07-16-2018 04:02 AM - edited 02-21-2020 11:00 AM
hi
I deployed 802.1x and MAB in Cisco ISE 2.3 on switches which all have ios 15.2 version:
aaa new-model
!
!
!
aaa group server radius ISE-R
server 192.168.100.248 auth-port 1812 acct-port 1813 key dot1x
!
aaa authentication dot1x default group ISE-R local
aaa authorization config-commands
aaa authorization network default group ISE-R local
aaa accounting update periodic 5
aaa accounting identity default start-stop group ISE-R
aaa accounting system default start-stop group ISE-R
aaa accounting dot1x default start-stop group ISE-R
aaa server radius dynamic-author
client 192.168.100.248 server-key dot1x
!
!
!
!
!
aaa session-id common
dot1x system-auth-control
snmp-server community public RO
snmp-server trap-source Vlan 100
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move threshold
snmp-server host 192.168.100.248 version 2c public mac-notification snmp
radius-server attribute 6 support-multiple
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
ip radius source-interface vlan <>
!
radius server ISE-R
address ipv4 192.168.100.248 auth-port 1812 acct-port 1813
timeout 3
key dot1x
////11111111////
dot1x system-auth-control
service-template webauth-global-inactive
inactivity-timer 3600
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
linksec policy must-secure
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
linksec policy should-secure
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
voice vlan
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
!
/////222222////
parameter-map type webauth AI_NRH_PMAP
type authbypass
!
!
parameter-map type webauth AI_WEBAUTH_PMAP
type webauth
!
vlan internal allocation policy ascending
!
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
match result-type aaa-timeout
match authorization-status authorized
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
match result-type aaa-timeout
match authorization-status unauthorized
!
class-map type control subscriber match-all DOT1X
match method dot1x
!
class-map type control subscriber match-all DOT1X_FAILED
match method dot1x
match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_MEDIUM_PRIO
match authorizing-method-priority gt 20
!
class-map type control subscriber match-all DOT1X_NO_RESP
match method dot1x
match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all DOT1X_TIMEOUT
match method dot1x
match result-type method dot1x method-timeout
!
class-map type control subscriber match-all MAB_FAILED
!
!
!
//////33333//////
policy-map type control subscriber POLICY_Interface
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x retries 2 retry-time 0 priority 10
event authentication-failure match-first
5 class DOT1X_FAILED do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
10 class DOT1X_NO_RESP do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
20 class MAB_FAILED do-until-failure
10 terminate mab
20 authentication-restart 60
40 class always do-until-failure
10 terminate dot1x
20 terminate mab
30 authentication-restart 60
event agent-found match-all
10 class always do-until-failure
10 terminate mab
20 authenticate using dot1x retries 2 retry-time 0 priority 10
event inactivity-timeout match-all
10 class always do-until-failure
10 clear-session
event authentication-success match-all
10 class always do-until-failure
10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
event violation match-all
10 class always do-until-failure
10 restrict
/////interface configuration//////////
switchport access vlan <>
switchport mode access
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 2
spanning-tree portfast
service-policy type control subscriber POLICY_Interface
All end users work fine until a power outage. After a power outage, when the switches boot up, some users can't access the network and an "authentication failed" log appears on the switch (but some users still work fine). In the RADIUS Live Logs in Cisco ISE I saw those users with the authentication failed log being checked by MAB instead of the dot1x role in ISE, so I removed the "mab" command from the interface configuration. After this change, after a power outage there isn't any "authentication failed" log on the switch anymore, but some users still don't have network access; for a solution they must unplug and plug their network cable from their cases, then they have network access. What's wrong with 802.1x?? Or is it from my configuration?
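An added check, not part of the original post and not Cisco's code: a small Python script that parses the class-map and policy-map sections of an IOS IBNS 2.0 control-policy configuration, cross-references the class names used in the policy-map against the class-maps that are actually defined, and flags any class-map that carries no match statement. The embedded input is a subset of the configuration posted above (copied from the post, not from a live switch); run against it, the script reports MAB_FAILED as having no match criteria, which is worth reconciling with the MAB fallback behaviour described in the post. For reference, Cisco's published IBNS 2.0 templates define MAB_FAILED with `match method mab` and `match result-type method mab authoritative`.

```python
import re

# Subset of the class-map / policy-map sections from the post above
# (copied from the posted configuration; constructed test input, not
# pulled from a running device).
SAMPLE_CONFIG = """\
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match result-type aaa-timeout
 match authorization-status authorized
!
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all MAB_FAILED
!
policy-map type control subscriber POLICY_Interface
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  20 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  40 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
"""

CLASS_RE = re.compile(r"^class-map type control subscriber match-(?:all|any) (\S+)")
POLICY_RE = re.compile(r"^policy-map type control subscriber (\S+)")
MATCH_RE = re.compile(r"^\s+match (.+)$")
CLASS_REF_RE = re.compile(r"^\s+\d+ class (\S+) ")


def parse_class_maps(config):
    """Return {class_name: [match criteria]} for every control class-map."""
    classes = {}
    current = None
    for line in config.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            classes[current] = []
            continue
        # A bare '!' or the start of a policy-map ends the current class-map.
        if line.startswith("!") or POLICY_RE.match(line):
            current = None
            continue
        m = MATCH_RE.match(line)
        if m and current is not None:
            classes[current].append(m.group(1).strip())
    return classes


def parse_policy_refs(config):
    """Return the set of class names the policy-map references ('always' excluded)."""
    refs = set()
    in_policy = False
    for line in config.splitlines():
        if POLICY_RE.match(line):
            in_policy = True
            continue
        # Policy-map body lines are indented; an unindented line ends the block.
        if in_policy and not line.startswith((" ", "\t")):
            in_policy = False
        if in_policy:
            m = CLASS_REF_RE.match(line)
            if m and m.group(1) != "always":
                refs.add(m.group(1))
    return refs


def audit(config):
    """Report class-maps with no match criteria, dangling references, and unused classes."""
    classes = parse_class_maps(config)
    refs = parse_policy_refs(config)
    return {
        "empty_class_maps": sorted(n for n, crit in classes.items() if not crit),
        "undefined_references": sorted(refs - classes.keys()),
        "unused_class_maps": sorted(classes.keys() - refs),
    }


if __name__ == "__main__":
    for key, names in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {', '.join(names) if names else '(none)'}")
```

To run it against a real device, paste the output of `show running-config | section class-map|policy-map` in place of SAMPLE_CONFIG; the parser only relies on the standard one-space-per-level indentation IOS uses when printing the running configuration.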