Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

MAB Authentication with no response

Hi All,

I am configuring MAB authentication for IBMS devices(some buliding infra devices) but MAB was not getting triggered.

I tried using the following solution as well,

https://supportforums.cisco.com/thread/2015988

it says I should changed control-direction to inbound "dot1x control-direction in", that let the MAB work. By applying this interface level command I can see that session is getting authorized but still I can not ping the devices.

Can someone exactly confirm whats the issue over here and how to resolve?

My config on port is as follows,

!

int ten1/1/9

switchport mode access

authentication host-mode single-host

authentication port-control auto

authentication violation restrict

authentication control-direction in

mab

!

Regards,


17 REPLIES
Cisco Employee

MAB Authentication with no response

what does the show auth session interface int ten 1/1/9 look like when the port is authorized?

Does an IP address show up in the output?

Community Member

MAB Authentication with no response

Hi Robert,

No, its not showing any IP , the status looks like as follows,

sh authentication sessions interface gi2/0/46

                    Interface:  GigabitEthernet2/0/46
              AC Address:  0050.c2a8.0ffb
                IP Address:  Unknown
                User-Name:  00-50-C2-A8-0F-FB
                        Status:  Authz Success
                      Domain:  DATA
        Oper host mode:  single-host
          Oper control dir:  in
             Authorized By:  Authentication Server
                  Vlan Policy:  N/A
                    ACS ACL:  xACSACLx-IP-SSH-PERMIT-ALL-5270ce52
          Session timeout:  N/A
                   Idle timeout:  N/A
   Common Session ID:  0AA000390000002A12EFCB63
      Acct Session ID:  0x00000197
               Handle:  0xA600002B

Runnable methods list:
       Method   State
       mab      Authc Success

Regards

Hammad

Cisco Employee

MAB Authentication with no response

Can you paste a show access-list xACSACLx-IP-SSH-PERMIT-ALL-5270ce52 or what ever the current dACL that is applied when you first get authenticated?

Community Member

MAB Authentication with no response

Hi Bruce,

My DAcl is like this,

!

permit ip any any

!

Cisco Employee

MAB Authentication with no response

So the switch will take the learned IP address and modify the dACL applied with the new IP address learned from the port.  If it doesn't learn an IP, then it can't modify the dACL.  I think if your dACL is truely "permit ip any any" then it should work.  You might try to add "permit icmp any any" to the dACL, if ping is what you are looking for.  Also, is the end device learning it's IP address from DHCP or is it static? 

Community Member

MAB Authentication with no response

Hi Bruce,

Its static, actually this is where from the orignal problem initiated. Coz of static IP the MAB was not getting initialized and so I have to use the command,

"authentication control-direction in".

But still not able to ping.

Community Member

Hi Team, I have manage to put

Hi Team,

 

I have manage to put the above mention commands " ip device tracking probe use-svi" and it is working for some devices/ports. But on other occassions it is not working.

It works after I tried to remove it then re-add the MAB commands and shut /unshut port several times and then try to ping simultaneously.

The difference I can see is that when it correctly accept the device , in ACS monitoring I can see the entries for both Authentication and ACL while otherwise only Authentication entry is there. Kindly see the attached pic here.

I want to know what is causing ACS to stop the ACL entry on occasions?

Also in 2nd attachment (it is for successful auth) you can see the below output which should not be there by right? is it something to do with my MAB issue as well?

"24423  ACS has not been able to confirm previous successful machine authentication for user in Active Directory"

 

Regards,

hammad 

Community Member

Hi Team,Can anyone of the

Hi Team,


Can anyone of the Guru's help? :)


Regards

Hammad

Cisco Employee

MAB Authentication with no response

DO you have "IP device tracking" enabled on the switch?

Community Member

MAB Authentication with no response

No we dont have this command on switch.

Cisco Employee

MAB Authentication with no response

I would add it and try.  The reference below is for webauth but since cwa is really MAB, it still applies.

Note By default, the IP device tracking feature is disabled on a switch. You must enable the IP device tracking feature to use web-based authentication.

For Layer 2 interfaces, web-based authentication detects IP hosts by using these mechanisms:

ARP based trigger—ARP redirect ACL allows web-based authentication to detect hosts with a static IP address or a dynamic IP address.

Dynamic ARP inspection

DHCP snooping—Web-based authentication is notified when the switch creates a DHCP-binding entry for the host.

Community Member

MAB Authentication with no response

Hi Bruce,

I have tried with adding in the command "IP device tracking", but still not getting authentication.

Is there any other alternative for this?

Regards,

Hammad Raza

Community Member

Re: MAB Authentication with no response

Hi Team,

I have tried with adding in the command "IP device tracking", but still not getting MAB initiated when port comes up.

Is there any other alternative for this? or any technical docment specifically referring this kind of issues?

Regards,

Cisco Employee

Re: MAB Authentication with no response

With "IP device tracking" configured, add the following command to the switch:

ip device tracking probe use-svi

bounce the port  and issue a 'show ip device track interface gi2/0/46'

Community Member

Re: MAB Authentication with no response

Hi Robert,

I was checking the use of this command and came across with this statement saying

" The caveat to this method is that an SVI must exist on every switch in every VLAN where

Windows clients who run DHCP reside."

and In my setup, mostly edge switches are running on layer 2 purely. SVIs are created on core switches where routing is done. so wondering if this command will still supports and the purpose can be achieved?

Regards,

Hammad

Cisco Employee

Re:MAB Authentication with no response

Hammad,

The command still applies. I have used this command with "use svi" and built a local svi on the edge switch just for this reason. The ip device tracking uses arp to resolve the ip address. Some device dont respond like others. By using the use svi command you source it directly from the edge switch. I know it's a pain to build an svi for each vlan that is using static IPs but it may be the only way. Try it on one and let us know the outcome.


Sent from Cisco Technical Support Android App

Community Member

MAB Authentication with no response

The customer use case (detailed below) is essentially MAB for protected devices on specific ports to one server and all other ports would point to a separate server. Is this something that could be accomplished via SANet? This would of course require them to upgrade all affected access switches assuming what Hsing-Tsu mentioned below is true and we're limited to 3650/3850 today.

You can have different RADIUS servers for for dot1x and MAB when you use identity policy (SANet).

You can create two policies doing the same thing (eg MAB) but use different RADIUS servers.

You would then have a different policy attached to the port groups in question.

1095
Views
5
Helpful
17
Replies
CreatePlease to create content