Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

MAB / IP Phone / ISE - Woks Fine for few minutes -

Hello, I have a trouble with MAB.

I have a SW 3560 configuring with MAB for Authentication, and I have a ISE.

 

I tried with Multi-Domain Authentication, and priority with dot1x mab.

 

At the finish, I have this configuration on the Port.

 

interface GigabitEthernet0/2
 switchport access vlan 451
 switchport mode access
 ip access-group ACL-AD in
 shutdown
 authentication port-control auto
 mab
 spanning-tree portfast
 spanning-tree bpduguard enable
end

 

This configuration works, but just for few minutes,  I don't know why after this time the DACL is dropped.

As you can see, on this logs, after this events, the DACL is removed...

 

I attach, the entire configuration.

 

 

09/15/19:06 - MS-C3560-1#
09/15/19:06 - MS-C3560-1#
09/15/19:06 - Sep 16 00:06:47.660: AAA/AUTHOR: auth_need : user= 'axtel' ruser= 'MS-C3560-1'rem_addr= '172.18.2.1' priv= 15 list= '' AUTHOR-TYPE= 'commands'
09/15/19:06 - MS-C3560-1#
09/15/19:06 - MS-C3560-1#show authentication sessions interface gig0/2 details
09/15/19:06 -             Interface:  GigabitEthernet0/2
09/15/19:06 -           MAC Address:  0c85.253e.9229
09/15/19:06 -          IPv6 Address:  Unknown
09/15/19:06 -          IPv4 Address:  172.31.3.4
09/15/19:06 -             User-Name:  0C-85-25-3E-92-29
09/15/19:06 -                Status:  Authorized
09/15/19:06 -                Domain:  DATA
09/15/19:06 -        Oper host mode:  single-host
09/15/19:06 -      Oper control dir:  both
09/15/19:06 -       Session timeout:  N/A
09/15/19:06 -     Common Session ID:  AC1869FC00000030265556C0
09/15/19:06 -       Acct Session ID:  0x00000023
09/15/19:06 -                Handle:  0xD1000016
09/15/19:06 -        Current Policy:  POLICY_Gi0/2
09/15/19:06 -
09/15/19:06 - Local Policies:
09/15/19:06 -         Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
09/15/19:06 -       Security Policy:  Should Secure
09/15/19:06 -       Security Status:  Link Unsecure
09/15/19:06 -
09/15/19:06 - Server Policies:
09/15/19:06 -               ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-517998c3
09/15/19:06 -
09/15/19:06 - Method status list:
09/15/19:06 -        Method           State
09/15/19:06 -        mab              Authc Success
09/15/19:06 -
09/15/19:06 - MS-C3560-1#
09/15/19:06 - MS-C3560-1#
09/15/19:06 - MS-C3560-1#
09/15/19:06 - Sep 16 00:06:51.913: AAA/AUTHOR: auth_need : user= 'axtel' ruser= 'MS-C3560-1'rem_addr= '172.18.2.1' priv= 15 list= '' AUTHOR-TYPE= 'commands'
09/15/19:06 - MS-C3560-1#
09/15/19:06 - Sep 16 00:07:05.823: AUTH-EVENT: [0c85.253e.9229, Gi0/2] Received internal event SINGLE_ID_UPDATE (handle 0xD1000016)
09/15/19:06 - Sep 16 00:07:05.823: AUTH-SYNC: [0c85.253e.9229, Gi0/2] Delay remove sync of addr for 0c85.253e.9229 / 0xD1000016
09/15/19:06 - MS-C3560-1#
09/15/19:06 - Sep 16 00:07:05.823: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0c85.253e.9229| AuditSessionID AC1869FC00000030265556C0| EVENT IP-RELEASE
09/15/19:07 - MS-C3560-1#show authentication sessions interface gig0/2 details
09/15/19:07 -             Interface:  GigabitEthernet0/2
09/15/19:07 -           MAC Address:  0c85.253e.9229
09/15/19:07 -          IPv6 Address:  Unknown
09/15/19:07 -          IPv4 Address:  Unknown
09/15/19:07 -             User-Name:  0C-85-25-3E-92-29
09/15/19:07 -                Status:  Authorized
09/15/19:07 -                Domain:  DATA
09/15/19:07 -        Oper host mode:  single-host
09/15/19:07 -      Oper control dir:  both
09/15/19:07 -       Session timeout:  N/A
09/15/19:07 -     Common Session ID:  AC1869FC00000030265556C0
09/15/19:07 -       Acct Session ID:  0x00000023
09/15/19:07 -                Handle:  0xD1000016
09/15/19:07 -        Current Policy:  POLICY_Gi0/2
09/15/19:07 -
09/15/19:07 - Local Policies:
09/15/19:07 -         Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
09/15/19:07 -       Security Policy:  Should Secure
09/15/19:07 -       Security Status:  Link Unsecure
09/15/19:07 -
09/15/19:07 - Server Policies:
09/15/19:07 -
09/15/19:07 - Method status list:
09/15/19:07 -        Method           State
09/15/19:07 -        mab              Authc Success
09/15/19:07 -
09/15/19:07 - MS-C3560-1#

 

 

 

Everyone's tags (1)
4 REPLIES
Cisco Employee

Refer the link : https:/

New Member

Your link help me to found,

Your link help me to found, other link.

 

I think, I found the error.

 

MS-C3560-1(config)#no ip device tracking probe auto-source override
MS-C3560-1(config)#ip device tracking

MS-C3560-1#
Sep 17 13:18:01.016: AUTH-EVENT: [0c85.253e.9229, Gi0/2] Received internal event SINGLE_ID_UPDATE (handle 0xC3000003)
Sep 17 13:18:01.016: AUTH-SYNC: [0c85.253e.9229, Gi0/2] Delay add/update sync of addr for 0c85.253e.9229 / 0xC3000003
MS-C3560-1#

New Member

I can't see the command

I can't see the command "radius-server vsa send" in your config. I've had trouble with the dACL not downloading correctly when that command is missing.

What does the log in ISE say?

New Member

The vsa commands, is like

The vsa commands, is like turn on by default.

 

MS-C3560-1#sh run | inc vsa
MS-C3560-1#
MS-C3560-1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
MS-C3560-1(config)#radius-server vsa send ?
  accounting      Send in accounting requests
  authentication  Send in access requests
  cisco-nas-port  Send cisco-nas-port VSA(2)
  <cr>

MS-C3560-1(config)#radius-server vsa send accounting  
MS-C3560-1(config)#radius-server vsa send authentication
MS-C3560-1(config)#
MS-C3560-1(config)#
MS-C3560-1(config)#end
MS-C3560-1#sh run | inc vsa
MS-C3560-1#

 

For the ISE, I don't have any events for auth fail or something.

410
Views
0
Helpful
4
Replies
CreatePlease to create content