ISE mab authentication with Avaya/Nortel switches

Currently using Cisco ISE 1.1 to authenticate both dot1x and MAB from Cisco switches. Both features are authenticating properly.
When we use a Nortel/Avaya switch as the authenticator, we are unable to authenticate using MAC bypass (non-EAP, or NEAP, in Avaya terms). The correct authentication policy is found in the ISE, but the MAC address is not found in the database. We know it is there because the same MAC is authenticating with the Cisco switch. Dot1x authenticates properly from both the Cisco and Avaya authenticators.
Could this be an issue with the username/password format in the RADIUS packet from the Cisco?
Thanks in advance for any assistance.
-Kurt

As requested...
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCuc22732
MAB works from a Cisco switch because the Cisco switch places the MAC address in both the Calling-Station-Id attribute and the User-Name attribute. The Cisco ISE platform is looking at the Calling-Station-Id attribute to find the user name. This is the problem.
The RADIUS RFC says the user name must be in the User-Name attribute. The Calling-Station-Id attribute is not a required field and is used for the phone number of a VoIP phone. Basically, the ISE platform is looking at the wrong field for the MAC address.
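To make the attribute placement concrete, here is an added example (written for this page, not Cisco's, Avaya's or ISE's code) that encodes and decodes RFC 2865 attribute TLVs and models two MAB lookups: one that consults only Calling-Station-Id, as the reply describes ISE doing, and one that falls back to User-Name. The "Avaya-style" request carrying the MAC only in User-Name, the MAC value itself and the endpoint store are constructed assumptions; the MAC spellings normalised are the ones that appear in the logs on this page.

```python
"""Model of the MAB identity lookup discussed above (example code, not a
real RADIUS server). The lookup helpers are a simplified model of the
behaviour described in the thread, not ISE's actual implementation."""
import os
import re
import struct

# RFC 2865 packet code and attribute types used here
ACCESS_REQUEST = 1
USER_NAME = 1            # where RFC 2865 puts the identity
CALLING_STATION_ID = 31  # where the Cisco switch also copies the MAC
EAP_MESSAGE = 79         # present means EAP, not a MAB host lookup


def build_access_request(attrs, ident=1):
    """Encode (type, value) pairs as RFC 2865 TLVs behind a 20-byte header."""
    body = b""
    for atype, value in attrs:
        if isinstance(value, str):
            value = value.encode()
        if len(value) > 253:
            raise ValueError("attribute value too long for one TLV")
        body += struct.pack("!BB", atype, len(value) + 2) + value
    authenticator = os.urandom(16)  # Request Authenticator: 16 random octets
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + authenticator + body


def parse_attributes(packet):
    """Decode the TLV list after the header; returns a list of (type, bytes)."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalise_mac(text):
    """Canonicalise the MAC spellings seen in this thread (aa1effbb8fd4,
    aa-1E-FF-bb-8F-D4, 0015.c549.5c99, 00:15:c5:49:5c:99) to 12 lowercase
    hex digits; returns None when the value is not a MAC at all."""
    hexdigits = re.sub(r"[-:.]", "", text.strip()).lower()
    return hexdigits if MAC_RE.match(hexdigits) else None


def mab_identity(attrs, fields):
    """Return the first normalised MAC found in `fields` (attribute types,
    consulted in order), or None. `fields` models which attributes the
    server is willing to read the endpoint identity from."""
    if any(atype == EAP_MESSAGE for atype, _ in attrs):
        return None  # an EAP exchange, so no MAB host lookup at all
    by_type = {atype: value for atype, value in attrs}
    for field in fields:
        if field in by_type:
            mac = normalise_mac(by_type[field].decode(errors="replace"))
            if mac:
                return mac
    return None


# Constructed samples modelled on the thread; the MAC and store are made up.
ENDPOINT_DB = {"0015c5495c99"}   # endpoint store keyed by canonical MAC

CISCO_STYLE = [(USER_NAME, "00-15-C5-49-5C-99"),
               (CALLING_STATION_ID, "00-15-C5-49-5C-99")]   # MAC in both
AVAYA_STYLE = [(USER_NAME, "0015c5495c99")]  # assumed: MAC in User-Name only


def lookup(attrs_list, fields):
    """Round-trip the request through the wire format and check the store."""
    packet = build_access_request(attrs_list)
    mac = mab_identity(parse_attributes(packet), fields)
    return mac in ENDPOINT_DB


if __name__ == "__main__":
    # Server reading only Calling-Station-Id (the behaviour the reply describes)
    print("Cisco, CSID only:", lookup(CISCO_STYLE, [CALLING_STATION_ID]))
    print("Avaya, CSID only:", lookup(AVAYA_STYLE, [CALLING_STATION_ID]))
    # Server that also honours User-Name, as RFC 2865 expects
    print("Avaya, CSID then User-Name:",
          lookup(AVAYA_STYLE, [CALLING_STATION_ID, USER_NAME]))
```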

Similar Messages

  • ISE Web Authentication with Profile

       Hi,
I'm using Web Authentication with Cisco ISE 1.2.1 without problems.
The Cisco ISE didn't find the endpoint in my internal endpoint store and continued with Web Authentication.
But when I enable the PSN with the Profile Server, the Cisco ISE populates the internal endpoint store dynamically and I cannot use
the Web Authentication because the endpoint is already in the internal endpoint store.
What's the best way to solve this problem?
Thanks in advance
       Andre Gustavo Lomonaco

Hi Neno, let me clarify my question.
I'm already using my internal endpoints to permit authentication via MAB for my IP Phones, Access Points and Printers. I'm using Profile to be able to populate this ISE internal database.
Now imagine that I want to use Web Authentication to permit guest workstations to authenticate without 802.1x. If the profiler puts the guest workstation MAC in the endpoints database, those workstations will always be authenticated using MAC authentication and not Web Authentication. Remember that for Web Authentication to work we need to configure the continue option if the MAC is not found in the endpoints database. But when the profiler is on, the new (guest workstation) MACs are inserted into the endpoints database before I have a chance to use Web Authentication.

  • ISE MAB authentication license usage

    Hello all. If I need ISE to authenticate wireless user MAC addresses (MAC Address bypass) in order to facilitate central web authentication - does every concurrent device MAC address that accesses my guest wireless SSID and gets forwarded to ISE for authentication use up a license?
    I have many users with smart phones and tablets that have the guest wireless SSID profile already saved and automatically connect to the guest SSID when in range. Most of these users do not go on to log in via central web authentication, but their MAC addresses get forwarded to ISE for authentication. Does ISE use up a license per MAC address?
    Thanks,

    Hello-
    Please take a look at the following link:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_d_man_license.html
So, in your situation, a license will be consumed even though the user never authenticates. This is because a license is consumed as soon as a session hits a rule in your AAA ISE policies. However, you can see from the document that as soon as the session times out the endpoint frees the license. If for some reason an "accounting-stop" message is not received, then after 5 days of inactivity the system will automatically free the license.
    Hope this helps!
    Thank you for rating helpful posts!

  • IAS authentication with 200 series switches based on MAC addresses

    Hi,
I am trying to implement a solution based on a 2003 Server with IAS and a switch (from the 200 series) just to authenticate machines by their MAC addresses.
I think the config on the switch is OK but I have questions about the parameters to put in IAS...
Can someone help me or give me a link to a good document that explains the how-to?
    Many thanks

    I have just done some more testing.
    I added the authentication mac-move permit command to the switch and it now almost works as expected.
    The scenarios now are:
Machine without dot1x supplicant plugged into phone: when unplugged the switch immediately deletes the MAC address from the port.
Machine with dot1x supplicant plugged into phone: exactly the same.
Machine without dot1x plugged directly into port: exactly the same.
Machine with dot1x plugged directly into port: exactly the same.
The problem is if someone has a machine running a dot1x supplicant and hosting a VM.
In that case, as long as you move to a different port on the same switch it works fine (as the workstation reconnects the mac-move process works).
If you move this machine from one switch to another with the IP phone installed, the de-auth message removes the VM or the host from the original switch MAC table and leaves one of the old addresses behind.
    I suppose a solution would be to ban all VMs but that won't go down well.
    I don't want to change the authentication method as we will have machines without a supplicant that need to connect to resources (i.e. using mab)
    Thanks for your help (and a faster reply than my support company who still haven't rung me back).
    Giles

  • Nortel switches authenticating to both ACS via RADIUS

    Dual ACS solution (4.2) with one ACS doing the authenticating, the other acting as a standby.
Recently, when accessing Nortel switches, they authenticate to both ACS, as some are going to ACS2 despite their primary RADIUS server being ACS1.
    The ACS solution has other network devices, using TACACS+ and they seem fine. DB replication is fine between the ACS and nothing I believe has changed in the configuration between the two.
    Any ideas? (all I can think is the response from ACS1 is exceeding the timeout and the switches then select ACS2, but there's no evidence to suggest a problem in network delay).

I am unfamiliar with the Nortel switches. If a Cisco switch queries an AAA server and it fails to respond, it will mark it as dead and move to the next. When the AAA server is back online, the switch will not revert to the previous server. It will remain on the current AAA server until AAA is disabled or the current AAA server fails to respond.
Network delay would cause this. Maybe the services were disabled or replication was occurring while the device was trying to authenticate.
    Thank You,
    Dan Laden

  • ESW 520 802.1x MAB authentication problem

    Hello,
I am having a problem with 802.1x MAB authentication on an ESW 520 switch; the authentication server is ACS 5.3.
The authentication method on the ESW is 802.1x & MAC, and the host authentication mode is Multi Session. When I plug in an IP phone it never authenticates the phone, and on ACS I get the following error message:
    Radius authentication failed for USER: aa1effbb8fd4  MAC: aa-1E-FF-bb-8F-D4  AUTHTYPE:  Radius authentication failed
    RADIUS Status:Authentication failed    : 11509 Access Service does not allow any EAP protocols
    15004  Matched rule
    15012  Selected Access Service - MAB
    11507  Extracted EAP-Response/Identity
    11509  Access Service does not allow any EAP protocols
    11504  Prepared EAP-Failure
    11003  Returned RADIUS Access-Reject
For that Access Service I have configured only Host Lookup.
The same ACS configuration is working perfectly on a Catalyst 3560G switch.
It seems that the ESW switch is not telling ACS that authentication is going to be by MAC address.
Do you have any idea what the problem could be?

    Are you hitting the same selection rule? Also is "mab eap" configured globally on the switch, or on the port itself?
    Also can you post the port configuration and the show ver of the ESW?
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Authentication with MS-IAS / AD

I'm trying to control access to my LAN by authenticating users with EAP / MS-IAS + AD.
The IAS denied the access with error 112: The remote RADIUS server did not process the authentication request.
I set up the IAS policy to answer with vendor specific 64:"VLAN", 65:802, 81:10
Has somebody already managed to use MS-IAS RADIUS authentication with a Cisco 2960 switch?
    Mon Jun 28 12:22:49 2010: <191>4105: Jun 28 12:22:49.122 UTC+1: RADIUS(00000098): Send Access-Request to 10.221.136.14:1645 id 1645/56, len 211
    Mon Jun 28 12:22:49 2010: <191>4106: Jun 28 12:22:49.122 UTC+1: RADIUS:  authenticator 91 EC 87 87 89 0E AF 79 - 76 CE 5A 61 ED 1A D7 AC
    Mon Jun 28 12:22:49 2010: <191>4107: Jun 28 12:22:49.122 UTC+1: RADIUS:  User-Name           [1]   17  "EUROPE\ParisAdm"
    Mon Jun 28 12:22:49 2010: <191>4108: Jun 28 12:22:49.122 UTC+1: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Mon Jun 28 12:22:49 2010: <191>4109: Jun 28 12:22:49.122 UTC+1: RADIUS:  Framed-MTU          [12]  6   1500                     
    Mon Jun 28 12:22:49 2010: <191>4110: Jun 28 12:22:49.122 UTC+1: RADIUS:  Called-Station-Id   [30]  19  "00-24-51-55-47-84"
    Mon Jun 28 12:22:49 2010: <191>4111: Jun 28 12:22:49.122 UTC+1: RADIUS:  Calling-Station-Id  [31]  19  "00-14-22-BF-46-40"
    Mon Jun 28 12:22:49 2010: <191>4112: Jun 28 12:22:49.122 UTC+1: RADIUS:  EAP-Message         [79]  22 
    Mon Jun 28 12:22:49 2010: <191>4113: Jun 28 12:22:49.122 UTC+1: RADIUS:   02 02 00 14 01 45 55 52 4F 50 45 5C 50 61 72 69 73 41 64 6D   [ EUROPE\ParisAdm]
    Mon Jun 28 12:22:49 2010: <191>4114: Jun 28 12:22:49.122 UTC+1: RADIUS:  Message-Authenticato[80]  18 
    Mon Jun 28 12:22:49 2010: <191>4115: Jun 28 12:22:49.122 UTC+1: RADIUS:   27 E9 35 4C C3 69 99 B0 1B D9 3A 08 84 C0 71 E4            [ '5Li:q]
    Mon Jun 28 12:22:49 2010: <191>4116: Jun 28 12:22:49.122 UTC+1: RADIUS:  Vendor, Cisco       [26]  49 
    Mon Jun 28 12:22:49 2010: <191>4117: Jun 28 12:22:49.122 UTC+1: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A8FE030000006B13A4833C"
    Mon Jun 28 12:22:49 2010: <191>4118: Jun 28 12:22:49.122 UTC+1: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    Mon Jun 28 12:22:49 2010: <191>4119: Jun 28 12:22:49.122 UTC+1: RADIUS:  NAS-Port            [5]   6   50004                    
    Mon Jun 28 12:22:49 2010: <191>4120: Jun 28 12:22:49.122 UTC+1: RADIUS:  NAS-Port-Id         [87]  17  "FastEthernet0/4"
    Mon Jun 28 12:22:49 2010: <191>4121: Jun 28 12:22:49.122 UTC+1: RADIUS:  NAS-IP-Address      [4]   6   192.168.254.3            
    Mon Jun 28 12:22:50 2010: <191>4122: Jun 28 12:22:49.206 UTC+1: RADIUS: Received from id 1645/56 10.221.136.14:1645, Access-Reject, len 20
    Mon Jun 28 12:22:50 2010: <191>4123: Jun 28 12:22:49.206 UTC+1: RADIUS:  authenticator CC 28 1A 22 28 32 F2 27 - 79 1F 2B 01 32 C5 AD BC
    Mon Jun 28 12:22:50 2010: <191>4124: Jun 28 12:22:49.206 UTC+1: RADIUS(00000098): Received from id 1645/56
    Mon Jun 28 12:22:52 2010: <187>4125: Jun 28 12:22:50.842 UTC+1: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to up
    Thx for your help
    Pascal

    You need to have 3 policies create in IAS. Each will define the ssid and the AD group the user belongs to. So on the wlc, do you have 3 ssids and each has it own vlan?
    Sent from Cisco Technical Support iPad App

  • Cisco ISE 1.3 MAB authentication.. switch drop packet

    Hello All,
I have a C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE9, RELEASE SOFTWARE (fc1) switch
and ISE version 1.3.
MAB authentication is working perfectly at the ISE end, but when looking at the same at the switch end I see the switch is dropping packets on some ports,
while some ports are working perfectly.
The same switch configuration is working perfectly on another switch without any issue.
Switch configuration for your suggestions:
    aaa new-model
    aaa authentication fail-message ^C
    **** Either ACS or ISE is DOWN / Use ur LOCAL CREDENTIALS / Thank You ****
    ^C
    aaa authentication login CONSOLE local
    aaa authentication login ACS group tacacs+ group radius local
    aaa authentication dot1x default group radius
    aaa authorization config-commands
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+ group radius
    aaa server radius dynamic-author
     client 172.16.95.x server-key 7 02050D480809
     client 172.16.95.x server-key 7 14141B180F0B
    aaa session-id common
    clock timezone IST 5 30
    system mtu routing 1500
    ip routing
    no ip domain-lookup
    ip domain-name EVS.com
    ip device tracking
    epm logging
    dot1x system-auth-control
    interface FastEthernet0/1
     switchport access vlan x
     switchport mode access
     switchport voice vlan x
     authentication event fail action next-method
 authentication host-mode multi-auth
     authentication order mab dot1x
     authentication priority mab dot1x
     authentication port-control auto
     authentication violation restrict
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    ip tacacs source-interface Vlan10
    ip radius source-interface Vlan10 vrf default
    logging trap critical
    logging origin-id ip
    logging 172.16.5.95
    logging host 172.16.95.x transport udp port 20514
    logging host 172.16.95.x transport udp port 20514
    snmp-server group SNMP-Group v3 auth read EVS-view notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F access 15
    snmp-server view EVS-view internet included
    snmp-server community S1n2M3p4$ RO
    snmp-server community cisco RO
    snmp-server trap-source Vlan10
    snmp-server source-interface informs Vlan10
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
    snmp-server enable traps cluster
    snmp-server enable traps entity
    snmp-server enable traps cpu threshold
    snmp-server enable traps vtp
    snmp-server enable traps vlancreate
    snmp-server enable traps vlandelete
    snmp-server enable traps flash insertion removal
    snmp-server enable traps port-security
    snmp-server enable traps envmon fan shutdown supply temperature status
    snmp-server enable traps config-copy
    snmp-server enable traps config
    snmp-server enable traps bridge newroot topologychange
    snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
    snmp-server enable traps syslog
    snmp-server enable traps mac-notification change move threshold
    snmp-server enable traps vlan-membership
    snmp-server host 172.16.95.x version 2c cisco
    snmp-server host 172.16.95.x version 2c cisco
    snmp-server host 172.16.5.x version 3 auth evsnetadmin
    tacacs-server host 172.16.5.x key 7 0538571873651D1D4D26421A4F
    tacacs-server directed-request
tacacs-server key 7 107D580E573E411F58277F2360
    tacacs-server administration
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 25 access-request include
    radius-server host 172.16.95.y auth-port 1812 acct-port 1813 key 7 060506324F41
    radius-server host 172.16.95.x auth-port 1812 acct-port 1813 key 7 110A1016141D
    radius-server host 172.16.95.y auth-port 1645 acct-port 1646 key 7 110A1016141D
    radius-server host 172.16.95.x auth-port 1645 acct-port 1646 key 7 070C285F4D06
    radius-server timeout 2
    radius-server key 7 060506324F41
    radius-server vsa send accounting
    radius-server vsa send authentication
    line con 0
     exec-timeout 5 0
     privilege level 15
     logging synchronous
     login authentication CONSOLE
    line vty 0 4
     access-class telnet_access in
     exec-timeout 0 0
     logging synchronous
 login authentication ACS
     transport input ssh

     24423  ISE has not been able to confirm previous successful machine authentication  
Judging by that line and what your policy says, it appears that your authentication was rejected because your machine was not authenticated prior to this connection.
The first thing to check is whether MAR has been enabled on the identity source. The second thing to check is whether your machine is set to send a certificate for authentication. There are other things you can look at but I'd do those two first.
Log off and on, or reboot, and then see if you at least get a failed machine auth on the Operations > Authentication page, and we can go from there.

  • [Cisco ISE 1.2 with 3850 - Trunk AP] Problem with MAB

    Hi everyone,
After reading some documentation about using MAB on a trunk port with the 3850, I would like to know if someone has implemented ISE policies with a 3850 interface in trunk mode. My problem is that when I try using MAB on a trunk port, the MAC address of the AP isn't visible in "show mac address interface" and because of that the AP is not authenticated in ISE. The thing is that if I use a 2960 everything goes smoothly with no problems!
    Let me show you what I have,
    interface GigabitEthernet1/0/3
     description AP
     switchport trunk native vlan 999
     switchport mode trunk
     trust device cisco-phone
     authentication event fail action next-method
     authentication host-mode multi-host
     authentication order mab dot1x
     authentication priority dot1x mab
     authentication port-control auto
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     dot1x pae authenticator
     dot1x max-req 4
     auto qos voip cisco-phone
     service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
     service-policy output AutoQos-4.0-Output-Policy
    ############################################# switch model - 3850 ##################################################
    SW1#sh mac address-table interface GigabitEthernet1/0/3
              Mac Address Table
    Vlan    Mac Address       Type        Ports
    SW1#sh dot1x interface Gi1/0/3
    Dot1x Info for GigabitEthernet1/0/3
    PAE                       = AUTHENTICATOR
    QuietPeriod               = 60
    ServerTimeout             = 0
    SuppTimeout               = 30
    ReAuthMax                 = 2
    MaxReq                    = 4
    TxPeriod                  = 30
    Switch Ports Model              SW Version        SW Image              Mode
    *    1 56    WS-C3850-48P       03.03.03SE        cat3k_caa-universalk9 INSTALL
    ############################################# Different switch model - 2960 ##################################################
    interface GigabitEthernet1/0/1
     description AP
     switchport trunk native vlan 999
     switchport mode trunk
     srr-queue bandwidth share 1 30 35 5
     priority-queue out
     authentication event fail action next-method
     authentication host-mode multi-host
     authentication order mab dot1x
     authentication priority dot1x mab
     authentication port-control auto
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     mls qos trust device cisco-phone
     mls qos trust cos
     dot1x pae authenticator
     dot1x max-req 4
     auto qos voip cisco-phone
     service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
     SW1#$cation sessions interface GigabitEthernet1/0/1
                Interface:  GigabitEthernet1/0/1
              MAC Address:  xxxx.xxxx.4a38
               IP Address:  172.18.1.170
                User-Name:  xx-xx-xx-xx-4A-38
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-host
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A18129D000060E39DAE8A8A
          Acct Session ID:  0x0000725D
                   Handle:  0x0F00028C
    Runnable methods list:
           Method   State
           mab      Authc Success
           Switch Ports Model              SW Version            SW Image                                                                                             
         1 28    WS-C2960X-24PS-L   15.0(2)EX5            C2960X-UNIVERSALK9-M      
     SW2#sh dot1x interface Gi1/0/1
    Dot1x Info for GigabitEthernet1/0/1
    PAE                       = AUTHENTICATOR
    QuietPeriod               = 60
    ServerTimeout             = 0
    SuppTimeout               = 30
    ReAuthMax                 = 2
    MaxReq                    = 4
    TxPeriod                  = 30
    Am I doing something wrong?
    BR,

    I know what you mean and I agree with what you are saying :) Nonetheless, at the moment, the official stance from Cisco on this is that 802.1x is not supported on trunk ports. Now one can argue that MAB is different but I think we are just splitting hairs here :) 
    Like I said, I have gotten stuff to work before but always had some goofy things happening so in general I have stayed away from doing it. 
    Now in your situation, if your configuration is working fine on the 2960 but not on the 3850, then most likely the issue is with the XE code running on the 3850s. The XE code has been very problematic until recently so you are probably hitting some sort of a defect. As a result, I recommend that you upgrade the switch(es) to 3.3.5 or 3.6.1. Version 3.7.x is also out but it just came out 8 days ago so I would not recommend going to it. 
    Thank you for rating helpful posts!

  • Not Working-central web-authentication with a switch and Identity Service Engine

Following up on the document "Configuration example: central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working, I'm asking for your help...
I'm using ISE version 1.0.4.573 and a WS-C2960-24PC-L with software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
    The interface configuration looks like this:
    interface FastEthernet0/24
    switchport access vlan 6
    switchport mode access
    switchport voice vlan 20
    ip access-group webauth in
    authentication event fail action next-method
    authentication event server dead action authorize
    authentication event server alive action reinitialize
    authentication order mab
    authentication priority mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication violation restrict
    mab
    spanning-tree portfast
    end
    The ACL's
    Extended IP access list webauth
        10 permit ip any any
    Extended IP access list redirect
        10 deny ip any host 172.22.2.38
        20 permit tcp any any eq www
        30 permit tcp any any eq 443
The ISE side configuration I followed step by step...
When I connect the XP client, I see the following authentication session...
    swlx0x0x#show authentication sessions interface fastEthernet 0/24
               Interface:  FastEthernet0/24
              MAC Address:  0015.c549.5c99
               IP Address:  172.22.3.184
                User-Name:  00-15-C5-49-5C-99
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  single-host
         Oper control dir:  both
            Authorized By:  Authentication Server
               Vlan Group:  N/A
         URL Redirect ACL:  redirect
             URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC16011F000000490AC1A9E2
          Acct Session ID:  0x00000077
                   Handle:  0xB7000049
    Runnable methods list:
           Method   State
           mab      Authc Success
But there is no redirection, and I get the following message on the switch console:
    756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host
    756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
    I have to mention I'm using an http proxy on port 8080...
    Any Ideas on what is going wrong?
    Regards
    Nuno

    OK, so I upgraded the IOS to version
    SW Version: 12.2(55)SE5, SW Image: C2960-LANBASEK9-M
I tweaked the ACLs to the following:
    Extended IP access list redirect
        10 permit ip any any (13 matches)
    and created a DACL that is downloaded along with the authentication
    Extended IP access list xACSACLx-IP-redirect-4f743d58 (per-user)
        10 permit ip any any
    I can see the epm session
    swlx0x0x#show epm session ip 172.22.3.74
         Admission feature:  DOT1X
         ACS ACL:  xACSACLx-IP-redirect-4f743d58
         URL Redirect ACL:  redirect
         URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
    And authentication
    swlx0x0x#show authentication sessions interface fastEthernet 0/24
         Interface:  FastEthernet0/24
         MAC Address:  0015.c549.5c99
         IP Address:  172.22.3.74
         User-Name:  00-15-C5-49-5C-99
         Status:  Authz Success
         Domain:  DATA
         Oper host mode:  multi-auth
         Oper control dir:  both
         Authorized By:  Authentication Server
         Vlan Group:  N/A
         ACS ACL:  xACSACLx-IP-redirect-4f743d58
         URL Redirect ACL:  redirect
         URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
         Session timeout:  N/A
         Idle timeout:  N/A
         Common Session ID:  AC16011F000000160042BD98
         Acct Session ID:  0x0000001B
         Handle:  0x90000016
         Runnable methods list:
         Method   State
         mab      Authc Success
    on the logging, I get the following messages...
    017857: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
    017858: Mar 29 11:27:04: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.74 Hash=271
    017859: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: CacheEntryGet Success
    017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]
    017861: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24
    017862: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...
    017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet
What am I missing?

  • AD Machine Authentication with Cisco ISE problem

    Hi Experts,
I am new to ISE. I have configured ISE and domain computers for PEAP authentication. Initially the machine gets authenticated and then it starts going to MAB.
    Authentication policy:
    Allowed protocol = PEAP & TLS
    Authorization Policy:
    Condition for computer to be checked in external identity store (AD) = Permit access
    Condition for users to be checked in external identity store (AD) plus WasMachineAuthenticated = permit access
    All of the above policies do match and download the ACL from ISE but computer starts to mab authentication again...
    Switchport configuration:
    ===============================================
    ip access-list extended ACL-DEFAULT
    remark Allow DHCP
    permit udp any eq bootpc any eq bootps
    remark Allow DNS
    permit udp any any eq domain
    permit ip any host (AD)
    permit icmp any any
    permit ip any host (ISE-1)
    permit ip any host  (ISE-2)
    permit udp any host (CUCM-1) eq tftp
    permit udp any host (CUCM-2)eq tftp
    deny ip any any
    ===============================================
    switchport config
    ===============================================
    Switchport Access vlan 10
    switchport mode access
    switchport voice vlan 20
    ip access-group ACL-DEFAULT in
    authentication open
    authentication event fail action next-method
    authentication event server dead action authorize vlan 1
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication timer inactivity 180
    authentication violation restrict
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 100
    ====================================================
One more problem about "authentication open" and the default ACL: once the authentication succeeds and the per-user ACL is pushed through ISE to the switch, the default ACL still blocks communication on this switchport.
Your help will be highly appreciated.
    Regards,

You need to watch the switch during an authentication, see if the machine is passing authentication and the user may be failing authentication, causing the switch to fail to MAB.  If your switch configuration is on auth failure continue to next method, then this makes sense.  The question is why is the user failing auth but the machine is passing; could be something in the policy.  Make sure your AD setup has machine authentication checked or it may not tie the machine and user auth together, and the user may be failing because ISE can't make that relationship, so the machinewasauth=true is not being matched.  Easy way to check is remove that rule from your policy and see if the same thing happens.
I've also seen this happen when clients want to use EAP-TLS on the wired: the machine passes auth, then the user logs into a machine for the first time.  The user auth kicks off before the user gets a cert and fails auth with a null certificate; since this is an auth failure the switchport kicks over to MAB.
I don't think wasmachineauth=true is that great; I prefer to use EAP-FASTv2 using Cisco AnyConnect NAM with EAP chaining.  This is great because you can do two-part authentication.  EAP-FAST outer with EAP-TLS inner for the machine auth, and MSCHAPv2 for the inner of the user auth. You get your EAP-TLS auth for the machine and don't have to worry about a user logging into a machine for the first time and switching to MAB because the user doesn't have a cert yet.  I also do my rule to say if machine pass and user fail, then workstation policy; if machine and user pass, then corp policy.

  • ISE and authenticating against Windows AD with RADIUS realm that is different from the Windows domain

    Hello
We are in the process of evaluating the Cisco ISE VMware appliance with a view to replacing our existing FreeRADIUS installation as the authentication provider for our wireless network and VPN service. As a part of this we are hoping to migrate our user authentication to Microsoft Active Directory - we have previously authenticated against a different identity store (not MS AD).  Because of this legacy our Windows domain is not the same as our RADIUS realm name - the Windows domain is "win.mydomain" whereas we wish to allow users to authenticate using "username@mydomain" or even "[email protected]" as they are doing today. We are experiencing an issue where authentication requests with the format "[email protected]" will be forwarded to the Windows AD whereas authentication requests with the format "username@mydomain" will fail with the log message "User not found in Active Directory". We do not know if the ISE itself is validating the username and triggering this error, or if the error originates from AD. We suspect that the ISE is not even asking AD because "win.mydomain" is the domain configured in "Active Directory" in "External Identity Sources".
    Authentication requests against the AD without a realm are successful (that is, using only "username"). With this in mind we located a post on the Cisco support forums that described a process of proxying the request back to the ISE and strip the realm information, but this was specific for the ACS platform. We have attempted to implement this solution but it is still not working as we would have hoped, and we are not entirely certain where the fault might lie. We are currently using PEAP with MSCHAPv2 for authentication in our WLAN where the main problem is. We suspect that the "proxy-to-self" with realm stripping is an issue with PEAP.
    Is there a supported method of achieving our goal, or should we abandon the ISE platform as our scenario is simply not supported?

    Seems like your issue may be related to DNS: when ISE receives the format [email protected], the DNS request is failing. However, there is a setting for alternate UPN suffixes that can be configured to include domain.com and student.domain.com.
    Here is a Windows article that should fix this for you. Once you get this updated, please reboot ISE so it rejoins AD. Try your tests again.
    http://technet.microsoft.com/en-us/library/cc772007.aspx
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Apple macosx machine authentication with ISE using EAP-TLS

    Hello,
    On an ongoing setup we are using EAP-TLS authentication with account validation against AD. We have our own CA (Microsoft based). ISE version 1.2.1 patch 1.
    With windows machines all is working well. We are using computer authentication only.
    Now the problem is that we wish to do the same with MAC OSX machines.
    We are using casper software suite and are able to push certificates into macosx, and are doing machine authentication.
    In ISE the certificate authentication profile is being set to look at the subject alternative name - DNS name of the machines. Whenever we set it to the UPN (hostname$), Windows accounts are not found in AD.
    When MAC OSX authenticate as machines (they have a computer account in AD) they present themselves with RADIUS-Username = hostname$ instead of host/hostname.
    The consequence is that by lacking the host/, ISE considers that this is a user authentication, instead of a computer one, and when it sets off to find the account, it searches in User class instead of Computer - which obviously returns no results.
    Is anybody aware of any way to force MAC OSX to present a host/hostname RADIUS-Username when authenticating?
    Any similar experiences of authenticating MAC OSX with ISE and machine/computer authentication are welcome.
    Thanks
    Gustavo Novais
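    As an added example (not from any poster in these threads), here is the identity-format handling the two ISE/AD threads above turn on: a small Python normaliser that maps a RADIUS User-Name to the account a NAC server should look up in AD, treating both "host/name" and "name$" as computer accounts and accepting configured alternate UPN suffixes for the domain "win.mydomain". The suffix table, the Identity fields and the function name are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed configuration (assumption): the AD domain from the thread
# and the alternate UPN suffixes an operator would register for it.
AD_DOMAIN = "win.mydomain"
ALT_UPN_SUFFIXES = {"mydomain", "student.mydomain"}


@dataclass(frozen=True)
class Identity:
    account: str            # bare account name, no realm, prefix or '$'
    realm: Optional[str]    # realm exactly as presented, None if absent
    is_machine: bool        # search Computer objects instead of User
    realm_known: bool       # realm maps to AD_DOMAIN (or none was given)


def parse_user_name(user_name: str) -> Identity:
    """Classify a RADIUS User-Name before querying AD.

    Handles host/name[.domain] (Windows machine auth), name$ (the form
    the macOS thread reports), user@realm and DOMAIN\\user.
    """
    name = user_name.strip()
    is_machine = False
    realm: Optional[str] = None
    if name.lower().startswith("host/"):
        # host/ prefix: machine auth; an FQDN carries the realm after the host
        name = name[5:]
        is_machine = True
        if "." in name:
            name, realm = name.split(".", 1)
    if "\\" in name:
        realm, name = name.split("\\", 1)
    elif "@" in name:
        name, realm = name.rsplit("@", 1)
    if name.endswith("$"):
        # Trailing '$' is the AD computer-account convention; without this
        # step a bare 'hostname$' would be searched as a user and miss.
        name = name[:-1]
        is_machine = True
    if realm is None:
        known = True
    else:
        r = realm.lower()
        # accept the full domain, its NetBIOS-style short name, or a suffix
        known = r == AD_DOMAIN or r == AD_DOMAIN.split(".")[0] or r in ALT_UPN_SUFFIXES
    return Identity(name, realm, is_machine, known)
```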

    Additional information from the above question.
    I have the following setup;
    ACS 3.2(3) build 11 appliance
    -Cisco AP1200 wireless access point
    -Novell NDS to be used as an external database
    -Windows 2003 Enterprise with standalone Certificate Authority Services installed
    -Windows XP SP2 client
    My goal is to use the Windows XP native WLAN utility to connect to the AP using EAP-TLS authentication against Novell NDS.
    Tried to connect using the Cisco compatible WLAN utility and authenticate using EAP-GTC against Novell NDS for users; it works fine and perfectly.
    When connecting using EAP-TLS, I am getting an error from ACS, failed attempt "Auth type Not supported by External DB". But the ACS documentation says that it supports EAP-TLS. How true is this? Does anybody have the same problem? Do I need to upgrade my ACS? What should I do? What other authentication type could be used to utilize the native WinXP WLAN utility?
    Please help...
    Thanks

  • Guest Authentication With Accountability! -HELP CMX vs ISE?

    Hi,
    We currently are in the procurement stage of an upgrade to our wireless solution but are facing a business requirement that hopefully you guys will be able to help with:
    Guest authentication with some way of checking the guests are who they say they are (this is for accountability purposes).
    For example, we would like something such as a guest logon portal with multiple ways to log on that provides us a credible source of identification for the guests (social media logons, email-generated passwords to a valid email account, SMS-generated passwords to a valid mobile phone number).
    The above would be much more favorable than the standard web portal / lobby admin access where people could give a bogus name to the lobby admin over the phone.
    We have been recommended Cisco's CMX; this seems good on the face of it as it is able to integrate with a few social media platforms, but can we set the ability to generate emails and SMS messages with this?
    ISE is also another platform we are trying to be sold, but I don't think this really addresses the above business requirement.
    Can anyone offer any advice?
    Thanks 

    Neither.  Look at PurpleWiFi or Nomadix.

  • Cisco 2960S FPS-L PoE switch with Avaya 9811g VOIP setup

    Hello,
    I am connecting a setup for data/voice, connecting a Catalyst 2960S-FPS-L PoE switch with an Avaya 9811g series VOIP phone. As per my knowledge a Cisco switch works well with a Cisco phone as it has got some built-in "macros" and intelligent PoE recognition when we connect a device, getting the details of the other device through CDP. I understand I have to create data and voice VLANs with QoS, then enable trunking on the interface to the other switch, which is also a 2960. I'm a little confused whether there are any compatibility issues between the switch and the Avaya phone regarding protocol/data/voice.
    Do I have to do PoE config for each port on each interface?
    Any help or detailed config will help.
    Thanks in advance.

    Hi, I am back after good research. I created two VLANs, data and voice, with a trunk on interface 1/0/48; the config is given below.
    Connection between the 2960S FPS switch and an Avaya 9611g IP phone.
    LLDP/CDP is enabled on the switch.
    So I created this config; if someone can take a look,
    expert advice if something is wrong?
    I am only concerned with voice and PoE as voice is my priority. Do I have to map something for voice quality?
    Also, if I create another trunk port, one allowing voice and the other allowing data, with both cables going to the switch, will that be an issue?
    interface....
    switchport access vlan x
    switchport mode access
    switchport nonegotiate
    switchport voice vlan xx
    srr-queue bandwidth share 10 10 60 20
    queue-set 2
    priority-queue out
    mls qos trust cos
    auto qos voip trust
    spanning-tree portfast
    interface ........
    switchport trunk allowed vlan x,x
    switchport mode trunk
    switchport nonegotiate
    srr-queue bandwidth share 10 10 60 20
    queue-set 2
    priority-queue out
    mls qos trust cos
    auto qos voip trust
