I am configuring MAB authentication for IBMS devices(some buliding infra devices) but MAB was not getting triggered.
I tried using the following solution as well,
it says I should changed control-direction to inbound "dot1x control-direction in", that let the MAB work. By applying this interface level command I can see that session is getting authorized but still I can not ping the devices.
Can someone exactly confirm whats the issue over here and how to resolve?
My config on port is as follows,
switchport mode access
authentication host-mode single-host
authentication port-control auto
authentication violation restrict
authentication control-direction in
what does the show auth session interface int ten 1/1/9 look like when the port is authorized?
Does an IP address show up in the output?
No, its not showing any IP , the status looks like as follows,
sh authentication sessions interface gi2/0/46
AC Address: 0050.c2a8.0ffb
IP Address: Unknown
Status: Authz Success
Oper host mode: single-host
Oper control dir: in
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-SSH-PERMIT-ALL-5270ce52
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0AA000390000002A12EFCB63
Acct Session ID: 0x00000197
Runnable methods list:
mab Authc Success
Can you paste a show access-list xACSACLx-IP-SSH-PERMIT-ALL-5270ce52 or what ever the current dACL that is applied when you first get authenticated?
So the switch will take the learned IP address and modify the dACL applied with the new IP address learned from the port. If it doesn't learn an IP, then it can't modify the dACL. I think if your dACL is truely "permit ip any any" then it should work. You might try to add "permit icmp any any" to the dACL, if ping is what you are looking for. Also, is the end device learning it's IP address from DHCP or is it static?
Its static, actually this is where from the orignal problem initiated. Coz of static IP the MAB was not getting initialized and so I have to use the command,
"authentication control-direction in".
But still not able to ping.
I have manage to put the above mention commands " ip device tracking probe use-svi" and it is working for some devices/ports. But on other occassions it is not working.
It works after I tried to remove it then re-add the MAB commands and shut /unshut port several times and then try to ping simultaneously.
The difference I can see is that when it correctly accept the device , in ACS monitoring I can see the entries for both Authentication and ACL while otherwise only Authentication entry is there. Kindly see the attached pic here.
I want to know what is causing ACS to stop the ACL entry on occasions?
Also in 2nd attachment (it is for successful auth) you can see the below output which should not be there by right? is it something to do with my MAB issue as well?
"24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory"
I would add it and try. The reference below is for webauth but since cwa is really MAB, it still applies.
Note By default, the IP device tracking feature is disabled on a switch. You must enable the IP device tracking feature to use web-based authentication.
For Layer 2 interfaces, web-based authentication detects IP hosts by using these mechanisms:
•ARP based trigger—ARP redirect ACL allows web-based authentication to detect hosts with a static IP address or a dynamic IP address.
•Dynamic ARP inspection
•DHCP snooping—Web-based authentication is notified when the switch creates a DHCP-binding entry for the host.
I have tried with adding in the command "IP device tracking", but still not getting authentication.
Is there any other alternative for this?
I have tried with adding in the command "IP device tracking", but still not getting MAB initiated when port comes up.
Is there any other alternative for this? or any technical docment specifically referring this kind of issues?
With "IP device tracking" configured, add the following command to the switch:
ip device tracking probe use-svi
bounce the port and issue a 'show ip device track interface gi2/0/46'
I was checking the use of this command and came across with this statement saying
" The caveat to this method is that an SVI must exist on every switch in every VLAN where
Windows clients who run DHCP reside."
and In my setup, mostly edge switches are running on layer 2 purely. SVIs are created on core switches where routing is done. so wondering if this command will still supports and the purpose can be achieved?
The command still applies. I have used this command with "use svi" and built a local svi on the edge switch just for this reason. The ip device tracking uses arp to resolve the ip address. Some device dont respond like others. By using the use svi command you source it directly from the edge switch. I know it's a pain to build an svi for each vlan that is using static IPs but it may be the only way. Try it on one and let us know the outcome.
Sent from Cisco Technical Support Android App
The customer use case (detailed below) is essentially MAB for protected devices on specific ports to one server and all other ports would point to a separate server. Is this something that could be accomplished via SANet? This would of course require them to upgrade all affected access switches assuming what Hsing-Tsu mentioned below is true and we're limited to 3650/3850 today.
You can have different RADIUS servers for for dot1x and MAB when you use identity policy (SANet).
You can create two policies doing the same thing (eg MAB) but use different RADIUS servers.
You would then have a different policy attached to the port groups in question.