Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

[Q] Identity Sequence issue causes MAB to auth against AD ??

We have a strange issue whereby some users have suddenly failed to correctly authenticate against ACS 5.1 - we cant work out why, as nothing has changed and would greatly appreciate your help.

We have dot1x configured on our network with MAB fallback. We havent yet rolled out dot1x to the clients even though the network is set up for this. In the meantime, we are using Mac Authentication Bypass. We do use 802.1x for wireless though.

I have set up the folowing Identity Sequence:

AD1 (this is set up as our AD servers for 802.1X user and machine auth)

SecurID Server (we dont use this yet either)

Internal Users (this is just used to authenticate ciscoworks)

Internal Hosts (this contains the list of allowed MAC addresses)

Typically what we have seen today is a user initially authenticates successfully by matching the Internal Hosts identity store, but then an hour later, re-authentication fails as the MAC address matches the AD1 id store and subsequently fails due to the MAC address not being present within AD.

Here is the successful connection entry (all MAC addresses substituted form the originals)...

Steps

11001  Received RADIUS Access-Request

11017  RADIUS created a new session

11027  Detected Host Lookup UseCase (Service-Type = Call Check (10))

Evaluating Service Selection Policy

15004  Matched rule

15012  Selected Access Service - Network Access

Evaluating Identity Policy

15006  Matched Default Rule

15013  Selected Identity Store - Internal Hosts

24432  Looking up user in Active Directory - 00-1B-78-00-33-00

24412  User not found in Active Directory

24559  Searching for user in the RSA identity store.

24556  User record was not found in the cache.

24210  Looking up User in Internal Users IDStore - 00-1B-78-00-33-00

24216  The user is not found in the internal users identity store.

24209  Looking up Host in Internal Hosts IDStore - 00-1B-78-00-33-00

24211  Found Host in Internal Hosts IDStore

22037  Authentication Passed

22023  Proceed to attribute retrieval

24432  Looking up user in Active Directory - 00-1B-78-00-33-00

24412  User not found in Active Directory

22016  Identity sequence completed iterating the IDStores

Evaluating Group Mapping Policy

24423  ACS has not been able to confirm previous successful machine authentication for user in Active Directory

Evaluating Exception Authorization Policy

15042  No rule was matched

Evaluating Authorization Policy

15004  Matched rule

15016  Selected Authorization Profile - MAB-PC

11022  Added the dACL specified in the Authorization Profile

11002  Returned RADIUS Access-Accept

Here is the failed connection entry....

Steps

11001  Received RADIUS Access-Request

11017  RADIUS created a new session

11027  Detected Host Lookup UseCase (Service-Type = Call Check (10))

Evaluating Service Selection Policy

15004  Matched rule

15012  Selected Access Service - Network Access

Evaluating Identity Policy

15006  Matched Default Rule

15013  Selected Identity Store - AD1

24432  Looking up user in Active Directory - 00-1B-78-00-33-00

24416  User's Groups retrieval from Active Directory succeeded

22037  Authentication Passed

22023  Proceed to attribute retrieval

22038  Skipping the next IDStore for attribute retrieval because it is the one we authenticated against

22016  Identity sequence completed iterating the IDStores

Evaluating Group Mapping Policy

24423  ACS has not been able to confirm previous successful machine authentication for user in Active Directory

Evaluating Exception Authorization Policy

15042  No rule was matched

Evaluating Authorization Policy

15006  Matched Default Rule

15016  Selected Authorization Profile - DenyAccess

15039  Selected Authorization Profile is DenyAccess

11003  Returned RADIUS Access-Reject

Any help greatly appreciated!

  • AAA Identity and NAC
5 REPLIES
Silver

[Q] Identity Sequence issue causes MAB to auth against AD ??

Hello Paul,

Are you sure that the MAC Address 00-1B-78-00-33-00 had not been created as an AD Account? The succes logs show:

24432  Looking up user in Active Directory - 00-1B-78-00-33-00

24412  User not found in Active Directory

However, the failure shows:

24432  Looking up user in Active Directory - 00-1B-78-00-33-00

24416  User's Groups retrieval from Active Directory succeeded

It seems that the ACS was able to find the MAC Address 00-1B-78-00-33-00 on the AD Domain.

Also, the failed authentication is due to the Authorization Rule. Which conditions have you defined under the Authorization Rule "MAB-PC"?

Please check the following:

1) Was the MAC Address created on the AD Domain as a valid account?

2) Which conditions are defined under the authorization rule MAB-PC in order to match it?

Regards.

New Member

[Q] Identity Sequence issue causes MAB to auth against AD ??

1) Are you sure that the MAC Address 00-1B-78-00-33-00 had not been created as an AD Account?

Yes, I checked with the guy that manages the AD servers and he assures us there is no record anywhere of any mac addresses in AD. I have done my own search and cant find anything in there either. Also, the timestamps of these two authentication attempts are 09:36 and 10:36 (or something like that) and we know we definitely didnt make any changes to AD in that time window.

2) Which conditions have you defined under the Authorization Rule "MAB-PC"?

===== AUTHORIZATION POLICY =====

General
Name: MAB-PC
Status: Enabled

Conditions
[TICKED] NDG:Location in All Locations:AP
[NOT TICKED] AD1:ExternalGroups -ANY-
[TICKED] Compound Condition:
Dictionary AD-AD1 Attribute [blank]

Current Condition Set:
Internal Hosts:HostIdentityGroup in AllGroups:NoDot1xClient

Results
Authorization Profiles
MAB-PC


===== IDENTITY GROUP =====
Name: NoDot1xClient
Info: This group is assigned to all MAC address Hosts which do not have dot1x enabled.


===== AUTHORIZATION PROFILE =====

Authorization Profile
Name: MAB-PC
Downloadable ACL Name - Static - Value [Permit-IP]
VLAN ID/Name - Static - User-trusted

===== Downloadable ACLs ======

Name - Permit-IP
Downloadable ACL Content: Permit IP Any Any

Silver

[Q] Identity Sequence issue causes MAB to auth against AD ??

Paul,

From the logs, I suspect that for some reason the ACS is able to authenticate the MAC Address against the AD, therefore, failing the authorization condition match at "Current Condition Set:Internal Hosts:HostIdentityGroup in AllGroups:NoDot1xClient".

The ACS will end up hitting the Deny Access rule as it was not able to comply with the condition for the MAB-PC authorization rule.

We should dig further trying to determine why the MAC Address is getting authenticated by AD instead of Internal Hosts.

Regards.

New Member

[Q] Identity Sequence issue causes MAB to auth against AD ??

Hi Carlos, thanks for your help. Do you have any suggestions for how we can determine why the MAC address is getting authenticated by AD?

To help me understand the nature of the issue a bit more, could you help me with the following queries about how 802.1X and ACS works?

If a switch is configured for dot1x with MAB fallback as ours is, does the switch still send the MAC address for a dot1x-enabled client as well as the user and host AD credentials even though the MAC address is not required for auth in this case?

For the same switch and a client with dot1x DISABLED, does the switch forward just the MAC address to ACS?

If the switch invokes MAB and passes just the MAC address to ACS, does ACS still run the MAC address through the full identity store sequence which starts with AD1, even though dot1x is not running (and therefore AD matching is not relevant)?

Ultimately, I am trying to decide if

a) ACS is passing non-dot1x credentials (namely the MAC address) to AD erroneously or

b) if AD is responding (correctly or incorrectly) with a match or

c) if AD is rejecting the MAC address but that the rejection message isnt triggering the next iteration in the identity store sequence.

Silver

[Q] Identity Sequence issue causes MAB to auth against AD ??

Hello Paul,

If a switch is configured for dot1x with MAB fallback as ours is, does  the switch still send the MAC address for a dot1x-enabled client as well  as the user and host AD credentials even though the MAC address is not  required for auth in this case?

A switchport configured for 802.1x with MAB fallback will first send an EAPOL Start message. An 802.1x enabled client would be able to provide the appropriate User and Host information and get authenticated via 802.1x. No MAC address will be send at this point.

For the same switch and a client with dot1x DISABLED, does the switch forward just the MAC address to ACS?

Yes, the switch will send the EAPOL Start messages to the 802.1x Disabled client. It will not be able to respond to the switchport request. After the retries the switchport will fallback to MAB and expect the client to send the MAC Address to get authenticated.

If the switch invokes MAB and passes just the MAC address to ACS, does  ACS still run the MAC address through the full identity store sequence  which starts with AD1, even though dot1x is not running (and therefore  AD matching is not relevant)?

Yes, the ACS will still run the authentication against all the Database specified on the Identity Store Sequest from top to bottom

Ultimately, I am trying to decide if

a) ACS is passing non-dot1x credentials (namely the MAC address)  to AD erroneously ---> Do not think this might be the case as it will  always pass the credentials to the every database on the specified  order

b) if AD is responding (correctly or incorrectly) with a match ---> We know this one is happening.

c)   if AD is rejecting the MAC address but that the rejection message isnt   triggering the next iteration in the identity store sequence. ---->  Do not think AD is rejecting the MAC Address based on:

24432  Looking up user in Active Directory - 00-1B-78-00-33-00

24416  User's Groups retrieval from Active Directory succeeded

At this point I have no suggestions on how to determine if the MAC Address is being properly authenticated on the AD Side

2653
Views
0
Helpful
5
Replies