3270 Views | 5 Helpful | 5 Replies

ISE mab authentication with Avaya/Nortel switches

Glnc66inc (Level 1)

Currently using Cisco ISE 1.1 to authenticate both dot1x and mab from Cisco switches. Both features are authenticating properly.

When we use a Nortel/Avaya switch for the authenticator, we are unable to authenticate using mac bypass (non-eap (or neap) in Avaya talk..). The correct authentication policy is found in the ISE, but the mac address is not found in the database. We know it is there because the same mac is authenticating with the Cisco switch. Dot1x authenticates properly from both the Cisco and Avaya authenticators.

Could this be an issue with the username/password format in the Radius packet from the Cisco?

Thanks in advance for any assistance.

-Kurt

5 Replies

Tarik Admani (VIP Alumni)

Kurt,

On your probe configuration, do you have the radius probe configured? If so, one way to take a look at the radius packet and decrypt the password is to compare the two transactions.

You can take a capture by using the tcpdump tool under the Operations > Diagnostic tools > General Tools > TCPDump.

You can enter the filter "ip host " after setting the option for raw packet data. Once you are able to test with the Cisco switch, stop the capture, download it, and do it again using the Avaya switch.

You can then open the packet capture using Wireshark, and in the preferences tab you can select the radius protocol and set the shared secret, which will decrypt the password so you can see what it is. You can also compare how the packet is being sent from one switch versus the other.

thanks,

Tarik Admani
*Please rate helpful posts*

Glnc66inc (Level 1)

The problem is with the ISE platform. As it turns out, Cisco is not using the correct radius attribute (as stated in the radius RFC). They are using a Cisco attribute that other vendors are not using.

This bug will be fixed in the 2.x release this spring.

Kurt, do you have a bug ID for this? It will be nice to have this reference

As requested...

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCuc22732

MAB works from a Cisco switch because the Cisco switch places the mac address in both the calling-station attribute and the user-name attribute. The Cisco ISE platform is looking at the calling-station attribute to find the user name. This is the problem.

The radius RFC says the user name must be in the user-name attribute. The calling-station-attribute is not a required field and is used for the phone number of a voip phone. Basically, the ISE platform is looking at the wrong field for the mac address.

Thank you for sharing that Kurt (+5) from me. Also, if your issue is resolved please mark the thread as close.
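The following is an added worked example, not code from the thread, from Cisco, or from Avaya. It ties together Tarik's suggestion (capture both transactions, decrypt User-Password with the shared secret, compare attributes) and Kurt's explanation (the MAC lands in User-Name per RFC 2865, while ISE 1.1 keyed on Calling-Station-Id). It builds two constructed Access-Requests, parses them with a small RFC 2865 attribute parser, reverses the User-Password hiding the same way Wireshark does, and runs a MAB lookup keyed on each attribute so the Avaya failure reproduces on paper. The shared secret, the fixed Request Authenticator, the endpoint database and the assumption that the Avaya NAS sends the MAC only in User-Name are all constructed for the example.

```python
import hashlib
import struct

# RADIUS attribute type codes from RFC 2865
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2
CALLING_STATION_ID = 31

# Constructed values for the example: a made-up shared secret and a fixed
# Request Authenticator (a real NAS picks 16 fresh random bytes per request).
SECRET = b"example-secret"
AUTHENTICATOR = bytes(range(16))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to 16-byte blocks, then
    c(i) = p(i) XOR MD5(secret + c(i-1)) with c(0) = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password: what Wireshark does once you enter the
    shared secret under the RADIUS protocol preferences. Padding NULs are stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(x ^ y for x, y in zip(block, keystream)), block
    return out.rstrip(b"\x00")


def build_access_request(attrs: list, identifier: int = 1) -> bytes:
    """Serialise an Access-Request from (type, value) pairs (RFC 2865 section 3)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + AUTHENTICATOR + body


def parse_radius(packet: bytes) -> dict:
    """Parse header and TLV attributes, rejecting the truncations a sloppy NAS can send."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": identifier, "authenticator": packet[4:20], "attrs": attrs}


def normalize_mac(text: str) -> str:
    """Canonical endpoint key: 12 lowercase hex digits, separators dropped."""
    digits = "".join(ch for ch in text.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


def mab_lookup(packet: bytes, endpoint_db: dict, key_attr: int = USER_NAME):
    """Resolve a MAB endpoint. key_attr=USER_NAME is the RFC 2865 behaviour;
    key_attr=CALLING_STATION_ID mimics the ISE 1.1 behaviour the thread describes."""
    values = [v for t, v in parse_radius(packet)["attrs"] if t == key_attr]
    if not values:
        return None
    try:
        return endpoint_db.get(normalize_mac(values[0].decode("ascii", "replace")))
    except ValueError:
        return None


ENDPOINT_DB = {"001122aabbcc": "printer-vlan"}  # constructed identity store

# Constructed Cisco-style MAB request: MAC in both User-Name and Calling-Station-Id.
CISCO_REQUEST = build_access_request([
    (USER_NAME, b"001122aabbcc"),
    (USER_PASSWORD, hide_user_password(b"001122aabbcc", SECRET, AUTHENTICATOR)),
    (CALLING_STATION_ID, b"00-11-22-AA-BB-CC"),
])

# Constructed Avaya-style NEAP request, assumed (not confirmed by the thread) to
# carry the MAC only in User-Name, which is all RFC 2865 requires.
AVAYA_REQUEST = build_access_request([
    (USER_NAME, b"00:11:22:aa:bb:cc"),
    (USER_PASSWORD, hide_user_password(b"00:11:22:aa:bb:cc", SECRET, AUTHENTICATOR)),
])


def compare_requests(secret: bytes = SECRET) -> dict:
    """Side-by-side view of the two transactions, as Tarik suggests building from captures."""
    report = {}
    for nas, pkt in (("cisco", CISCO_REQUEST), ("avaya", AVAYA_REQUEST)):
        parsed = parse_radius(pkt)
        attrs = dict(parsed["attrs"])  # one value per attribute type is enough here
        report[nas] = {
            "user_name": attrs.get(USER_NAME, b"").decode(),
            "calling_station_id": attrs.get(CALLING_STATION_ID, b"").decode(),
            "user_password": reveal_user_password(attrs[USER_PASSWORD], secret, parsed["authenticator"]).decode(),
            "rfc_lookup": mab_lookup(pkt, ENDPOINT_DB, USER_NAME),
            "ise11_lookup": mab_lookup(pkt, ENDPOINT_DB, CALLING_STATION_ID),
        }
    return report


if __name__ == "__main__":
    for nas, row in compare_requests().items():
        print(nas, row)
```

Running it shows both requests decrypting to the same MAC in User-Password and both resolving under the User-Name lookup, while only the Cisco request resolves under the Calling-Station-Id lookup, which is exactly the "policy matched, endpoint not found" symptom from the original post. The parser's length checks are there because a capture of a misbehaving NAS is precisely where malformed attributes turn up.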
