MAB: Cisco phone successfully authenticated, VLAN assigned, and authorization failed?
I'm getting strange behavior with a Catalyst switch and 802.1X. I use multi-auth, with a PC and a Cisco phone patched in. The two devices authenticate correctly, but only the PC is allowed, judging by the switch logs.
Switch terminal logs:
Apr 7 09:27:37.836 EDT: %AUTHMGR-5-START: Starting 'mab' for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09
Apr 7 09:27:37.945 EDT: %MAB-5-SUCCESS: Authentication successful for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09
Apr 7 09:27:37.945 EDT: %AUTHMGR-5-VLANASSIGN: VLAN 100 assigned to Interface Fa0/1 AuditSessionID Unassigned
Apr 7 09:27:37.970 EDT: %AUTHMGR-5-FAIL: Authorization failed for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09
Apr 7 09:27:39.295 EDT: %AUTHMGR-5-START: Starting 'dot1x' for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082
Apr 7 09:27:43.775 EDT: %DOT1X-5-SUCCESS: Authentication successful for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID
Apr 7 09:27:43.783 EDT: %AUTHMGR-5-VLANASSIGN: VLAN 212 assigned to Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082
Apr 7 09:27:45.570 EDT: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082
Switch config:
aaa authentication dot1x default group RADIUS-DOT1X
aaa authorization network default group radius
ip radius source-interface Loopback0
radius-server vsa send accounting
radius-server vsa send authentication
dot1x system-auth-control
dot1x guest-vlan supplicant
Interface configuration:
interface FastEthernet0/1
 switchport mode access
 srr-queue bandwidth share 10 10 60 20
 priority-queue out
 authentication event fail action next-method
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 999
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation protect
 mab
 mls qos trust cos
 auto qos voip trust
 dot1x pae authenticator
 no mdix auto
 spanning-tree portfast
NPS Windows Server policy: [screenshots not reproduced]
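As an added example (not code from the original post or from Cisco), here is a Python log correlator for the %AUTHMGR/%MAB/%DOT1X syslog lines shown above: it groups events per AuditSessionID, attributes a VLANASSIGN logged with session ID "Unassigned" to the pending session on that interface, and flags sessions that authenticated but then failed authorization, which is the symptom in the question. The sample log is constructed from the events in the question; the regexes and the pending-session heuristic are assumptions of this example, not documented switch behaviour.

```python
import re

# Constructed sample: the question's syslog sequence (phone via MAB, then PC via dot1x), one event per line.
SAMPLE_LOG = """\
Apr 7 09:27:37.836 EDT: %AUTHMGR-5-START: Starting 'mab' for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09
Apr 7 09:27:37.945 EDT: %MAB-5-SUCCESS: Authentication successful for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09
Apr 7 09:27:37.945 EDT: %AUTHMGR-5-VLANASSIGN: VLAN 100 assigned to Interface Fa0/1 AuditSessionID Unassigned
Apr 7 09:27:37.970 EDT: %AUTHMGR-5-FAIL: Authorization failed for client (001b.d585.205e) on Interface Fa0/1 AuditSessionID 0A0A050E000003B93EBE2E09
Apr 7 09:27:39.295 EDT: %AUTHMGR-5-START: Starting 'dot1x' for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082
Apr 7 09:27:43.775 EDT: %DOT1X-5-SUCCESS: Authentication successful for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082
Apr 7 09:27:43.783 EDT: %AUTHMGR-5-VLANASSIGN: VLAN 212 assigned to Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082
Apr 7 09:27:45.570 EDT: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0015.c547.7069) on Interface Fa0/1 AuditSessionID 0A0A050E000003BA3EBE5082
"""

MNEMONIC = re.compile(r"%([A-Z0-9]+-\d-[A-Z]+): (.*)$")
FIELDS = {  # sub-fields pulled from the message text when present (assumed formats, from the lines above)
    "mac": re.compile(r"client \(([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\)"),
    "iface": re.compile(r"Interface (\S+)"),
    "sid": re.compile(r"AuditSessionID (\S+)"),
    "method": re.compile(r"Starting '(\w+)'"),
    "vlan": re.compile(r"VLAN (\d+) assigned"),
}
OUTCOME = {"MAB-5-SUCCESS": ("authn", "success"), "DOT1X-5-SUCCESS": ("authn", "success"),
           "AUTHMGR-5-SUCCESS": ("authz", "succeeded"), "AUTHMGR-5-FAIL": ("authz", "failed")}

def parse_line(line):  # mnemonic plus whatever fields the line carries; None for non-event lines
    m = MNEMONIC.search(line)
    if not m:
        return None
    return {"mnemonic": m.group(1), **{k: f.group(1) for k, rx in FIELDS.items() if (f := rx.search(m.group(2)))}}

def session_outcomes(log_text):
    """Correlate events per AuditSessionID. A VLANASSIGN logged as 'Unassigned' cannot be matched
    by ID, so (heuristic) it is attributed to the newest session on that interface with no
    authorization result yet and flagged vlan_bound=False (the phone's case in the question)."""
    sessions = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or "sid" not in ev:  # non-event line, or session ID missing: nothing to correlate on
            continue
        kind, sid = ev["mnemonic"], ev["sid"]
        if kind == "AUTHMGR-5-VLANASSIGN" and sid == "Unassigned":
            pending = [s for s in sessions.values() if s["iface"] == ev["iface"] and s["authz"] is None]
            if pending:
                pending[-1].update(vlan=ev["vlan"], vlan_bound=False)
            continue
        s = sessions.setdefault(sid, dict(sid=sid, mac=None, iface=ev.get("iface"), method=None,
                                          authn=None, vlan=None, vlan_bound=None, authz=None))
        s["mac"] = ev.get("mac", s["mac"])
        if kind == "AUTHMGR-5-START":
            s["method"] = ev["method"]
        elif kind == "AUTHMGR-5-VLANASSIGN":
            s.update(vlan=ev["vlan"], vlan_bound=True)
        elif kind in OUTCOME:
            s[OUTCOME[kind][0]] = OUTCOME[kind][1]
    return sessions

def authenticated_but_unauthorized(log_text):
    """Detection rule for the thread's symptom: credential check passed but authorization failed."""
    return [s for s in session_outcomes(log_text).values() if s["authn"] == "success" and s["authz"] == "failed"]
```

Running `authenticated_but_unauthorized(SAMPLE_LOG)` returns only the phone's session (MAB, VLAN 100, vlan_bound False), while the PC's dot1x session correlates cleanly with VLAN 212 bound to its own session ID.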
Hello Jim,
Try using multi-domain host mode instead of multi-auth host mode.
Kind regards
Poonam Garg
Tags: Cisco Security
Similar Questions
-
MAB with Cisco Phone - authorization failed
Hello everyone,
I use MAB to authenticate clients and Cisco IP phones against a Microsoft NPS RADIUS server. Everything works perfectly, except for one Cisco phone. The phone authenticates successfully but authorization fails. The switch port has the following configuration.
switchport access vlan 500
switchport mode access
switchport nonegotiate
switchport voice vlan 92
no logging event link-status
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication control-direction in
authentication event server dead action authorize voice
authentication host-mode multi-domain
authentication port-control auto
authentication periodic
authentication timer reauthenticate 10800
authentication timer inactivity 1800
mab
no snmp trap link-status
mls qos trust device cisco-phone
mls qos trust cos
macro description mab
auto qos voip cisco-phone
storm-control broadcast level 5.00
storm-control action shutdown
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
I get the following RADIUS logging of the client authentication process.
May 7 15:24:53.349: RADIUS: 4D 8F 05 AB 00 00 01 37 00 01 02 00 0A 19 0A 84 00 00 00 00 00 00 00 00 00 00 00 00 01 CE 47 DF 2A A4 B3 70 00 00 00 00 00 00 5F 79 [ M7G*p_y]
May 7 15:24:53.349: RADIUS: Vendor, Cisco [26] 34
May 7 15:24:53.349: RADIUS: Cisco AVpair [1] 28 "device-traffic-class=voice"
May 7 15:24:53.358: RADIUS(00002749): Received from id 1645/128
May 7 15:24:53.366: %MAB-5-SUCCESS: Authentication successful for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
May 7 15:24:53.374: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
SER-02-SW01#clear authentication
May 7 15:24:53.383: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
I checked online, and blogs and forums suggest checking the use of downloadable access lists, but they are not used on the switch. As mentioned, all Cisco IP phones work perfectly except this one. I have already removed the Active Directory object and created a new one from scratch, but with the same result. I also tried another port on the switch, still an authorization failure.
Currently I don't know where to look further, so maybe some of you can help me!
Thanks for the update, René. I had suggested deactivating and reactivating dot1x globally to see where it was getting stuck. However, it seems that idea is not okay. I would appreciate it if you mark it resolved so that someone else can take advantage of it.
You're welcome
Good day!
Jatin kone
- Do rate helpful posts -
-
802.1X authentication with RADIUS and Win7 MAB
Good afternoon!
I have a question about 802.1X. I've set up a lab in which I configured MAB authentication with 802.1X, but I'm seeing weird behavior from my network adapter. On the switch (4948E), I see that the user is authenticated and authorized, and I see these outputs on my switch:
*Apr 21 15:13:30.263: %AUTHMGR-5-START: Starting 'mab' for client (a01d.48ac.b7f5) on Interface Gi1/11 AuditSessionID C0A8DF9C0000002E002F3DAC
*Apr 21 15:13:30.267: %MAB-5-SUCCESS: Authentication successful for client (a01d.48ac.b7f5) on Interface Gi1/11 AuditSessionID C0A8DF9C0000002E002F3DAC
*Apr 21 15:13:30.267: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (a01d.48ac.b7f5) on Interface Gi1/11 AuditSessionID C0A8DF9C0000002E002F3DAC
*Apr 21 15:13:31.299: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (a01d.48ac.b7f5) on Interface Gi1/11 AuditSessionID C0A8DF9C0000002E002F3DAC
If I type "show authentication sessions", this is the corresponding output.
Switch#show authentication sessions
Interface  MAC Address     Method  Domain  Status         Session ID
Gi1/11     a01d.48ac.b7f5  mab     DATA    Authz Success  C0A8DF9C0000002E002F3DAC
The thing is that when I check my network adapter, it says "authentication failed". This is what I've done so far:
1. I restarted my PC: same behavior.
2. I disabled and enabled my network adapter: same behavior.
3. I rebooted the switch and re-configured it: same behavior.
4. I tried with another PC configuration: same behavior.
5. I changed the "user authentication" configuration to use the dot1x EAP authenticator and it worked.
This is the configuration I have on my switch:
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa session-id common
dot1x system-auth-control
!
Switch#show run int gigabitEthernet 1/11
Building configuration...
Current configuration: 128 bytes
!
interface GigabitEthernet1/11
 description Cx-to-Host
 switchport access vlan 223
 switchport mode access
 authentication port-control auto
 mab
end
This is the first time I'm setting up an 802.1X configuration. Am I doing something wrong?
I really hope that I am not the only one with this kind of behavior!
Thank you for any assistance you can give me!
Status: Authz success
This means that the port is open. Is this permanent? Keep looking at the show output for a few minutes to see if it tries dot1x too. Can you ping from the PC?
Since 802.1X authentication is enabled in the properties of the PC's network adapter, you can expect the dot1x method to run on the switch and eventually respond to the computer with an auth fail. Authentication in the PC's adapter properties is not necessary for MAB.
What type of RADIUS server do you use, and is there an 802.1X policy in addition to the MAB policy?
IP address: unknown
This means that the switch did not learn the IP address of the host, probably because the "ip device tracking" command is missing. But it is not necessary for plain MAB or dot1x.
-
Hello!
I'm currently deploying Cisco ACS 5.4 on our network and I'm looking into some additional measures to secure authentication and authorization to the devices.
I would like to ask if anyone has any advice on the following, as I may be embarrassing myself by doing it this way.
Right now the users are authenticated with an external identity store (Active Directory). I would like to know if there's a way to also authenticate these users, or allow them, in ACS, so that when the IT department adds a user who should not be in a group, but the group is authorized to a set of devices, this user will not be able to access the devices.
A simpler explanation is as follows.
(The groups are fictional.)
I have a group in AD called "Engineers" that contains 2 users, user A and user B.
Engineers have a shell profile on ACS that gives superuser permissions/privileges on the devices.
However, Active Directory is managed by the IT department, which could be socially engineered into adding a user C to this group.
What I need to know is a way to allow user A and user B to access devices while maintaining the shell profile with the AD group "Engineers".
I am aware of the conditions available in authorization rules/profiles. Does that mean I have to create both local users and assign their passwords as well?
I'm a bit confused, as you can see...
Any help will be greatly appreciated!
Thank you!
Because user C would be added to the same group that already contains users A and B, and the authorization rule is configured to grant root access to users A and B because they belong to the engineering group, user C will also be granted this access.
ACS has no way to know which users should be members of the engineering group, nor can it detect that user C has been successfully added.
If you want to use the AD credentials and at the same time maintain a canonical list of users for ACS to check, you will need to create local ACS users, as you suggested above.
-
I need to set a phone password on my Cisco phone. I already have the administration password.
Someone can call from my phone when I'm not at my seat. So I need to set a password for my own good.
Please help me find a solution.
Thank you
Jayan
Hello
Google 'extension mobility'.
With this feature, you can configure the phone's base line to only be able to dial internally. When you log in, your line settings and DN are applied, which can dial outside.
Regards
Aaron
-
Cisco ACS wireless authentication
Hello guys,
I'm testing wireless authentication and authorization for my wireless users via ACS 4.2. I have the ACS 4.2 trial on Windows 2003 for the test. I also have a WLC 5508 and a 3602i in my lab. My AD/NPS and CA are Windows 2008 R2.
Windows 2003 is part of the domain, and in ACS I go to External User Databases > Database Configuration > Windows Database > Configure.
From there, I chose my domain name and selected the EAP-TLS machine authentication option. I've also mapped the domain to the group I created in ACS.
I also use the default RADIUS ports 1812 and 1813 on ACS.
On my WLC 5508, I created a WLAN and set the RADIUS IP to the IP address of the ACS. However, when I tried to join the wireless network, it kept failing.
I installed the user certificate on the laptop for EAP-TLS. If I changed the RADIUS server on the WLAN and pointed it to my AD/NPS, my test laptop was able to join the wireless network through EAP-TLS.
I'm a little confused about ACS TACACS+. Is TACACS+ only used for logging in to network devices for management, or can it be used for regular users for authentication and authorization?
For example, a wireless user who is part of the domain needs to join the corporate wireless network in his office. Can I use TACACS+ for that, or must it be RADIUS via ACS 4.2?
Thank you
Yes, that's true, and it applies to wired as well.
On ACS, please add the WLC as an AAA client with RADIUS (Cisco Airespace).
Configuration of WLC and ACS for RADIUS settings:
http://www.Cisco.com/en/us/Tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml
You can visit the listed link below to install the certificate on ACS 4.2
~ BR
Jatin kone * Do rate helpful posts *
-
BlackBerry Smartphones: first smartphone and I am confused - loads of questions
So, I am trying to get a handle on this new BlackBerry. I'm upgrading from a Motorola RAZR V3 and the learning curve is steeper than I expected.
I bought it unlocked on amazon.com and slipped my T-Mobile Prepaid SIM inside (no data plan). I managed to get my contacts in there (not perfectly, but they are there). I figured out how to phone and text (yay).
After a few tries, I finally convinced my router it was OK for the BlackBerry to connect. I understood that I must use the Hotspot Browser for surfing the net via my wifi connection, and I successfully went to gmail and my personal site.
First question: how do I zoom a page?
Second, I think I can surf very well, but when I check the status, WiFi is not checked, it has a dash. I'm sure it had a tick when I first set it up last night. What is the dash and how do I fix this?
Where my real problem is, is setting up email - when I go to the email configuration, I only get the choice of "corporate email". It is not useful.
I need to understand better what the limits of the unit are regarding internet access - I thought I could use it like my iPod Touch, which of course has *only* wifi. I've set up email on that, no problem. I have read in various places that it does not require a data plan for email; in other places, that it takes a data plan to "use the wifi". Well, what for, since I can surf the net fine?
I could also use some advice on how to get additional applications, and whether they will work through the phone connection, wifi, both or neither.
Oh! And one of the reasons I bought this particular phone is that it supports UMA - this is supposed to switch to WiFi during a call if the cell signal is too low. My cell signal in my house sucks (even with a cell extender). So, on a device with no data plan but strong WiFi, will that function work?
Sorry for so many questions, hope y'all can help me!
travelcat
JSanders wrote:
Hello and welcome to the BlackBerry.com Support Forums.
All (or almost all) your questions can be answered in one sentence.
You need the BlackBerry Data Plan on your account. It will not work on a prepaid account. As simple as that.
With THE BlackBerry Data Plan: email, browser set, full functionality, UMA WiFi calling AND its cute little check mark in the WiFi setup.
Wait - what about applications? Apps won't work with WiFi either? Why not? My iPod Touch apps do...
I spend $100 per YEAR for phone access. T-Mobile wants me to pay $40 a month for a BlackBerry data plan. Phooey.
-
I had to get a new phone because I dropped one and damaged the screen. How am I supposed to remove the information from the old phone if I don't?
Are you turning in the device to Apple, a company or the insurer? Can you turn on the device? If so, you could try to send an erase command with iCloud. If not, and you're dealing with Apple, they will wipe it. If the only damage is the screen, don't you just want the screen replaced?
-
Had a cracked screen but the phone still worked. Today the screen became white, and the phone rang again. Did a hard reset and now the phone is completely turned off and will not turn on - not even the red battery icon is displayed.
It's broken. Make an appointment at the Genius Bar and get it fixed / replaced. There are no magic words that will do it.
-
I have set up my school proxy settings and use them very often. On some websites, ads continue to use these proxy settings (probably to show me ads based on my preferences, or I don't know), and I get the message "Authentication required" time and time again before the page finishes loading. It's annoying because if I have several tabs open and am currently on another page while the website with the ads loads, I'm brought back to that page to authenticate. I can get asked 3 times to authenticate while that page loads, and it takes forever to load because of this. I don't want to disable my proxy settings because I use them very often. I tried to uncheck "Accept cookies from websites" and nothing changes, it's always the same. I want these ads to stop going through my proxy settings. How do I do that?
Hello
You can try the Adblock Plus add-on. In addition to subscriptions, you can manually add URL patterns or click on an ad to add a filter.
-
How can I reset my "authentication required" username and password? The fields are always filled with my old information.
Follow these steps to delete saved (form) data from a drop-down list:
- Click on the (empty) input field on the web page to open the drop-down list
- Select an entry in the drop-down list
- Press the Delete key (on a Mac: Shift+Delete) to remove it.
- Tools > Options > Security: Passwords: "Saved Passwords" > "Show Passwords".
You may also need to clear the cookies from this site, if you checked a box to remember you.
-
Hi, I want to erase all the data from my current phone. If I erase content and settings, would all the data on my SIM card be deleted too? Thanks for your help
Erasing the data on your phone will not erase the data on the SIM card.
-
I just bought an iPhone 6s and am not yet in possession of the SIM card. Do you know if I can use the phone, including applications, via WiFi and put the SIM card in later? Thank you. Renault JL
No, because if you bought a new iPhone, then you need a SIM card to activate it before you can use the WiFi applications.
This is a phone after all; you can't do without a SIM card to be able to activate it.
-
My wife and I both have phones and an iPad on her account. iCloud and iTunes are her accounts and we both use the same ones for sharing photos and contacts. My phone thinks I'm her, and when I get calls or texts from others she sees/gets them. Can we set things up so that we share our contacts, photos and account/billing but have our own identity on our phones etc.?
Stop sharing an account. Use Family Sharing and set up an ID for each of you.
-
My phone has a gray spot that goes away but always comes back, and my phone is bulging. When I try to press, vertical lines appear so I can't press.
Is that an iPhone 5? If so, you may have a swelling battery which is pushing the screen, and that may have caused damage to the screen.