09-15-2014 05:30 PM - edited 03-10-2019 10:01 PM
Hello, I have trouble with MAB.
I have a SW 3560 configured with MAB for authentication, and I have an ISE.
I tried Multi-Domain Authentication, and priority with dot1x mab.
In the end, I have this configuration on the port.
interface GigabitEthernet0/2
switchport access vlan 451
switchport mode access
ip access-group ACL-AD in
shutdown
authentication port-control auto
mab
spanning-tree portfast
spanning-tree bpduguard enable
end
This configuration works, but only for a few minutes; I don't know why the DACL is dropped after this time.
As you can see in these logs, after these events the DACL is removed...
I attach the entire configuration.
09/15/19:06 - MS-C3560-1#
09/15/19:06 - MS-C3560-1#
09/15/19:06 - Sep 16 00:06:47.660: AAA/AUTHOR: auth_need : user= 'axtel' ruser= 'MS-C3560-1'rem_addr= '172.18.2.1' priv= 15 list= '' AUTHOR-TYPE= 'commands'
09/15/19:06 - MS-C3560-1#
09/15/19:06 - MS-C3560-1#show authentication sessions interface gig0/2 details
09/15/19:06 - Interface: GigabitEthernet0/2
09/15/19:06 - MAC Address: 0c85.253e.9229
09/15/19:06 - IPv6 Address: Unknown
09/15/19:06 - IPv4 Address: 172.31.3.4
09/15/19:06 - User-Name: 0C-85-25-3E-92-29
09/15/19:06 - Status: Authorized
09/15/19:06 - Domain: DATA
09/15/19:06 - Oper host mode: single-host
09/15/19:06 - Oper control dir: both
09/15/19:06 - Session timeout: N/A
09/15/19:06 - Common Session ID: AC1869FC00000030265556C0
09/15/19:06 - Acct Session ID: 0x00000023
09/15/19:06 - Handle: 0xD1000016
09/15/19:06 - Current Policy: POLICY_Gi0/2
09/15/19:06 -
09/15/19:06 - Local Policies:
09/15/19:06 - Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
09/15/19:06 - Security Policy: Should Secure
09/15/19:06 - Security Status: Link Unsecure
09/15/19:06 -
09/15/19:06 - Server Policies:
09/15/19:06 - ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-517998c3
09/15/19:06 -
09/15/19:06 - Method status list:
09/15/19:06 - Method State
09/15/19:06 - mab Authc Success
09/15/19:06 -
09/15/19:06 - MS-C3560-1#
09/15/19:06 - MS-C3560-1#
09/15/19:06 - MS-C3560-1#
09/15/19:06 - Sep 16 00:06:51.913: AAA/AUTHOR: auth_need : user= 'axtel' ruser= 'MS-C3560-1'rem_addr= '172.18.2.1' priv= 15 list= '' AUTHOR-TYPE= 'commands'
09/15/19:06 - MS-C3560-1#
09/15/19:06 - Sep 16 00:07:05.823: AUTH-EVENT: [0c85.253e.9229, Gi0/2] Received internal event SINGLE_ID_UPDATE (handle 0xD1000016)
09/15/19:06 - Sep 16 00:07:05.823: AUTH-SYNC: [0c85.253e.9229, Gi0/2] Delay remove sync of addr for 0c85.253e.9229 / 0xD1000016
09/15/19:06 - MS-C3560-1#
09/15/19:06 - Sep 16 00:07:05.823: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0c85.253e.9229| AuditSessionID AC1869FC00000030265556C0| EVENT IP-RELEASE
09/15/19:07 - MS-C3560-1#show authentication sessions interface gig0/2 details
09/15/19:07 - Interface: GigabitEthernet0/2
09/15/19:07 - MAC Address: 0c85.253e.9229
09/15/19:07 - IPv6 Address: Unknown
09/15/19:07 - IPv4 Address: Unknown
09/15/19:07 - User-Name: 0C-85-25-3E-92-29
09/15/19:07 - Status: Authorized
09/15/19:07 - Domain: DATA
09/15/19:07 - Oper host mode: single-host
09/15/19:07 - Oper control dir: both
09/15/19:07 - Session timeout: N/A
09/15/19:07 - Common Session ID: AC1869FC00000030265556C0
09/15/19:07 - Acct Session ID: 0x00000023
09/15/19:07 - Handle: 0xD1000016
09/15/19:07 - Current Policy: POLICY_Gi0/2
09/15/19:07 -
09/15/19:07 - Local Policies:
09/15/19:07 - Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
09/15/19:07 - Security Policy: Should Secure
09/15/19:07 - Security Status: Link Unsecure
09/15/19:07 -
09/15/19:07 - Server Policies:
09/15/19:07 -
09/15/19:07 - Method status list:
09/15/19:07 - Method State
09/15/19:07 - mab Authc Success
09/15/19:07 -
09/15/19:07 - MS-C3560-1#
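One way to spot the symptom shown in the two captures above across many ports is to parse the `show authentication sessions interface ... details` output and flag any session that is still Authorized but no longer lists an ACS ACL under Server Policies, then correlate it with the `%EPM-6-IPEVENT ... IP-RELEASE` syslog line by session ID. This is an added example, not code from the thread or from Cisco; the sample output and syslog line below are constructed to match the format in the captures (placeholder MAC, IP and session ID), and the field names and section layout are assumed to be as shown in the thread.

```python
"""Added example: detect authorized MAB sessions that have lost their dACL.
Parses the IOS 'show authentication sessions ... details' layout from the
thread and correlates with %EPM-6-IPEVENT IP-RELEASE syslog lines.
"""
import re
from typing import Dict, List

# Constructed sample in the format from the thread (values are placeholders).
SESSION_OK = """\
Interface: GigabitEthernet0/2
MAC Address: 0011.2233.4455
IPv6 Address: Unknown
IPv4 Address: 192.0.2.10
User-Name: 00-11-22-33-44-55
Status: Authorized
Domain: DATA
Common Session ID: 0A0A0A0A00000001ABCDEF01
Current Policy: POLICY_Gi0/2

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-00000000

Method status list:
Method State
mab Authc Success
"""

# Same session after its IP binding was released: Server Policies is empty.
SESSION_LOST_DACL = SESSION_OK.replace(
    "IPv4 Address: 192.0.2.10", "IPv4 Address: Unknown"
).replace("ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-00000000\n", "")

# Constructed syslog line in the %EPM-6-IPEVENT format seen in the thread.
SYSLOG = [
    "Sep 16 00:07:05.823: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0011.2233.4455| "
    "AuditSessionID 0A0A0A0A00000001ABCDEF01| EVENT IP-RELEASE"
]

SECTION_RE = re.compile(r"^(Local Policies|Server Policies|Method status list):\s*$")
KV_RE = re.compile(r"^([A-Za-z0-9 /]+?):\s*(.*)$")
EPM_RE = re.compile(
    r"%EPM-6-IPEVENT: IP (\S+)\|\s*MAC (\S+)\|\s*AuditSessionID (\S+)\|\s*EVENT (\S+)"
)


def parse_session(text: str) -> Dict[str, Dict[str, str]]:
    """Split the output into top-level fields plus one dict per policy section."""
    result: Dict[str, Dict[str, str]] = {
        "main": {}, "Local Policies": {}, "Server Policies": {}
    }
    section = "main"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "Method status list":
            continue  # a table, not key/value pairs
        m = KV_RE.match(line)
        if m:
            result[section][m.group(1).strip()] = m.group(2).strip()
    return result


def find_dacl_loss(text: str) -> List[str]:
    """Findings for a session that is Authorized but carries no dACL / no IP."""
    s = parse_session(text)
    main, server = s["main"], s["Server Policies"]
    findings = []
    if main.get("Status") == "Authorized" and "ACS ACL" not in server:
        findings.append(f"{main.get('Interface')}: authorized session "
                        f"{main.get('Common Session ID')} has no dACL in Server Policies")
    if main.get("IPv4 Address", "Unknown") == "Unknown":
        findings.append(f"{main.get('Interface')}: no IPv4 binding for "
                        f"{main.get('MAC Address')} (check ip device tracking)")
    return findings


def epm_releases(lines: List[str]) -> Dict[str, str]:
    """Map AuditSessionID -> MAC for every IP-RELEASE event in syslog lines."""
    out: Dict[str, str] = {}
    for line in lines:
        m = EPM_RE.search(line)
        if m and m.group(4) == "IP-RELEASE":
            out[m.group(3)] = m.group(2)
    return out


def correlate(text: str, syslog: List[str]) -> bool:
    """True when the dACL is gone and syslog shows the session's IP was released."""
    s = parse_session(text)
    sid = s["main"].get("Common Session ID")
    return "ACS ACL" not in s["Server Policies"] and sid in epm_releases(syslog)


if __name__ == "__main__":
    for label, snap in (("before", SESSION_OK), ("after", SESSION_LOST_DACL)):
        print(label, find_dacl_loss(snap) or ["ok"])
    print("correlated with IP-RELEASE:", correlate(SESSION_LOST_DACL, SYSLOG))
```

Feeding the real captures from the thread through `find_dacl_loss` would report nothing for the first snapshot and both findings for the second, which is the state the thread later attributes to IP device tracking losing the host's binding.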
09-16-2014 06:01 AM
Refer to the link: https://learningnetwork.cisco.com/thread/68792
09-17-2014 06:47 AM
Your link helped me to find another link.
I think I found the error.
MS-C3560-1(config)#no ip device tracking probe auto-source override
MS-C3560-1(config)#ip device tracking
MS-C3560-1#
Sep 17 13:18:01.016: AUTH-EVENT: [0c85.253e.9229, Gi0/2] Received internal event SINGLE_ID_UPDATE (handle 0xC3000003)
Sep 17 13:18:01.016: AUTH-SYNC: [0c85.253e.9229, Gi0/2] Delay add/update sync of addr for 0c85.253e.9229 / 0xC3000003
MS-C3560-1#
09-16-2014 11:56 PM
I can't see the command "radius-server vsa send" in your config. I've had trouble with the dACL not downloading correctly when that command is missing.
What does the log in ISE say?
09-17-2014 06:42 AM
The vsa commands seem to be turned on by default.
MS-C3560-1#sh run | inc vsa
MS-C3560-1#
MS-C3560-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
MS-C3560-1(config)#radius-server vsa send ?
accounting Send in accounting requests
authentication Send in access requests
cisco-nas-port Send cisco-nas-port VSA(2)
<cr>
MS-C3560-1(config)#radius-server vsa send accounting
MS-C3560-1(config)#radius-server vsa send authentication
MS-C3560-1(config)#
MS-C3560-1(config)#
MS-C3560-1(config)#end
MS-C3560-1#sh run | inc vsa
MS-C3560-1#
For ISE, I don't have any events for auth fail or anything.