ISE mab authentication with Avaya/Nortel switches
Currently using Cisco ISE 1.1 to authenticate both dot1x and mab from Cisco switches. Both features are authenticating properly.
When we use a Nortel/Avaya switch for the authenticator, we are unable to authenticate using mac bypass (non-eap (or neap) in Avaya talk..). The correct authentication policy is found in the ISE, but the mac address is not found in the database. We know it is there because the same mac is authenticating with the Cisco switch. Dot1x authenticates properly from both the Cisco and Avaya authenticators.
Could this be an issue with the username/password format in the Radius packet from the Cisco?
Thanks in advance for any assistance.
-Kurt
As requested...
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCuc22732
MAB works from a Cisco switch because the Cisco switch places the mac address in the calling-station attribute and the user-name attribute. The Cisco ISE platform is looking at the calling-station attribute to find the user name. This is the problem.
The radius RFC says the user name must be in the user-name attribute. The calling-station-attribute is not a required field and is used for the phone number of a voip phone. Basically, the ISE platform is looking at the wrong field for the mac address.
Similar Messages
ISE Web Authentication with Profile
Hi,
I'm using Web Authentication with Cisco ISE 1.2.1 without problems.
The Cisco ISE didn't find the endpoint in my internal endpoint store and continue with Web Authentication
But when I enable the PSN with the Profile Server, the Cisco ISE populate dynamically the internal endpoint store and I cannot use
the Web Authentication cause the endpoint is already in the internal endpoint store.
What's the better way to solve this problem ?
Thanks in advance
Andre Gustavo Lomonaco
Hi Neno, let me clarify my question.
I'm already using my internal endpoints to permit authenticating my IP Phones, Access Points and Printers via MAB. I'm using Profile to be able to populate this ISE internal database.
Now imagine that I wanna use the Web Authentication to permit authenticating guest workstations without 802.1x. If the profile puts the guest workstation MAC in the endpoints database, those workstations will always be authenticated using MAC authentication and not Web Authentication. Remember that for Web Authentication to work we need to configure the continue option if the MAC is not found in the endpoints database. But when the profile is on, the new (guest workstation) MACs are inserted in the endpoints database before I have a chance to use Web Authentication. -
ISE MAB authentication license usage
Hello all. If I need ISE to authenticate wireless user MAC addresses (MAC Address bypass) in order to facilitate central web authentication - does every concurrent device MAC address that accesses my guest wireless SSID and gets forwarded to ISE for authentication use up a license?
I have many users with smart phones and tablets that have the guest wireless SSID profile already saved and automatically connect to the guest SSID when in range. Most of these users do not go on to log in via central web authentication, but their MAC addresses get forwarded to ISE for authentication. Does ISE use up a license per MAC address?
Thanks,
Hello-
Please take a look at the following link:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_d_man_license.html
So, in your situation, a license will be consumed even though the user never authenticates. This is because a license is consumed as soon as a session hits a rule in your AAA ISE policies. However, you can see from the document that as soon as the session times out the endpoint would free the license. If for some reason an "accounting-stop" message is not received then after 5 days of inactivity the system will automatically free the license.
Hope this helps!
Thank you for rating helpful posts! -
IAS authentication with 200 series switches based on MAC addresses
Hi,
I try to implement a solution based on a 2003-Server with IAS and a switch (from the 200 series) just to authenticate machines with their MAC addresses.
I think the config on the switch is ok but I'm facing questions about parameters to put in IAS...
Can someone help me or give me a link to a good document that explains the 'how-to'?
Many thanks
I have just done some more testing.
I added the authentication mac-move permit command to the switch and it now almost works as expected.
The scenarios now are:
Machine without dot1x supplicant plugged into phone, when unplugged the switch immediately deletes the mac address from the port.
Machine with dot1x supplicant plugged into phone, exactly the same.
Machine without dot1x plugged directly into port, exactly the same.
Machine with dot1x plugged directly into port exactly the same.
The problem is if someone has a machine running a dot1x supplicant and hosting a VM.
In that case as long as you move to a different port on the same switch it works fine (as the workstation reconnects the mac-move process works).
If you move this machine from one switch to another with the IP phone installed, the de-auth message removes the VM or the host from the original switch mac table and leaves one of the old addresses behind.
I suppose a solution would be to ban all VMs but that won't go down well.
I don't want to change the authentication method as we will have machines without a supplicant that need to connect to resources (i.e. using mab)
Thanks for your help (and a faster reply than my support company who still haven't rung me back).
Giles -
Nortel switches authenticating to both ACS via RADIUS
Dual ACS solution (4.2) with one ACS doing the authenticating, the other acting as a standby.
Recently when accessing nortel switches, they authenticate to both ACS, as some are going to ACS2 despite their primary RADIUS server being ACS1.
The ACS solution has other network devices, using TACACS+ and they seem fine. DB replication is fine between the ACS and nothing I believe has changed in the configuration between the two.
Any ideas? (All I can think is the response from ACS1 is exceeding the timeout and the switches then select ACS2, but there's no evidence to suggest a problem in network delay.)
I am unfamiliar with the Nortel switches. If a Cisco switch queries an AAA server and it fails to respond, it will mark it as dead and move to the next. When the AAA server is back online, the switch will not revert to the previous server. It will remain on the current AAA server until AAA is disabled or the current AAA server fails to respond.
Network delay would cause this. Maybe the services were disabled or replication was occurring while the device was trying to authenticate.
Thank You,
Dan Laden -
ESW 520 802.1x MAB authentication problem
Hello,
I am having problem with 802.1x MAB authentication on ESW 520 switch, the authentication server is ACS 5.3.
The authentication method on the ESW is 802.1x & MAC, and Host Authentication mode is Multi Session. When I plug in an IP phone it never authenticates the phone, and on ACS I get the following error message:
Radius authentication failed for USER: aa1effbb8fd4 MAC: aa-1E-FF-bb-8F-D4 AUTHTYPE: Radius authentication failed
RADIUS Status:Authentication failed : 11509 Access Service does not allow any EAP protocols
15004 Matched rule
15012 Selected Access Service - MAB
11507 Extracted EAP-Response/Identity
11509 Access Service does not allow any EAP protocols
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
For that Access Service I have configured only Host Lookup.
The same ACS configuration is working perfectly on a Catalyst 3560G switch.
It seems that ESW switch is not telling ACS that authentication is going to be by MAC address.
Do you have any idea what can be the problem?
Are you hitting the same selection rule? Also is "mab eap" configured globally on the switch, or on the port itself?
Also can you post the port configuration and the show ver of the ESW?
Thanks,
Tarik Admani
*Please rate helpful posts* -
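As an added example (not code from this thread, from Cisco, or from ISE), the following Python models the attribute handling behind the first post's Cisco-versus-Avaya problem and the ESW 520 post above: it parses RADIUS attribute TLVs, classifies a request as MAB or EAP, and finds the endpoint MAC in User-Name as the RFC requires, beside the Calling-Station-Id-only lookup the first answer describes. The endpoint store and the three sample requests are constructed; Service-Type Call-Check (10) is included only because it is what I assume a Cisco switch sends and the lookup does not depend on it.

```python
import re
import struct

# RADIUS attribute type codes (RFC 2865; EAP-Message from RFC 3579).
USER_NAME, SERVICE_TYPE, CALLING_STATION_ID, EAP_MESSAGE = 1, 6, 31, 79
SERVICE_TYPE_CALL_CHECK = 10  # assumed value a Cisco switch sends on MAB requests

def build_attrs(attrs):
    """Encode (type, value-bytes) pairs as RADIUS TLVs: type, total length, value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def parse_attrs(blob):
    """Decode RADIUS TLVs into a list of (type, bytes); reject bad lengths."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((t, bytes(blob[i + 2:i + length])))
        i += length
    return attrs

MAC_RE = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(text):
    """Canonicalise the MAC spellings seen in the thread (aa1effbb8fd4,
    aa-1E-FF-bb-8F-D4, 0015.c549.5c99, 00:15:c5:49:5c:99) to 12 lowercase hex
    digits; return None for anything that is not a MAC, e.g. a user name."""
    hexonly = re.sub(r"[-:.]", "", text.strip()).lower()
    return hexonly if MAC_RE.match(hexonly) else None

def first_text(attrs, wanted):
    """First value of attribute type `wanted` decoded as text, or None."""
    for t, v in attrs:
        if t == wanted:
            return v.decode("ascii", "replace")
    return None

def classify(attrs):
    """('eap', None) if an EAP-Message is present: the NAS started 802.1X, so a
    Host-Lookup-only Access Service rejects it (the ESW 520 log's 11509);
    ('mab', mac) when User-Name carries a MAC; otherwise ('unknown', None)."""
    if any(t == EAP_MESSAGE for t, _ in attrs):
        return "eap", None
    mac = normalize_mac(first_text(attrs, USER_NAME) or "")
    return ("mab", mac) if mac else ("unknown", None)

def rfc_lookup(attrs, endpoint_db):
    """MAB decision taking the MAC from User-Name as the RFC requires;
    Calling-Station-Id is only cross-checked when present. Returns (accept, reason)."""
    kind, mac = classify(attrs)
    if kind != "mab":
        return False, "not a MAB request (%s)" % kind
    csid = first_text(attrs, CALLING_STATION_ID)
    csid_mac = normalize_mac(csid) if csid is not None else None
    if csid_mac is not None and csid_mac != mac:
        return False, "User-Name and Calling-Station-Id disagree"
    if mac in endpoint_db:
        return True, "endpoint %s found" % mac
    return False, "endpoint %s not in database" % mac

def legacy_lookup(attrs, endpoint_db):
    """Behaviour the thread attributes to ISE 1.1: only Calling-Station-Id is consulted."""
    csid = first_text(attrs, CALLING_STATION_ID)
    mac = normalize_mac(csid) if csid is not None else None
    return mac is not None and mac in endpoint_db

# Constructed endpoint store using the thread's sample MACs (not real devices).
ENDPOINTS = {"aa1effbb8fd4", "0015c5495c99"}

# Constructed request 1: Cisco style, MAC in both User-Name and Calling-Station-Id.
CISCO_STYLE = build_attrs([
    (USER_NAME, b"aa1effbb8fd4"),
    (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK)),
    (CALLING_STATION_ID, b"AA-1E-FF-BB-8F-D4"),
])
# Constructed request 2: the first post's Avaya/Nortel case, MAC only in User-Name.
USERNAME_ONLY = build_attrs([(USER_NAME, b"aa-1E-FF-bb-8F-D4")])
# Constructed request 3: the NAS sent an EAP-Response/Identity instead of a host lookup.
EAP_STYLE = build_attrs([
    (USER_NAME, b"aa1effbb8fd4"),
    (EAP_MESSAGE, bytes([2, 2, 0, 17, 1]) + b"aa1effbb8fd4"),
])
```

Running `legacy_lookup` and `rfc_lookup` over the three requests shows the User-Name-only request failing only under the Calling-Station-Id lookup, and the EAP request being rejected by both.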
Authentication with MS-IAS / AD
I'm trying to control access to my LAN by authenticating users with EAP / MS IAS + AD.
The IAS denied the access with error 112: The remote RADIUS server did not process the authentication request.
I setup the IAS policy to answer with vendor specific 64:"VLAN", 65:802, 81:10
Has somebody already achieved MS-IAS RADIUS authentication with a Cisco 2960 switch?
Mon Jun 28 12:22:49 2010: <191>4105: Jun 28 12:22:49.122 UTC+1: RADIUS(00000098): Send Access-Request to 10.221.136.14:1645 id 1645/56, len 211
Mon Jun 28 12:22:49 2010: <191>4106: Jun 28 12:22:49.122 UTC+1: RADIUS: authenticator 91 EC 87 87 89 0E AF 79 - 76 CE 5A 61 ED 1A D7 AC
Mon Jun 28 12:22:49 2010: <191>4107: Jun 28 12:22:49.122 UTC+1: RADIUS: User-Name [1] 17 "EUROPE\ParisAdm"
Mon Jun 28 12:22:49 2010: <191>4108: Jun 28 12:22:49.122 UTC+1: RADIUS: Service-Type [6] 6 Framed [2]
Mon Jun 28 12:22:49 2010: <191>4109: Jun 28 12:22:49.122 UTC+1: RADIUS: Framed-MTU [12] 6 1500
Mon Jun 28 12:22:49 2010: <191>4110: Jun 28 12:22:49.122 UTC+1: RADIUS: Called-Station-Id [30] 19 "00-24-51-55-47-84"
Mon Jun 28 12:22:49 2010: <191>4111: Jun 28 12:22:49.122 UTC+1: RADIUS: Calling-Station-Id [31] 19 "00-14-22-BF-46-40"
Mon Jun 28 12:22:49 2010: <191>4112: Jun 28 12:22:49.122 UTC+1: RADIUS: EAP-Message [79] 22
Mon Jun 28 12:22:49 2010: <191>4113: Jun 28 12:22:49.122 UTC+1: RADIUS: 02 02 00 14 01 45 55 52 4F 50 45 5C 50 61 72 69 73 41 64 6D [ EUROPE\ParisAdm]
Mon Jun 28 12:22:49 2010: <191>4114: Jun 28 12:22:49.122 UTC+1: RADIUS: Message-Authenticato[80] 18
Mon Jun 28 12:22:49 2010: <191>4115: Jun 28 12:22:49.122 UTC+1: RADIUS: 27 E9 35 4C C3 69 99 B0 1B D9 3A 08 84 C0 71 E4 [ '5Li:q]
Mon Jun 28 12:22:49 2010: <191>4116: Jun 28 12:22:49.122 UTC+1: RADIUS: Vendor, Cisco [26] 49
Mon Jun 28 12:22:49 2010: <191>4117: Jun 28 12:22:49.122 UTC+1: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C0A8FE030000006B13A4833C"
Mon Jun 28 12:22:49 2010: <191>4118: Jun 28 12:22:49.122 UTC+1: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Mon Jun 28 12:22:49 2010: <191>4119: Jun 28 12:22:49.122 UTC+1: RADIUS: NAS-Port [5] 6 50004
Mon Jun 28 12:22:49 2010: <191>4120: Jun 28 12:22:49.122 UTC+1: RADIUS: NAS-Port-Id [87] 17 "FastEthernet0/4"
Mon Jun 28 12:22:49 2010: <191>4121: Jun 28 12:22:49.122 UTC+1: RADIUS: NAS-IP-Address [4] 6 192.168.254.3
Mon Jun 28 12:22:50 2010: <191>4122: Jun 28 12:22:49.206 UTC+1: RADIUS: Received from id 1645/56 10.221.136.14:1645, Access-Reject, len 20
Mon Jun 28 12:22:50 2010: <191>4123: Jun 28 12:22:49.206 UTC+1: RADIUS: authenticator CC 28 1A 22 28 32 F2 27 - 79 1F 2B 01 32 C5 AD BC
Mon Jun 28 12:22:50 2010: <191>4124: Jun 28 12:22:49.206 UTC+1: RADIUS(00000098): Received from id 1645/56
Mon Jun 28 12:22:52 2010: <187>4125: Jun 28 12:22:50.842 UTC+1: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to up
Thx for your help
Pascal
You need to have 3 policies created in IAS. Each will define the SSID and the AD group the user belongs to. So on the WLC, do you have 3 SSIDs and each has its own VLAN?
Sent from Cisco Technical Support iPad App -
Cisco ISE 1.3 MAB authentication.. switch drop packet
Hello All,
I have C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE9, RELEASE SOFTWARE (fc1) switch..
and ISE 1.3 version..
MAB authentication is working perfectly at the ISE end.. but while seeing the same at the switch end.. I am seeing the switch is dropping packets on some ports..
while some ports are working perfectly..
Same switch configuration is working perfectly on another switch without any issue..
Switch configuration for your suggestion..!!
aaa new-model
aaa authentication fail-message ^C
**** Either ACS or ISE is DOWN / Use ur LOCAL CREDENTIALS / Thank You ****
^C
aaa authentication login CONSOLE local
aaa authentication login ACS group tacacs+ group radius local
aaa authentication dot1x default group radius
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+ group radius
aaa server radius dynamic-author
client 172.16.95.x server-key 7 02050D480809
client 172.16.95.x server-key 7 14141B180F0B
aaa session-id common
clock timezone IST 5 30
system mtu routing 1500
ip routing
no ip domain-lookup
ip domain-name EVS.com
ip device tracking
epm logging
dot1x system-auth-control
interface FastEthernet0/1
switchport access vlan x
switchport mode access
switchport voice vlan x
authentication event fail action next-method
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
ip tacacs source-interface Vlan10
ip radius source-interface Vlan10 vrf default
logging trap critical
logging origin-id ip
logging 172.16.5.95
logging host 172.16.95.x transport udp port 20514
logging host 172.16.95.x transport udp port 20514
snmp-server group SNMP-Group v3 auth read EVS-view notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F access 15
snmp-server view EVS-view internet included
snmp-server community S1n2M3p4$ RO
snmp-server community cisco RO
snmp-server trap-source Vlan10
snmp-server source-interface informs Vlan10
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps cluster
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server host 172.16.95.x version 2c cisco
snmp-server host 172.16.95.x version 2c cisco
snmp-server host 172.16.5.x version 3 auth evsnetadmin
tacacs-server host 172.16.5.x key 7 0538571873651D1D4D26421A4F
tacacs-server directed-request
tacacs-server key 7 107D580E573E411F58277F2360
tacacs-server administration
radius-server attribute 6 on-for-login-auth
radius-server attribute 25 access-request include
radius-server host 172.16.95.y auth-port 1812 acct-port 1813 key 7 060506324F41
radius-server host 172.16.95.x auth-port 1812 acct-port 1813 key 7 110A1016141D
radius-server host 172.16.95.y auth-port 1645 acct-port 1646 key 7 110A1016141D
radius-server host 172.16.95.x auth-port 1645 acct-port 1646 key 7 070C285F4D06
radius-server timeout 2
radius-server key 7 060506324F41
radius-server vsa send accounting
radius-server vsa send authentication
line con 0
exec-timeout 5 0
privilege level 15
logging synchronous
login authentication CONSOLE
line vty 0 4
access-class telnet_access in
exec-timeout 0 0
logging synchronous
login authentication ACS
transport input ssh
24423 ISE has not been able to confirm previous successful machine authentication
Judging by that line and what your policy says, it appears that your authentication was rejected as your machine was not authenticated prior to this connection.
First thing to check is whether MAR has been enabled on the identity source. Second thing to check is whether your machine is set to send a certificate for authentication. There are other things you can look at but I'd do those two first.
Log off and on or reboot and then see if you at least get a failed machine auth on the operations>authentication page and we can go from there. -
[Cisco ISE 1.2 with 3850 - Trunk AP] Problem with MAB
Hi everyone,
After reading some documentation about using MAB on a trunk port with the 3850, I would like to know if someone has implemented ISE policies with a 3850 interface in trunk mode. My problem is that when I try using MAB on a trunk port, the MAC address of the AP is not visible in the "show mac address interface" output and because of that the AP is not authenticated in ISE. The thing is that if I use a 2960 everything goes smoothly with no problems!
Let me show you what I have,
interface GigabitEthernet1/0/3
description AP
switchport trunk native vlan 999
switchport mode trunk
trust device cisco-phone
authentication event fail action next-method
authentication host-mode multi-host
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x max-req 4
auto qos voip cisco-phone
service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
############################################# switch model - 3850 ##################################################
SW1#sh mac address-table interface GigabitEthernet1/0/3
Mac Address Table
Vlan Mac Address Type Ports
SW1#sh dot1x interface Gi1/0/3
Dot1x Info for GigabitEthernet1/0/3
PAE = AUTHENTICATOR
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 4
TxPeriod = 30
Switch Ports Model SW Version SW Image Mode
* 1 56 WS-C3850-48P 03.03.03SE cat3k_caa-universalk9 INSTALL
############################################# Different switch model - 2960 ##################################################
interface GigabitEthernet1/0/1
description AP
switchport trunk native vlan 999
switchport mode trunk
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication event fail action next-method
authentication host-mode multi-host
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x max-req 4
auto qos voip cisco-phone
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
SW1#$cation sessions interface GigabitEthernet1/0/1
Interface: GigabitEthernet1/0/1
MAC Address: xxxx.xxxx.4a38
IP Address: 172.18.1.170
User-Name: xx-xx-xx-xx-4A-38
Status: Authz Success
Domain: DATA
Oper host mode: multi-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A18129D000060E39DAE8A8A
Acct Session ID: 0x0000725D
Handle: 0x0F00028C
Runnable methods list:
Method State
mab Authc Success
Switch Ports Model SW Version SW Image
1 28 WS-C2960X-24PS-L 15.0(2)EX5 C2960X-UNIVERSALK9-M
SW2#sh dot1x interface Gi1/0/1
Dot1x Info for GigabitEthernet1/0/1
PAE = AUTHENTICATOR
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 4
TxPeriod = 30
Am I doing something wrong?
BR,
I know what you mean and I agree with what you are saying :) Nonetheless, at the moment, the official stance from Cisco on this is that 802.1x is not supported on trunk ports. Now one can argue that MAB is different but I think we are just splitting hairs here :)
Like I said, I have gotten stuff to work before but always had some goofy things happening so in general I have stayed away from doing it.
Now in your situation, if your configuration is working fine on the 2960 but not on the 3850, then most likely the issue is with the XE code running on the 3850s. The XE code has been very problematic until recently so you are probably hitting some sort of a defect. As a result, I recommend that you upgrade the switch(es) to 3.3.5 or 3.6.1. Version 3.7.x is also out but it just came out 8 days ago so I would not recommend going to it.
Thank you for rating helpful posts! -
Not Working-central web-authentication with a switch and Identity Service Engine
Following the document "Configuration example: central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working, I'm asking for your help...
I'm using ISE Version : 1.0.4.573 and WS-C2960-24PC-L w/software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
The interface configuration looks like this:
interface FastEthernet0/24
switchport access vlan 6
switchport mode access
switchport voice vlan 20
ip access-group webauth in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication order mab
authentication priority mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
spanning-tree portfast
end
The ACL's
Extended IP access list webauth
10 permit ip any any
Extended IP access list redirect
10 deny ip any host 172.22.2.38
20 permit tcp any any eq www
30 permit tcp any any eq 443
The ISE side configuration I follow it step by step...
When I connect the XP client, I see the following authentication session...
swlx0x0x#show authentication sessions interface fastEthernet 0/24
Interface: FastEthernet0/24
MAC Address: 0015.c549.5c99
IP Address: 172.22.3.184
User-Name: 00-15-C5-49-5C-99
Status: Authz Success
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
URL Redirect ACL: redirect
URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC16011F000000490AC1A9E2
Acct Session ID: 0x00000077
Handle: 0xB7000049
Runnable methods list:
Method State
mab Authc Success
But there is no redirection, and I get the following message on the switch console:
756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host
756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
I have to mention I'm using an http proxy on port 8080...
Any Ideas on what is going wrong?
Regards
Nuno
OK, so I upgraded the IOS to version
SW Version: 12.2(55)SE5, SW Image: C2960-LANBASEK9-M
I tweaked the ACLs to the following:
Extended IP access list redirect
10 permit ip any any (13 matches)
and created a DACL that is downloaded along with the authentication
Extended IP access list xACSACLx-IP-redirect-4f743d58 (per-user)
10 permit ip any any
I can see the epm session
swlx0x0x#show epm session ip 172.22.3.74
Admission feature: DOT1X
ACS ACL: xACSACLx-IP-redirect-4f743d58
URL Redirect ACL: redirect
URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
And authentication
swlx0x0x#show authentication sessions interface fastEthernet 0/24
Interface: FastEthernet0/24
MAC Address: 0015.c549.5c99
IP Address: 172.22.3.74
User-Name: 00-15-C5-49-5C-99
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
ACS ACL: xACSACLx-IP-redirect-4f743d58
URL Redirect ACL: redirect
URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC16011F000000160042BD98
Acct Session ID: 0x0000001B
Handle: 0x90000016
Runnable methods list:
Method State
mab Authc Success
on the logging, I get the following messages...
017857: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
017858: Mar 29 11:27:04: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.74 Hash=271
017859: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: CacheEntryGet Success
017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]
017861: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24
017862: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...
017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet
What am I missing? -
AD Machine Authentication with Cisco ISE problem
Hi Experts,
I am new to ISE. I have configured ISE & domain computers for PEAP authentication. Initially the machine gets authenticated and then starts going to MAB.
Authentication policy:
Allowed protocol = PEAP & TLS
Authorization Policy:
Condition for computer to be checked in external identity store (AD) = Permit access
Condition for users to be checked in external identity store (AD) plus WasMachineAuthenticated = permit access
All of the above policies do match and download the ACL from ISE but computer starts to mab authentication again...
Switchport configuration:
===============================================
ip access-list extended ACL-DEFAULT
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
permit ip any host (AD)
permit icmp any any
permit ip any host (ISE-1)
permit ip any host (ISE-2)
permit udp any host (CUCM-1) eq tftp
permit udp any host (CUCM-2)eq tftp
deny ip any any
===============================================
switchport config
===============================================
Switchport Access vlan 10
switchport mode access
switchport voice vlan 20
ip access-group ACL-DEFAULT in
authentication open
authentication event fail action next-method
authentication event server dead action authorize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 100
====================================================
One more problem about the "authentication open" and default ACL. Once the authentication succeeds and a per-user ACL is pushed through ISE to the switch, the default ACL still blocks communication on this switchport.
Your help will be highly appreciated.
Regards,
You need to watch the switch during an authentication, see if the machine is passing authentication and the user may be failing authentication causing the switch to fail over to MAB. If your switch configuration is on auth failure continue to next method, then this makes sense. The question is why is the user failing auth but the machine is passing; could be something in the policy. Make sure your AD setup has machine authentication checked or it may not tie the machine and user auth together and the user may be failing because ISE can't make that relationship so the machinewasauth=true is not being matched. Easy way to check is remove that rule from your policy and see if the same thing happens.
I've also seen this happen when clients want to use EAP-TLS on the wired, machines passes auth, then the user logs into a machine for the first time. The user auth kicks off before the user gets a cert and fails auth with a null certificate, since this is a auth failure the switchport kicks over to MAB.
I don't think wasmachineauth=true is that great, I prefer to use EAP-FASTv2 using Cisco AnyConnect NAM with EAP chaining. This is great because you can do two part authentication. EAP-FAST outer with EAP-TLS inner for the machine auth, and MSCHAPv2 for the inner of the user auth. You get your EAP-TLS auth for the machine and don't have to worry about a user logging into a machine for the first time and switching to MAB because the user doesn't have a cert yet. I also do my rule to say if machine pass and user fail, then workstation policy, if machine and user pass then corp policy. -
Hello
We are in the process of evaluating the Cisco ISE VMWare appliance with a view to replace our existing FreeRADIUS installation as authentication provider for our wireless network and VPN service. As a part of this we are hoping to migrate our user authentication to Microsoft Active Directory - we have previously authenticated against a different identity store (not MS AD). Because of this legacy our Windows domain is not the same as our RADIUS realm name - the Windows domain is "win.mydomain" whereas we wish to allow users to authenticate using "username@mydomain" or even "[email protected]" as they are doing today. We are experiencing an issue where authentication requests with the format "[email protected]" will be forwarded to the Windows AD whereas authentication requests with the format "username@mydomain" will fail with the log message "User not found in Active Directory". We do not know if the ISE itself is validating the username and triggering this error, or if the error originates from AD. We suspect the that the ISE is not even asking AD because "win.mydomain" is the domain configured in "Active Directory" in "External Identity Sources".
Authentication requests against the AD without a realm are successful (that is, using only "username"). With this in mind we located a post on the Cisco support forums that described a process of proxying the request back to the ISE and strip the realm information, but this was specific for the ACS platform. We have attempted to implement this solution but it is still not working as we would have hoped, and we are not entirely certain where the fault might lie. We are currently using PEAP with MSCHAPv2 for authentication in our WLAN where the main problem is. We suspect that the "proxy-to-self" with realm stripping is an issue with PEAP.
Is there a supported method of achieving our goal, or should we abandon the ISE platform as our scenario is simply not supported?
Seems like your issue may be related to DNS: when ISE receives the format [email protected], the DNS request is failing. However, there is a setting for alternate UPN suffixes that can be configured to include domain.com and student.domain.com.
Here is a windows article that should fix this for you. Once you get this updated please reboot ISE so it rejoins AD. Try your tests again.
http://technet.microsoft.com/en-us/library/cc772007.aspx
Thanks,
Tarik Admani
*Please rate helpful posts* -
Apple macosx machine authentication with ISE using EAP-TLS
Hello,
On a ongoing setup we are using eap-tls authentication with account validation against AD. We have our own CA (microsoft based). ISE version 1.2.1 patch 1.
With windows machines all is working well. We are using computer authentication only.
Now the problem is that we wish to do the same with MAC OSX machines.
We are using casper software suite and are able to push certificates into macosx, and are doing machine authentication.
in ISE the certificate authentication profile is being set to look at the subject alternative name - DNS name of the machines. Whenever we set it to the UPN (hostname$) windows accounts are not found in ad.
When MAC OSX machines authenticate as machines (they have a computer account in AD) they present themselves with RADIUS-Username = hostname$ instead of host/hostname.
The consequence is that by lacking the host/, ISE considers that this is a user authentication, instead of a computer one, and when it sets off to find the account, it searches in User class instead of Computer - which obviously returns no results.
Is anybody aware of any way to force MAC OSX to present a host/hostname RADIUS-Username when authenticating?
Any similar experiences of authenticating MAC OSX with ISE and machine/computer authentication are welcome.
Thanks
Gustavo Novais
Additional information from the above question.
I have the following setup:
ACS 3.2(3) build 11 appliance
-Cisco AP1200 wireless access point
-Novell NDS to be used as an external database
-Windows 2003 Enterprise with standalone Certificate Authority Services installed
-Windows XP SP2 client
My goal is to use the Windows XP native WLAN utility to connect to the AP using EAP-TLS authentication against Novell NDS.
Tried to connect using the Cisco-compatible WLAN utility and authenticate using EAP-GTC against Novell NDS for users; it works fine and perfectly.
When connecting using EAP-TLS, I am getting an error from ACS in the failed attempts: "Auth type Not supported by External DB". But the ACS documentation says that it supports EAP-TLS. How true is this? Does anybody have the same problem? Do I need to upgrade my ACS? What should I do? What other authentication type could be used to utilize the native WinXP WLAN utility?
Please help...
Thanks
-
Guest Authentication With Accountability! -HELP CMX vs ISE?
HI,
We are currently in the procurement stage of an upgrade to our wireless solution but are facing a business requirement that hopefully you guys will be able to help with:
Guest authentication with some way of checking that the guests are who they say they are (this is for accountability purposes).
For example, we would like something such as a guest logon portal with multiple ways to log on that provides us a credible source of identification for the guests (social media logons, email-generated passwords to a valid email account, SMS-generated passwords to a valid mobile phone number).
The above would be much more favorable than the standard web portal / lobby admin access, where people could give a bogus name to the lobby admin over the phone.
We have been recommended Cisco's CMX; this seems good on the face of it as it is able to integrate with a few social media platforms, but can we set the ability to generate emails and SMS messages with this?
ISE is also another platform we are being sold, but I don't think this really addresses the above business requirement.
Can anyone offer any advice?
Thanks
Neither. Look at PurpleWiFi or Nomadix.
-
Cisco 2960S FPS-L PoE switch with Avaya 9811g VOIP setup
Hello,
I am connecting a data/voice setup, connecting a Catalyst 2960S-FPS-L PoE switch with an Avaya 9811g series VoIP phone. As far as I know, a Cisco switch works well with a Cisco phone as it has some built-in "macros" and intelligent PoE recognition, getting the details of the other device through CDP when we connect it. I understand I have to create data and voice VLANs with QoS, then enable trunking on the interface to the other switch, which is also a 2960. A little confused whether there are any compatibility issues between the switch and the Avaya phone regarding protocol/data/voice...?
Do I have to do PoE config for each port on each interface?
Any help or detailed config will help.
Thanks in advance.
Hi, I am back after good research. Created two VLANs, data and voice, with a trunk on interface 1/0/48; config given below.
Connection between the 2960S FPS switch and the Avaya 9611g IP phone.
LLDP/CDP is enabled on the switch.
So I created this config; if someone can take a look.
Expert advice if something is wrong?
I am only concerned with voice and PoE, as voice is my priority. Do I have to map something for voice quality?
Also, if I create another trunk port, one allowing voice and the other allowing data, with both cables going to the switch, will that be an issue?
interface....
switchport access vlan x
switchport mode access
switchport nonegotiate
switchport voice vlan xx
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
mls qos trust cos
auto qos voip trust
spanning-tree portfast
interface ........
switchport trunk allowed vlan x,x
switchport mode trunk
switchport nonegotiate
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
mls qos trust cos
auto qos voip trust
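The poster asks for a second pair of eyes on the access and trunk stanzas above. As an added example (not code from the thread or from Cisco), here is a small linter that reads IOS-style interface stanzas and flags the points a reviewer checks on a phone/data port and its uplink: a voice VLAN on a port not in access mode, a phone port without portfast, a voice port that trusts no QoS marking, a trunk that still negotiates DTP, and a trunk with no allowed-VLAN restriction. SAMPLE_CONFIG is constructed; it mirrors the shape of the posted config with placeholder VLAN ids and interface names filled in, plus one deliberately sloppy port so the checks have something to report.

```python
"""Added example (not from the thread or from Cisco): a small linter for
Catalyst interface stanzas that carry a voice VLAN.

It groups IOS-style "interface ..." lines into stanzas and reports the
settings a reviewer looks for on phone ports and trunks. SAMPLE_CONFIG is
constructed for the example; Gi1/0/2 is intentionally misconfigured.
"""
from typing import Dict, List, Optional

SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 20
 mls qos trust cos
 auto qos voip trust
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 switchport voice vlan 20
 switchport mode trunk
!
interface GigabitEthernet1/0/48
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
 mls qos trust cos
 auto qos voip trust
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each interface name to the config lines under its stanza."""
    stanzas: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def lint_interface(lines: List[str]) -> List[str]:
    """Return the findings for one interface stanza (empty list = clean)."""
    mode = next((l.split()[-1] for l in lines if l.startswith("switchport mode ")), None)
    has_voice = any(l.startswith("switchport voice vlan ") for l in lines)
    has_portfast = any(l.startswith("spanning-tree portfast") for l in lines)
    trusts_qos = any(l.startswith("mls qos trust ") for l in lines)
    nonegotiate = "switchport nonegotiate" in lines
    restricts_vlans = any(l.startswith("switchport trunk allowed vlan ") for l in lines)

    findings: List[str] = []
    if mode is None:
        findings.append("no switchport mode set; DTP may negotiate a trunk")
    if has_voice and mode != "access":
        findings.append("voice vlan configured but port is not in access mode")
    if has_voice and not has_portfast:
        findings.append("phone port without spanning-tree portfast")
    if has_voice and not trusts_qos:
        findings.append("voice port trusts no marking; phone CoS/DSCP will be rewritten")
    if mode == "trunk" and not nonegotiate:
        findings.append("trunk still negotiates DTP; add switchport nonegotiate")
    if mode == "trunk" and not restricts_vlans:
        findings.append("trunk carries all VLANs; restrict with switchport trunk allowed vlan")
    return findings


def lint_config(config: str) -> Dict[str, List[str]]:
    """Lint every stanza; only interfaces with findings are returned."""
    report: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        findings = lint_interface(lines)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in lint_config(SAMPLE_CONFIG).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Run against a `show running-config` export, the report is empty for the two stanzas the poster wrote (access port with nonegotiate, voice VLAN, trust and portfast; trunk with nonegotiate and an allowed-VLAN list) and flags only the deliberately careless port, which is the shape of check worth keeping in a config-review pipeline.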