ISE : MAB, SoA ...

Hello,
I'd like to implement Cisco ISE on my network so that 802.1x authentication will be operationnal.
When I give a look to this document : http://www.cisco.com/en/US/docs/security/ise/1.0.4/compatibility/ise104_sdt.html#wp55038
There's a lot of Catalyst 2950 on my network and I see that some features aren't supported on these devices : MAB, dACL, SGA.
What are the consequences of these non-supported technologies ? I've found out for instance that MAB was used to authenticate devices which doesnt allow or support 802.1x, so will the printers of my network still work ?
And what about dACL and SGA ? Are these features really useful or isn't it that bad if I can't use them ?
Thanks.

If you want to manage your limited investment you can follow a phased  implementation approach. Though it would be little laborious. You can  swap 2950 switches with 2960 or 3750 wherever you have devices like  printers. So you can connect your printers on either 2960 or 3750  switches only and PCs on 2950 switches. Then setup flexauth (MAB >  dot1x) order and priority as required, on those switches where printers  etc are connected. Jatin Katyal has righly suggested, I agree with him
With this approach, you can setup and enable all other features i.e.  profiling, client provisioning, CoA for certain identity groups which  are connected on supported switches (2960, 3750)
Note: Please make sure to review the IOS on your 2960 switches and  compare the same in “ISE Network Component Compatibility Document”

Similar Messages

  • ISE, MAB issue

    I'm working with the following lab:
    ISE 1.1.3.124
    3560 running c3560-ipservicesk9-mz.122-55.SE
    Cisco AP (1131, 1231).
    I'm attempting MAB. The AP is being profiled correctly and I'm seeing successful authen and authz. But the device (AP/whatever) cannot pickup a DHCP address. If I manually assign an IP, then no traffic flows through the switchport. DHCP works fine for ports with no security. The DACL is being applied and should permit the traffic - I've even tried a permit ip any any.
    I've attached the switch config and some ISE screenshots / logs.
    Some further details below.
    Thanks to anyone if you can nudge me in the right direction.
    ## switch dot1x debug
    %MAB-5-SUCCESS: Authentication successful for client (001b.2abc.5de0) on Interface Fa0/2 AuditSessionID C0A863FE000001392E8FE236
    3560-1#
    %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 001b.2abc.5de0| AuditSessionID C0A863FE000001392E8FE236| AUTHTYPE DOT1X| EVENT APPLY
    %EPM-6-AAA: POLICY xACSACLx-IP-LAB2-WLC-ONLY-5160b7f6| EVENT DOWNLOAD-REQUEST
    %EPM-6-AAA: POLICY xACSACLx-IP-LAB2-WLC-ONLY-5160b7f6| EVENT DOWNLOAD-SUCCESS
    %EPM-6-IPEVENT: IP 0.0.0.0| MAC 001b.2abc.5de0| AuditSessionID C0A863FE000001392E8FE236| AUTHTYPE DOT1X| EVENT IP-WAIT
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
    3560-1#
    %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001b.2abc.5de0) on Interface Fa0/2 AuditSessionID C0A863FE000001392E8FE236
    3560-1#sh authentication sessions int fa0/2
                Interface:  FastEthernet0/2
              MAC Address:  001b.2abc.5de0
               IP Address:  Unknown
                User-Name:  00-1B-2A-BC-5D-E0
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  single-host
         Oper control dir:  both
            Authorized By:  Authentication Server
               Vlan Group:  N/A
                  ACS ACL:  xACSACLx-IP-LAB2-WLC-ONLY-5160b7f6
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  C0A863FE000001392E8FE236
          Acct Session ID:  0x00000180
                   Handle:  0xFC000139
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success
    3560-1#sh authentication method mab
    Interface  MAC Address     Method   Domain   Status         Session ID
    Fa0/2      001b.2abc.5de0  mab      DATA     Authz Success  C0A863FE000001392E8FE236
    3560-1#sh ip access-lists
    Standard IP access list 10
        10 permit 192.168.99.10 (9814 matches)
        20 deny   any log
    Extended IP access list ACL_DEFAULT
        10 permit udp any eq bootpc any eq bootps (71 matches)
        20 permit udp any any eq domain
        30 permit icmp any any
        40 permit udp any any eq tftp
        50 permit ip any host 192.168.99.10
        60 deny ip any any log
    Extended IP access list ACL_REDIRECT
        10 deny udp any eq bootpc any eq bootps
        20 deny udp any any eq domain
        30 deny ip any host 192.168.99.10
        40 permit tcp any any eq www
        50 deny ip any any
    Extended IP access list xACSACLx-IP-LAB2-WLC-ONLY-5160b7f6 (per-user)
        10 permit udp any eq bootpc any eq bootps
        20 permit udp any any eq domain
        30 permit ip any host 192.168.99.224
        40 deny ip any any log

    It is nice to see that you find the resolution the command “ip  dncp snooping trust”   Validates DHCP messages received  from untrusted  sources and filters out invalid messages.

  • ISE MAB Host Lookup - PAP or EAP-MD5

    In the docs, it says that MAB uses PAP/ASCII or EAP-MD5 to pass the MAC as username / password.
    In the attached setup, MAB is talking place successfully for an iPhone, without having PAP or EAP-MD5 enabled as Allowed Protocols. 
    Is the "Host Lookup" under allowed protocols, provides for the MAC address to be passed in PAP / EAP-MD5 even if these two protocols are not enabled below under the Authentication Protocols section of the configuration?
    How could we dictate to our switch to start using EAP-MD5 to pass the MAC?  If you look at the attached authentication details output, it lists in the AV Pair a EAP-Key.  Is that it?
    Thank you.
    Cath.

    Hello Cath-
    Question #1: Yes, I think you are correct. I believe that the "Host Lookup" is type of "protocol" used to process the MAB. If you look at the top of the authenticaiton session what do you under "Authentication Protocol?" My guess is that you see "Lookup" (see attached screen shot)
    Question #2: You can force the switch to use EAP-MD5 by appending "EAP" to the "MAB" command under the individual ports:
         interface fa0/1
         mab eap
    Things to conisider:
         1) If you make that change the default/built-in condition in ISE "Wired-MAB" will have to be changed since the
    service-type radius attribute will change from "Call Check" to "Framed." Thus, your MAB devices can easily skip the MAB authenticaiton rule and be denied on the network
         2) Because the MAC address is sent in the clear text  "Attribute 31" (Calling-Station-Id), MAB EAP does not offer any additional security by encrypting the MAC address in the password
         3) Because the service type for MAB EAP is the same as an IEEE 802.1X request, the RADIUS server will not be able to easily differentiate MAB EAP requests from IEEE 802.1X requests
    Here is a good document that you can reference as well:
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.html
    Hope this helps...
    Thank you for rating!

  • ISE MAB is not Triggered for Linux Host

    Hello,
    We have configured MAB for hostst that do not support 802.1x, and in general working for most of the devices. For Some linux machines however, MAB is never triggered, i.e "debug mab all" and "debug radius" commands do not produce any output for the port. "show authentication session interface" command shows the 802.1x fail over to MAB, and after it MAB process starts to run but stays in running state without finishing.
    If we put another MAB host as Windows 7 or XP or Printer, it works properly passsing tthe MAB Authentication and assigned Vlan. If we put the port as to the normal "switchport mode access" and "switchport access vlan x", the device shows up in the MAC address table of the switch, and starts to work.
    As additional steps we have configured "authentication mode open" and "dot1x control-direction in" inorder to trigger or start the MAB Process allowing the packets out, but the "show interface " command the input packets counter remains 0, although output packet counters seem to increase continously to 1000 and above.
    The IP Addresses are static, and it is a requirement, so dhcp may trigger MAB but this is not a choice currently.
    IP device tracking is enabled, but again this did not change anything
    Any recommendations or workarounds for this Problem? Although seems an endpoint issue, that it never produces a single packet  , there may be some
    solutions to trigger MAB or learn the switch the Mac address of the Linux host, i.e. keepalive. We are also looking at the host side,
    The port configuration is:
    switchport access vlan 98
    switchport mode access
    ip access-group ACL-ALLOW in
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 97
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication violation restrict
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast
    Thanks in Advance,
    Best Regards,

    Hi Ravi,
    Since the linux is some kind of embedded linux, we could not get the tcp dump on the PC itself, but tried to see what is going on with a span of this port. What is interesting is that the machine does not produce even a single ethernet or IP packet and remains completely silent. (We thought dhcp would be solution but the configuration file only allows to statically assign IP address).
    What we think is that somehow the machine starts to send packets after receiving a packet like Wake on LAN or arp. As you see on the port configuration the machine starts in Vlan 98, so in this Vlan it is not possible to get this packet from any other hosts on the same IP subnet since the IP of the host is Vlan 6. But in order to ISE to assign this Vlan 6 to the port with MAB, Mac Address of the host needs to be authenticated, which is not occuring because of the silence problem.
    As a workaround to a similar problem, we changed the "switchport access vlan 98" to "switchport access vlan 6" and with this configuration the Mac address is learned and the host is authenticated by ISE and port is assigned to Vlan 6 dynamically which is observed on "show authentication session interface" command output. This is also not accepted because the access port configuration is required to be as standard as possible due to changing of the cabling frequently. So every MAB host should start with a PreAuthentication Vlan, and go to final Vlan after Authentication and authorizaiton with Posture checking or profiling.
    As a second workaround these kind of machines are being worked on supporting dot1x, but this is a tedious process because often you need to escalate to the producer, and enhancement requests often prolong to be confirmed or denied.
    Since we meet this problem also with some Printers, we think this is a problem of the TCP/IP Stack of the Operating System of the host. We are searching if there can be some mechanism to be able to make the host start conversation with a packet through a keepalive or some other protocol (or a script)  that can be enabled.
    Best Regards,

  • ISE mab authentication with Avaya/Nortel switches

    Currently using Cisco ISE 1.1 to authentication both dot1x and mab from Cisco switches. Both features are authenticating properly.
    When we use a Nortel/Avaya switch for the authenticator, we are unable to authenticate using mac bypass (non-eap (or neap) in Avaya talk..). The correct authentication policy is found in the ISE, but the mac address is not found in the database. We know it is there because the same mac is authenticating with the Cisco switch. Dot1x authenticates properly from both the Cisco and Avaya authenticators.
    Could this be an issues with the username/password format in the Radius packet from the Cisco?
    Thanks in advance for any assistance.
    -Kurt

    As requested...
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fet
    chBugDetails&bugId=CSCuc22732
    MAB works from a cisco switch because the cisco switch places the mac address in the calling-station-attribute and the user-name attribute. The Cisco ISE platform is looking at the calling-station attribute to find the user name.This is the problem.
    The radius RFC says the user name must be in the user-name attribute. The calling-station-attribute is not a required field and is used for the phone number of a voip phone. Basically, the ISE platform is looking at the wrong field for the mac address.

  • ISE MAB to external Radius then MAB internal for Guest User auth

    Hello guys,
    we have the following requirements for our ISE Guest Access Deployment:
    We want to provide guest access but only to non Company Laptops. To check if the Laptop is company or a non company Laptop we have have all MAC Addresses in our ACS server. So in my understanding we have to to the following.
    Check the MAC Address against the External Radius Server (ACS)
    If Access-Accept returns -> Deny Access
    If Access-Deny returns -> Check MAC Address against Internal Endpoint Store
    If User not found -> Guestflow
    Right now i don´t no how i can sould design it but i need two Authentication Policys first for the redirect to the External Radius and then another one for check against internal Identity Endpoint Store. Am i right ? I don´t know if that is possible.
    Really thanks for your help!!
    Greetings
    Philip

    Let me ask you a quick question: Are all domain machines Windows and joined to AD?

  • ISE MAB authentication license usage

    Hello all. If I need ISE to authenticate wireless user MAC addresses (MAC Address bypass) in order to facilitate central web authentication - does every concurrent device MAC address that accesses my guest wireless SSID and gets forwarded to ISE for authentication use up a license?
    I have many users with smart phones and tablets that have the guest wireless SSID profile already saved and automatically connect to the guest SSID when in range. Most of these users do not go on to log in via central web authentication, but their MAC addresses get forwarded to ISE for authentication. Does ISE use up a license per MAC address?
    Thanks,

    Hello-
    Please take a look at the following link:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_d_man_license.html
    So, in your situation, a license will be consumed even though the user never authenticates. This is because a license is consumed as soon as a session hits a rule in your AAA ISE policies. However, you can from the document that as soon as the session times out the endpoint would free the license. If for some reason an "accounting-stop" message is not received then after 5 days of inactivity the system will automatically free the license. 
    Hope this helps!
    Thank you for rating helpful posts!

  • Ip phone and pc VLAN security issue - ISE 1.0

    Hello there.
    We are about to implement IP phones to our current network and during testing I have found 2 issues.
    1- ip phone connects to a protected port using ISE mab authentication for the data network.
    The voice VLAN is set up static on the port. The pc VLAN is given by ISE profiling.
    Then the issue is that once the pc connects to the VLAN it belongs to from the ip phone it leaves open that vlan on that port which means that if I connect another pc it will get the original VLAN the port had open up the connection with. This is a big security issue as computers that should not be allowed on specific VLAN can access them this way.
    2- once the connection is up and running on the port for both the phone and the pc, there is re-authentication Happening every minute to ISE. The Authentication logs are getting so many messages for just one port. So once we convert from 2 ip phones to 500, that is definitely going to generate a lot of unnecessary traffic.
    Let me know your thoughts...thanks
    Port config info....below
    interface GigabitEthernet0/2
    description Extra port by Camilos Desk
    switchport mode access
    switchport voice vlan 220
    srr-queue bandwidth share 1 30 35 5
    priority-queue out
    authentication event fail action next-method
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication open
    authentication order mab dot1x
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    mls qos trust cos
    snmp trap mac-notification change added
    auto qos trust
    spanning-tree portfast
    end

    On # 1
    You have the make sure that
    "authentication host-mode multi-domain" command is under each port
    This will allow one voice vlan and only one PC vlan at any given time. If you disconnect a PC and connect onother PC mac address to it, the phone will reinitialize to accept or reject the new mac based on its profile.
    On #2
    I have not found a solution. But what I have found after deployment is that it has happend only on 2 VOIP phones, out of 70 that we have as of now. So it might to be related to ISE.
    On the other hand we are not using Cisco phones but mitel. So this might be a whole issueon itself.
    Hope this helps.

  • ISE 1.2, Supplicant configured for 802.1x but need to MAB

    I posted this yesterday but deleted the thread thinking I had fixed the issue - alas I was wrong. In summary I have a scenario where I am doing wired 802.1x and also wired MAB/CWA. The issue is that a certain number of external/BYOD hosts have supplicants configured for 802.1x at their "home" organisations which for obvious reasons can't authenticate on this network. The idea is that MAB and CWA become a fallback but these hosts in question don't efficiently fail to MAB.
    If the host has validate server certificates enabled (and doesn't have our root selected) then 802.1x fails and goes to MAB as per the tx timers etc. Hosts that don't validate certificates essentially fail authentication, abandon the EAP session and start new... this process seems to continue for a very long time.
    Does anyone have any similoar experiences and if so can you provide some info? I am looking into tweaking 802.1x port timers to make this fail quicker/better but am not confident this will fix the issue.
    Thanks in advance

    Maybe the held-period and quite-period parameters would help.  I would not change the TX period to anything shorter than 10 seconds.  Every cisco doc that I have ever seen has said this same recomendation and I can tell you from experience you will have devices at times that will authenticate via MAB when you dont want them to if you decrease lower than 10 seconds. 
    Read this doc for best pratices including the timers listed below.  
    I hope this link works.  http://d2zmdbbm9feqrf.cloudfront.net/2014/eur/pdf/BRKSEC-3698.pdf
    If not goto www.ciscolive365.com (signup if you havn't already) and search for
    "BRKSEC-3698 - Advanced ISE and Secure Access Deployment (2014 Milan) - 2 Hours"
    Change the dot1x hold, quiet, and ratelimit-period to 300. 
    held-period seconds
    Configures the time, in seconds for which a supplicant will stay in the HELD state (that is, the length of time it will wait before trying to send the credentials again after a failed attempt). The range is from 1 to 65535. The default is 60.
    quiet-period seconds
    Configures the time, in seconds, that the authenticator (server) remains quiet (in the HELD state)
    following a failed authentication exchange before trying to reauthenticate the client. For all platforms except the Cisco 7600 series Switch, the range is from 1 to 65535. The default is 120.
    ratelimit-period seconds
    Throttles the EAP-START packets that are sent from misbehaving client PCs (for example, PCs that send EAP-START packets that result in the wasting of switch processing power). The authenticator ignores EAPOL-Start packets from clients that have successfully authenticated For the rate-limit period duration. The range is from 1 to 65535. By default, rate limiting is disabled.

  • ISE 1.2 - MAB Guest and MAB Supplicant Provisioning

    In short trying to provide a configuration whereby a Guest utilises MAB and a set of sponsor created credentials to gain access to Internet via the portal. In addition to this I am also trying to provide MAB for "Corporate BYOD" utilising AD credentials resulting in supplicant provisioning. I am aware of other ways of doing this in terms of utilising PEAP and a NSP redirect but in this instancemy only real option is MAB. Could anyone provide me with an example of how they have approached this situation.
    I tried to to do CWA redirect for both use cases but provided a separate "2nd auth" for each of them. My BYOD 2nd auth was the actual NSP redirect - which worked except the MAC address could not be populated into the field (See flow below for BYOD redirect).
    MAB > CWA Redirect (AD credentials) > "2nd Auth"  = NSP Redirect

    Please disregard I have it fixed. Long story short I was over engineering it. I was unaware that ISE was able to differentiate between Guest users and other users with regards to the "Enable Self Provisioning flow".
    Thanks

  • ISE 1.2 device registration with MAB only, no client provisioning

    Hello,
    Is it possible for AD users (no guest users) to walk through the Device Registration Self Registration without Client Provisioning ?
    I do not want to push certificates or native supplicant profiles to client devices.
    I would just want AD users to register their MAC address, if MAC is not known. Add the MAC to some sort of group.
    Then if MAC is known (in this group), skip registration and allow full access to the VLAN.
    Right now, i am stuck on the registration portal that says "The system adminstrator has either nog configured or enabled a policy for your device". ?? It is true that my Client Provisioning screen is empty.
    Am i really obliged to use native supplicant provisioning to register my device ?
    GN

    Hi
    Device Registration web auth is a process where you can configure user without client provisioning.
    In this scenario, the guest user connects to the network with a wireless connection that sends an initial MAB request to the Cisco ISE node. If the user’s MAC address is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, ISE responds with a URL redirection authorization profile. The URL redirection presents the user with an AUP acceptance page when the user attempts to go to any URL.
    1. A guest user connects to the network using a wireless connection and has a MAC address that is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, and receives a URL redirection authorization profile. The URL redirection presents the user with a AUP acceptance page when the guest user attempts to go to any URL.
    2. If the guest user accepts the AUP, their MAC address is registered as a new endpoint in the endpoint identity store (assuming the endpoint does not already exist). The new endpoint is marked with an AUP accepted attribute set to true, to track the user’s acceptance of the AUP. An administrator can then assign an endpoint identity group to the endpoint, making a selection from the Guest Management Multi-Portal Configurations page.
    3. If the guest’s endpoint already exists in the endpoint identity store, the AUP accepted attribute is set to true on the existing endpoint. The endpoint’s identity group is then automatically changed to the value selected in the Guest Management Multi-Portal Configurations page.
    4. If the user does not accept the AUP or an error occurs in the creation of the endpoint, an error page appears.
    5. After the endpoint is created or updated, a success page appears, followed by a CoA termination being sent to the NAD/WLC.
    6. After the CoA, the NAD/WLC reauthenticates the user’s connection with a new MAB request. The new authentication finds the endpoint with its associated endpoint identity group, and returns the configured access to the NAD/WLC.

  • [Cisco ISE 1.2 with 3850 - Trunk AP] Problem with MAB

    Hi everyone,
    After reading some documentation about using MAB in a trunk port with the 3850 I would like to know if someone has implemented ISE policies with a 3850 interface in trunk mode. My problem is that when I try using MAB in a trunk port the mac address of the AP it´s no visible in the "show mac address interface" and because of that the AP is not authenticated in ISE. The thing is that if I use a 2960 everything goes smoothly with no problems!
    Let me show you what I have,
    interface GigabitEthernet1/0/3
     description AP
     switchport trunk native vlan 999
     switchport mode trunk
     trust device cisco-phone
     authentication event fail action next-method
     authentication host-mode multi-host
     authentication order mab dot1x
     authentication priority dot1x mab
     authentication port-control auto
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     dot1x pae authenticator
     dot1x max-req 4
     auto qos voip cisco-phone
     service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
     service-policy output AutoQos-4.0-Output-Policy
    ############################################# switch model - 3850 ##################################################
    SW1#sh mac address-table interface GigabitEthernet1/0/3
              Mac Address Table
    Vlan    Mac Address       Type        Ports
    SW1#sh dot1x interface Gi1/0/3
    Dot1x Info for GigabitEthernet1/0/3
    PAE                       = AUTHENTICATOR
    QuietPeriod               = 60
    ServerTimeout             = 0
    SuppTimeout               = 30
    ReAuthMax                 = 2
    MaxReq                    = 4
    TxPeriod                  = 30
    Switch Ports Model              SW Version        SW Image              Mode
    *    1 56    WS-C3850-48P       03.03.03SE        cat3k_caa-universalk9 INSTALL
    ############################################# Different switch model - 2960 ##################################################
    interface GigabitEthernet1/0/1
     description AP
     switchport trunk native vlan 999
     switchport mode trunk
     srr-queue bandwidth share 1 30 35 5
     priority-queue out
     authentication event fail action next-method
     authentication host-mode multi-host
     authentication order mab dot1x
     authentication priority dot1x mab
     authentication port-control auto
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     mls qos trust device cisco-phone
     mls qos trust cos
     dot1x pae authenticator
     dot1x max-req 4
     auto qos voip cisco-phone
     service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
     SW1#$cation sessions interface GigabitEthernet1/0/1
                Interface:  GigabitEthernet1/0/1
              MAC Address:  xxxx.xxxx.4a38
               IP Address:  172.18.1.170
                User-Name:  xx-xx-xx-xx-4A-38
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-host
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A18129D000060E39DAE8A8A
          Acct Session ID:  0x0000725D
                   Handle:  0x0F00028C
    Runnable methods list:
           Method   State
           mab      Authc Success
           Switch Ports Model              SW Version            SW Image                                                                                             
         1 28    WS-C2960X-24PS-L   15.0(2)EX5            C2960X-UNIVERSALK9-M      
     SW2#sh dot1x interface Gi1/0/1
    Dot1x Info for GigabitEthernet1/0/1
    PAE                       = AUTHENTICATOR
    QuietPeriod               = 60
    ServerTimeout             = 0
    SuppTimeout               = 30
    ReAuthMax                 = 2
    MaxReq                    = 4
    TxPeriod                  = 30
    Am I doing something wrong?
    BR,

    I know what you mean and I agree with what you are saying :) Nonetheless, at the moment, the official stance from Cisco on this is that 802.1x is not supported on trunk ports. Now one can argue that MAB is different but I think we are just splitting hairs here :) 
    Like I said, I have gotten stuff to work before but always had some goofy things happening so in general I have stayed away from doing it. 
    Now in your situation, if your configuration is working fine on the 2960 but not on the 3850, then most likely the issue is with the XE code running on the 3850s. The XE code has been very problematic until recently so you are probably hitting some sort of a defect. As a result, I recommend that you upgrade the switch(es) to 3.3.5 or 3.6.1. Version 3.7.x is also out but it just came out 8 days ago so I would not recommend going to it. 
    Thank you for rating helpful posts!

  • ISE 1.1/WLC 7.2 Wireless MAB and Profiling

    I am trying to set up wireless MAB with CWA so that when devices connect to the open guest network they are profiled and if they match a device type (iphone, android) they are allowed access to the internet without AUP or Authentication and all other device type (including unknown) is redirected to the guest portal for authentication.  My configuration works when devices are correctly profiled, the issue is that it appears that the RADIUS probes are the only profiling components working on the guest side.  Devices are being correctly profiled on the corp network segment.  The key profiling components I need to get a match on iphone is DHCP and HTTP user agent.  Without those all iphones are categorized as an apple device and not iphone. I suspect this is because they are matching the MAC OUI from the RADIUS probe and MAC filtering with NAC RADIUS on the WLC.  The ISE is on a seperate LAN from the guest and right now I am only allowing DNS and 8443 through the ASA.  I also believe DHCP profiling is not working because the guest DHCP is running on the WLC internal DHCP and is not forwarding requests to the ISE for inspection because it will not relay the request to 2 servers, it just uses a secondary if the primary is unreachable.
    Can someone point me in the right direction?  I believe my Authentication, Authorization, and Identity Source Sequence, etc configuration is correct, but can post additional details if necessary.  My main issue is the profiling probes and getting them working correctly on the guest LAN.

    What we did to get around this was to adjust the profiler policy for Apple-Device to take network scan action when MAC:OUI contains Apple.  So basically the device connects to the wireless network, MAC filtering on the WLC identifies the OUI to belong to Apple and initiates an NMAP scan that properly identifies the OS of the iDevice.  This allows iPhones to connect and other Apple devices like iPads to be redirected to the login portal.
    We can also make similar adjustments to Android and other devices that require profiling to properly identify the device type.  In this case, allowing SmartPhones to connect directly to the internet and all other devices to be redirected to the portal.
    Hope that helps.

  • Cisco ISE 1.3 MAB authentication.. switch drop packet

    Hello All,
    I have C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE9, RELEASE SOFTWARE (fc1) switch..
    and ISE 1.3 versoin..
    MAB authentication is working perfectly at ISE end.. but while seeing the same at switch end.. I am seeing switch is droping packet on some ports..
    while some ports are working perfectly..
    Same switch configuration is working perfectly on another switch without any issue..
    Switch configuration for your suggestion..!!
    aaa new-model
    aaa authentication fail-message ^C
    **** Either ACS or ISE is DOWN / Use ur LOCAL CREDENTIALS / Thank You ****
    ^C
    aaa authentication login CONSOLE local
    aaa authentication login ACS group tacacs+ group radius local
    aaa authentication dot1x default group radius
    aaa authorization config-commands
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+ group radius
    aaa server radius dynamic-author
     client 172.16.95.x server-key 7 02050D480809
     client 172.16.95.x server-key 7 14141B180F0B
    aaa session-id common
    clock timezone IST 5 30
    system mtu routing 1500
    ip routing
    no ip domain-lookup
    ip domain-name EVS.com
    ip device tracking
    epm logging
    dot1x system-auth-control
    interface FastEthernet0/1
     switchport access vlan x
     switchport mode access
     switchport voice vlan x
     authentication event fail action next-method
     --More--         authentication host-mode multi-auth
     authentication order mab dot1x
     authentication priority mab dot1x
     authentication port-control auto
     authentication violation restrict
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    ip tacacs source-interface Vlan10
    ip radius source-interface Vlan10 vrf default
    logging trap critical
    logging origin-id ip
    logging 172.16.5.95
    logging host 172.16.95.x transport udp port 20514
    logging host 172.16.95.x transport udp port 20514
    snmp-server group SNMP-Group v3 auth read EVS-view notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F access 15
    snmp-server view EVS-view internet included
    snmp-server community S1n2M3p4$ RO
    snmp-server community cisco RO
    snmp-server trap-source Vlan10
    snmp-server source-interface informs Vlan10
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
     --More--         snmp-server enable traps tty
    snmp-server enable traps cluster
    snmp-server enable traps entity
    snmp-server enable traps cpu threshold
    snmp-server enable traps vtp
    snmp-server enable traps vlancreate
    snmp-server enable traps vlandelete
    snmp-server enable traps flash insertion removal
    snmp-server enable traps port-security
    snmp-server enable traps envmon fan shutdown supply temperature status
    snmp-server enable traps config-copy
    snmp-server enable traps config
    snmp-server enable traps bridge newroot topologychange
    snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
    snmp-server enable traps syslog
    snmp-server enable traps mac-notification change move threshold
    snmp-server enable traps vlan-membership
    snmp-server host 172.16.95.x version 2c cisco
    snmp-server host 172.16.95.x version 2c cisco
    snmp-server host 172.16.5.x version 3 auth evsnetadmin
    tacacs-server host 172.16.5.x key 7 0538571873651D1D4D26421A4F
    tacacs-server directed-request
     --More--         tacacs-server key 7 107D580E573E411F58277F2360
    tacacs-server administration
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 25 access-request include
    radius-server host 172.16.95.y auth-port 1812 acct-port 1813 key 7 060506324F41
    radius-server host 172.16.95.x auth-port 1812 acct-port 1813 key 7 110A1016141D
    radius-server host 172.16.95.y auth-port 1645 acct-port 1646 key 7 110A1016141D
    radius-server host 172.16.95.x auth-port 1645 acct-port 1646 key 7 070C285F4D06
    radius-server timeout 2
    radius-server key 7 060506324F41
    radius-server vsa send accounting
    radius-server vsa send authentication
    line con 0
     exec-timeout 5 0
     privilege level 15
     logging synchronous
     login authentication CONSOLE
    line vty 0 4
     access-class telnet_access in
     exec-timeout 0 0
     logging synchronous
     --More--         login authentication ACS
     transport input ssh

     24423  ISE has not been able to confirm previous successful machine authentication  
    Judging by that line and what your policy says, it appears that your authentication was rejected as your machine was not authenticated prior to this connection.
    first thing to check is whether MAR has been enabled on the identity source. second thing to check is whether your machine is set to send a certificate for authentication. there are other things you can look at but I'd do those two first.
    log off and on  or reboot and then see if you at least get a failed machine auth on the operations>authentication page and we can go from there. 

  • ISE/Wireless NAC...One SSID for MAB and Dot1X?

    Hi,
    I am running ISE 1.2 and WLC 7.5.102.
    I would really like to have one SSID that can do a few different things in the following order...
    1) A device could connect, hit the MAB rule, and be granted access without any type of authentication (Other than MAB) and be placed in VLAN x.
    2) A device would be checked for the appropriate certificate. If this cert exists, the device is granted access.
    3) If a device is not allowed in MAB, it will hit the next rule, which is the dot1x rule. The user will then be authenticated against the AD server.
    4) Everything else hits default rule and is sent to web-auth portal.
    I can't really think of a way to make this work with one SSID because from what I understand, you would need dot1x disabled on the SSID in order for MAB to work.
    Any suggestions?
    Thanks.

    two ssid's. no way around it

Maybe you are looking for