RADIUS 'lost carrier' MAB failure

leesutcliffe · ‎03-18-2014

Hello

I am having an intermitent issue with MAB on various switches.

On the whole, MAB works. We are not using dot1x and using MAC addresses as the only form of validation for network access.

However if switches are rebooted following an upgrade/replacement or even at the start of the day when users terminals are first powered on a small percentage of devices are not permited access. On investigation the MAC addresses of these devices are being dropped:

sh mac address-table | i Drop
10 0080.648e.e12a DYNAMIC Drop

This can easily bve resolved by either, clearing the MAC table, re-setting the port or re patching the attached phone. However this isn't an ideal situation when the issue is happening at various sites worldwide.

I managed to catpture in debugs the dropped MAC and the reason in the RADIUS packet was 'lost carrier'

Mar 18 08:48:52.571 GMT: mab-ev(Fa2/0/3): Sending create new context event to EAP from MAB for 0x94010061 (0080.648e.745e)

Mar 18 08:48:52.571 GMT: mab-ev: created mab pseudo dot1x profile dot1x_mac_auth_0080.648e.745e
Mar 18 08:48:52.571 GMT: mab-ev(Fa2/0/3): Starting MAC-AUTH-BYPASS for 0x94010061 (0080.648e.745e)

Mar 18 08:48:52.588 GMT: mab-ev(Fa2/0/3): MAB received an Access-Reject for 0x94010061 (0080.648e.745e)
Mar 18 08:48:52.588 GMT: %MAB-5-FAIL: Authentication failed for client (0080.648e.745e) on Interface Fa2/0/3 AuditSessionID Unassigned

Mar 18 08:48:52.588 GMT: mab-ev(Fa2/0/3): Received ABORT event from Auth Mgr for 0x94010061 (0080.648e.745e)
Mar 18 08:48:52.588 GMT: mab-ev(Fa2/0/3): Deleted credentials profile for 0x94010061 (dot1x_mac_auth_0080.648e.745e)

Mar 18 08:48:52.596 GMT: RADIUS: Acct-Session-Id     [44] 10 "0001D518"
Mar 18 08:48:52.596 GMT: RADIUS: Calling-Station-Id [31] 19 "00-80-64-8E-74-5E"
Mar 18 08:48:52.596 GMT: RADIUS: Vendor, Cisco       [26] 49
Mar 18 08:48:52.596 GMT: RADIUS:   Cisco AVpair       [1]   43 "audit-session-id=0AA7630B0001D119CB77A8D6"
Mar 18 08:48:52.596 GMT: RADIUS: Framed-IP-Address   [8]   6   x.x.x.x
Mar 18 08:48:52.605 GMT: RADIUS: User-Name           [1]   14 "0080648e745e"
Mar 18 08:48:52.605 GMT: RADIUS: Acct-Authentic      [45] 6   RADIUS                    [1]
Mar 18 08:48:52.605 GMT: RADIUS: Acct-Terminate-Cause[49] 6   lost-carrier              [2]
Mar 18 08:48:52.605 GMT: RADIUS: Vendor, Cisco       [26] 32
Mar 18 08:48:52.605 GMT: RADIUS:   Cisco AVpair       [1]   26 "disc-cause-ext=No Reason"
Mar 18 08:48:52.605 GMT: RADIUS: Vendor, Cisco       [26] 34
Mar 18 08:48:52.605 GMT: RADIUS:   Cisco AVpair       [1]   28 "connect-progress=Auth Open"
Mar 18 08:48:52.605 GMT: RADIUS: Acct-Session-Time   [46] 6   86774
Mar 18 08:48:52.605 GMT: RADIUS: Acct-Input-Octets   [42] 6   23488141
Mar 18 08:48:52.605 GMT: RADIUS: Acct-Output-Octets [43] 6   331714681
Mar 18 08:48:52.605 GMT: RADIUS: Acct-Input-Packets [47] 6   287464
Mar 18 08:48:52.605 GMT: RADIUS: Acct-Output-Packets [48] 6   985979
Mar 18 08:48:52.605 GMT: RADIUS: Acct-Status-Type    [40] 6   Stop                      [2]
Mar 18 08:48:52.605 GMT: RADIUS: NAS-Port-Type       [61] 6   Ethernet                  [15]
Mar 18 08:48:52.605 GMT: RADIUS: NAS-Port            [5]   6   50203
Mar 18 08:48:52.605 GMT: RADIUS: NAS-Port-Id         [87] 19 "FastEthernet2/0/3"
Mar 18 08:48:52.605 GMT: RADIUS: Called-Station-Id   [30] 19 "24-01-C7-F4-97-85"
Mar 18 08:48:52.605 GMT: RADIUS: Class               [25] 31

Does any have any ideas on how to prevent this from happening? As I mentioned, it only seems to occour when devices are first powered on, or connectivity is restored following a switch reboot/upgrade.

Thanks