Cisco ISE 1.3 MAB authentication.. switch drop packet

Hello All,
I have C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE9, RELEASE SOFTWARE (fc1) switch..
and ISE 1.3 versoin..
MAB authentication is working perfectly at ISE end.. but while seeing the same at switch end.. I am seeing switch is droping packet on some ports..
while some ports are working perfectly..
Same switch configuration is working perfectly on another switch without any issue..
Switch configuration for your suggestion..!!
aaa new-model
aaa authentication fail-message ^C
**** Either ACS or ISE is DOWN / Use ur LOCAL CREDENTIALS / Thank You ****
^C
aaa authentication login CONSOLE local
aaa authentication login ACS group tacacs+ group radius local
aaa authentication dot1x default group radius
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+ group radius
aaa server radius dynamic-author
 client 172.16.95.x server-key 7 02050D480809
 client 172.16.95.x server-key 7 14141B180F0B
aaa session-id common
clock timezone IST 5 30
system mtu routing 1500
ip routing
no ip domain-lookup
ip domain-name EVS.com
ip device tracking
epm logging
dot1x system-auth-control
interface FastEthernet0/1
 switchport access vlan x
 switchport mode access
 switchport voice vlan x
 authentication event fail action next-method
 --More--         authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
ip tacacs source-interface Vlan10
ip radius source-interface Vlan10 vrf default
logging trap critical
logging origin-id ip
logging 172.16.5.95
logging host 172.16.95.x transport udp port 20514
logging host 172.16.95.x transport udp port 20514
snmp-server group SNMP-Group v3 auth read EVS-view notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F access 15
snmp-server view EVS-view internet included
snmp-server community S1n2M3p4$ RO
snmp-server community cisco RO
snmp-server trap-source Vlan10
snmp-server source-interface informs Vlan10
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
 --More--         snmp-server enable traps tty
snmp-server enable traps cluster
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server host 172.16.95.x version 2c cisco
snmp-server host 172.16.95.x version 2c cisco
snmp-server host 172.16.5.x version 3 auth evsnetadmin
tacacs-server host 172.16.5.x key 7 0538571873651D1D4D26421A4F
tacacs-server directed-request
 --More--         tacacs-server key 7 107D580E573E411F58277F2360
tacacs-server administration
radius-server attribute 6 on-for-login-auth
radius-server attribute 25 access-request include
radius-server host 172.16.95.y auth-port 1812 acct-port 1813 key 7 060506324F41
radius-server host 172.16.95.x auth-port 1812 acct-port 1813 key 7 110A1016141D
radius-server host 172.16.95.y auth-port 1645 acct-port 1646 key 7 110A1016141D
radius-server host 172.16.95.x auth-port 1645 acct-port 1646 key 7 070C285F4D06
radius-server timeout 2
radius-server key 7 060506324F41
radius-server vsa send accounting
radius-server vsa send authentication
line con 0
 exec-timeout 5 0
 privilege level 15
 logging synchronous
 login authentication CONSOLE
line vty 0 4
 access-class telnet_access in
 exec-timeout 0 0
 logging synchronous
 --More--         login authentication ACS
 transport input ssh

 24423  ISE has not been able to confirm previous successful machine authentication  
Judging by that line and what your policy says, it appears that your authentication was rejected as your machine was not authenticated prior to this connection.
first thing to check is whether MAR has been enabled on the identity source. second thing to check is whether your machine is set to send a certificate for authentication. there are other things you can look at but I'd do those two first.
log off and on  or reboot and then see if you at least get a failed machine auth on the operations>authentication page and we can go from there. 

Similar Messages

  • Cisco ISE Failure: 24408 User authentication against Active Directory failed since user has entered the wrong password

    Hi,
    Since we implemented Cisco ISE we receive the following failure on several Notebooks:
    Authentication failed : 24408 User authentication against Active Directory failed since user has entered the wrong password
    This happens 2 or 3 times per Day. So basically the authentications are working. But when the failure appears, the connection is lost for a short time.
    The Clients are using PEAP(EAP-MSCHAPv2) for Authentication. We've got a Cisco Wireless Environment (WLC 5508).
    Why is this happening?
    Thanks,
    Marc

    The possible causes of this error message are:
    1.] If the end user entered an incorrect username.
    2.] The shared sceret between WLC and ISE is mismatched. With this we'll see continous failed authentication.
    3.] As long as a PSN not receiving a response from the supplicant within this limit during an EAP conversation, it will throw this error code. In majority of cases it says eap session timed out.
    In your cases, the 3rd option seems to be the most closest one.
    Jatin Katyal
    - Do rate helpful posts -

  • Cisco ISE - line posture node and switch connection.

    I am studying how Cisco ISE - Inline Posture Node working under the Bridge Mode. I learned that I need to configure the vlan mapping between the untrusted and trusted interfaces of IPN device ( http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_ipep_deploy.html - Figure 10-6).
    Does that mean I can setup a 802.1Q trunk link between the switch port and trusted/untrusted interface on IPN? Is there any vlan mapping entry limitation? Thanks.

    Please review the below link which might also be  helpful:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bea904.shtml

  • Cisco ISE Machine failed machine authentication

    Hi, last week we migrated to ISE 1.2 Patch 7 and since then we are having trouble with our corporate SSID.
    We have a rule that says :
    1) User is domain user.
    2) Machine is authenticated.
    But for some reason that I can't figure out some machine(I would say around 200/1000) can't seem to authenticate.
    This is the message I found in the "steps"
    24423     ISE has not been able to confirm previous successful machine authentication for user in Active Directory
    I was wondering if I could force something on the controller or on ISE directly.
    EDIT : In the operation > Authentication I can see that some host/MachineName are getting authenticated.
    Would I be able to force this as a step in my other rule.

    Hi shertica, and thank you for the explanation. I started working with ISE a month ago and still getting familiarized but I think the problem is the relationship between the Machine and the user because I can't find any Host/MachineName fail in the last 24 hour and I can't seem to have any log further than that.
    Failure Reason
    15039 Rejected per authorization profile
    Resolution
    Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
    Steps
    11001
    Received RADIUS Access-Request
    11017
    RADIUS created a new session
    15049
    Evaluating Policy Group
    15008
    Evaluating Service Selection Policy
    15048
    Queried PIP
    15048
    Queried PIP
    15048
    Queried PIP
    15004
    Matched rule
    11507
    Extracted EAP-Response/Identity
    12300
    Prepared EAP-Request proposing PEAP with challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12302
    Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
    12318
    Successfully negotiated PEAP version 0
    12800
    Extracted first TLS record; TLS handshake started
    12805
    Extracted TLS ClientHello message
    12806
    Prepared TLS ServerHello message
    12807
    Prepared TLS Certificate message
    12810
    Prepared TLS ServerDone message
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    12318
    Successfully negotiated PEAP version 0
    12812
    Extracted TLS ClientKeyExchange message
    12804
    Extracted TLS Finished message
    12801
    Prepared TLS ChangeCipherSpec message
    12802
    Prepared TLS Finished message
    12816
    TLS handshake succeeded
    12310
    PEAP full handshake finished successfully
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    12313
    PEAP inner method started
    11521
    Prepared EAP-Request/Identity for inner EAP method
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    11522
    Extracted EAP-Response/Identity for inner EAP method
    11806
    Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    11808
    Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
    15041
    Evaluating Identity Policy
    15006
    Matched Default Rule
    15013
    Selected Identity Source - IdentityStore_AD_liadom01
    24430
    Authenticating user against Active Directory
    24402
    User authentication against Active Directory succeeded
    22037
    Authentication Passed
    11824
    EAP-MSCHAP authentication attempt passed
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    11810
    Extracted EAP-Response for inner method containing MSCHAP challenge-response
    11814
    Inner EAP-MSCHAP authentication succeeded
    11519
    Prepared EAP-Success for inner EAP method
    12314
    PEAP inner method finished successfully
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    24423
    ISE has not been able to confirm previous successful machine authentication for user in Active Directory
    15036
    Evaluating Authorization Policy
    24432
    Looking up user in Active Directory - LIADOM01\lidoex
    24416
    User's Groups retrieval from Active Directory succeeded
    15048
    Queried PIP
    15048
    Queried PIP
    15048
    Queried PIP
    15048
    Queried PIP
    15048
    Queried PIP
    15004
    Matched rule - AuthZBlock_DOT1X
    15016
    Selected Authorization Profile - DenyAccess
    15039
    Rejected per authorization profile
    12306
    PEAP authentication succeeded
    11503
    Prepared EAP-Success
    11003
    Returned RADIUS Access-Reject
    Edit : I found a couple of these :
    Event
    5400 Authentication failed
    Failure Reason
    24485 Machine authentication against Active Directory has failed because of wrong password
    Resolution
    Check if the machine is present in the Active Directory domain and if it is spelled correctly. Also check whether machine authentication is configured properly on the supplicant.
    Root cause
    Machine authentication against Active Directory has failed because of wrong password.
    Username
    host/MachineName
    I also have an alarming number of : Misconfigured Supplicant Detected(3714)

  • ISE mab authentication with Avaya/Nortel switches

    Currently using Cisco ISE 1.1 to authentication both dot1x and mab from Cisco switches. Both features are authenticating properly.
    When we use a Nortel/Avaya switch for the authenticator, we are unable to authenticate using mac bypass (non-eap (or neap) in Avaya talk..). The correct authentication policy is found in the ISE, but the mac address is not found in the database. We know it is there because the same mac is authenticating with the Cisco switch. Dot1x authenticates properly from both the Cisco and Avaya authenticators.
    Could this be an issues with the username/password format in the Radius packet from the Cisco?
    Thanks in advance for any assistance.
    -Kurt

    As requested...
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fet
    chBugDetails&bugId=CSCuc22732
    MAB works from a cisco switch because the cisco switch places the mac address in the calling-station-attribute and the user-name attribute. The Cisco ISE platform is looking at the calling-station attribute to find the user name.This is the problem.
    The radius RFC says the user name must be in the user-name attribute. The calling-station-attribute is not a required field and is used for the phone number of a voip phone. Basically, the ISE platform is looking at the wrong field for the mac address.

  • Cisco ISE authentication failed because client reject certificate

    Hi Experts,
    I am a newbie in ISE and having problem in my first step in authentication. Please help.
    I am trying to deploy a standalone Cisco ISE 1.1.2 with WLC using 802.1x authentication. The user authentication configured to be checked to ISE's internal user database for early deployment. But when the user try to authenticate, they failed with error message in ISE :
    Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
    I've generate a certificate for ISE using Windows Server CA and replace ISE's self-signed certificate with the new certificate but authentication still failed with the same error message. Must I generate a certificate for WLC also? Please help me in solving this problem.
    Regards,
    Ratna

    Certificate-Based User Authentication via Supplicant Failing
    Symptoms or
    Issue
    User authentication is failing on the client machine, and the user is receiving a
    “RADIUS Access-Reject” form of message.
    Conditions (This issue occurs with authentication protocols that require certificate validation.)
    Possible Authentications report failure reasons:
    • “Authentication failed: 11514 Unexpectedly received empty TLS message;
    treating as a rejection by the client”
    • “Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because
    the client rejected the Cisco ISE local-certificate”
    Click the magnifying glass icon from Authentications to display the following output
    in the Authentication Report:
    • 12305 Prepared EAP-Request with another PEAP challenge
    • 11006 Returned RADIUS Access-Challenge
    • 11001 Received RADIUS Access-Request
    • 11018 RADIUS is reusing an existing session
    • 12304 Extracted EAP-Response containing PEAP challenge-response
    • 11514 Unexpectedly received empty TLS message; treating as a rejection by the
    client
    • 12512 Treat the unexpected TLS acknowledge message as a rejection from the
    client
    • 11504 Prepared EAP-Failure
    • 11003 Returned RADIUS Access-Reject
    • 11006 Returned RADIUS Access-Challenge
    • 11001 Received RADIUS Access-Request
    • 11018 RADIUS is re-using an existing session
    • 12104 Extracted EAP-Response containing EAP-FAST challenge-response
    • 12815 Extracted TLS Alert message
    • 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the
    Cisco ISE local-certificate
    • 11504 Prepared EAP-Failure
    • 11003 Returned RADIUS Access-Reject
    Note This is an indication that the client does not have or does not trust the Cisco
    ISE certificates.
    Possible Causes The supplicant or client machine is not accepting the certificate from Cisco ISE.
    The client machine is configured to validate the server certificate, but is not
    configured to trust the Cisco ISE certificate.
    Resolution The client machine must accept the Cisco ISE certificate to enable authentication.

  • Radius Health Check - Cisco ISE

    I have one Cisco ISE setup with AD authentication. I want to configure radius helth check how it can be confiured on switches.
    Best Regards,          

    For example if we have too many authentications per second, more than what the PSN Specifications are designed for. In such cases we've to distribute the radius load to other PSN’s. You can also run Catalog report to draw a graph of Radius latency per PSN instance under Operations>Catalog>Server Health Summary> Last 7 days> PSN Hostname.
    This will only give you a trend of radius latency but not the reasons why. You need to go through logs of the concerned PSN to find out whats going on the PSN. Certainly Radius latency greater than 3 Seconds is concerning. In such scenarios we have to download the support bundle and analyse the logs.
    Cisco ISE Dashboard Monitoring
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_mnt.html#wp1226014
    Jatin Katyal
    - Do rate helpful posts -

  • OpenLdap Cisco ISE 1.2

    Is OpenLdap supported by Cisco ISE 1.2?
    When I try "Test bind to server" I get results so the connection seems fine. However when I set up the policies for a basic wlan with wpa2 authentication it says "Invalid password". When I put my username in the attributes folder it finds my id so I'm sure the link is working fine.

    Cisco ISE always uses the primary LDAP  server to obtain groups and attributes for use in authorization policies  from the Admin portal, so the  primary LDAP server must be accessible when you configure these items.  Cisco ISE uses the secondary LDAP server only for authentications and  authorizations at run time, according to the failover configuration. 
    Cisco ISE retains a list of  open LDAP connections (including the binding information) for each LDAP  server that is configured in Cisco  ISE. During the authentication process, the connection manager attempts  to find an open connection from the pool. If an open connection does not  exist, a new one is opened.
    If the LDAP server closed the  connection, the connection manager reports an error during the first  call to search the directory, and tries to renew the connection. After  the authentication process is complete, the connection manager releases  the connection.
    Please check the  below link which can helpful for you:
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_ui_reference_administration.html#wpxref71565

  • Cisco ISE with multiple Network interface

    Hello,
    I am deploying Cisco ISE 1.2 in a distributed deployment and the requirement is to use external Radius proxy feature. ISE PSNs are designed to have 2 L3 NIC's, Eth0 for administration and Eth1 as client side facing NIC for Radius requests. I am interested to know would Cisco ISE in version 1.2 use Eth1 interface to send RADIUS  authentication request to external RADIUS Proxy server.
    Could not find above information in Cisco SNS-3400 Series Appliance Ports Reference.
    http://www.cisco.com/en/US/docs/security/ise/1.2/installation_guide/ise_app_c-ports.html
    Thanks
    Kumar

    Thanks Ahmad for the reply.
    Cisco ISE uses standard RADIUS authentication and authorization port to send request to Exteranl RADIUS proxy. As per the interface/port refrence guide of version 1.2 this is listed that is causing a confusion :-
    Eth0
    Eth1
    Eth2
    Eth3
    Policy   Service node
    Session
    •UDP:1645, 1812 (RADIUS Authentication)
    •UDP:1646, 1813 (RADIUS Accounting)
    •UDP: 1700 (RADIUS change of authorization Send)
    •UDP: 1700, 3799 (RADIUS change of authorization Listen/Relay)
    External   Identity Stores
    and Resources
    •TCP: 389, 3268, UDP: 389 (LDAP)
    •TCP: 445 (SMB)
    •TCP: 88, UDP: 88 (KDC)
    •TCP: 464 (KPASS)
    •UDP: 123 (NTP)
    •TCP: 53, UDP: 53 (DNS)
    (Admin user interface authentication and endpoint authentication)
    In external Identity Stores and Resources it says Eth0 is used for (Admin user interface authentication and endpoint authentication), where under sessions it lists that all ports can be used for RADIUS Authentication and Authorization.
    I am not sure what I am missing to understand between the two if you can highlight that.
    Thanks
    Kumar

  • Cisco ISE in Apple Mac Environment

    Hi,
    One of our clients need to implement BYOD in their network. They are using Mac servers and clients. The requirement is to authenticate (wireless) users against the Mac directory server, in order to provide access to resources. I am trying to figure out whether Cisco ISE can perform LDAP authentication with Mac server. As per this document, Mac server is not a supported external identity source/LDAP server. Currently they are providing access to users by adding MAC addresses to WLC manually, which is not practical now due to increase in number of end devices, and limitation in MAC addresses supported by WLC (2048).
    Is it possible to implement this? Has anyone came across similar scenario?
    Thanks,
    John

    The Cisco Identity Services Engine (Cisco ISE) integrates with external identity sources to validate credentials in user authentication functions, and to retrieve group information and other attributes that are associated with the user for use in authorization policies. You must configure the external identity source that contains your user information in Cisco ISE. External identity sources also include certificate information for the Cisco ISE server and certificate authentication profiles.
    Both internal and external identity sources can be used as the authentication source for sponsor authentication and also for authentication of remote guest users.
    Table 5-1 lists the identity sources and the protocols that they support.
    Table 5-1 Protocol Versus Database Support 
     Protocol (Authentication Type)
     Internal Database
     Active Directory
     LDAP1
     RADIUS Token Server or RSA
     EAP-GTC2 , PAP3 (plain text password)
     Yes
     Yes
     Yes
     Yes
     MS-CHAP4 password hash: MSCHAPv1/v25  EAP-MSCHAPv26  LEAP7
     Yes
     Yes
     No
     No
     EAP-MD58  CHAP9
     Yes
     No
     No
     No
     EAP-TLS10  PEAP-TLS11  (certificate retrieval) Note For TLS authentications (EAP-TLS and PEAP-TLS), identity sources are not required, but are optional and can be added for authorization policy conditions.
     No
     Yes
     Yes
     No
     1 LDAP = Lightweight Directory Access Protocol. 2 EAP-GTC = Extensible Authentication Protocol-Generic Token Card 3 PAP = Password Authentication Protocol 4 MS-CHAP = Microsoft Challenge Handshake Authentication Protocol 5 MS-CHAPv1/v2 = Microsoft Challenge Handshake Authentication Protocol Version 1/Version 2 6 EAP-MSCHAPv2 = Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol Version 2 7 LEAP = Lightweight Extensible Authentication Protocol 8 EAP-MD5 = Extensible Authentication Protocol-Message Digest 5 9 CHAP = Challenge-Handshake Authentication Protocol 10 EAP-TLS = Extensible Authentication Protocol-Transport Layer Security 11 PEAP-TLS = Protected Extensible Authentication Protocol-Transport Layer Security
    and for the WLC Check the Link : www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html#backinfo

  • Cisco ISE & 3750 Switch MAB configuration Issue

    Hi,
    I am writting in response to MAB issue which I noticed a few days ago and I am still not able to undestand what exactly happend. First of all I would like to say that I configured MAB authentication and according to the MAC the ISE configure a VLAN. All worked well: the test computer can change VLAN based on its MAC. The problem appear when I cut the connection to ISE server. Accourding to configuration the switch authorize the new device to VLAN 11 (critical VLAN) That is fine ! When the ISE server is up again I had a configuration which should reauthorize all ports assign in critical VLAN. But why that is not happend ??? It looks as the switch didn't notice that the RADIUS (ISE) was up and working again.
    Here is the test switch configuration :
    interface FastEthernet0/22
    switchport access vlan 10
    switchport mode access
    authentication event fail action next-method
    authentication event server dead action authorize vlan 11
    authentication event server alive action reinitialize
    authentication order mab dot1x
    authentication priority mab dot1x
    authentication port-control auto
    authentication periodic
    authentication violation restrict
    mab     
    dot1x pae authenticator
    spanning-tree portfast
    spanning-tree bpduguard enable
    snmp-server community ISE-Test RO
    snmp-server community ISE-Test1 RW
    snmp-server trap-source FastEthernet0/24
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 192.168.98.10 auth-port 1812 acct-port 1813 key cisco123
    radius-server vsa send accounting
    radius-server vsa send authentication
    Thank you in advanced! I hope that this issue might be intersting!
    Martin

    Can you confirm that you have the following syntax in your NAD:
    aaa server radius dynamic-author
    client 192.168.98.10 server-key AAA_Secret
    Also, it would be nice to have the complete aaa/radius config. If esear post your whole config here.
    Last but not the elast, you can try moving to 15.x code. I had issues in the past with 12.x code and 802.1x

  • Cisco ISE Local Web Authentication via Switch

    Hello,
    I have Cisco ISE 1.2 and I need local webauthentication for clients.
    I want to send webauthentication link via switch.
    I made a research for it but I meet ACS documents :
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/WebAuth/WebAuth_Dep_Guide.html#wp393321
    and ISE central webauthentication documents for it.
    Is there local webauth in ISE via switch?
    Thanks,
    Alparslan

    Hello Alparslan,
    Please check the following link,
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/113362-config-web-auth-ise-00.html

  • [Cisco ISE 1.2 with 3850 - Trunk AP] Problem with MAB

    Hi everyone,
    After reading some documentation about using MAB in a trunk port with the 3850 I would like to know if someone has implemented ISE policies with a 3850 interface in trunk mode. My problem is that when I try using MAB in a trunk port the mac address of the AP it´s no visible in the "show mac address interface" and because of that the AP is not authenticated in ISE. The thing is that if I use a 2960 everything goes smoothly with no problems!
    Let me show you what I have,
    interface GigabitEthernet1/0/3
     description AP
     switchport trunk native vlan 999
     switchport mode trunk
     trust device cisco-phone
     authentication event fail action next-method
     authentication host-mode multi-host
     authentication order mab dot1x
     authentication priority dot1x mab
     authentication port-control auto
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     dot1x pae authenticator
     dot1x max-req 4
     auto qos voip cisco-phone
     service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
     service-policy output AutoQos-4.0-Output-Policy
    ############################################# switch model - 3850 ##################################################
    SW1#sh mac address-table interface GigabitEthernet1/0/3
              Mac Address Table
    Vlan    Mac Address       Type        Ports
    SW1#sh dot1x interface Gi1/0/3
    Dot1x Info for GigabitEthernet1/0/3
    PAE                       = AUTHENTICATOR
    QuietPeriod               = 60
    ServerTimeout             = 0
    SuppTimeout               = 30
    ReAuthMax                 = 2
    MaxReq                    = 4
    TxPeriod                  = 30
    Switch Ports Model              SW Version        SW Image              Mode
    *    1 56    WS-C3850-48P       03.03.03SE        cat3k_caa-universalk9 INSTALL
    ############################################# Different switch model - 2960 ##################################################
    interface GigabitEthernet1/0/1
     description AP
     switchport trunk native vlan 999
     switchport mode trunk
     srr-queue bandwidth share 1 30 35 5
     priority-queue out
     authentication event fail action next-method
     authentication host-mode multi-host
     authentication order mab dot1x
     authentication priority dot1x mab
     authentication port-control auto
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     mls qos trust device cisco-phone
     mls qos trust cos
     dot1x pae authenticator
     dot1x max-req 4
     auto qos voip cisco-phone
     service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
     SW1#$cation sessions interface GigabitEthernet1/0/1
                Interface:  GigabitEthernet1/0/1
              MAC Address:  xxxx.xxxx.4a38
               IP Address:  172.18.1.170
                User-Name:  xx-xx-xx-xx-4A-38
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-host
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A18129D000060E39DAE8A8A
          Acct Session ID:  0x0000725D
                   Handle:  0x0F00028C
    Runnable methods list:
           Method   State
           mab      Authc Success
           Switch Ports Model              SW Version            SW Image                                                                                             
         1 28    WS-C2960X-24PS-L   15.0(2)EX5            C2960X-UNIVERSALK9-M      
     SW2#sh dot1x interface Gi1/0/1
    Dot1x Info for GigabitEthernet1/0/1
    PAE                       = AUTHENTICATOR
    QuietPeriod               = 60
    ServerTimeout             = 0
    SuppTimeout               = 30
    ReAuthMax                 = 2
    MaxReq                    = 4
    TxPeriod                  = 30
    Am I doing something wrong?
    BR,

    I know what you mean and I agree with what you are saying :) Nonetheless, at the moment, the official stance from Cisco on this is that 802.1x is not supported on trunk ports. Now one can argue that MAB is different but I think we are just splitting hairs here :) 
    Like I said, I have gotten stuff to work before but always had some goofy things happening so in general I have stayed away from doing it. 
    Now in your situation, if your configuration is working fine on the 2960 but not on the 3850, then most likely the issue is with the XE code running on the 3850s. The XE code has been very problematic until recently so you are probably hitting some sort of a defect. As a result, I recommend that you upgrade the switch(es) to 3.3.5 or 3.6.1. Version 3.7.x is also out but it just came out 8 days ago so I would not recommend going to it. 
    Thank you for rating helpful posts!

  • AD Machine Authentication with Cisco ISE problem

    Hi Experts,
    I am new with ISE, I have configured ISE & Domain computers for PEAP authentication. initially machine gets authenticated and then starts going MAB.
    Authentication policy:
    Allowed protocol = PEAP & TLS
    Authorization Policy:
    Condition for computer to be checked in external identity store (AD) = Permit access
    Condition for users to be checked in external identity store (AD) plus WasMachineAuthenticated = permit access
    All of the above policies do match and download the ACL from ISE but computer starts to mab authentication again...
    Switchport configuration:
    ===============================================
    ip access-list extended ACL-DEFAULT
    remark Allow DHCP
    permit udp any eq bootpc any eq bootps
    remark Allow DNS
    permit udp any any eq domain
    permit ip any host (AD)
    permit icmp any any
    permit ip any host (ISE-1)
    permit ip any host  (ISE-2)
    permit udp any host (CUCM-1) eq tftp
    permit udp any host (CUCM-2)eq tftp
    deny ip any any
    ===============================================
    switchport config
    ===============================================
    Switchport Access vlan 10
    switchport mode access
    switchport voice vlan 20
    ip access-group ACL-DEFAULT in
    authentication open
    authentication event fail action next-method
    authentication event server dead action authorize vlan 1
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication timer inactivity 180
    authentication violation restrict
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 100
    ====================================================
    One more problem about the "authentication open" and default ACL. Once the authentication succeeds and per user is ACL pushed though ISE to the switch. The default ACL still blocks communication on this switchprort.
    Your help will highly appreciated.
    Regards,

    You need to watch the switch during an authentication, see if the machine is passing authentication and the user may be failing authentication causing the switch to fail to mab.  If your switch configuration is on auth failure continue to next method, then this makes sense.  The question is why is the user failing auth but the machine is passing, could be something in the policy.  Make sure your AD setup has machine authentciation checked or it may not tie the machine and user auth together and the user may be failing because ISE can't make that relationship so the machinewasauth=true is not beeing matched.  Easy way to check is remove that rule from your policy and see if the same thing happens.
    I've also seen this happen when clients want to use EAP-TLS on the wired, machines passes auth, then the user logs into a machine for the first time.  The user auth kicks off before the user gets a cert and fails auth with a null certificate, since this is a auth failure the switchport kicks over to MAB.
    I don't think wasmachineauth=true is that great, I prefer to use EAP-FASTv2 using Cisco Anyconnect NAM with eap-chaining.  This is great because you can do two part authentication.  EAP-FAST outer with EAP-TLS inner for the machine auth, and MSCHAPv2 for the inner of the user auth. You get your EAP-TLS auth for the machine and don't have to worry about a user logging into a machine for the first time and switching to MAB because the user doesn't have a cert yet.  I also do my rule to say if machine pass and user fail, then workstaion policy, if machine and user pass then corp policy.

  • Cisco ISE: Dot1x failing and MAB succeeded (Intermittent) /or Posture Delay

    Hi,
    We are running the cisco ise 1.1.3 and configured for the Dot1x and MAB authentications. PC's are getting access through MAB while Dot1x failing again and again. But, sometime, same PC is getting authenticating  via Dot1x. Connectivity is intermittent. Also, sometimes, stucks longer in Posture
    We have three different switches at the moment with the latest IOS version.
    1) WS-C4507R-E    =  15.1(2)SG,
    2) WS-C3560-48PS = 12.2(55)SE7
    3) WS-C3750X-24P = 15.0(2)SE1
    Could you anyone pitch the idea? or advise about the latest IOS for the switches.
    Let me know, if you need more information.
    Thanks,
    Regards,
    Mubahser

    It seems your PCs are failing dot1x and also failing MAB authentication, the switch by default will start the process again and will again fail dot1x and MAB authentication, and so on.
    It will be helpful to see the logs from both the switch and the radius servers (i take it is ACS or ISE). Also the configuration of the radius server.

Maybe you are looking for