on the local store ID sequence or any where. If I run the command 'No mab', the switch will respond will be unavailable methods more and nothing more.
Interface MAC Address Method Domain Status Session ID Fa0/16 (unknown) N/A UNKNOWN No Methods 0A011246000001197AA21094
However, when I remove the command MAB; reset the port; He eventually fail to dot1x and move to restricted VLAN.
It is this value by default design or the drop between the switch and the ACS authentication? Should I just use MAB where it is needed?
Thank you in advance.
On your configuration of the interface, I normally expect to see flex active thus auth:
authentication priority dot1x mab authentication order dot1x mab authentication event fail action next-method
-
802. 1 x authentication port does not
Pass the info:
SW-ConfB > sho worm
Cisco IOS software, software of C2960C (C2960c405-UNIVERSALK9-M), Version 12.2 (55) EX3, VERSION of the SOFTWARE (fc2)
Port config:
interface FastEthernet0/11
switchport mode access
authentication event failure action allow vlan 900
no response from the authentication event action allow vlan 900
Auto control of the port of authentication
dot1x EAP authenticator
dot1x tx-period 5
The RADIUS server info:
key acct-port 1646 1645 auth-RADIUS-server host 10.0.1.52 port 802.1 x!
A little confused why not package Radius comes even from the switch. Any tips?
According to debug it, it seems that the supplicant connected on the switch port does not support the dot1x and MAB is not configured on the switchport so no method left to try and you got the vlan COMMENTS.
3 Mar 04:37:47.963: % AUTHMGR-7-RESULT: authentication result 'no response' of 'dot1x' for the customer (d4be.d907.9637) on the Interface Fa0/11 AuditSessionID 0A000103000000090B4AD0F6
* 04:37:47.963 3 Mar: % AUTHMGR-7-FAILOVER: failover "dot1x' for the client (d4be.d907.9637) on the Interface Fa0/11 AuditSessionID 0A000103000000090B4AD0F6
* 04:37:47.963 3 Mar: AUTHMGR-7-NOMOREMETHODS %: exhausted all methods of authentication for the clientAt this point, the RADIUS is not even came into the picture. Please make sure that the end customer is configured correctly for the dot1x parameters.
Kind regards
Jatin kone
* Make the rate of useful messages *.
-
802. 1 x 3560catalyst multidomain nortel ip phone ntdu92
Hi all!
I have the catalyst 3560 ios 12.2 (55) SE5
I need to allow PC and IP phone on this port. 212 data vlan 500 voice vlan, vlan 111 - VLAN unauthorized with 256 Kbps INTERNET without any local resourses. IP phone allows by mab.
#sh mac address-table interface fastEthernet 0/2
212 001a.4b7b.0394 STATIC Fa0/2
001B.bafb.7c1c 500 STATIC Drop#sh running-config interface fastEthernet 0/2
interface FastEthernet0/2
switchport access vlan 212
switchport mode access
switchport voice vlan 500authentication event failure action allow vlan 111
no response from the authentication event action allow vlan 111
multi-domain of host-mode authentication
Auto control of the port of authentication
authentication violation replace
MAB
dot1x EAP authenticator
dot1x quiet-period 5
dot1x timeout server-timeout 5
dot1x tx-time 10
dot1x timeout supp-timeout 3
dot1x max-reauth-req 3
Storm-control broadcasts 7.00 3.00
multicast storm-control level 15,00 10,00
stop storm-control action
No cdp enable
spanning tree portfast
spanning tree guard root
endexploitation forest #sh
Jul 29, 11:11:03: % DOT1X-5-FAIL: failure of authentication for the client (001b.bafb.7c1c) on the Interface Fa0/2 AuditSessionID
Jul 29, 11:11:03: % AUTHMGR-7-RESULT: authentication result 'no response' of 'dot1x' for the customer (001b.bafb.7c1c) on the Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
Jul 29, 11:11:03: % AUTHMGR-7-FAILOVER: failover "dot1x' for the client (001b.bafb.7c1c) on the Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
Jul 29, 11:11:03: % AUTHMGR-5-START: start "mab" for the client (001b.bafb.7c1c) on the Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
Jul 29, 11:11:03: MAB-5-SUCCESS percent: authentication successful for the client (001b.bafb.7c1c) on the Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
Jul 29, 11:11:03: % AUTHMGR-7-RESULT: result of the authentication 'success' of 'mab' for the client (001b.bafb.7c1c) on the Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
Jul 29, 11:11:03: % AUTHMGR-5-SECURITY_VIOLATION: security breach on interface FastEthernet0/2, new address MAC (001b.bafb.7c1c) is considered. AuditSessionID 0A32FF150000006025C481C2
Jul 29, 11:11:03: % AUTHMGR-5-MACREPLACE: (001a.4b7b.0394) address on Interface FastEthernet0/2 is replaced by MAC (001b.bafb.7c1c) AuditSessionID 0A32FF150000005F25C42541
Jul 29, 11:11:04: AUTHMGR-5-SUCCESS percent: authorization succeeded for customer (001b.bafb.7c1c) on the Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
Jul 29, 11:11:06: % AUTHMGR-5-START: start "dot1x' for the client (001a.4b7b.0394) on the Interface Fa0/2 AuditSessionID 0A32FF150000006125C52D87
Jul 29, 11:11:06: % DOT1X-5-SUCCESS: authentication successful for the client (001a.4b7b.0394) on the Interface Fa0/2 AuditSessionID
Jul 29, 11:11:06: % AUTHMGR-7-RESULT: result of the authentication 'success' of 'dot1x' for the client (001a.4b7b.0394) on the Interface Fa0/2 AuditSessionID 0A32FF150000006125C52D87
Jul 29, 11:11:06: % AUTHMGR-5-SECURITY_VIOLATION: security breach on interface FastEthernet0/2, new address MAC (001a.4b7b.0394) is considered. AuditSessionID 0A32FF150000006125C52D87
Jul 29, 11:11:06: % AUTHMGR-5-MACREPLACE: (001b.bafb.7c1c) address on Interface FastEthernet0/2 is replaced by MAC (001a.4b7b.0394) AuditSessionID 0A32FF150000006025C481C2
Jul 29, 11:11:07: AUTHMGR-5-SUCCESS percent: authorization succeeded for customer (001a.4b7b.0394) on the Interface Fa0/2 AuditSessionID 0A32FF150000006125C52D87What is necessary for phone collaboration PC + IP at the same time.Thanks for your help.Multi domain means that a device is in the field of DATA and the other, the IP phone is the area of the VOICE. Your box of ISE sends the correct permission for the IP phone, either in the field of VOICE?
Without this work, you'll just 2 features supporting in the same field of data which is not what you want.
-
Hi all
First of all, I have no experience with the configuration of Cisco switches (about half a year now) but I read loads and loads of documentation.
I am trying to configure several areas (MDA) authentication on our Cisco switches using mab and spin into something strange. Currently, single mab is asked by my employer.
Switch = 48-3560G IOS version 12.2 (55) SE1
RADIUS = Freeradius (version 2.1.10)
On port Gi0/29 a Cisco 7961 IP phone is connected and plugged into the phone that a laptop is connected
The switch configuration:
AAA new-model
!
Group AAA dot1x default authentication RADIUS
Group AAA authorization network default RADIUS
AAA accounting delay start
start-stop radius group AAA accounting dot1x default
start-stop radius group AAA accounting network default
!interface GigabitEthernet0/29
235 a description
switchport access vlan 4
switchport mode access
switchport voice vlan 2
load-interval 30
bandwidth share SRR-queue 10 10 60 20
queue-series 2
priority queue
action retry authentication event 0 failure allow vlan 7
action of death event authentication server allow vlan 4
living action of the server reset the authentication event
multi-domain of host-mode authentication
Auto control of the port of authentication
restrict the authentication violation
MAB
Auto qos voip cisco-phone
spanning tree portfast
service-policy input AutoQoS-Police-CiscoPhone
!dead-criteria 5 tent 5 times RADIUS server
RADIUS-server host 10.1.1.24 auth-port 1812 acct-port 1813
RADIUS server key 7 xxx
RADIUS vsa server send accounting
RADIUS vsa server send authenticationRadius response: (for the full reply see attached RADIUS - response.txt)
Sending acceptance of access to the port id 98 to 10.1.1.207 1645
Cisco-AVPair = "Tunnel-Type = VLAN.
Cisco-AVPair = "Tunnel-Medium-Type = 802.
Cisco-AVPair = "Tunnel-private-Group-ID = 7.
Cisco-AVPair = "Tunnel-preference.That's why access accept with assignment data VLAN
Debugging on the switch :
001776: * Mar 1 09:27:35.606: mab-ev(Gi0/29): context MAB received create from AuthMgr
001777: * Mar 1 09:27:35.606: mab-ev(Gi0/29): MAB authorizing MACAddress
001778: * Mar 1 09:27:35.606: mab-ev(Gi0/29): client context created MAB 0x2200000F
001779: * 09:27:35.606 Mar 1: mab: State has original mab_initialize enter
001780: * Mar 1 09:27:35.606: mab-ev(Gi0/29): sent to create a new context of EAP of MAB to 0x2200000F (MACAddress) event
001781: * Mar 1 10:27:35.606 THIS: % AUTHMGR-5-START: start "mab" for the customer (MACAddress) on the Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
001782: * Mar 1 09:27:35.606: mab-sm(Gi0/29): the event received 'MAB_CONTINUE' on the 0x2200000F handle
001783: * 09:27:35.606 Mar 1: mab: during the mab_initialize State, had 1 (mabContinue) event
001784: * 09:27:35.606 Mar 1: @ mab: mab_initialize-> mab_authorizing
001785: * Mar 1 09:27:35.606: mab-ev(Gi0/29): MAC-AUTH-BYPASS boot for 0x2200000F (MACAddress)
001786: * Mar 1 09:27:35.614: mab-ev(Gi0/29): MAB received a Reject Access for 0x2200000F (MACAddress)
001787: * Mar 1 10:27:35.622 THIS: % MAB-5-FAIL: failure of authentication for the client (MACAddress) on the Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
001788: * Mar 1 09:27:35.622: mab-sm(Gi0/29): the event received 'MAB_RESULT' on the 0x2200000F handle
001789: * 09:27:35.622 Mar 1: mab: during the mab_authorizing State, had 5 (mabResult) event
001790: * 09:27:35.622 Mar 1: @ mab: mab_authorizing-> mab_terminate
001791: * Mar 1 09:27:35.622: mab-ev(Gi0/29): removed the credentials of 0x2200000F (dot1x_mac_auth_MACAddress) profile
001792: * Mar 1 09:27:35.622: mab-ev(Gi0/29): AuthMGR for MACAddress sending event (2)
001793: * Mar 1 10:27:35.622 THIS: % AUTHMGR-7-RESULT: result "dead server" authentication "mab" for the customer (MACAddress) on the Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
001794: * Mar 1 10:27:35.622 THIS: % AUTHMGR-5-VLANASSIGN: VLAN 4 assigned to Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
001795: * Mar 1 10:27:36.512 THIS: % AUTHMGR-5-SUCCESS: authorization succeeded for client (MACAddress) on the Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4ACSo RADIUS returns an Access_Accept and the switch treats it as a rejection of access and little esteem RADIUS as dead.
Help would be appreciated!
Chris
Hi Chris,
In response to your last post, assignment of vlan dynamic could be achieved with the help of the IETF RADIUS attributes according to the link:
http://Tools.Cisco.com/Squish/d1791or using the pair of cisco-av according to the link:
http://Tools.Cisco.com/Squish/8Bd61As for free using the Radius and cisco-av pairs. Please can you activate debug on switch output and reproduce the problem with the attempt to authentiation of customer:
Debug RADIUS
Debug authentication of all the
debug functionality of authentication allAs a result the customer authentication event, also benefit from the following switch:
display the interface authentication sessionsI met problems with respect to the case of the pair of cisco-av. assignment of vlan for example work using the sensitive tiny "tunnel-private-group-id (# 81) = vlanid ' instead of ' tunnel-private-group-ID (# 81) = vlanid.
When testing with the 'tunnel-private-group-ID(#81) = vlanid', I get an error:
RADIUS/DECODE: parse cisco unknown vsa 'tunnel-private-group-ID' - FAIL
So the 2nd link, with the changes:
Cisco-avpair = "tunnel-type(#64) = VLAN (13).
Cisco-avpair = "tunnel-medium-type(#65) = 802 media (6).
Cisco-avpair = "tunnel-private-group-id(#81) = vlanid.If you still have a question, please include the output of debug/display above which will shed light on the problem.
Thank you
Alex -
I'm getting a strange behavior with a Catalyst switch and 802. 1 x. I use multi-auth, with a PC and phone Cisco patched in. The two devices to authenticate correctly, but only the PC is allowed depending on the switch logs.
Switch terminal logs:
Apr 7 09:27:37.836 EDT: %AUTHMGR-5-START: Starting 'mab' for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09Apr 7 09:27:37.945 EDT: %MAB-5-SUCCESS: Authentication successful for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09Apr 7 09:27:37.945 EDT: %AUTHMGR-5-VLANASSIGN: VLAN 100 assigned to Interface Fa0/1 AuditSessionID UnassignedApr 7 09:27:37.970 EDT: %AUTHMGR-5-FAIL: Authorization failed for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09Apr 7 09:27:39.295 EDT: %AUTHMGR-5-START: Starting 'dot1x' for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082Apr 7 09:27:43.775 EDT: %DOT1X-5-SUCCESS: Authentication successful for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID Apr 7 09:27:43.783 EDT: %AUTHMGR-5-VLANASSIGN: VLAN 212 assigned to Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082Apr 7 09:27:45.570 EDT: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082
Config switch:
aaa authentication dot1x default group RADIUS-DOT1Xaaa authorization network default group radius ip radius source-interface Loopback0 radius-server vsa send accountingradius-server vsa send authenticationdot1x system-auth-controldot1x guest-vlan supplicant
Configuration interface:
interface FastEthernet0/1 switchport mode access srr-queue bandwidth share 10 10 60 20 priority-queue out authentication event fail action next-method authentication event server dead action authorize voice authentication event no-response action authorize vlan 999 authentication host-mode multi-auth authentication order dot1x mab authentication port-control auto authentication periodic authentication violation protect mab mls qos trust cos auto qos voip trust dot1x pae authenticator no mdix auto spanning-tree portfast
NPS Windows Server policy:
and
Hello Jim,
Try to use the domain host instead of multi-auth mode multiplayer.
Kind regards
Poonam Garg
-
First successful authorization ISE and then failure (MAB)
Hello
ISE 1.1.1 and switch using 3650 12.2 (55) SE6.
I have a client (computer) that needs to be authenticated with MAB and then to the port of the switch must be asigned a DACL and VLAN 90 list. I get
'Authorization successful' but directly after it fails and I cannot understand why. ISE shows only the authentication successful under "Authenticaions Live".
As you can se the rating below 802. 1 x fails, as it should be, and then pass the MAB, conditioned the VLAN and then fails:
0002SWC002 (config) #int fa0/13
0002SWC002(Config-if) #shut
0002SWC002(Config-if) #.
7 jan 13:26:59.640: % LINK-5-CHANGED: Interface FastEthernet0/13, changed state down administratively
7 jan 13:27:00.647: % LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state down
0002SWC002(Config-if) #no close
0002SWC002(Config-if) #.
7 jan 13:27:19.689: % LINK-3-UPDOWN: Interface FastEthernet0/13, changed State to down
7 jan 13:27:22.063: % LINK-3-UPDOWN: Interface FastEthernet0/13, changed State to
7 jan 13:27:22.776: % AUTHMGR-5-START: start "dot1x' for the client (f04d.a223.8f43) on the Interface Fa0/13 AuditSessionID 0A0005FC00000
020D7C192D1
7 jan 13:27:23.070: % LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed State to
7 jan 13:27:51.054: % DOT1X-5-FAIL: failure of authentication for the client (f04d.a223.8f43) on the Interface Fa0/13 AuditSessionID
7 jan 13:27:51.054: % AUTHMGR-7-RESULT: authentication result in 'no response' of 'dot1x' for the customer (f04d.a223.8f43) on the Interface
0/13 AuditSessionID 0A0005FC00000020D7C192D1
7 jan 13:27:51.054: % AUTHMGR-7-FAILOVER: failover "dot1x' for the client (f04d.a223.8f43) on the Interface Fa0/13 AuditSessionID 0
A0005FC00000020D7C192D1
7 jan 13:27:51.054: % AUTHMGR-5-START: start "mab" for the client (f04d.a223.8f43) on the Interface Fa0/13 AuditSessionID 0A0005FC0000002
0D7C192D1
7 jan 13:27:51.088: % MAB-5-SUCCESS: authentication successful for the client (f04d.a223.8f43) on the Interface Fa0/13 AuditSessionID A 0, 0005
FC00000020D7C192D1
7 jan 13:27:51.088: % AUTHMGR-7-RESULT: result of the authentication 'success' of 'mab' for the client (f04d.a223.8f43) on the Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
7 jan 13:27:51.088: % AUTHMGR-5-VLANASSIGN: 90 VLAN assigned to the Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
7 jan 13:27:51.096: % EMP-6-POLICY_REQ: IP 0.0.0.0. MAC f04d.a223.8f43 | AuditSessionID 0A0005FC00000020D7C192D1 | AUTHTYPE DOT1X | EVENTS APPLY
7 jan 13:27:51.096: % EMP-6-IPEVENT: IP 0.0.0.0. MAC f04d.a223.8f43 | AuditSessionID 0A0005FC00000020D7C192D1 | AUTHTYPE DOT1X | EVENT
IP-WAIT
7 jan 13:27:51.255: % AUTHMGR-5-SUCCESS: authorization succeeded for client (f04d.a223.8f43) on the Interface Fa0/13 AuditSessionID A 0, 00
05FC00000020D7C192D1
7 jan 13:27:52.027: % EMP-6-IPEVENT: IP 10.90.5.1 | MAC f04d.a223.8f43 | AuditSessionID 0A0005FC00000020D7C192D1 | AUTHTYPE DOT1X | ACE double entry of IP-ASSIGNMENTReplacing EVENT for the host 10.90.5.1
7 jan 13:27:52.036: % AUTHMGR-5-FAIL: failed authorization for customer (f04d.a223.8f43) on the Interface Fa0/13 AuditSessionID 0A0005FC00
000020D7C192D1
7 jan 13:27:52.036: % EMP-6-POLICY_REQ: IP 10.90.5.1 | MAC f04d.a223.8f43 | AuditSessionID 0A0005FC00000020D7C192D1 | AUTHTYPE DOT1X | REMOVAL OF THE EVENT
After that the process starts all over again.
It is the switch port configuration:
interface FastEthernet0/13
Description data/VoIP
switchport mode access
switchport voice vlan 20
switchport port-security
security violation restrict port switchport
IP access-group ACL-LEAVE in
SRR-queue bandwidth share 1 70 25 5
3 SRR-queue bandwidth shape 0 0 0
priority queue
authentication event fail following action method
action of death event authentication server allow voice
the host-mode multi-auth authentication
open authentication
authentication order dot1x mab
authentication priority dot1x mab
Auto control of the port of authentication
MAB
added mac-SNMP trap notification change
no link-status of snmp trap
dot1x EAP authenticator
dot1x tx-time 10
Storm-control broadcasts 2.00 1.00
Storm-control level multicast 2.00 1.00
stop storm-control action
Storm-control action trap
spanning tree portfast
service-policy input ax-qos_butnet
IP dhcp snooping limit 5 speed
end
Is there a problem with the client (computer) or ISE/switch?
No problem of Phillip,
Ultimately you want to leave the entries in the source for the dACL set with one, because the switch will replace those with the source ip address that he draws from the analysis of ip device.
Thank you
Tarik Admani
* Please note the useful messages *. -
MAB with Cisco Phone - authorization failed
Hello everyone,
I use MAB to authenticate customers and Cisco IP phones against a NPS Microsoft Radius server. Everything works perfectly, except for 1 phone Cisco. The phone is successfully authentication but authorization fails. The switch port has the following configuration.
switchport access vlan 500
switchport mode access
switchport nonegotiate
switchport voice vlan 92
no logging event link-status
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication control-direction in
authentication event server dead action authorize voice
authentication host-mode multi-domain
authentication port-control auto
authentication periodic
authentication timer reauthenticate 10800
authentication timer inactivity 1800
mab
no snmp trap link-status
mls qos trust device cisco-phone
mls qos trust cos
macro description mab
auto qos voip cisco-phone
storm-control broadcast level 5.00
storm-control action shutdown
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
I get the following RADIUS logging of the client authentication process.
May 7 15:24:53.349: RADIUS: 4D 8F 05 AB 00 00 01 37 00 01 02 00 0A 19 0A 84 00 00 00 00 00 00 00 00 00 00 00 00 01 CE 47 DF 2A A4 B3 70 00 00 00 00 00 00 5F 79 [ M7G*p_y]
May 7 15:24:53.349: RADIUS: Vendor, Cisco [26] 34
May 7 15:24:53.349: RADIUS: Cisco AVpair [1] 28 "device-traffic-class=voice"
May 7 15:24:53.358: RADIUS(00002749): Received from id 1645/128
May 7 15:24:53.366: %MAB-5-SUCCESS: Authentication successful for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
May 7 15:24:53.374: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
SER-02-SW01#clear authentication
May 7 15:24:53.383: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
I checked online and blogs and forums suggest to check the use of the downloadable access list, but they are not used in the switch. As mentioned, all Cisco IP phones works perfectly, except this one. I have already removed the Active Directory object and created a new object from scratch, but the same result. I also tried another port in the switch, yet an authorization failure.
Currently, I don't know where to look further, then maybe some of you can help me!
Thanks for the update of René. I have suggested for deactivation and reactivation of the dot1x in the world to see where it got stuck somewhere. However, it seems the thought is not okay. Would appreciate if you mark it resolved so that someone else can take advantages out of it.
Your welcome
Good day!
Jatin kone
-Does the rate of useful messages-
-
MAB DEVICES CONSUME MORE LICENSES
Dear team,
We have the ISE servers with basic license. We use the ISE services only to the Dot1x for users authentication and authentication for Cisco IP Phone MAB and printers on the network. We are assigning VLAN dynamic for all devices. AFAIK, MAB will consume only BASE license but now, MAB devices consume more Cisco ISE license.
We run ISE ver 2.0.0.306.
Please advise if anyone had faced this problem before.
Thank you best regards &,.
JALEEL LAJAN
Ok.
If you see 5 features contoured, ISE don't care on the point of view of license. There aren't any count in license OVER its use.
On your screenshot, you use a group of the printer which is a child of Registereddevices. I think you use this group on the rules of the ISE, all authentication/authorization, passing by this rule that MORE license.
You must create another group with no parent group and you'll never SEE license counters.
Hope this is clear.
PS: Please do not forget to rate and score as good response if this solves your problem
Maybe you are looking for
-
IPhone 6 - How will I know what apps are underway in the background?
IPhone 6 - How will I know what apps are underway in the background?
-
A couple of years ago I bought a Hewlett Packard PhotoSmart 215 digital camera. It came with a software disc with a program of type PhotoShop pretty cool and easy to use (on a separate disk). Over the years that I've updated the computers I always r
-
my windows calendar has stopped notification. Is there a software patch or download?
I'm running Vista 64
-
Drive hard bad - WHY DO IF I need TO PURCHASE Windows 7 NEW!
The desktop (Pavillion Slimline HP) isn't even 3 years. The hard drive takes a powder, now I have to replace it and buy Windows 7 - I remember when used to come up with a new computer operating system CD. I'm sure this topic has been beaten to death
-
I've have a radon hd4200 card. I use the more updated version of AMD vision control 2012.0704.122.388 this is me have fitted with a radon hd4200 card. I use the most current version of st avaiable. Windows Update continues to try to re - install t