I am writing in response to a MAB issue which I noticed a few days ago, and I am still not able to understand what exactly happened. First of all I would like to say that I configured MAB authentication and, according to the MAC, ISE configures a VLAN. All worked well: the test computer can change VLAN based on its MAC. The problem appears when I cut the connection to the ISE server. According to the configuration, the switch authorizes the new device to VLAN 11 (critical VLAN). That is fine! When the ISE server is up again I had a configuration which should reauthorize all ports assigned to the critical VLAN. But why does that not happen??? It looks as if the switch didn't notice that the RADIUS (ISE) was up and working again.
Here is the test switch configuration:
switchport access vlan 10
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan 11
authentication event server alive action reinitialize
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication violation restrict
dot1x pae authenticator
spanning-tree bpduguard enable
snmp-server community ISE-Test RO
snmp-server community ISE-Test1 RW
snmp-server trap-source FastEthernet0/24
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 192.168.98.10 auth-port 1812 acct-port 1813 key cisco123
radius-server vsa send accounting
radius-server vsa send authentication
Thank you in advance! I hope that this issue might be interesting!
What version of code are you running on your switch? Also, can you confirm that the ISE nodes are showing up when you issue "show aaa servers"?
Version: 12.2(55)SE
I am not using that command, but I think that the switch noticed ISE is up because when I connect the other (second) end device (on a different switch port) it is authorized and all works well, but the current one which is put in the critical VLAN is still there. It can only change this state when the reauthentication timer expires and it reauthenticates.
Take a look at the compatibility matrix for ISE:
The 3750v is not specifically listed but it is supported under the 3750 family. However, if you are getting new switches, I would highly recommend that you go with the 3850s.
Thank you for rating helpful posts!
Kindly review the below link:
"Ensure the Cisco IOS release on the switch is equal to or more recent than Cisco
IOS Release 12.2.(53)SE."
I would like to confirm that the switch version is newer than 12.2(53)SE; I think the version used was 12.2(55)SE.
Could you please provide the debugs to investigate this issue?
You need to run the following debugs:
debug dot1x all
debug aaa authen
Duplicate the issue at will (if possible) and share the outputs.
**Do rate helpful posts**
I reproduced the issue again. The whole switch session is attached; the debug output is there too.
Can you confirm that you have the following syntax in your NAD:
aaa server radius dynamic-author
client 192.168.98.10 server-key AAA_Secret
Also, it would be nice to have the complete aaa/radius config. If easier, post your whole config here.
Last but not least, you can try moving to 15.x code. I had issues in the past with 12.x code and 802.1x.
As I mentioned in my previous post to Jatin, I reproduced the same case and the whole session (including the running config) is attached to the discussion.
Regarding your question: aaa server radius dynamic-author is there, but now the ISE server's IP is different.
If you wish, you can review the configuration, debug output and some other command outputs in the attached document. The issue is the same.
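Added example (not taken from the thread or its attachment): the `server alive action reinitialize` event only fires when the switch itself sees the RADIUS server go from dead to alive, which needs a deadtime and an automated test probe on the server definition in addition to the dead-criteria the original config already has. The interface name, the test username `probe-user`, the idle time and the deadtime value are assumptions chosen for illustration; the server IP, key and VLANs are the ones from the thread.

```cisco
! Added example: RADIUS dead/alive detection so critical-VLAN ports recover.
! Values are constructed for illustration and are not the poster's config.
!
! Mark the server dead after 3 unanswered tries within 5 seconds (as in the
! thread's config) ...
radius-server dead-criteria time 5 tries 3
! ... and hold it in the dead state for 1 minute. Cisco's inaccessible
! authentication bypass guidance requires a deadtime; the default is 0.
radius-server deadtime 1
! Send a test Access-Request for "probe-user" (assumed name) when the server
! has been idle for 1 minute, so the switch notices the server is reachable
! again without waiting for a real endpoint to authenticate. The probe only
! needs a reply; ISE rejecting the unknown user still counts as alive.
radius-server host 192.168.98.10 auth-port 1812 acct-port 1813 test username probe-user idle-time 1 ignore-acct-port key cisco123
!
! Change-of-authorization client, as asked about in the thread (key assumed):
aaa server radius dynamic-author
 client 192.168.98.10 server-key cisco123
!
! Port side, matching the thread's interface config; interface name assumed.
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 authentication event fail action next-method
 authentication event server dead action authorize vlan 11
 authentication event server alive action reinitialize
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 spanning-tree bpduguard enable
!
! Verification after the ISE link is cut and restored:
!   show aaa servers                       -> State should go DEAD, then UP
!   show authentication sessions interface FastEthernet0/1
!     -> the session should leave the critical VLAN after the alive event
```

Watch the `State` field of `show aaa servers` while the ISE link is down and after it comes back; if it never reports DEAD, the alive transition that drives `reinitialize` cannot occur, whatever the interface configuration says.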