◆ Cisco ISE - MAB (MAC authentication bypass) - Success!
・ Cisco ISE - Operations - Authentication - Details
・ Catalyst 2960-X - IOS 15.x - show authentication sessions interface gigabitEthernet 1/0/1
◆ Cisco ISE - MAB (MAC authentication bypass) - Failed
・ ISE output log when a PC whose MAC address is not registered in ISE is connected
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
15006 Matched Default Rule
15041 Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Source -
24209 Looking up Endpoint in Internal Endpoints IDStore - 00:00:00:22:22:22
24217 The host is not found in the internal endpoints identity store
22056 Subject not found in the applicable identity store(s)
22058 The advanced option that is configured for an unknown user is used
22061 The 'Reject' advanced option is configured in case of a failed authentication request
11003 Returned RADIUS Access-Reject
・ Cisco Catalyst 2960-X - IOS 15.x output log
%AUTHMGR-5-START: Starting 'mab' for client (0000.0022.2222) on Interface Gi1/0/1 AuditSessionID C0A111
%MAB-5-FAIL: Authentication failed for client (0000.0022.2222) on Interface Gi1/0/1 AuditSessionID C0A111
%AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0000.0022.2222) on Interface Gi1/0/1 AuditSessionID C0A111
%AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0000.0022.2222) on Interface Gi1/0/1 AuditSessionID C0A111
%AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0000.0022.2222) on Interface Gi1/0/1 AuditSessionID C0A111
%AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0000.0022.2222) on Inter Gi1/0/1 AuditSessionID C0A111
C2960X-01# show authentication sessions interface gigabitEthernet 1/0/1
Interface: GigabitEthernet1/0/1
MAC Address: 0000.0022.2222
IP Address: 192.168.0.2
User-Name: 000000222222
Status: Authz Failed
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A111
Acct Session ID: 0x00000023
Handle: 0x1B00001D
Runnable methods list:
Method State
dot1x Failed over
mab Failed over
If AAA is not configured on the Catalyst switch, or if the AAA configuration contains an error, Cisco ISE outputs the following log and the authentication fails. The same log is also output when the RADIUS client is not correctly registered on the ISE side.
11004 Received RADIUS Accounting-Request
11017 RADIUS created a new session
11007 Could not locate Network Device or AAA Client
5413 RADIUS Accounting-Request dropped
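As an added example (not from the original page), a small Python triage helper that reads an ISE step list and the switch syslog shown above, tells the two failure modes apart (endpoint MAC unknown to ISE vs. switch unknown to ISE), and maps the rejected MAC to the switch port by normalising both MAC formats to the 12-hex User-Name form. The sample inputs are constructed from the log lines on this page; the step codes and syslog mnemonics are only those that appear above.

```python
import re
# Constructed samples, abbreviated from the failed MAB session above (not a live capture).
ISE_UNKNOWN_MAC = """\
11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
24209 Looking up Endpoint in Internal Endpoints IDStore - 00:00:00:22:22:22
24217 The host is not found in the internal endpoints identity store
11003 Returned RADIUS Access-Reject
"""
ISE_UNKNOWN_NAD = """\
11004 Received RADIUS Accounting-Request
11007 Could not locate Network Device or AAA Client
5413 RADIUS Accounting-Request dropped
"""
IOS_SYSLOG = """\
%AUTHMGR-5-START: Starting 'mab' for client (0000.0022.2222) on Interface Gi1/0/1 AuditSessionID C0A111
%MAB-5-FAIL: Authentication failed for client (0000.0022.2222) on Interface Gi1/0/1 AuditSessionID C0A111
%AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0000.0022.2222) on Interface Gi1/0/1 AuditSessionID C0A111
"""

STEP_RE = re.compile(r"^(\d{4,5})\s+(.*)$")                       # "24217 The host is not found ..."
MAC_RE = re.compile(r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}|[0-9a-f]{4}(?:\.[0-9a-f]{4}){2}", re.I)
IOS_RE = re.compile(r"%([A-Z0-9_]+-\d-[A-Z0-9_]+):.*?\(([0-9a-f.]+)\).*?Interface (\S+)")

def normalize_mac(mac):
    """12 lower-case hex digits: the form the switch sends as the MAB User-Name (000000222222)."""
    return re.sub(r"[^0-9a-f]", "", mac.lower()) if mac else None

def classify_ise(steps_text):
    """(verdict, mac): 11007 = ISE does not know the switch as a network device (NAD entry or
    switch AAA misconfigured); 24217 + 11003 = switch is fine, endpoint MAC not in the endpoint store."""
    codes = dict(m.groups() for m in map(STEP_RE.match, steps_text.splitlines()) if m)
    if "11007" in codes:
        return "unknown_nad", None
    mac = MAC_RE.search(codes.get("24209", ""))
    if "24217" in codes and "11003" in codes:
        return "mab_reject_unknown_endpoint", normalize_mac(mac.group(0) if mac else None)
    return "other", normalize_mac(mac.group(0) if mac else None)

def exhausted_ports(syslog_text):
    """{mac: interface} for clients on which the switch ran out of methods (dot1x, then mab)."""
    ports = {}
    for m in filter(None, map(IOS_RE.search, syslog_text.splitlines())):
        if m.group(1) == "AUTHMGR-7-NOMOREMETHODS":
            ports[normalize_mac(m.group(2))] = m.group(3)
    return ports

def correlate(ise_text, syslog_text):
    """Join the ISE verdict with the switch port so the rejected endpoint can be located."""
    verdict, mac = classify_ise(ise_text)
    return verdict, mac, exhausted_ports(syslog_text).get(mac)
```

`correlate(ISE_UNKNOWN_MAC, IOS_SYSLOG)` yields the verdict, the normalised MAC and `Gi1/0/1`; the unknown-NAD sample yields no MAC and no port, which is the cue to check the network device entry in ISE and the switch's AAA configuration rather than the endpoint list.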
◆ 802.1X - L2 interface Configuration - 15.x
interface GigabitEthernet1/0/1
switchport access vlan 5
switchport mode access
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast