802.1x bypassed?

Hi everybody.
I have a question on 802.1x.
h1-----------hub---------f1/1-SW-------Radius server.
                     |
                     h2
h1 is a legitimate user while h2 is not. h1 powers up while h2 is off. h1 uses 802.1x and gets authenticated; as a result the switch (authenticator) transitions the port to the authorized state.
My question is: if h2 powers up, will it not be able to access the network without going through any authentication, because f1/1 is already in the authorized state?
thanks and have a great week

That largely depends on the port configuration - you can define what mode your port operates under for 802.1x.
This link has a lot of good info on the various modes and what ramifications each has on the authC/authZ process:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/15.0_1_se/configuration/guide/sw8021x.html#wp1192140
Labbing it up and testing with the various deployment models (single host, host & phone, multi-host, etc.) is usually a good idea - and in some cases my clients have had to set different ports in different modes depending on their use. Trying to nail down a single standard can be tough.
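As an added illustration of the point in the reply above (this is example code, not something posted in the thread), the following model replays the h1/h2 scenario from the question against each Cisco IOS host-mode. The behaviour it encodes is the one described in the linked configuration guide: in multi-host mode only the first MAC is ever authenticated and every later MAC rides on that session, single-host allows exactly one MAC and treats any other as a security violation, multi-domain allows one data and one voice host, and multi-auth challenges every data host separately. The MAC addresses are constructed for the example.

```python
"""Added example: how an 802.1X authenticator port treats a second MAC
once the port is already authorized, per Cisco IOS host-mode.
MAC addresses below are constructed; nothing here is switch code."""

from dataclasses import dataclass, field

HOST_MODES = ("single-host", "multi-host", "multi-domain", "multi-auth")
VIOLATION_MODES = ("protect", "restrict", "shutdown")


@dataclass
class AuthPort:
    host_mode: str = "single-host"
    violation_mode: str = "protect"
    # MAC -> domain ("data" or "voice") for hosts holding an authenticated session
    authorized: dict = field(default_factory=dict)
    err_disabled: bool = False

    def __post_init__(self):
        assert self.host_mode in HOST_MODES
        assert self.violation_mode in VIOLATION_MODES

    def _violation(self, mac):
        # protect: silently drop frames from the offending MAC
        # restrict: drop them and log (syslog/SNMP trap in a real switch)
        # shutdown: err-disable the port, which also cuts off the legitimate host
        if self.violation_mode == "shutdown":
            self.err_disabled = True
            self.authorized.clear()
            return "violation: port err-disabled"
        return f"violation: {mac} dropped ({self.violation_mode})"

    def _authenticate(self, mac, domain, can_authenticate):
        if can_authenticate:
            self.authorized[mac] = domain
            return "forwarded: authenticated"
        return "dropped: authentication failed"

    def frame_from(self, mac, domain="data", can_authenticate=False):
        """Verdict for traffic from `mac` in the port's current state.

        `can_authenticate` models whether the host would pass 802.1X or MAB
        if the switch challenged it (h1 yes, h2 no in the question above)."""
        if self.err_disabled:
            return "dropped: port err-disabled"
        if mac in self.authorized:
            return "forwarded: existing session"

        if self.host_mode == "multi-host":
            # Only the first MAC is authenticated; once the port is authorized
            # everything else behind the hub is forwarded unchallenged.
            if not self.authorized:
                return self._authenticate(mac, domain, can_authenticate)
            return "forwarded WITHOUT authentication (multi-host)"

        if self.host_mode == "single-host":
            if self.authorized:
                return self._violation(mac)
            return self._authenticate(mac, domain, can_authenticate)

        if self.host_mode == "multi-domain":
            # one host per domain; a second host in the same domain is a violation
            if domain in self.authorized.values():
                return self._violation(mac)
            return self._authenticate(mac, domain, can_authenticate)

        # multi-auth: every data host is challenged individually, one voice host
        if domain == "voice" and "voice" in self.authorized.values():
            return self._violation(mac)
        return self._authenticate(mac, domain, can_authenticate)


def replay_question(host_mode, violation_mode="protect"):
    """h1 (legitimate) authenticates first, then h2 (no credentials) shows
    up on the same hub.  Returns the verdict for each."""
    port = AuthPort(host_mode=host_mode, violation_mode=violation_mode)
    h1 = port.frame_from("00:11:22:33:44:01", can_authenticate=True)   # constructed MAC
    h2 = port.frame_from("00:11:22:33:44:02", can_authenticate=False)  # constructed MAC
    return h1, h2


if __name__ == "__main__":
    for mode in HOST_MODES:
        h1, h2 = replay_question(mode)
        print(f"{mode:13s} h1={h1!r:30} h2={h2!r}")
```

Running it shows the answer to the original question depends entirely on host-mode: with multi-host, h2 is forwarded without ever being challenged, while multi-auth drops it and single-host raises a violation.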

Similar Messages

  • Enabling 802.1x and MAC Authentication Bypass on ACS 4.2

    Hi experts,
    I have a few questions regarding 802.1x & MAC Authentication Bypass configured on ACS 4.2.
    i. Is it possible to configure MAC authentication + 802.1x on ACS 4.2 at the same time? Here is the scenario;
    Our company would like to enforce 'double authentication' on each staff machine (including personal laptops/notebooks). Each time staff plug into the company's network, they will need to supply a username & password in order to get access. After that, the ACS server will also check whether the user's MAC address is valid by checking against its own database. This MAC address is tied to the staff's user profile in ACS. If the login information supplied by the staff is valid but the MAC address of their machine does not match the ACS database, then the staff will not be able to gain access until after notifying the administrator about it.
    ii. If it is possible, any reference that I can check on how to configure this?
    The reason why I need MAC authentication + 802.1x to be configured at ACS is that most of our switches are not Cisco based and are only capable of supporting 802.1x.
    Hope anyone here could help me on this.
    Thanks very much,
    Daniel

    With ACS, you can setup NARs (or Network Access Restrictions) to permit/deny access based on IP/non-IP based filters (like MAC Addresses).
    Specific info is here:
    <http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
    Hope this helps,

  • 802.1x: MAC Authentication Bypass

    Hey sorry for keeping bugging you guys...
    So I am configuring this Bypass thing on my 3750 switch. It works fine. It seems the switch will send an Access-Request to the RADIUS server (I use FreeRADIUS) with the username/password both set to the MAC address of the device.
    However my dilemma is that I have 200+ of these devices. I can easily create a user group with MACs starting with 00a008 (which are the first 3 octets of the MAC addresses), however it's impossible to include each of the MAC addresses as the password!
    So my question is whether there is a way to configure the switch to use a static string as the password for all the devices using MAC Authentication Bypass?
    Thank you!!
    Difan

    Difan:
    I went through your post and understand that you are in the process of configuring 802.1x with MAB in such a way that you use a custom password (other than the MAC address) for all users, OR a shared password string that should be sent by the switch, but this is not possible.
    Reason: The switch only sends the device MAC address as the username and password. The username should be the MAC address of the client and the password should be the same as the username, and this can't be changed on Cisco switches.
    I have also attached a document regarding MAB for your better understanding.
    This forum is only for you guys...keep bugging us
    HTH
    JK
    Pls rate helpful posts-

  • 802.1X Inaccessible Authentication Bypass

    On a 4506-E switch with supervisor engine 6L-E running IOS version 12.2(54)SG1, the command to enable Inaccessible Authentication Bypass is not available.  The interface configuration mode command is supposed to be "dot1x critical". 
    Has it changed to something else in this version of IOS?
    The data sheet for the Cisco Catalyst 4500 Supervisor Engine 6L-E shows this feature is supported (see link below).
    http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps4324/data_sheet_c78-530856.html

    Hello Prashant
    Can you post the port configurations here? Have you configured the critical port, RADIUS parameters etc., and does the switch recognize that the RADIUS server is down?
    I think this is more to do with the design of the entire dot1x authentication. I have tried this in labs and have had tough times generating these scenarios; we would hardly be able to justify this feature on the network. I think it is highly advisable to have dual RADIUS servers (or even more than 2), and configure the switches with standby RADIUS servers. I really wouldn't want my network enabled with 802.1x and having issues contacting the RADIUS server; even though we have options and solutions to overcome it, I wouldn't want too many complications on the 802.1x front.
    Hope this helps.. all the best.. rate replies if found useful..
    Raj

  • MAC bypass of IP phone at 802.1x MDA mode

    Hello,
    Is it possible (and how is it done) to MAC-bypass an IP phone (without using CDP) using Multi-Domain Authentication? We want to authenticate only the PC connected to the IP phone.
    Thanks

    Yes, it's possible. You can authenticate the phone via 802.1X or MAC-Authentication (if your phone doesn't have 802.1X).
    This should help get you going:
    <http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA>
    Hope this helps,

  • Windows 2012 r2 802.1X MAC Address bypass configuration

    I am setting up MAB for my environment and I want to make sure I am setting it up correctly, as I see some articles stating there is a reg edit needed and others that don't mention it at all.
    I have Dell PowerConnect switch with 802.1X authentication working for my Domain Computers.
    I now want to allow non-802.1x capable devices to be assigned the correct vlans (Printers, IP Phones, etc).
    I have created a user account in AD for the device, using lowercase MAC Address for the username and password.  
    I have set the switchport to allow MAB
    I have created a NPS Network Policy for one of the devices and assigned the groups it belongs to and set Authentication Method to: Unencrypted (PAP,SPAP).
    I keep receiving this error in the logs "The user attempted to use an authentication method that is not enabled on the matching network policy"
    Does anyone have advice or can direct me to a nice guide/checklist of all the areas that need to be set to allow this to happen?

    You've posted in the Print/Fax forum, but I can see you've also posted in the NAP forum. You'll likely get a better response over there, so maybe you should delete this question in here..
    Don
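The two MAB threads above ("802.1x: MAC Authentication Bypass", where the switch sends the MAC as both username and password, and the Windows NPS thread, where the policy rejects the request because PAP is not an enabled method) both come down to what is actually on the wire. The following is an added example, not code from either thread or from Cisco or Microsoft: it builds the RADIUS Access-Request a switch sends for MAB and runs the server-side checks a RADIUS server has to perform. The User-Password hiding is the RFC 2865 section 5.2 PAP scheme. The MAC formats (12 lowercase hex digits for User-Name, dashed uppercase for Calling-Station-Id) and the Service-Type value Call-Check are what I understand Cisco IOS sends; treat them as assumptions. The MAC addresses, shared secret and allow-list are constructed.

```python
"""Added example: encode and verify a MAB Access-Request (RFC 2865 PAP).
Attribute formats for Cisco MAB are assumptions; inputs are constructed."""

import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
ATTR_SERVICE_TYPE, ATTR_CALLING_STATION_ID, ATTR_NAS_PORT_TYPE = 6, 31, 61
SERVICE_TYPE_CALL_CHECK = 10   # assumption: Cisco marks MAB requests with this value
NAS_PORT_TYPE_ETHERNET = 15


def mac_formats(mac):
    """Normalise any common MAC spelling to (User-Name, Calling-Station-Id)."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    dashed = "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()
    return hexdigits, dashed


def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2: c_i = p_i XOR MD5(secret + c_(i-1)), with c_0 = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out, prev = out + chunk, chunk
    return out


def pap_decrypt(ciphertext, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(ciphertext[i:i + 16], block))
        prev = ciphertext[i:i + 16]
    return out.rstrip(b"\x00")


def build_mab_request(mac, secret, identifier=1, authenticator=None):
    """Encode the Access-Request a switch sends for `mac`: User-Name and
    User-Password are both the MAC, which is why a static password cannot
    be configured on the switch side."""
    authenticator = authenticator or os.urandom(16)
    user_name, csid = mac_formats(mac)
    attrs = [
        (ATTR_USER_NAME, user_name.encode()),
        (ATTR_USER_PASSWORD, pap_encrypt(user_name.encode(), secret, authenticator)),
        (ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK)),
        (ATTR_CALLING_STATION_ID, csid.encode()),
        (ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET)),
    ]
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def parse_attributes(packet):
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return code, authenticator, attrs


def authorize_mab(packet, secret, allowed_macs, accept_pap=True):
    """Server side: the policy must accept PAP, the recovered password must
    equal User-Name (the MAC), and the MAC must be known.  `accept_pap`
    models the NPS network-policy setting from the Windows thread."""
    code, authenticator, attrs = parse_attributes(packet)
    if code != ACCESS_REQUEST:
        return False, "not an Access-Request"
    if ATTR_USER_PASSWORD not in attrs:
        return False, "no User-Password attribute; not a PAP request"
    if not accept_pap:
        return False, "PAP not enabled on the matching policy"
    user_name = attrs[ATTR_USER_NAME].decode()
    password = pap_decrypt(attrs[ATTR_USER_PASSWORD], secret, authenticator).decode(errors="replace")
    if password != user_name:
        return False, "User-Password does not match User-Name; not a MAB request"
    if user_name not in {mac_formats(m)[0] for m in allowed_macs}:
        return False, f"unknown MAC {user_name}"
    return True, f"MAB accept for {user_name}"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    allowed = ["00:a0:08:12:34:56"]                      # constructed allow-list
    print(authorize_mab(build_mab_request("00a0.0812.3456", secret), secret, allowed))
    print(authorize_mab(build_mab_request("00a0.08ff.ffff", secret), secret, allowed))
    print(authorize_mab(build_mab_request("00a0.0812.3456", secret), secret, allowed, accept_pap=False))
```

Note that the password is only obscured with MD5 keyed by the shared secret, so the RADIUS leg should run over a segment you trust; a known MAC is also trivially spoofable, which is why MAB is a fallback for devices that cannot do 802.1X rather than a substitute for it.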

  • Does 6509 switch support CDP bypass feature when interface configured with IEEE 802.1X?

    Hi guys,
    we are deploying Cisco video endpoints (SX20) for our customers. The access switch is a 6509 running version 12.2(33)SXJ5.
    Following is the configuration on the interface, but the endpoints cannot pass the authentication, and also cannot get an IP address
    from the DHCP server, so I just want to know whether the 6509 switch supports the CDP BYPASS feature.
    interface GigabitEthernet x/xx
     switchport
     switchport access vlan 400
     switchport mode access
     switchport voice vlan 409
     authentication host-mode multi-domain
     authentication port-control auto
     authentication timer reauthenticate 65535
     authentication timer inactivity 120
     authentication violation restrict
     dot1x pae authenticator
     dot1x timeout tx-period 5
     dot1x timeout supp-timeout 10
     spanning-tree portfast edge

    What image are you running now? I am facing the same problem in 8.4(1). Workaround: upgrade to 8.4(2)GLX.

  • 802.1x takes a long time to authenticate

    I'm currently testing 802.1x in our environment and one of the things I want to do is mac-address authentication (basically a machine trying to connect to a port has to come up against our ACS server with these addresses). I can get it to work but for some reason it takes close to 5 minutes for it to authenticate. This seems to be the case whether it's a reboot of the same mac address or a new mac-address. I'm thinking this might be something on the switch to ACS side because the ACS server doesn't receive an authentication request until a few minutes after the machine is plugged in. Anyone ever seen something like this?
    Here is a sanitized copy of the switch config:
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log datetime
    service password-encryption
    service sequence-numbers
    hostname switchA
    enable secret 5 blah
    enable password 7 blah
    username blah password blah
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication dot1x default group radius
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ none
    aaa authorization network default group tacacs+ local
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting system default start-stop group radius
    aaa session-id common
    clock timezone UTC -5
    clock summer-time UTC recurring
    ip subnet-zero
    ip dhcp snooping vlan 1
    ip dhcp snooping
    cluster commander-address mem
    dot1x system-auth-control
    no file verify auto
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    interface FastEthernet0/1
    switchport mode access
    switchport port-security maximum 2
    switchport port-security
    switchport port-security aging time 1
    switchport port-security violation protect
    switchport port-security aging type inactiv
    dot1x mac-auth-bypass
    dot1x pae authenticator
    dot1x port-control auto
    dot1x host-mode multi-host
    dot1x reauthentication
    dot1x guest-vlan 23
    spanning-tree portfast
    ip dhcp snooping limit rate 100
    interface GigabitEthernet0/1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    ip dhcp snooping trust
    interface GigabitEthernet0/2
    switchport mode dynamic desirable
    interface GigabitEthernet0/3
    interface GigabitEthernet0/4
    interface Vlan1
    ip address 10.10.10.1 255.255.252.0
    no ip route-cache
    ip classless
    ip http server
    ip http access-class 1
    ip http secure-server
    snmp-server community
    snmp-server community
    tacacs-server host 10.10.10.6
    tacacs-server directed-request
    tacacs-server key 7 blah
    radius-server host 10.10.10.6 auth-port 1645 acct-port 1646 key 7 blah
    radius-server source-ports 1645-1646
    radius-server vsa send accounting
    radius-server vsa send authentication
    control-plane
    alias exec macsh sh mac-address | include
    alias exec arpsh sh arp | include
    line con 0
    line vty 0 4
    access-class 1 in
    password 7 blah
    line vty 5 15
    password 7 blah
    ntp clock-period 36029099
    ntp server 10.10.10.9
    end

    A couple of things here.
    * Not sure about a debug and a DHCP debug from your reference. Suffice it to say though, that if you're running 1X on a port, don't even expect DHCP to work (or anything else for that matter) until 802.1X has authorized the port (and is out of the way of the data plane). And DHCP is completely controlled from the client anyway; that should have predictable timing, expected operation, etc.
    The tx-period is a timer written into the 1X spec. An authenticator (switch) has the responsibility of re-transmitting frames it expects an answer to. In this case, it's the very first frame (EAPOL-Id-Request) when the switch is looking for a supplicant. The tx-period (30-sec default) is the period for how often the switch will re-transmit the frames. 30-sec is the recommended timer from the 1X spec (since packet loss should be a null concern). But in your case, bear it in mind, if you're wanting a non-1X port to "enable". The Guest-VLAN and MAC-Auth-Bypass can only execute after 802.1X has timed out. So, you may want to consider tweaking the timer down in the interest of giving this non-1X device some "more immediate" access. There's security built in to trying 1X first, however, so there's no silver bullet recommendation here.
    The other value I mentioned before was max-reauth-req. This is how many times 1X will REtransmit the initial EAPOL-Id-Req frame before giving up on the fact that a supplicant is not there.
    So effectively, the formula for timing out on 1X for these supplemental techniques is:
    tx-period * (1 + max-reauth-req)
    Hope this helps,

  • How can I configure a 802.1x in a switch 2960 with IOS 15.0.2?

    Hi,
    I'm trying to configure a switch WS-C2960+24PC-L with IOS 15.0(2)SE5 and C2960-LANBASEK9-M to use 802.1x in my network, but when I type the following commands the IOS doesn't recognize the interface commands and I can't complete the settings:
    Router# configure terminal
    Router(config)# dot1x system-auth-control
    Router(config)# aaa new-model
    Router(config)# aaa authentication dot1x default group radius
    Router(config)# interface fastethernet2/1
    Router(config-if)# switchport mode access
    Switch(config-if)# authentication port-control auto (or dot1x port-control auto)
    Switch(config-if)# authentication host-mode multihost
    Router(config-if)# dot1x pae authenticator
    Router(config-if)# end
    Source: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-2mt/config-ieee-802x-pba.html#GUID-C11588CB-31B6-4CD9-9E74-CF2199FB1807
    I've used the same commands in another switch with IOS 12.x and I don't have any problem completing the settings, so.... does somebody know if:
    * Should I use others commands to activate this feature in this IOS?
    * Do I need to use other IOS?
    Thanks in advance,

    The authentication manager commands in Cisco IOS Release 12.2(50)SE or later, the equivalent 802.1x commands in Cisco IOS Release 12.2(46)SE and earlier, and what each does:

    authentication control-direction {both | in}
        was: dot1x control-direction {both | in}
        Enable 802.1x authentication with the wake-on-LAN (WoL) feature, and configure the port control as unidirectional or bidirectional.
    authentication event
        was: dot1x auth-fail vlan / dot1x critical (interface configuration) / dot1x guest-vlan
        Enable the restricted VLAN on a port; enable the inaccessible-authentication-bypass feature; specify an active VLAN as an 802.1x guest VLAN.
    authentication fallback fallback-profile
        was: dot1x fallback fallback-profile
        Configure a port to use web authentication as a fallback method for clients that do not support 802.1x authentication.
    authentication host-mode [multi-auth | multi-domain | multi-host | single-host]
        was: dot1x host-mode {single-host | multi-host | multi-domain}
        Allow a single host (client) or multiple hosts on an 802.1x-authorized port.
    authentication order
        was: mab
        Provides the flexibility to define the order of authentication methods to be used.
    authentication periodic
        was: dot1x reauthentication
        Enable periodic re-authentication of the client.
    authentication port-control {auto | force-authorized | force-unauthorized}
        was: dot1x port-control {auto | force-authorized | force-unauthorized}
        Enable manual control of the authorization state of the port.
    authentication timer
        was: dot1x timeout
        Set the 802.1x timers.
    authentication violation {protect | restrict | shutdown}
        was: dot1x violation-mode {shutdown | restrict | protect}
        Configure the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port.
    show authentication
        was: show dot1x
        Display 802.1x statistics, administrative status, and operational status for the switch or for the specified port.

    Source: authentication manager: compatibility with earlier 802.1x CLI commands
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_010000.html#concept_6275D339A9074AC0BB06F872D7A54FBB

  • Is it possible to add a firewall Filter or Rule Set to the Extreme Router (802.11n)

    Is it possible to add a firewall Filter or Rule Set to the setting for the Extreme Router (802.11n) like the following:
    "ALLOW TCP/UDP IN/OUT to 208.67.222.222 or 208.67.220.220 on Port 53"  and
    "BLOCK TCP/UDP IN/OUT all IP addresses on Port 53"
    The goal of this is to create a firewall rule to only allow DNS (TCP/UDP) to OpenDNS' servers and restrict all other DNS traffic to any other IPs.
    Or, alternatively is there a way to configure same applied to the Network preferences on IMAC OS X?
    Thanks and much appreciation to anyone who has any clue about this.

    Sorry, I think you've got it backwards.
    The concern is NOT that the child can make changes to our hardware/AEBS, or even our network software on my IMAC - nothing's been changed.
    BUT, he changed the dns settings on his OWN device (ie chromebook) to google public server, accessed the AE using our home wifi network BUT bypassed our dns settings. Capeesh?
    See: http://www.pocketables.com/2013/03/how-to-use-change-the-dns-settings-on-your-chromebook-and-use-googles.html

  • 802.1x Without Certificates

    I have the following setup:
    5508 WLC
    ISE 1.2
    The wireless network is completely separate from the corporate network & is purely used for Internet access.
    The users connect in 2 different ways:
    Guest Access by means of a Guest Portal (Guest SSID)
    802.1x Pointing to Internal Users on the ISE box. (Corporate SSID)
    All Mobile devices connect fine to the corporate SSID, the problem is with Laptop users.
    At this stage, in order for the users to connect to the Corporate SSID, I need to manually set up the wireless connection and remove the "Verify the server's identity by validating the certificate" tick box under PEAP settings.
    Is there any way to bypass/rectify this, (This is only used for Internet, hence the Customer will not install a CA server)
    I need the users to connect to the Corporate SSID without manually setting up the wireless connection.

    Jacovr,
    The point of using 802.1X is to provide a means of security for the corporate users when connecting to WiFi. First we need to cover the purpose of cert validation. The RADIUS server sends the device cert to the client. The client then uses this cert to hash their logon and AD and pass it to the RADIUS server, where the RADIUS server uses the private key. To protect against a man-in-the-middle attack the client can validate the certificate. If you choose not to, and many people do btw, you can unselect this. But know that anyone running your SSID with FreeRADIUS and the hack can put your IDs/passwords at risk.
    This is a client configuration. Nothing you can do on the infrastructure side of this to bypass it. Here are a few ideas.
    1)I assume these corporate users have machines that are part of AD. If so you can push the WLAN profile with the specific WLAN settings automagically.
    2) If you dont have AD you can use a tool like Anyconnect and provide a profile via email a user can launch and will configure the WLAN profile.
    3) With ISE you can build a policy and push down a WLAN profile, but here again they need to connect the first time. I have seen users do an onboarding network for WLAN profiles.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
    "I'm like bacon, I make your wireless better"

  • Cisco ISE for 802.1x (EAP-TLS)

    I work for a banking organization and security is an area that needs to be improved continuously. I am planning on implementing Cisco ISE for 802.1x together with a Microsoft PKI for certificate issuing and signing.
    I am currently trying to implement this in our test environment and I have managed to do a few basic bootstrapping tasks. I need someone to push me into the right direction as to how I can achieve what i am seeking.
    I will use Cisco 2900 series switches on the access layer and a few HP switches as well which supports 802.1x.
    I want to configure the ISE to process authentication requests using 802.1x EAP-TLS (certificate based). All the workstations on the domain need to authenticate themselves using the certificates issued to them by the Certificate Issuing Authority.
    I have already managed to get the PKI working and have rolled out the certificates on all the workstations on the test environment. I can't seem to configure the Authentication portion on the ISE.
    I request if someone can guide me or direct me to materials that can help achieve the above requirements. The guides available on the Cisco website are  overwhelming and I can't seem to figure out how I am supposed to configure the authentication portion.
    My email: [email protected]
    Cheers,
    Krishil Reddy

  • Cisco IP 7841 802.1x Configuration

    Hello Team,
    I am working with a customer that requires 802.1x configured on their environment. Based on my research so far, I believe this is only way to make this work. Have any of you done this differently? Any feedback is greatly appreciated.
    CUCM
    Run the CTL Client to install the e-token so the CUCM Publisher can run the CAPF service
    Export the Cisco_Root_CA cert and upload it to a Radius server (preferably Cisco ACS if possible) so the phones can authenticate with
    Assign the cert to each phone that requires 802.1x authentication
    LAN Switches
    Stage the LAN switches without 802.1x so phones can retrieve the cert and complete the authentication before turning on 802.1x
    Questions
    Can phones be authenticated with their own MIC and the PCs with their own? Do phones and PCs have to run the same cert?
    Is MAB the only method to bypass the 802.1x phone authentication so that only the PC is authenticated via 802.1x, without requiring the phone to do the 802.1x authentication?
    Thanks in advance for your feedback,
    Gerson

    Jaime,
    Thanks for pointing me to the correct area. By the way, do you have experience enabling 802.1x in CUCM? If so, do you think I am going in the right direction? Could you also provide some feedback on my questions?
    Thanks,
    Gerson

  • NAC-L2-802.1x with 7940 IP Phones and built-in switchport?

    Hi
    I've got the NAC Framework, NAC-L2-802.1x working in a test LAB with network hosts (PCs) connected directly to the L2 switch. In our production environment, we have Cisco 7940 IP phones on every desk, and the PCs connect to the switchport on the back of these phones. How would one configure NAC-L2-802.1x to work in a setup like this? I've done quite a bit of searching on Cisco and only found this reference to IP phones and NAC;
    IP Telephone and Device Mobility
    The computer connected to the PC port on an IP phone will get posture validated successfully.
    It does not help much...
    Thanks very much.
    Jason

    You have 2 choices:
    1) Ignore the phones based on CDP. You get this by just configuring 802.1X along with a VVID. Here's an example port config from a 3750:
    interface GigabitEthernet1/0/2
    description endpoints
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 200
    srr-queue bandwidth share 10 10 60 20
    srr-queue bandwidth shape 10 0 0 0
    queue-set 2
    mls qos trust device cisco-phone
    mls qos trust cos
    dot1x pae authenticator
    dot1x port-control auto
    spanning-tree portfast
    spanning-tree bpduguard enable
    ip verify source
    ip dhcp snooping limit rate 10
    The config above will allow a Cisco phone in "for free" just b/c it can do CDP.
    2) Authenticate IP phones via 1X or MAC-Authentication for phones that cannot support 1X. This would be the same config as above, with the addition of this line:
    dot1x host-mode multi-domain
    And if your IP phone cannot do 1X (for example the 7940 cannot) then you'll need to check its MAC for entry into the network by adding this line:
    dot1x mac-auth-bypass
    Hope this helps,

  • Cisco ISE: HotFix and Timers for 802.1x (EAP-TLS)

    Hi,
    I found the below Hot-Fix to be set;
    http://blogs.technet.com/b/jeff_stokes/archive/2013/01/24/20-minute-delay-deploying-windows-7-on-802-1x-fix-it-here.aspx
    Kindly let me know what the best time to set on it is. It says 20 minutes. Also, I want to know what the corresponding configuration needs to be on the switch and ISE to reflect it, or whether it isn't needed.
    Thanks,
    Regards,
    Mubasher Sultan

    Hello Mubashir,
    Many timers can be modified as needed in a deployment. Unless you are experiencing a specific problem where adjusting the timer may correct unwanted behavior, it is recommended to leave all timers at their default values except for the 802.1X transmit timer (tx-period).
    The tx-period timer defaults to a value of 30 seconds. Leaving this value at 30 seconds provides a default wait of 90 seconds (3 x tx-period) before a switchport will begin the next method of authentication, and begin the MAB process for non-authenticating devices.
    Based on numerous deployments, the best-practice recommendation is to set the tx-period value to 10 seconds to provide the optimal time for MAB devices. Setting the value below 10 seconds may result in the port moving to MAC authentication bypass too quickly.
    Configure the tx-period timer.
    C3750X(config-if-range)#dot1x timeout tx-period 10
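The reply above and the earlier reply in the "802.1x takes a long time to authenticate" thread describe the same timing: the switch sends EAP-Request/Identity at t=0, retransmits it every tx-period seconds up to max-reauth-req times, abandons 802.1X at tx-period * (1 + max-reauth-req), and only then moves to the next method in `authentication order` (MAB, then guest VLAN if MAB fails). The following is an added example, not code from either reply, that plays that timeline out for a device which never speaks EAPOL, so the 90-second default and the 30-second result of `dot1x timeout tx-period 10` can be read off directly. The IOS defaults (tx-period 30, max-reauth-req 2) are assumed, and the MAB round-trip time is a constructed figure.

```python
"""Added example: authenticator timeline for a non-802.1X host, from the
formula tx-period * (1 + max-reauth-req).  IOS defaults assumed; the
RADIUS round-trip used for MAB is a constructed figure."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Dot1xTimers:
    tx_period: int = 30       # seconds between EAP-Request/Identity retransmits
    max_reauth_req: int = 2   # retransmits before giving up on a supplicant

    def dot1x_timeout(self):
        """Seconds until the switch stops waiting for a supplicant."""
        return self.tx_period * (1 + self.max_reauth_req)


def authenticator_timeline(timers, order=("dot1x", "mab"), mab_rtt=1.0, mab_known=True):
    """Return [(t_seconds, event)] for a device that never answers EAPOL.

    `order` mirrors `authentication order`; `mab_known` says whether the
    RADIUS server has the MAC in its database."""
    events, t = [], 0.0
    for method in order:
        if method == "dot1x":
            for n in range(timers.max_reauth_req + 1):
                events.append((t, "EAP-Request/Identity" + (" (retransmit)" if n else "")))
                t += timers.tx_period
            events.append((t, "802.1X timed out, no supplicant"))
        elif method == "mab":
            events.append((t, "MAB: RADIUS Access-Request with MAC"))
            t += mab_rtt
            if mab_known:
                events.append((t, "MAB: Access-Accept, port authorized"))
                return events
            events.append((t, "MAB: Access-Reject"))
    events.append((t, "all methods failed: guest VLAN or unauthorized"))
    return events


def time_to_mab_start(timers, order=("dot1x", "mab")):
    """Seconds from link-up until the first MAB request leaves the switch."""
    return next(t for t, e in authenticator_timeline(timers, order) if e.startswith("MAB"))


if __name__ == "__main__":
    for timers in (Dot1xTimers(), Dot1xTimers(tx_period=10)):
        print(f"tx-period={timers.tx_period}: 802.1X gives up after {timers.dot1x_timeout()} s,"
              f" MAB starts at {time_to_mab_start(timers)} s")
        for t, e in authenticator_timeline(timers):
            print(f"  t={t:6.1f}  {e}")
```

Putting `mab` first in `order` (the `authentication order mab dot1x` case) brings the MAB request to t=0, which is the trade-off the earlier reply warns about: faster access for printers and phones in exchange for not trying 802.1X first.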
