Wired MAC specific 802.1x issue

888network
Just browsing

Hello community,

I have a very specific problem. We migrated 80% of our access switches to Meraki MS225-48LP. Mac computers are not getting 802.1x authenticated when connected by wire to the MS switches. They work fine on the old Cisco switches and also on Wi-Fi. I also have Windows clients that work fine when wired.

These are the logs from ISE when failing:

15016 Selected Authorization Profile - STG170_HELPDESK,HRZ_U-HD
22081 Max sessions policy passed
22080 New accounting session created in Session cache
12705 LEAP authentication passed; Continuing protocol
11503 Prepared EAP-Success
11006 Returned RADIUS Access-Challenge
5440 Endpoint abandoned EAP session and started new (Step latency=59986 ms)

And this is the log when working (connected to the old Cisco switch):

15016 Selected Authorization Profile - STG170_HELPDESK,HRZ_U-HD
22081 Max sessions policy passed
22080 New accounting session created in Session cache
12705 LEAP authentication passed; Continuing protocol
11503 Prepared EAP-Success
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12704 LEAP completed. Sent EAP-Response containing LEAP challenge-response and cisco-av-pair containing LEAP session-key
11002 Returned RADIUS Access-Accept

Another strange thing: in the Meraki logs I see "EAP success" received, but the port still appears as "Not forwarding due to access policy".

Mar 3 12:13:38 roish-mac 802.1X EAP success
port: 25, identity: roisht-mac$@domain.corp
Mar 3 12:13:38 roish-mac 802.1X deauthentication
port: 25
Mar 3 12:12:38 roish-mac 802.1X EAP success
port: 25, identity: roisht-mac$@domain.corp
Mar 3 12:12:38 roish-mac 802.1X deauthentication
port: 25

And a packet capture on the Meraki switchport where the Mac is connected:

[image: packet capture screenshot from the Meraki switchport]

5 Replies
PhilipDAth
Kind of a big deal

Does the Mac plug directly into the 802.1x port, or is it plugging into something else first?

888network
Just browsing

Directly connected to the switch port, no other NAD (phone\hub\switch) between the switch and the Mac device.

PhilipDAth
Kind of a big deal

Anything in the client's Mac event log (I don't know anything about Mac, but it must have some kind of log)?

I'm a bit suspicious about this:
"Endpoint abandoned EAP session and started new"

It suggests that Windows is not happy with something.  Perhaps an expired RADIUS server certificate.  Perhaps the RADIUS server certificate is not trusted by the client.  I don't know.  But it smells like the client is rejecting the authentication itself.

I guess another possibility is some RADIUS attribute is being sent (change of VLAN, maybe something else) that the switch is (or is not) executing, that used to be ok on the old switches, and that is upsetting the MACs.

If you don't make any progress, check out what attributes are being sent, and see if perhaps you can strip it back to just enough to see if that makes any difference.
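To make the two ISE step listings and the Meraki event log from the original post easier to compare, here is an added Python example; it is not code from Meraki, Cisco ISE, or anyone in this thread. It parses both logs, reports which steps of the working flow never appear in the failing one (the point at which the failing attempt stops), and flags ports on which an "EAP success" is followed within a few seconds by a "deauthentication", which is the flapping pattern visible in the Meraki log above. The sample input is constructed from the lines quoted in the thread. Two layout assumptions are made: ISE steps are "code message" one per line, and Meraki events are re-joined to one per line (the post shows each split over two lines); this is not a parser for either vendor's export format.

```python
import re
from collections import defaultdict

# Constructed sample input, transcribed from the ISE "Steps" output quoted in the
# original post: the failing attempt (Mac on the Meraki MS switch) ...
ISE_FAILING = """\
15016 Selected Authorization Profile - STG170_HELPDESK,HRZ_U-HD
22081 Max sessions policy passed
22080 New accounting session created in Session cache
12705 LEAP authentication passed; Continuing protocol
11503 Prepared EAP-Success
11006 Returned RADIUS Access-Challenge
5440 Endpoint abandoned EAP session and started new (Step latency=59986 ms)
"""

# ... and the working attempt (same Mac on the old Cisco switch).
ISE_WORKING = """\
15016 Selected Authorization Profile - STG170_HELPDESK,HRZ_U-HD
22081 Max sessions policy passed
22080 New accounting session created in Session cache
12705 LEAP authentication passed; Continuing protocol
11503 Prepared EAP-Success
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12704 LEAP completed. Sent EAP-Response containing LEAP challenge-response and cisco-av-pair containing LEAP session-key
11002 Returned RADIUS Access-Accept
"""

# Constructed sample input from the Meraki event log in the original post, re-joined
# to one event per line (assumed layout; the post shows each event over two lines).
MERAKI_EVENTS = """\
Mar 3 12:13:38 roish-mac 802.1X EAP success port: 25, identity: roisht-mac$@domain.corp
Mar 3 12:13:38 roish-mac 802.1X deauthentication port: 25
Mar 3 12:12:38 roish-mac 802.1X EAP success port: 25, identity: roisht-mac$@domain.corp
Mar 3 12:12:38 roish-mac 802.1X deauthentication port: 25
"""

STEP_RE = re.compile(r"^\s*(\d{4,5})\s+(.*)$")
EVENT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) 802\.1X "
    r"(?P<event>EAP success|deauthentication) port: (?P<port>\d+)"
)


def parse_ise_steps(text):
    """Return [(step_code, message), ...] in the order ISE listed them."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((m.group(1), m.group(2).strip()))
    return steps


def ise_outcome(steps):
    """Summarise one authentication attempt from its ISE step codes."""
    codes = [code for code, _ in steps]
    result = {
        "eap_success_prepared": "11503" in codes,  # server-side auth succeeded
        "accepted": "11002" in codes,              # Access-Accept actually returned
        "abandoned": "5440" in codes,              # client dropped the EAP session
        "latency_ms": None,
    }
    for code, msg in steps:
        if code == "5440":
            m = re.search(r"Step latency=(\d+) ms", msg)
            if m:
                result["latency_ms"] = int(m.group(1))
    return result


def missing_steps(working, failing):
    """Step codes of the working flow that never occur in the failing flow, in order."""
    failing_codes = {code for code, _ in parse_ise_steps(failing)}
    return [code for code, _ in parse_ise_steps(working) if code not in failing_codes]


def _secs(ts):
    """Seconds since midnight from 'Mon D HH:MM:SS' (events assumed to be on one day)."""
    hh, mm, ss = ts.split()[-1].split(":")
    return int(hh) * 3600 + int(mm) * 60 + int(ss)


def meraki_flaps(text, window_s=5):
    """Ports where an EAP success is followed by a deauthentication within window_s seconds.

    Returns [(port, timestamp_of_success, seconds_until_deauth), ...].
    """
    by_port = defaultdict(list)
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            by_port[m["port"]].append((_secs(m["ts"]), m["event"], m["ts"]))
    flaps = []
    for port, events in sorted(by_port.items()):
        events.sort()  # the dashboard lists newest first; restore chronological order
        for (t1, e1, ts1), (t2, e2, _) in zip(events, events[1:]):
            if e1 == "EAP success" and e2 == "deauthentication" and t2 - t1 <= window_s:
                flaps.append((port, ts1, t2 - t1))
    return flaps


if __name__ == "__main__":
    for label, text in (("failing", ISE_FAILING), ("working", ISE_WORKING)):
        print(label, ise_outcome(parse_ise_steps(text)))
    print("steps missing from the failing flow:", missing_steps(ISE_WORKING, ISE_FAILING))
    for port, ts, delta in meraki_flaps(MERAKI_EVENTS):
        print(f"port {port}: EAP success followed by deauthentication after {delta}s at {ts}")
```

On the thread's data this shows the failing attempt stopping right after step 11006 (the Access-Challenge that carries EAP-Success): the 11001 Access-Request that the old switch relayed next never arrives, and instead ISE records the client abandoning the session after roughly 60 seconds, while the Meraki port logs a deauthentication in the same second as each EAP success. The script locates the break, not its cause; the next checks are the ones suggested in the reply above, the RADIUS server certificate trust on the Mac and the attributes in the authorization profile.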

BlakeRichardson
Kind of a big deal

@888network What version of macOS are you using? I will see if I can replicate the fault.

Jayfanatics
New here

Any resolutions to this? I am having a similar problem and would appreciate it if you can share the fix for this.
