Cisco ISE - MAB



 ◆ Cisco ISE - MAB (MAC Authentication Bypass) - Success

 ・ Cisco ISE - Operations - Authentication - Details

 


 ・ Catalyst 2960-X - IOS 15.x - show authentication sessions interface gigabitEthernet 1/0/1

 


 ◆ Cisco ISE - MAB (MAC Authentication Bypass) - Failed

 ・ ISE log output when a PC whose MAC address is not registered in ISE is connected

 11001 Received RADIUS Access-Request
 11017 RADIUS created a new session
 11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
 15049 Evaluating Policy Group
 15008 Evaluating Service Selection Policy
 15048 Queried PIP
 15048 Queried PIP
 15004 Matched rule
 15006 Matched Default Rule
 15041 Evaluating Identity Policy
 15006 Matched Default Rule
 15013 Selected Identity Source -
 24209 Looking up Endpoint in Internal Endpoints IDStore - 00:00:00:22:22:22
 24217 The host is not found in the internal endpoints identity store
 22056 Subject not found in the applicable identity store(s)
 22058 The advanced option that is configured for an unknown user is used
 22061 The 'Reject' advanced option is configured in case of a failed authentication request
 11003 Returned RADIUS Access-Reject


 ・ Cisco Catalyst 2960-X - IOS 15.x log output

 %AUTHMGR-5-START: Starting 'mab' for client (0000.0022.2222) on Interface Gi1/0/1 AuditSessionID C0A111
 %MAB-5-FAIL: Authentication failed for client (0000.0022.2222) on Interface Gi1/0/1 AuditSessionID C0A111
 %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0000.0022.2222) on Interface Gi1/0/1 AuditSessionID C0A111
 %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0000.0022.2222) on Interface Gi1/0/1 AuditSessionID C0A111
 %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0000.0022.2222) on Interface Gi1/0/1 AuditSessionID C0A111
 %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0000.0022.2222) on Interface Gi1/0/1 AuditSessionID C0A111


 C2960X-01# show authentication sessions interface gigabitEthernet 1/0/1
            Interface:  GigabitEthernet1/0/1
          MAC Address:  0000.0022.2222
           IP Address:  192.168.0.2
            User-Name:  000000222222
               Status:  Authz Failed
               Domain:  DATA
       Oper host mode:  single-host
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  C0A111
      Acct Session ID:  0x00000023
               Handle:  0x1B00001D

 Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Failed over



 If AAA is not configured on the Catalyst switch, or the AAA configuration contains a mistake,
 Cisco ISE logs the following and the authentication fails. The same log also appears when the
 switch has not been correctly registered as a RADIUS client (network device) on the ISE side.
 Step 11007 means ISE did not recognise the source IP address of the RADIUS packet as a
 registered network device, so it drops the request without evaluating any policy. The first
 things to compare are the address the switch sources its RADIUS traffic from (the interface
 chosen by ip radius source-interface, or the egress interface if that is not set) and the IP
 address entered on the ISE network device entry.

 11004 Received RADIUS Accounting-Request
 11017 RADIUS created a new session
 11007 Could not locate Network Device or AAA Client
 5413 RADIUS Accounting-Request dropped
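The two failure cases on this page (an unregistered endpoint rejected by the identity policy, and a RADIUS request dropped because ISE does not know the switch) are distinguished by the ISE step IDs, and the switch-side AUTHMGR/MAB syslog has to be matched to the ISE record even though the MAC address is written differently on each side (00:00:00:22:22:22 vs 0000.0022.2222 vs the User-Name 000000222222). The following Python script is an added example, not code from this page or from Cisco: it parses both log formats, normalises the MAC, and reports which of the two causes applies. The cause labels, next-step text and the function names are this example's own; the sample logs are shortened copies of the excerpts above.

```python
"""Correlate Cisco ISE step logs with Catalyst AUTHMGR/MAB syslog for a failed MAB session.

Constructed example: the sample logs at the bottom are shortened copies of the log
excerpts on the page, not a live capture. Cause labels and next-step text are my own.
"""
import re

# ISE step IDs seen in the page's excerpts, mapped to a triage cause (label names are mine).
CAUSE_BY_STEP = {
    "11007": "nad_not_registered",  # Could not locate Network Device or AAA Client
    "24217": "unknown_endpoint",    # host not found in Internal Endpoints identity store
}
NEXT_STEP = {
    "nad_not_registered": "compare the switch's RADIUS source IP with the ISE network device "
                          "entry and check aaa new-model / radius server config on the switch",
    "unknown_endpoint": "register the MAC as an ISE endpoint, or change the identity policy's "
                        "'user not found' option away from Reject",
}

MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}", re.I)
ISE_STEP_RE = re.compile(r"^\s*(\d{4,5})\s+(.+?)\s*$")
SYSLOG_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+):\s*(?P<msg>.*)")
CLIENT_RE = re.compile(r"client \(([0-9a-f.]+)\)", re.I)
IFACE_RE = re.compile(r"Interface (\S+)")
RESULT_RE = re.compile(r"result '([^']+)' from '([^']+)'")
METHOD_RE = re.compile(r"'([a-z0-9]+)'")


def normalize_mac(raw):
    """00:00:00:22:22:22, 0000.0022.2222 and 000000222222 all become '000000222222'."""
    digits = re.sub(r"[^0-9a-f]", "", raw.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def parse_ise_steps(text):
    """Return [(step_id, message), ...] from an ISE authentication-detail Steps block."""
    matches = (ISE_STEP_RE.match(line) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]


def parse_switch_syslog(text):
    """Parse %FAC-SEV-MNEM: lines; wrapped continuation lines are glued to the previous event."""
    joined = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if SYSLOG_RE.search(line) or not joined:
            joined.append(line)
        else:
            joined[-1] += " " + line
    events = []
    for line in joined:
        m = SYSLOG_RE.search(line)
        if not m:
            continue
        msg = m["msg"]
        client, iface, res, meth = (CLIENT_RE.search(msg), IFACE_RE.search(msg),
                                    RESULT_RE.search(msg), METHOD_RE.search(msg))
        if res:                       # AUTHMGR-7-RESULT carries both method and result
            method, result = res.group(2), res.group(1)
        elif m["fac"] == "MAB":       # %MAB-5-FAIL etc.: the facility names the method
            method, result = "mab", m["mnem"].lower()
        else:                         # START / FAILOVER quote the method, NOMOREMETHODS does not
            method, result = (meth.group(1) if meth else None), None
        events.append({"mnemonic": f"{m['fac']}-{m['sev']}-{m['mnem']}",
                       "mac": normalize_mac(client.group(1)) if client else None,
                       "interface": iface.group(1) if iface else None,
                       "method": method, "result": result})
    return events


def diagnose(ise_text, switch_text):
    """Join an ISE step list with the switch syslog for the same MAC and name the cause."""
    steps = parse_ise_steps(ise_text)
    ids = {sid for sid, _ in steps}
    ise_mac = None
    for _, msg in steps:
        found = MAC_RE.search(msg)
        if found:
            ise_mac = normalize_mac(found.group(0))
            break
    events = parse_switch_syslog(switch_text)
    switch_macs = {e["mac"] for e in events if e["mac"]}
    cause = next((CAUSE_BY_STEP[sid] for sid, _ in steps if sid in CAUSE_BY_STEP),
                 "rejected" if "11003" in ids else "unknown")
    request = "accounting" if "11004" in ids else "authentication" if "11001" in ids else None
    return {
        "cause": cause,
        "request_type": request,
        "ise_mac": ise_mac,
        "switch_macs": sorted(switch_macs),
        "same_endpoint": ise_mac is not None and ise_mac in switch_macs,
        "switch_method_results": {e["method"]: e["result"] for e in events
                                  if e["mnemonic"] == "AUTHMGR-7-RESULT"},
        "authz_failed": any(e["mnemonic"] == "AUTHMGR-5-FAIL" for e in events),
        "next_step": NEXT_STEP.get(cause, "inspect the full ISE step list"),
    }


# Constructed sample input: shortened copies of the page's log excerpts.
ISE_UNKNOWN_ENDPOINT = """
11001 Received RADIUS Access-Request
11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
24209 Looking up Endpoint in Internal Endpoints IDStore - 00:00:00:22:22:22
24217 The host is not found in the internal endpoints identity store
22061 The 'Reject' advanced option is configured in case of a failed authentication request
11003 Returned RADIUS Access-Reject
"""
ISE_NAD_NOT_FOUND = """
11004 Received RADIUS Accounting-Request
11007 Could not locate Network Device or AAA Client
5413 RADIUS Accounting-Request dropped
"""
SWITCH_LOG = """
%AUTHMGR-5-START: Starting 'mab' for client (0000.0022.2222) on Interface Gi1/0/1 AuditSessionID C0A111
%MAB-5-FAIL: Authentication failed for client (0000.0022.2222) on Interface Gi1/0/1 AuditSessionID C0A111
%AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0000.0022.2222) on
Interface Gi1/0/1 AuditSessionID C0A111
%AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0000.0022.2222) on Interface Gi1/0/1
%AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0000.0022.2222) on Interface Gi1/0/1 AuditSessionID C0A111
"""

if __name__ == "__main__":
    print(diagnose(ISE_UNKNOWN_ENDPOINT, SWITCH_LOG))
    print(diagnose(ISE_NAD_NOT_FOUND, ""))
```

The script keys only on step IDs that appear in the page's own excerpts; real ISE step lists contain many more IDs, so extend CAUSE_BY_STEP from the Steps tab of the authentication detail report rather than matching on message text, which changes between ISE releases. The syslog parser tolerates the wrapped continuation lines that appear when the switch output is copied out of a terminal, which is how the AUTHMGR lines above were captured.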



 ◆ 802.1X - L2 interface Configuration - 15.x

 interface GigabitEthernet1/0/1
  switchport access vlan 5
  switchport mode access
  ! try 802.1X first and fall back to MAB; priority keeps dot1x preferred when both run
  authentication order dot1x mab
  authentication priority dot1x mab
  ! port stays unauthorized until one method succeeds
  authentication port-control auto
  mab
  dot1x pae authenticator
  ! EAP-Request/Identity retransmit interval; with the default max-reauth-req 2 the
  ! switch gives up on dot1x after 3 x 10 s and starts MAB
  dot1x timeout tx-period 10
  spanning-tree portfast




Copyright (C) 2002-2019 ネットワークエンジニアとして All Rights Reserved.