ISE mab authentication with Avaya/Nortel switches

Currently using Cisco ISE 1.1 to authenticate both dot1x and MAB from Cisco switches. Both features are authenticating properly.

When we use a Nortel/Avaya switch as the authenticator, we are unable to authenticate using MAC bypass (non-EAP, or NEAP, in Avaya terms). The correct authentication policy is found in the ISE, but the MAC address is not found in the database. We know it is there because the same MAC is authenticating with the Cisco switch. Dot1x authenticates properly from both the Cisco and Avaya authenticators.

Could this be an issue with the username/password format in the RADIUS packet from the Cisco?

Thanks in advance for any assistance.

-Kurt



Kurt,

On your probe configuration, do you have the RADIUS probe configured? If so, one way to take a look at the RADIUS packet and decrypt the password would be to compare the two transactions.

You can take a capture by using the tcpdump tool under the Operations > Diagnostic tools > General Tools > TCPDump.

You can enter the filter "ip host " after setting the option for raw packet data. Once you are able to test with the Cisco switch, stop the capture, download it, and do it again using the Avaya switch.

You can then open the packet capture in Wireshark. In the preferences you can select the RADIUS protocol and set the shared secret, which will decrypt the password so you can see what it is. You can also compare how the packet is being sent from one switch versus the other.

thanks,

Tarik Admani
*Please rate helpful posts*

New Member


The problem is with the ISE platform. As it turns out, Cisco is not using the correct RADIUS attribute (as stated in the RADIUS RFC). They are using a Cisco attribute that other vendors are not using.

This bug will be fixed in the 2.x release this spring.

Cisco Employee


Kurt, do you have a bug ID for this? It would be nice to have this reference.

Thank you for rating helpful posts!
New Member


As requested...

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCuc22732

MAB works from a Cisco switch because the Cisco switch places the MAC address in both the calling-station attribute and the user-name attribute. The Cisco ISE platform is looking at the calling-station attribute to find the user name. This is the problem.

The RADIUS RFC says the user name must be in the user-name attribute. The calling-station attribute is not a required field and is used for the phone number of a VoIP phone. Basically, the ISE platform is looking at the wrong field for the MAC address.
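The following is an added example, not code from the thread, from Cisco or from Avaya. It does offline what Tarik's Wireshark procedure above does (decrypt the RADIUS User-Password with the shared secret, RFC 2865 section 5.2) and then applies the attribute comparison Kurt describes: it parses two constructed Access-Request packets, one shaped like a Cisco IOS MAB request with the MAC in User-Name, User-Password and Calling-Station-Id, and one shaped like a non-EAP request that carries the MAC in User-Name and User-Password only. The second packet's attribute set, the shared secret, the Request Authenticator and the endpoint table are all assumptions made for illustration; the real attribute set of an Avaya/Nortel request should be read from a capture as Tarik suggests. The `ise_lookup` function is a stand-in for the endpoint lookup, parameterised on which attribute it reads, so the two behaviours Kurt contrasts can be run side by side.

```python
import hashlib
import struct
from typing import Dict, List, Optional, Tuple

# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2
CALLING_STATION_ID = 31


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block),
    where the 'previous block' of the first block is the Request Authenticator."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def decrypt_user_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encrypt_user_password; this is what Wireshark does once the shared secret is set.
    Trailing NUL padding is stripped, which is what a MAB password (a MAC string) expects."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        out += _xor(cipher[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, authenticator: bytes,
                         attrs: List[Tuple[int, bytes]]) -> bytes:
    """Serialise an Access-Request: code, identifier, length, authenticator, then TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def parse_radius(packet: bytes) -> Tuple[int, bytes, Dict[int, bytes]]:
    """Parse the fixed header and the attribute TLVs, rejecting malformed lengths."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    attrs: Dict[int, bytes] = {}
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]  # last occurrence wins; enough for this check
        pos += alen
    return code, packet[4:20], attrs


def normalize_mac(value: Optional[bytes]) -> Optional[str]:
    """Make 00-11-22-33-44-55, 0011.2233.4455 and 001122334455 compare equal;
    return None when the value is not a 48-bit MAC (e.g. a phone number in Calling-Station-Id)."""
    if value is None:
        return None
    digits = "".join(c for c in value.decode("ascii", "replace").lower() if c not in ":-.")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        return None
    return digits


def mab_identity(packet: bytes, secret: bytes) -> Dict[str, Optional[object]]:
    """Extract everything an admin would compare between the two captures."""
    _code, authenticator, attrs = parse_radius(packet)
    pw = attrs.get(USER_PASSWORD)
    return {
        "user_name": attrs.get(USER_NAME),
        "calling_station_id": attrs.get(CALLING_STATION_ID),
        "password": decrypt_user_password(pw, secret, authenticator) if pw else None,
        "mac_from_user_name": normalize_mac(attrs.get(USER_NAME)),
        "mac_from_calling_station": normalize_mac(attrs.get(CALLING_STATION_ID)),
    }


# Constructed endpoint table standing in for the ISE internal endpoint database.
KNOWN_ENDPOINTS = {"001122334455"}


def ise_lookup(identity: Dict[str, Optional[object]], source: str) -> bool:
    """source='calling_station' models the ISE 1.1 behaviour Kurt describes;
    source='user_name' models the RFC User-Name lookup."""
    key = "mac_from_calling_station" if source == "calling_station" else "mac_from_user_name"
    return identity[key] in KNOWN_ENDPOINTS


# Constructed test data (assumptions, not values from a real capture).
SECRET = b"constructed-shared-secret"
AUTH = bytes(range(16))  # a real Request Authenticator is 16 random bytes per request
MAC = b"001122334455"

# Shaped like a Cisco IOS MAB request: MAC in User-Name, User-Password and Calling-Station-Id.
CISCO_MAB = build_access_request(1, AUTH, [
    (USER_NAME, MAC),
    (USER_PASSWORD, encrypt_user_password(MAC, SECRET, AUTH)),
    (CALLING_STATION_ID, b"00-11-22-33-44-55"),
])

# Assumed shape of a non-EAP (NEAP) request: MAC only in User-Name and User-Password.
NEAP_MAB = build_access_request(2, AUTH, [
    (USER_NAME, MAC),
    (USER_PASSWORD, encrypt_user_password(MAC, SECRET, AUTH)),
])

if __name__ == "__main__":
    for label, pkt in (("cisco", CISCO_MAB), ("neap", NEAP_MAB)):
        ident = mab_identity(pkt, SECRET)
        print(label, ident, "calling_station:", ise_lookup(ident, "calling_station"),
              "user_name:", ise_lookup(ident, "user_name"))
```

Run against real captures, the only part that changes is where `CISCO_MAB` and `NEAP_MAB` come from: read the UDP payload of each Access-Request out of the two pcaps and feed it to `mab_identity` with the shared secret configured on the NAD. If the decrypted password and `mac_from_user_name` match on both packets but `mac_from_calling_station` is `None` on the Avaya side, the capture confirms the diagnosis above rather than a secret or password-format problem.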

Cisco Employee


Thank you for sharing that, Kurt (+5 from me). Also, if your issue is resolved, please mark the thread as closed.
