Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Cisco wired MAB and ClearPass - did something change with Cisco IOS 15.2?

  • 1.  Cisco wired MAB and ClearPass - did something change with Cisco IOS 15.2?

    Posted Mar 02, 2017 10:43 AM

    We have a number of Cisco switches successfully performing dot1x and mab (MAC auth bypass) against ClearPass.  These switches have various versions of Cisco IOS including 12.2 and 15.0.  They were originally set up per the CPPM and Cisco Switch Technote that is often referenced in these types of questions, so they contain the likes of a "radius-server" statement (or the newer "radius server" definition) and port config such as:


    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto


    and they correctly authenticate both dot1x clients and those using MAB with a MAC address that is known to CPPM.


    We recently purchased new Cisco switches that shipped with IOS 15.2.  The same config for integrating with CPPM does not seem to work on this version.  What we see in CPPM is an "accept" as normal, but the port is never released on the switch, and "show authentication sessions" on the switch reveals that the session is still in status "Unauth".  With radius and mab debug on, we even see:


    Mar 2 10:34:00: mab-ev: [d4be.d943.87bb, Gi1/0/1] MAB received an Access-Accept for 0x4D00007C (d4be.d943.87bb)
    Mar 2 10:34:00: mab-sm: [d4be.d943.87bb, Gi1/0/1] Received event 'MAB_RESULT' on handle 0x4D00007C
    Mar 2 10:34:00: mab : during state mab_authorizing, got event 5(mabResult)
    Mar 2 10:34:00: @@@ mab : mab_authorizing -> mab_terminate
    Mar 2 10:34:00: mab-ev: [d4be.d943.87bb, Gi1/0/1] Deleted credentials profile for 0x4D00007C (dot1x_mac_auth_d4be.d943.87bb)


    which would seem to be OK.  Further, we went so far as to downgrade one of these switches to 15.0, and that version of IOS still works OK.


    Has anyone seen this behavior on a Cisco switch with IOS 15.2, or do you have any troubleshooting tips?  Thanks!



  • 2.  RE: Cisco wired MAB and ClearPass - did something change with Cisco IOS 15.2?

    Posted Mar 06, 2017 01:46 AM


    Don't have a test right now, but verify this command to enable mab:

    dot1x mac-auth-bypass


    http://www.3c3cc.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-e/sec-usr-aaa-15-e-book/sec-usr-mac-auth-bypass.pdf




  • 3.  RE: Cisco wired MAB and ClearPass - did something change with Cisco IOS 15.2?

    Posted Mar 09, 2017 10:22 AM

    For whatever reason, the "dot1x mac-auth-bypass" command is not available on these Cisco 2960s.  We are using the direct "mab" command to enable MAB, and that lines up with the ClearPass / Cisco Technote doc here, and has worked for us on switches up to IOS 15.0:


    http://community.arubanetworks.com/t5/Community-Tribal-Knowledge-Base/TechNote-v1-2-Cisco-Switch-Setup-with-ClearPass-Policy-Manager/ta-p/70722


    Digging further, we have two different ClearPass services for handling wired authentication - one for Aruba sources, a second one for Cisco.  The only difference is that the Cisco one looks for a "Cisco-AVPair" data item to know that it is coming from a Cisco switch, and uses an enforcement profile similar to what is defined in the Technote doc that sends back IETF session timeout, tunnel type, etc.  The Aruba one checks for conditions and simply passes back role names.  


    We have discovered that if we disable the Cisco service and allow those requests to fall through to the Aruba service, the Cisco switch works OK.  While it pays no attention to the role name, it understands the "Access-Accept" and unblocks the port.  We could simply go with this, but we then lose the Change of Authority pieces that are built out such as assigning the VLAN from the profile in ClearPass.


    I continue to dig into the Cisco debug to see if I can figure out what is happening.  From the ClearPass perspective, it is happy and the Cisco switch even shows that it receives Access-Accept, but does not then authorize the port.
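The post above contrasts two reply styles: the Cisco-targeted enforcement profile that returns IETF Session-Timeout plus the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triple, and the Aruba-side service that only returns a role name. When a switch logs an Access-Accept but leaves the port Unauth, one of the first things to inspect is exactly which attributes came back and whether the NAD can act on them. The block below is an added example, not code from this thread, from ClearPass or from IOS: it encodes both reply styles on the wire (attribute numbers from RFC 2865/2868, registered vendor IDs 9 for Cisco and 14823 for Aruba), parses them back, and runs a check that flags replies a Cisco switch would not use for VLAN assignment. The function names, the VLAN IDs, the role name and the Cisco-AVPair strings are this example's own constructed values, and `check_cisco_vlan_assignment()` is the example's own logic rather than a ClearPass or IOS rule.

```python
# Added example (not code from the thread, ClearPass or IOS): encode and check the
# RADIUS attributes behind the two reply styles the post describes. Attribute
# numbers are from RFC 2865/2868; vendor IDs 9 (Cisco) and 14823 (Aruba) are the
# registered ones. VLAN IDs, role names and AVPair strings are constructed samples,
# and check_cisco_vlan_assignment() is this example's own logic.
import struct

SESSION_TIMEOUT, TERMINATION_ACTION, VENDOR_SPECIFIC = 27, 29, 26
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868, tagged
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
ARUBA_VENDOR_ID, ARUBA_USER_ROLE = 14823, 1

def avp(attr_type, value):
    """One attribute: Type (1 octet), Length (1 octet, header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def tagged_int(tag, value):
    """RFC 2868 tagged integer: one tag octet, then a 3-octet big-endian value."""
    return bytes([tag]) + struct.pack("!I", value)[1:]

def vsa(vendor_id, vendor_type, data):
    """Vendor-Specific attribute carrying one vendor sub-attribute."""
    return avp(VENDOR_SPECIFIC, struct.pack("!IBB", vendor_id, vendor_type, len(data) + 2) + data)

def cisco_avpair(text):
    return vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, text.encode())

def aruba_user_role(role):
    """Role-name-only reply of the Aruba-side service; a Cisco switch ignores it."""
    return vsa(ARUBA_VENDOR_ID, ARUBA_USER_ROLE, role.encode())

def build_cisco_vlan_accept(vlan, session_timeout=28800, tag=1):
    """Attributes a Cisco-style enforcement profile returns: timeout plus the VLAN triple."""
    return b"".join([
        avp(SESSION_TIMEOUT, struct.pack("!I", session_timeout)),
        avp(TERMINATION_ACTION, struct.pack("!I", 1)),  # 1 = RADIUS-Request: reauth on expiry
        avp(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN)),
        avp(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_802)),
        avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode()),
    ])

def parse_avps(blob):
    """Split concatenated attributes into (type, value) pairs, refusing bad lengths."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        out.append((attr_type, blob[i + 2:i + length]))
        i += length
    return out

def check_cisco_vlan_assignment(avps):
    """Reasons a switch would not apply a VLAN from this reply; empty list means it looks usable."""
    first = {}
    for attr_type, value in avps:
        first.setdefault(attr_type, value)
    needed = [(TUNNEL_TYPE, "Tunnel-Type"), (TUNNEL_MEDIUM_TYPE, "Tunnel-Medium-Type"),
              (TUNNEL_PRIVATE_GROUP_ID, "Tunnel-Private-Group-ID")]
    problems = [f"missing {name}" for attr_type, name in needed if attr_type not in first]
    if problems:
        return problems
    tt_tag, tt = first[TUNNEL_TYPE][0], int.from_bytes(first[TUNNEL_TYPE][1:4], "big")
    tm_tag, tm = first[TUNNEL_MEDIUM_TYPE][0], int.from_bytes(first[TUNNEL_MEDIUM_TYPE][1:4], "big")
    group = first[TUNNEL_PRIVATE_GROUP_ID]
    # RFC 2868: a leading octet above 0x1F is data, not a tag.
    pg_tag, vlan = (group[0], group[1:]) if group and group[0] <= 0x1F else (0, group)
    if tt != TUNNEL_TYPE_VLAN:
        problems.append(f"Tunnel-Type is {tt}, expected 13 (VLAN)")
    if tm != TUNNEL_MEDIUM_802:
        problems.append(f"Tunnel-Medium-Type is {tm}, expected 6 (IEEE-802)")
    if len({tt_tag, tm_tag, pg_tag}) != 1:
        problems.append("tunnel attributes do not share one tag")
    if not vlan:
        problems.append("empty Tunnel-Private-Group-ID")
    return problems

def cisco_avpairs(avps):
    """Collect Cisco-AVPair strings (what the thread's Cisco service keys on) from a request."""
    pairs = []
    for attr_type, value in avps:
        if attr_type != VENDOR_SPECIFIC or int.from_bytes(value[:4], "big") != CISCO_VENDOR_ID:
            continue
        i = 4
        while i < len(value):
            vtype, vlen = value[i], value[i + 1]
            if vlen < 2 or i + vlen > len(value):
                raise ValueError("bad VSA length")
            if vtype == CISCO_AVPAIR:
                pairs.append(value[i + 2:i + vlen].decode())
            i += vlen
    return pairs

if __name__ == "__main__":
    print(check_cisco_vlan_assignment(parse_avps(build_cisco_vlan_accept(42))))   # []
    print(check_cisco_vlan_assignment(parse_avps(aruba_user_role("employee"))))   # three 'missing ...' entries
```

Feed it the attribute bytes ClearPass actually sent (Access Tracker's RADIUS response, or the reply from a packet capture) rather than the constructed sample. The check only says whether the VLAN triple is well formed for a Cisco NAD; it cannot say why IOS 15.2 declines to authorize the port, which the thread leaves open.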



  • 4.  RE: Cisco wired MAB and ClearPass - did something change with Cisco IOS 15.2?

    Posted Jan 29, 2018 01:41 PM

    Did you ever get this resolved? We are having the same issue on the new Cisco Cat9300 switches with MAB enabled.



  • 5.  RE: Cisco wired MAB and ClearPass - did something change with Cisco IOS 15.2?

    Posted Apr 13, 2018 04:04 AM

    Hello Jason,

    I'm about to set up the same scenario; could you please share the resources you used for that?

    Thank you.



  • 6.  RE: Cisco wired MAB and ClearPass - did something change with Cisco IOS 15.2?

    Posted Apr 13, 2018 11:23 AM

    Eventually just left them being handled by the CPPM service that does not look for "Cisco-AVPair" to differentiate that it is a Cisco switch. You can still assign a VLAN, etc., so we left it at that.