We have a number of Cisco switches successfully performing dot1x and mab (MAC auth bypass) against ClearPass. These switches have various versions of Cisco IOS including 12.2 and 15.0. They were originally set up per the CPPM and Cisco Switch Technote that is often referenced in these types of questions, so they contain the likes of a "radius-server" statement (or the newer "radius server" definition) and port config such as:
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
and they correctly authenticate both dot1x clients and those using MAB with a MAC address that is known to CPPM.
We recently purchased new Cisco switches that shipped with IOS 15.2. The same config for integrating with CPPM does not seem to work on this version. What we see in CPPM is an "accept" as normal, but the port is never released on the switch, and "show authentication sessions" on the switch reveals that the session is still in status "Unauth". With radius and mab debug on, we even see:
Mar 2 10:34:00: mab-ev: [d4be.d943.87bb, Gi1/0/1] MAB received an Access-Accept for 0x4D00007C (d4be.d943.87bb)
Mar 2 10:34:00: mab-sm: [d4be.d943.87bb, Gi1/0/1] Received event 'MAB_RESULT' on handle 0x4D00007C
Mar 2 10:34:00: mab : during state mab_authorizing, got event 5(mabResult)
Mar 2 10:34:00: @@@ mab : mab_authorizing -> mab_terminate
Mar 2 10:34:00: mab-ev: [d4be.d943.87bb, Gi1/0/1] Deleted credentials profile for 0x4D00007C (dot1x_mac_auth_d4be.d943.87bb)
which would seem to be OK. Further, we went so far as to downgrade one of these switches to 15.0, and that version of IOS still works OK.
Has anyone seen this behavior on a Cisco switch with IOS 15.2, or do you have any troubleshooting tips? Thanks!