03-02-2017 07:43 AM
We have a number of Cisco switches successfully performing dot1x and mab (MAC auth bypass) against ClearPass. These switches have various versions of Cisco IOS including 12.2 and 15.0. They were originally set up per the CPPM and Cisco Switch Technote that is often referenced in these types of questions, so they contain the likes of a "radius-server" statement (or the newer "radius server" definition) and port config such as:
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
and they correctly authenticate both dot1x clients and those using MAB with a MAC address that is known to CPPM.
We recently purchased new Cisco switches that shipped with IOS 15.2. The same config for integrating with CPPM does not seem to work on this version. What we see in CPPM is an "accept" as normal, but the port is never released on the switch, and "show authentication sessions" on the switch reveals that the session is still in status "Unauth". With radius and mab debug on, we even see:
Mar 2 10:34:00: mab-ev: [d4be.d943.87bb, Gi1/0/1] MAB received an Access-Accept for 0x4D00007C (d4be.d943.87bb)
Mar 2 10:34:00: mab-sm: [d4be.d943.87bb, Gi1/0/1] Received event 'MAB_RESULT' on handle 0x4D00007C
Mar 2 10:34:00: mab : during state mab_authorizing, got event 5(mabResult)
Mar 2 10:34:00: @@@ mab : mab_authorizing -> mab_terminate
Mar 2 10:34:00: mab-ev: [d4be.d943.87bb, Gi1/0/1] Deleted credentials profile for 0x4D00007C (dot1x_mac_auth_d4be.d943.87bb)
which would seem to be OK. Further, we went so far as to downgrade one of these switches to 15.0, and that version of IOS still works OK.
Has anyone seen this behavior on a Cisco switch with IOS 15.2, or do you have any troubleshooting tips? Thanks!
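As an added defender-side check (not code from the original post, nor from Cisco or Aruba), here is a small Python parser that walks "debug mab" output modelled on the lines quoted above and flags any client that received an Access-Accept but never produced an authorization-success message. The sample log is constructed; the second client and the %AUTHMGR-5-SUCCESS line format are assumptions used only for contrast.

```python
import re
from collections import OrderedDict

# Constructed sample modelled on the debug lines in the post. The first client
# gets an Access-Accept but only ever transitions to mab_terminate; the second
# client (assumed, for contrast) is followed by an explicit authorization success.
SAMPLE_DEBUG = """\
Mar 2 10:34:00: mab-ev: [d4be.d943.87bb, Gi1/0/1] MAB received an Access-Accept for 0x4D00007C (d4be.d943.87bb)
Mar 2 10:34:00: mab-sm: [d4be.d943.87bb, Gi1/0/1] Received event 'MAB_RESULT' on handle 0x4D00007C
Mar 2 10:34:00: mab : during state mab_authorizing, got event 5(mabResult)
Mar 2 10:34:00: @@@ mab : mab_authorizing -> mab_terminate
Mar 2 10:34:00: mab-ev: [d4be.d943.87bb, Gi1/0/1] Deleted credentials profile for 0x4D00007C (dot1x_mac_auth_d4be.d943.87bb)
Mar 2 10:35:10: mab-ev: [0011.2233.4455, Gi1/0/2] MAB received an Access-Accept for 0x4D00007D (0011.2233.4455)
Mar 2 10:35:10: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0011.2233.4455) on Interface Gi1/0/2 AuditSessionID 0A0A0A0100000001000A1B2C
"""

CLIENT_RE = re.compile(r"\[([0-9a-f.]+), (\S+)\]")          # "[mac, port]" prefix on mab-ev / mab-sm lines
ACCEPT_RE = re.compile(r"MAB received an Access-Accept")
TRANSITION_RE = re.compile(r"@@@ mab : (\w+) -> (\w+)")      # state-machine transitions carry no MAC
SUCCESS_RE = re.compile(r"AUTHMGR-5-SUCCESS: Authorization succeeded for client \(([0-9a-f.]+)\)")

def _new_session(port=None):
    return {"port": port, "accepted": False, "authorized": False, "transitions": []}

def audit_mab_debug(text):
    """Return an ordered {mac: session} map built from debug mab output."""
    sessions = OrderedDict()
    current_mac = None  # bare "@@@ mab" lines are attributed to the last bracketed client
    for line in text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            current_mac = m.group(1)
            sessions.setdefault(current_mac, _new_session(m.group(2)))
        if current_mac and ACCEPT_RE.search(line):
            sessions[current_mac]["accepted"] = True
        t = TRANSITION_RE.search(line)
        if t and current_mac:
            sessions[current_mac]["transitions"].append(f"{t.group(1)}->{t.group(2)}")
        s = SUCCESS_RE.search(line)
        if s:
            sessions.setdefault(s.group(1), _new_session())["authorized"] = True
    return sessions

def stuck_sessions(text):
    """MACs that got an Access-Accept from RADIUS but were never authorized on the port."""
    return [mac for mac, s in audit_mab_debug(text).items() if s["accepted"] and not s["authorized"]]

if __name__ == "__main__":
    for mac in stuck_sessions(SAMPLE_DEBUG):
        s = audit_mab_debug(SAMPLE_DEBUG)[mac]
        print(f"{mac} on {s['port']}: Access-Accept received, no authorization; transitions {s['transitions']}")
```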
03-05-2017 10:45 PM
Don't have a test right now, but verify this command to enable mab:
-ACMX #316 :: ACCP-
Intelecom - Norway
03-09-2017 07:21 AM
For whatever reason, the "dot1x mac-auth-bypass" command is not available on these Cisco 2960s. We are using the direct "mab" command to enable MAB, and that lines up with the ClearPass / Cisco Technote doc here, and has worked for us on switches up to IOS 15.0:
Digging further, we have two different ClearPass services for handling wired authentication - one for Aruba sources, a second one for Cisco. The only difference is that the Cisco one looks for a "Cisco-AVPair" data item to know that it is coming from a Cisco switch, and uses an enforcement profile similar to what is defined in the Technote doc that sends back IETF session timeout, tunnel type, etc. The Aruba one checks for conditions and simply passes back role names.
We have discovered that if we disable the Cisco service and allow those requests to fall through to the Aruba service, the Cisco switch works OK. While it pays no attention to the role name, it understands the "Access-Accept" and unblocks the port. We could simply go with this, but we then lose the Change of Authority pieces that are built out such as assigning the VLAN from the profile in ClearPass.
I continue to dig into the Cisco debug to see if I can figure out what is happening. From the ClearPass perspective, it is happy and the Cisco switch even shows that it receives Access-Accept, but does not then authorize the port.