ISE MAB Host Lookup - PAP or EAP-MD5

In the docs, it says that MAB uses PAP/ASCII or EAP-MD5 to pass the MAC as username / password.
In the attached setup, MAB is talking place successfully for an iPhone, without having PAP or EAP-MD5 enabled as Allowed Protocols. 
Is the "Host Lookup" under allowed protocols, provides for the MAC address to be passed in PAP / EAP-MD5 even if these two protocols are not enabled below under the Authentication Protocols section of the configuration?
How could we dictate to our switch to start using EAP-MD5 to pass the MAC?  If you look at the attached authentication details output, it lists in the AV Pair a EAP-Key.  Is that it?
Thank you.
Cath.

Hello Cath-
Question #1: Yes, I think you are correct. I believe that the "Host Lookup" is type of "protocol" used to process the MAB. If you look at the top of the authenticaiton session what do you under "Authentication Protocol?" My guess is that you see "Lookup" (see attached screen shot)
Question #2: You can force the switch to use EAP-MD5 by appending "EAP" to the "MAB" command under the individual ports:
     interface fa0/1
     mab eap
Things to conisider:
     1) If you make that change the default/built-in condition in ISE "Wired-MAB" will have to be changed since the
service-type radius attribute will change from "Call Check" to "Framed." Thus, your MAB devices can easily skip the MAB authenticaiton rule and be denied on the network
     2) Because the MAC address is sent in the clear text  "Attribute 31" (Calling-Station-Id), MAB EAP does not offer any additional security by encrypting the MAC address in the password
     3) Because the service type for MAB EAP is the same as an IEEE 802.1X request, the RADIUS server will not be able to easily differentiate MAB EAP requests from IEEE 802.1X requests
Here is a good document that you can reference as well:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.html
Hope this helps...
Thank you for rating!

Similar Messages

  • ACS 5.5 MAB Notebook do Host-Lookup then also send PEAP (EAP-MSCHAPv2) requests

    Hello Community,
    i have a problem, one Notebook in our enviroment authenticates successfully with Host-Lookup (MAC-Adress) and get the right VLAN but then also sends permanantly  PEAP (EAP-MSCHAPv2)   requests with a diffrent Username ( Username is not an MAC-Adress) It is the Computername of Windows.
    What is the Problem here ?
    Thanks

    Hello Sebastian. A few questions:
    - How is the supplicant configured on the Windows machines?
    - Is 802.1x enabled on the supplicant?
    - If possible please attach screenshots of the supplicant's configuration
    - Is this for wireless, wired or both?
    - Can you post screenshots of the ACS log page for those events along with a screenshot of the "detailed screen" for one of those events
    Thank you for rating helpful posts!

  • ISE 1.2 and EAP-MD5

    Hi,
    I have HP procurve switches that need to get authenticated with EAP-MD5 but I cant get it to work in ISE 1.2 with patch 2.
    We have tried all combination for EAP-MD5 in allowed protocols but get the same message when trying to authenticate.
    The ISE deployemnt do not run in FIPS-140 2 mode.
    And when using the switch with NPS we get this to work, so switch configuration is ok.
    Failure Reason:  12003 Failed to negotiate EAP because EAP-MD5 not allowed in the Allowed Protocols
    Resolution: Ensure that the EAP-MD5 protocol is allowed by ISE in Allowed Protocols.
    Root cause :The client's supplicant sent an EAP-Response/NAK packet rejecting the previously-proposed EAP-based protocol, and requesting to use EAP-MD5 instead. However, EAP-MD5 is not allowed in Allowed Protocols.
    Any thoughts on this?
    Cheers

    Choose Policy > Policy Elements > Results >Authentication > Allowed Protocols
    Select EAP-MD5—Check the Allow EAP-MD5 check box and check Detect EAP-MD5 as Host Lookup check box.
    Save the Allowed Protocol service.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • ISE MAB is not Triggered for Linux Host

    Hello,
    We have configured MAB for hostst that do not support 802.1x, and in general working for most of the devices. For Some linux machines however, MAB is never triggered, i.e "debug mab all" and "debug radius" commands do not produce any output for the port. "show authentication session interface" command shows the 802.1x fail over to MAB, and after it MAB process starts to run but stays in running state without finishing.
    If we put another MAB host as Windows 7 or XP or Printer, it works properly passsing tthe MAB Authentication and assigned Vlan. If we put the port as to the normal "switchport mode access" and "switchport access vlan x", the device shows up in the MAC address table of the switch, and starts to work.
    As additional steps we have configured "authentication mode open" and "dot1x control-direction in" inorder to trigger or start the MAB Process allowing the packets out, but the "show interface " command the input packets counter remains 0, although output packet counters seem to increase continously to 1000 and above.
    The IP Addresses are static, and it is a requirement, so dhcp may trigger MAB but this is not a choice currently.
    IP device tracking is enabled, but again this did not change anything
    Any recommendations or workarounds for this Problem? Although seems an endpoint issue, that it never produces a single packet  , there may be some
    solutions to trigger MAB or learn the switch the Mac address of the Linux host, i.e. keepalive. We are also looking at the host side,
    The port configuration is:
    switchport access vlan 98
    switchport mode access
    ip access-group ACL-ALLOW in
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 97
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication violation restrict
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast
    Thanks in Advance,
    Best Regards,

    Hi Ravi,
    Since the linux is some kind of embedded linux, we could not get the tcp dump on the PC itself, but tried to see what is going on with a span of this port. What is interesting is that the machine does not produce even a single ethernet or IP packet and remains completely silent. (We thought dhcp would be solution but the configuration file only allows to statically assign IP address).
    What we think is that somehow the machine starts to send packets after receiving a packet like Wake on LAN or arp. As you see on the port configuration the machine starts in Vlan 98, so in this Vlan it is not possible to get this packet from any other hosts on the same IP subnet since the IP of the host is Vlan 6. But in order to ISE to assign this Vlan 6 to the port with MAB, Mac Address of the host needs to be authenticated, which is not occuring because of the silence problem.
    As a workaround to a similar problem, we changed the "switchport access vlan 98" to "switchport access vlan 6" and with this configuration the Mac address is learned and the host is authenticated by ISE and port is assigned to Vlan 6 dynamically which is observed on "show authentication session interface" command output. This is also not accepted because the access port configuration is required to be as standard as possible due to changing of the cabling frequently. So every MAB host should start with a PreAuthentication Vlan, and go to final Vlan after Authentication and authorizaiton with Posture checking or profiling.
    As a second workaround these kind of machines are being worked on supporting dot1x, but this is a tedious process because often you need to escalate to the producer, and enhancement requests often prolong to be confirmed or denied.
    Since we meet this problem also with some Printers, we think this is a problem of the TCP/IP Stack of the Operating System of the host. We are searching if there can be some mechanism to be able to make the host start conversation with a packet through a keepalive or some other protocol (or a script)  that can be enabled.
    Best Regards,

  • Authentication with EAP-MD5/PEAP/FAST

    Version: ISE 1.2p12
    Hello,
    I have trouble authenticating devices that use different protocols:
    - Cisco IP Phones: EAP-MD5
    - Windows machines: EAP-PEAP
    - Cisco APs: EAP-FAST
    1) I'm able to authenticate the IP Phones individually with a authentication rule:
    IP PHONES If Wired_802.1X allowed protocols EAP-MD5
    For EAP-MD5 I selected only EAP-MD5
    Now if I use a generic rule
    DEVICES If Wired_802.1X allowed protocols EAP-PEAP-FAST-MD5
    with EAP-PEAP-FAST-MD5 having EAP-PEAP, EAP-FAST, EAP-MD5 selected, it doesn't work
    ISE says that there's a protocol mismatch:
    "Failure Reason: 12121 Client didn't provide suitable ciphers for anonymous PAC-provisioning"
    ISE is trying to authenticate my phone with EAP-FAST while the Cisco phone is useing EAP-MD5
    I read in another topic that some of you would consider MAB/Profiling for the APs and probably for the Cisco IP Phones. But I'm wondering if it's possible to have one authentication rule with allowed protocols EAP-PEAP-FAST-MD5
    2) Also, if I place the EAP-MD5 authentication rule higher and then have a rule for EAP-PEAP-FAST below it doesn't work because only the first rule is matched. I have configured the first rule with "If authentication fails = Continue"
    Does any of you have hints ?

    I know now the problem. WLC try to connect with "anonymous bind" to the ldap server. It works well with Win2000. With Win2003 it works only if you open the security. See link: http://support.microsoft.com/kb/320528/en
    You haven't the possiblity to configure any username/pwd for a secure ldap query. It's something that is an absolutely need for many customers.
    For the moment I will sugest the "workaround" with AP->WLC->Radius->LDAP
    Kind regards
    Alex

  • Host lookup with full domain fails

    Hi,
    we have a couple of Macs that live in a Windows Active Directory domain. They are not part of the domain (i.e. joined), but they get their DHCP config from the Active Directory Controller (ADC). The active directory has the name "company.local" (in reallife the company name dot local).
    Since updating to Yosemite we have found that host lookups using the full domain name no longer works, example:
    # This work
    ping wifi-controller
    # This doesn't work
    ping wifi-controller.company.local
    The main problem with this is that all links on the intranet (that are using FQDN) is now broken for Mac users...
    # Doing name lookups with host both works
    # 192.168.x.y is the ADC
    host wifi-controller 192.168.x.y
    host wifi-controller.company.local 192.168.x.y
    The ADC gives out the domain name "company.local" and itself as DNS.
    I have cleared out all manually entered entries in Network Control Panel and the search domain and DNS server listed are not possible to delete from the list. No WINS entered. On the first "page" of the Network panel, DNS and domain is displayed in gray under the DHCP info picked up.
    Any help greatly appreciated,
    /Mattias

    Greetings,
    the ADC needs needs to have dns records for itself and for any client wishing to bind to it.
    I would start by checking the AD machine and make sure his dns is working, and have the clients use the same.
    Verify NTP settings on both.
    hope this helps.

  • NPS & EAP-MD5

    Hi there,
    We are currently working on the deployment of 802.1x enterprise-wide.  Since we have some old devices that don't support 802.1x natively, and have a Cisco infrastructure, we decided to go the MAC Authentication Bypass route.
    When we tested it prior, we were running Windows 2003 + IAS.  The test was flawless, however, it required us to enable Reversable Encryption and relax our password complexity requirements, which was unacceptable.  We then decided to upgrade to Windows 2008 to leverage the seperate password/complexity policy requirements based on a user or a group of users.
    I've just finished setting that up, and it works perfect.  We decided to go with NPS, as it had a bunch of features that were lacking from Windows 2003's IAS (namelly exporting the configuration and being able to import it to our other IAS/NPS servers).  We currently run the NPS service on our DC's (two of them for redundancy), however, we can't seem to make the MAC Authentication Bypass work.  After some digging, it seems that Microsoft has removed support for EAP-MD5 from Vista/2008.  They mention that there are third party EAPHost compliant vendors that 'may' have EAP-MD5 support, but I've been unable to find any.
    My question is, has anyone else ran into this problem?  If so, how did you go about fixing it.  Unfortunately, Cisco only seems to support EAP-MD5 for the MAC Authentication Bypass, we're currently running this on 3560 Catalyst switches.  I'd much rather get it working again on our NPS servers, as I don't want to revert back to IAS, as it's a pain to replicate the configurations between more than 1 box.
    Thanks!
    Warren 

    Hi PCGUY1184,
    I am trying to get Mitel phones working with 802.1X, I have enabled MD5 and made the other changes you propose but its still not working. The event log is showing eventid 6274
    Network Policy Server discarded the request for a user.
    Contact the Network Policy Server administrator for more information.
    User:
     Security ID:   NULL SID
     Account Name:   Mitel8021X
     Account Domain:   #Domain Removed#
     Fully Qualified Account Name: #Domain Removed#\Mitel8021X
    Client Machine:
     Security ID:   NULL SID
     Account Name:   -
     Fully Qualified Account Name: -
     OS-Version:   -
     Called Station Identifier:  -
     Calling Station Identifier:  08-00-0F-5D-87-1A
    NAS:
     NAS IPv4 Address:  192.168.202.1
     NAS IPv6 Address:  -
     NAS Identifier:   -
     NAS Port-Type:   Ethernet
     NAS Port:   11
    RADIUS Client:
     Client Friendly Name:  Nortel5520
     Client IP Address:   192.168.202.1
    Authentication Details:
     Connection Request Policy Name: Secure Wired Connections
     Network Policy Name:  -
     Authentication Provider:  Windows
     Authentication Server:  #NPS Server FQDN# 
     Authentication Type:  -
     EAP Type:   -
     Account Session Identifier:  -
     Reason Code:   1
     Reason:    An internal error occurred. Check the system event log for additional information.
    Did you come accross this problem? I saw a hotfix available for 2008R2 for EAP-MD5 where the name field is empty however the hotfix wont install as I believe I already have a newer version of raschap.dll
    Regards,
    Craig

  • PEAP + EAP-MD5

    I've read that with the ACS 3.1 the only eap-type supported with PEAP is GTC.
    Why it is not possible to use EAP-MD5 or EAP-TLS with PEAP? These EAP-type were already supported in ACS 3.0...
    Thanks for your time.

    As per my knowledge,Peap uses TLS protocol also to authenticate.
    PEAP works in the following way:PEAP operates in two steps. The first step is the server authentication and second one is user authentication using a new EAP type .
    PEAP uses TLS to authenticate the network infrastructure through the TLS Handshake protocol, to protect user credentials in transit by means of the TLS Record Protocol, and to generate cryptographic keying material using the TLS-defined pseudo-random function (PRF) functionality.
    For information on this you can follow the URLs,
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008010217f.html#4907
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080102179.html
    http://www.cisco.com/warp/public/cc/pd/sqsw/sq/prodlit/acsq_qp.htm

  • Using Windows 802.1x whith EAP-MD5 on Aironet 350 Adapter

    Hello all,
    I'm trying to use EAP-MD5 as the authentication mechanism with my Aironet Card and the Microsoft 802.1x stack under Win2K. Unfortunately, this choice is not possible while I can do it with legacy LAN cards. According to CCO litterature, it is supposed to be supported. Did anyone manage to have this working ?
    Thanks in advance
    Cyril

    This is supported and it should work.
    Check out this information:
    http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/350cards/windows/incfg/win_ch6.htm#xtocid20

  • PEAP, EAP-TLS & EAP-MD5

    Hi
    Just want to know is there any known problems or issues having PEAP, EAP-TLS & EAP-MD5 enabled on ACS Radius servers for wireless authentication?

    Hello,
    There is no problems excep you have to have CA server for certificates for both ACS and wireless users.
    Regards,
    Belal

  • EAP MD5 with ISE 1.2 - How to Prevent Active Directory Account locks?

    Hi,
    Is there any how to prevent accounts to be locked in AD if someone do a password brute force attack in a account? ISE has some feature/Configuration to prevent this type of attack ?
    Thanks.

    So what you're saying is the retry values only come in to play if the RADIUS server is inaccessible, right?
    Windows laptops actually work just fine, because many of them are using machine authentication.  The main issue seems to be from iPhones, which are saving the username/password and then re-attempting too many times when the user changes password.
    One solution is to use LDAP instead of AD within ACS, but the downside is the password can be guessed thousands of time in a row and open to dictionary attacks.  We do enforce complex password policies so the liklihood of an account being compromised is slim, but, I'd rather eliminate the chance entirely.

  • ISE, MAB issue

    I'm working with the following lab:
    ISE 1.1.3.124
    3560 running c3560-ipservicesk9-mz.122-55.SE
    Cisco AP (1131, 1231).
    I'm attempting MAB. The AP is being profiled correctly and I'm seeing successful authen and authz. But the device (AP/whatever) cannot pickup a DHCP address. If I manually assign an IP, then no traffic flows through the switchport. DHCP works fine for ports with no security. The DACL is being applied and should permit the traffic - I've even tried a permit ip any any.
    I've attached the switch config and some ISE screenshots / logs.
    Some further details below.
    Thanks to anyone if you can nudge me in the right direction.
    ## switch dot1x debug
    %MAB-5-SUCCESS: Authentication successful for client (001b.2abc.5de0) on Interface Fa0/2 AuditSessionID C0A863FE000001392E8FE236
    3560-1#
    %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 001b.2abc.5de0| AuditSessionID C0A863FE000001392E8FE236| AUTHTYPE DOT1X| EVENT APPLY
    %EPM-6-AAA: POLICY xACSACLx-IP-LAB2-WLC-ONLY-5160b7f6| EVENT DOWNLOAD-REQUEST
    %EPM-6-AAA: POLICY xACSACLx-IP-LAB2-WLC-ONLY-5160b7f6| EVENT DOWNLOAD-SUCCESS
    %EPM-6-IPEVENT: IP 0.0.0.0| MAC 001b.2abc.5de0| AuditSessionID C0A863FE000001392E8FE236| AUTHTYPE DOT1X| EVENT IP-WAIT
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
    3560-1#
    %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001b.2abc.5de0) on Interface Fa0/2 AuditSessionID C0A863FE000001392E8FE236
    3560-1#sh authentication sessions int fa0/2
                Interface:  FastEthernet0/2
              MAC Address:  001b.2abc.5de0
               IP Address:  Unknown
                User-Name:  00-1B-2A-BC-5D-E0
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  single-host
         Oper control dir:  both
            Authorized By:  Authentication Server
               Vlan Group:  N/A
                  ACS ACL:  xACSACLx-IP-LAB2-WLC-ONLY-5160b7f6
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  C0A863FE000001392E8FE236
          Acct Session ID:  0x00000180
                   Handle:  0xFC000139
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success
    3560-1#sh authentication method mab
    Interface  MAC Address     Method   Domain   Status         Session ID
    Fa0/2      001b.2abc.5de0  mab      DATA     Authz Success  C0A863FE000001392E8FE236
    3560-1#sh ip access-lists
    Standard IP access list 10
        10 permit 192.168.99.10 (9814 matches)
        20 deny   any log
    Extended IP access list ACL_DEFAULT
        10 permit udp any eq bootpc any eq bootps (71 matches)
        20 permit udp any any eq domain
        30 permit icmp any any
        40 permit udp any any eq tftp
        50 permit ip any host 192.168.99.10
        60 deny ip any any log
    Extended IP access list ACL_REDIRECT
        10 deny udp any eq bootpc any eq bootps
        20 deny udp any any eq domain
        30 deny ip any host 192.168.99.10
        40 permit tcp any any eq www
        50 deny ip any any
    Extended IP access list xACSACLx-IP-LAB2-WLC-ONLY-5160b7f6 (per-user)
        10 permit udp any eq bootpc any eq bootps
        20 permit udp any any eq domain
        30 permit ip any host 192.168.99.224
        40 deny ip any any log

    It is nice to see that you find the resolution the command “ip  dncp snooping trust”   Validates DHCP messages received  from untrusted  sources and filters out invalid messages.

  • ISE mab authentication with Avaya/Nortel switches

    Currently using Cisco ISE 1.1 to authentication both dot1x and mab from Cisco switches. Both features are authenticating properly.
    When we use a Nortel/Avaya switch for the authenticator, we are unable to authenticate using mac bypass (non-eap (or neap) in Avaya talk..). The correct authentication policy is found in the ISE, but the mac address is not found in the database. We know it is there because the same mac is authenticating with the Cisco switch. Dot1x authenticates properly from both the Cisco and Avaya authenticators.
    Could this be an issues with the username/password format in the Radius packet from the Cisco?
    Thanks in advance for any assistance.
    -Kurt

    As requested...
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fet
    chBugDetails&bugId=CSCuc22732
    MAB works from a cisco switch because the cisco switch places the mac address in the calling-station-attribute and the user-name attribute. The Cisco ISE platform is looking at the calling-station attribute to find the user name.This is the problem.
    The radius RFC says the user name must be in the user-name attribute. The calling-station-attribute is not a required field and is used for the phone number of a voip phone. Basically, the ISE platform is looking at the wrong field for the mac address.

  • ISE AuthZ for Wireless Phones MIC EAP-TLS

    Hi all,
    Trying to authorise 7925G phones using MIC and EAP-TLS. My problem is that I can't seem to get the username in the MIC to match against an Internal Identity group on ISE AuthZ policies. If I remove the endpoint ID group I am able to auth no worries. Everything looks great including the username been in a specific User ID group but I just cannot get it to match a policy with this group selected (both as the ID Group and as an "Internal User:Identity Group" condition).
    Any ideas or is this just not possible?

    Out of curiousity why would you suggest MAB in this instance? These devices have MIC certs and are pretty much EAP-TLS ready out of the box? My problem simply lies with the apparent inability of ISE to match the Subject CN againt an internal group.

  • ISE 1.2 Guest Access for EAP(Dot1x) Authentication

    Hi.
    I want to use encryption for guest access. 
    In order to use the "RADIUS-NAC" in the WLC, you can not use or "Open + MAC" only "WPA + dot1". 
    (Specification of the WLC) 
    When the "Open + MAC", return from the ISE at the time of the "Web Authentication" in the "Session-Timeout Attribute", I was able to forcibly disconnect the radio. 
    (Attribute is the same value as the (ISE TimeProfile) time the guest user can use) 
    If you connect to a wireless terminal to forced disconnect after screen of Web authentication is displayed, you can not login. 
    (Because the account has been revoked) 
    I want to make even dot1x this environment. 
    However, because it becomes the "re-authentication time" If dot1x, as long as the terminal is connected to the radio, it is not cut. 
    In addition, even in the setting of "Attribute Termination-Action = Default", does not return until the Web authentication. 
    (Status of the WLC remains "Auth Yes") 
    (Session of the ISE remains "Started") 
    Use the (EAP) Dot1x, Can I "is allowed to forcibly disconnected," "to match the time of TimeProfile" in the same way as "Open + MAC" thing? 
    Thank you.

    Note:
    Cisco ISE:Version1.2.0.899-8
    Cisco WLC(5508):Version 7.6.120

Maybe you are looking for