
MAB status is "NOT RUN" on the IP-PHONE

nicanor00
Level 1

Hi,

I have ISE 1.1 and a Cisco 2960.

I configured MAB in the ISE for the IP phone and the printer.

It works because users can print and use the IP phone for calls.

But the log is not good for the IP phone.

The printer uses MAB, but the IP phone uses dot1x instead of MAB (log below).

There is no computer connected behind the IP phone.

I am planning to connect computers to some IP phones in the future, so your help and suggestions should take that into account.

Why is MAB not working on the IP phone?

Thanks in advance for your help.

PRINTER PORT

ISESWITCH#show auth sessions int f0/2
            Interface:  FastEthernet0/2
          MAC Address:  a0b3.cc9d.6ebb
           IP Address:  192.168.1.150
            User-Name:  A0-B3-CC-9D-6E-BB
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  10
              ACS ACL:  xACSACLx-IP-PERMIT_ALL-52179aa0
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0AFD190A00000B4E11F6003A
      Acct Session ID:  0x000013FF
               Handle:  0x27000B4E
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success

IP PHONE PORT

ISESWITCH#show auth sessions int f0/3
            Interface:  FastEthernet0/3
          MAC Address:  001a.7ea7.4a3f
           IP Address:  192.168.2.16
               Status:  Running
               Domain:  UNKNOWN
      Security Policy:  Should Secure
      Security Status:  Unsecure
      Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0AFD190A00000B5011F7919A
      Acct Session ID:  0x0000140D
               Handle:  0xC3000B50
Runnable methods list:
       Method   State
       dot1x    Running
       mab      Not run
ISESWITCH#

Configuration of each switch port:

interface fastEthernet0/x
 switchport access vlan 2
 switchport mode access
 ip access-group ACL-DEFAULT in
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
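
A way to check for this state across many ports, as an added example that is not part of the original thread: the Python below parses `show auth sessions` output in the layout pasted above and reports which method authorized each port, flagging sessions where dot1x is still Running and mab is Not run. The sample text is constructed from the two outputs in the post, and the function names are hypothetical.

```python
import re

# Constructed sample: trimmed from the two outputs in the post above.
SAMPLE = """\
            Interface:  FastEthernet0/2
               Status:  Authz Success
               Domain:  DATA
Runnable methods list:
       dot1x    Failed over
       mab      Authc Success
            Interface:  FastEthernet0/3
               Status:  Running
               Domain:  UNKNOWN
Runnable methods list:
       dot1x    Running
       mab      Not run
"""

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z .-]*?):\s{2,}(\S.*?)\s*$")
METHOD = re.compile(r"^\s+(dot1x|mab|webauth)\s+(\S.*?)\s*$")

def parse_sessions(text):
    """Return one dict per session; 'methods' maps method name to state."""
    sessions, cur = [], None
    for line in text.splitlines():
        field = FIELD.match(line)
        if field and field.group(1) == "Interface":
            cur = {"methods": {}}          # a new session block starts here
            sessions.append(cur)
        if cur is None:
            continue                       # skip anything before the first block
        if field:
            cur[field.group(1)] = field.group(2)
        elif (method := METHOD.match(line)):
            cur["methods"][method.group(1)] = method.group(2)
    return sessions

def classify(session):
    """Name the method that authorized the port, or flag a pending session."""
    methods = session["methods"]
    passed = [name for name, state in methods.items() if state == "Authc Success"]
    if session.get("Status") == "Authz Success" and passed:
        return "authorized via " + passed[0]
    if methods.get("dot1x") == "Running" and methods.get("mab") == "Not run":
        return "pending: dot1x Running, mab Not run"
    return "other: " + session.get("Status", "unknown")

def audit(text):
    return {s["Interface"]: classify(s) for s in parse_sessions(text)}
```

Calling `audit()` on a saved capture returns one classification per interface, so ports like f0/3 above stand out from ports that completed MAB.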


Saurav Lodh
Level 7

For failed auth and authorization, I recommend the TrustSec troubleshooting guide by Cisco below:

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_81_troubleshooting_failed_authc.pdf

Hello,

Please, I need help.

Regards

switchport voice vlan is missing.

Please turn on debug radius then collect debugs for a few minutes.

If the phone (what vendor?) has a certificate, it may attempt 802.1X EAP-TLS.

Venkatesh Attuluri
Cisco Employee

Sample configuration on interface for MAB:

interface range g0/x
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 mab
 authentication open
 authentication host-mode multi-auth
 switchport access vlan x
 switchport voice vlan x
 authentication order mab dot1x
 authentication priority dot1x mab
 no shutdown
