Hello,
During a deployment of 802.1x based on Brocade switches, I encountered a problem.
When a port is enabled for 802.1x and mac-authentication and we connect a PC with a secure dock to that port, the connection to the securedock is blocked and the PC remains encrypted unless we provide the password manually. When the port operates without any authentication, securedock communication works fine and decrypts automatically. Pre_auth_acl is not helping in that case. On the other hand, on a Cisco switch everything works fine with the same ACL.
Initial connection steps, as seen with the sh dot1x session command:
1)
SSH@ICX6430#sh dot1x sessions ethernet 1/1/12
------------------------------------------------------------------------------------------------------
Port    MAC             IP    User  Vlan  Auth   ACL   Age  PAE
        Addr            Addr  Name        State             State
------------------------------------------------------------------------------------------------------
1/1/12  d4cd.d977.f989  N/A   N/A   4092  init   none  S45  CONNECT
2) Session moved to restricted vlan 300
sh dot1x sessions ethernet 1/1/12
------------------------------------------------------------------------------------------------------
Port    MAC             IP    User  Vlan  Auth   ACL   Age  PAE
        Addr            Addr  Name        State             State
------------------------------------------------------------------------------------------------------
1/1/12  d4cd.d977.f989  N/A   N/A   300   init   none  Ena  HELD
3) And then moved to the port VLAN with a different MAC address assigned to the session
SSH@ICX6430#sh dot1x sessions ethernet 1/1/12
------------------------------------------------------------------------------------------------------
Port    MAC             IP    User  Vlan  Auth   ACL   Age  PAE
        Addr            Addr  Name        State             State
------------------------------------------------------------------------------------------------------
1/1/12  0180.c200.0003  N/A   N/A   301   init   none  N/A  CONNECT
For some reason the MAB policy is telling me that authentication failed because the endpoint is not found in the identity store, but that is not true. The endpoint is added correctly. It looks like MAB is not being triggered correctly. Any idea what can be wrong?
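
A check over the three session outputs above, added here as an example and not part of the original post: it parses the data rows and flags a session whose MAC changes between captures or falls in the IEEE 802.1 reserved group block 01-80-C2-00-00-00 to 0F (0180.c200.0003 is the 802.1X PAE group address, not a station address). The function names and the sample layout are assumptions of this example; whether that address is what reaches the MAB lookup is not established by the post.

```python
import re

# Constructed sample: header plus the three data rows shown in the post.
SAMPLE = """\
Port MAC IP User Vlan Auth ACL Age PAE
Addr Addr Name State State
1/1/12 d4cd.d977.f989 N/A N/A 4092 init none S45 CONNECT
1/1/12 d4cd.d977.f989 N/A N/A 300 init none Ena HELD
1/1/12 0180.c200.0003 N/A N/A 301 init none N/A CONNECT
"""

FIELDS = ("port", "mac", "ip", "user", "vlan", "auth", "acl", "age", "pae")
# A data row starts with unit/slot/port followed by a dotted MAC address.
ROW = re.compile(r"^\d+/\d+/\d+\s+[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\s")


def parse_sessions(text):
    """Return one dict per data row; prompts, headers and rules are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if ROW.match(line.strip().lower()) and len(parts) == len(FIELDS):
            rows.append(dict(zip(FIELDS, parts)))
    return rows


def is_reserved_group_mac(mac):
    """True for 0180.c200.0000 through 0180.c200.000f."""
    return mac.replace(".", "").lower()[:11] == "0180c200000"


def review(rows):
    """Return (port, vlan, reason) tuples for rows worth a closer look."""
    findings, prev = [], None
    for r in rows:
        if is_reserved_group_mac(r["mac"]):
            findings.append((r["port"], r["vlan"],
                             "session keyed on reserved group MAC " + r["mac"]))
        if prev and prev["port"] == r["port"] and prev["mac"] != r["mac"]:
            findings.append((r["port"], r["vlan"],
                             "MAC changed from %s to %s" % (prev["mac"], r["mac"])))
        prev = r
    return findings


if __name__ == "__main__":
    for finding in review(parse_sessions(SAMPLE)):
        print(finding)
```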