802.1X Port Based Authentication Security Violation

Similar Messages

• 802.1X Port Based Authentication - IP Phone- MDA - Port Security Violation

  I have configured 802.1X authentication on selected ports of a Cisco Catalyst 2960S with Micorsoft NPS Radius authentication on a test LAN. I have tested the authentication with a windows XP laptop, a windows 7 laptop with 802.1X, eap-tls authentication and a Mitel 5330 IP Phone using EAP-MD5 aithentication. All the above devices work with with the MS NPS server. However in MDA mode when the  802.1x compliant  windows 7 laptop is connected to the already authenticated Mitel IP Phone, the port experiences a security violation and the goes into error sdisable mode.
  Feb  4 19:16:16.571: %AUTHMGR-5-START: Starting 'dot1x' for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
  Feb  4 19:16:16.645: %DOT1X-5-SUCCESS: Authentication successful for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
  Feb  4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
  Feb  4 19:16:17.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
  Feb  4 19:16:18.658: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
  If the port config  is changed to "authentication host-mode multi-auth", and the laptop is connected to the phone the port does not experience the security violation but the 802.1x authentication for the laptop fails.
  The ports GI1/0./1 & Gi1/02 are configured thus:
  interface GigabitEthernet1/0/1
  switchport mode access
  switchport voice vlan 20
  authentication event fail action authorize vlan 4
  authentication event no-response action authorize vlan 4
  authentication event server alive action reinitialize
  authentication host-mode multi-domain
  authentication order dot1x mab
  authentication priority dot1x mab
  authentication port-control auto
  mab
  mls qos trust cos
  dot1x pae authenticator
  spanning-tree portfast
  sh ver
  Switch Ports Model              SW Version            SW Image
  *    1 52    WS-C2960S-48FPS-L  15.2(1)E1             C2960S-UNIVERSALK9-M
  Full config attached. Assistance will be grately appreciated.
  Donfrico

  I am currently trying to get 802.1x port authentication working on a Cat3550 against Win2003 IAS but the IAS log shows a invalid message-authenticator error. The 3550 just shows failed. When I authenticate against Cisco ACS (by simply changing the radius-server) it works perfectly.
  However, I am successfully using IAS to authenticate WPA users on AP1210s so RADIUS appears to be OK working OK.
  Are there special attributes that need to be configured on the switch or IAS?

• Help with 4506 802.1x Port Based Authentication (Wired)

  Hi all,
  I'm trying to configure wired 802.1x security on a Catalyst 4506 IOS 12.1.19(EW), using Microsoft IAS (Microsoft's RADIUS), and Windows 2000 SP4 clients.
  I've followed the procedures in the 4506 Software configuration guide and they seem to be straight forward.
  I then turn 802.1x Debugging on the switch to monitor the 802.1x traffic, but there is none. If I bring the configured interface down and then back up, I do get some status change, but it seems like the switch is not sending or receiving EAPOL frames.
  I then execute the dot1x "initialize" and also tried the "re-authenticate" commands, but I get an error saying that FastEthernet 2/2 is not a valid dot1x interface. The line card model number is WS-X4148-RJ21. Is the card not 802.1x compatible?
  The switch does not throw any errors when I configure FastEthernet 2/2 as a 802.1x port by executing
  dot1x port-control auto
  i've also configured the interface to be a plain L2 access port by executing
  switchport mode access
  any help will be appreciated!

  I am currently trying to get 802.1x port authentication working on a Cat3550 against Win2003 IAS but the IAS log shows a invalid message-authenticator error. The 3550 just shows failed. When I authenticate against Cisco ACS (by simply changing the radius-server) it works perfectly.
  However, I am successfully using IAS to authenticate WPA users on AP1210s so RADIUS appears to be OK working OK.
  Are there special attributes that need to be configured on the switch or IAS?

• IEEE 802.1x Port based Authentication with Restricted VLAN

  Hi all,
  I have the following configuration:
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization exec default local
  dot1x system-auth-control
  radius-server host 10.10.10.10 key cisco
  interface FastEthernet0/1
  switchport mode access
  authentication event fail retry 1 action authorize vlan 2
  authentication port-control auto
  dot1x pae authenticator
  spanning-tree portfast
  But it takes quite a while for the user who is not authorized to be switch to vlan 2.
  I would like to know what is best practice when using this kind of configuration  and if it is possible to optimize on how long it takes to switch the unauthorized user to the restricted VLAN?
  Regards,
  Laurent

  Laurent,
  Based on your configuration it looks as if it will take one retry attempt before the client is placed in vlan2. Try to remove the 'retry 1' from command and see if that speeds up the time. Also take the output of the 'show authentication sessions interface '. Please post the output of the 'debug radius authentication' as that will help to see how long it is taking the radius server to respond.
  thanks,
  Tarik Admani

• IEEE 802.1x port-based authetication

  I want to configure IEEE 802.1x port-based authentication on cisco switches, preferable 2960 series. Which models support this feature?. I have try with some older switches but it doesn't works properly on everyone.
  I have upgraded them whitout better results, there is namely an issue with TLS handshaking on some switches which produces authentication to fail.

  Hi Claudia,
  do you mean that the EAP-TLS authentication fails only on some 2960 switches and it works on other 2960s?
  What is the IOS version you're using there?
  What is the RADIUS server in use?
  What is the exact error message you see on the RADIUS side?
  Usually, the reason for the EAP-TLS handshake failure is to be troubleshoot on the supplicant and AAA server, however, there may be something on the switch depending on the certificate size and MTU settings on the switch(es).
  What is the server cert size and the MTU configured on the switches?
  With the info you provided it's difficult to say what's the reason of this failure.
  I would suggest to start looking into the above mentioned topics, else you would need to proceed with deeper debugging and sniffer traces, which may be better/easier to handle through a TAC case.
  I hope this helps.
  Regards,
  Federico
  If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

• 802.1x mac based authentication

  We have Cisco ACS 3.3 is there a way to do authentication based on mac address, instead of username and password? We are looking to stop things such as user purchased access points and what not. Any info would be great.

  Yes you are right, I misunderstood you. I was under the impression that you were talking about doing MAC based authentication on your AP's, not the switches. That is why I made mention to port security.
  The 2 options would be standard port security or 802.1x port security if you switches support this.
  In order to use the 802.1X port security, your switch would need to support it and the clients connecting to the switch would require a supplicant (EAP-TLS, EAP-TTLS, etc) in order for them to work, not by MAC address alone.
  You can configure standard port security on the switch which will accomplish your intentions and not even need to use the ACS server.
  standard port base security by MAC:
  http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a008007d3ce.html
  802.1x port based security:
  http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00801a6c72.html

• Port-Based Authentication on 877

  Hi 
  I have applied following commands to enable Port-Based Authentication but when I run command sh mac address-table it shows static mac on this port   (  xx    0000.xxxx.xxxx    STATIC      Gi1/0/3) .  
  authentication control-direction in
  authentication event fail retry 1 action authorize vlan xx
  authentication event no-response action authorize vlan xx
  authentication host-mode multi-domain
  authentication order dot1x mab
  authentication port-control auto
  authentication violation protect
  mab
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 10
  dot1x timeout supp-timeout 10
  As I remove command authentication port-control auto then sh mac address-table  command shows me DYNAMIC MAC.
  Anyone can please let explain me why it is happing 
  Regards,

  Any input?

• 802.1x Machine Based Authentication - Password expired

  Hi,
  I would like to ask 1 question about machine based authentication on 802.1x.
  1.We are deploying 802.1x on wired user.
  2.Some user are using machine based authentication in order to authenticate their port.
  3.However, after the user password expired, the user need to change their password and then the machine are unable to authenticate. The error i got is "External DB user invalid or bad password". Then switch assign the user to Guest Vlan
  4.But, once i plug out the cable and plug in back the UTP cable after the user login, the switch will assigned the user to proper VLAN.
  5.User wont be able to access their share drive n etc since the guest vlan only have access to the internet.
  5.Anyone have any idea what is happening? It seems that the machine is sending the old password during authentication process to the ACS.
  Anybody can shed a light to me. Thanks.

  This should certainly work with that rev. On your passed (or failed) auth log, you should see the username of the session authenticating. If you see the FQDN of the machine, this is a machine auth. Also, machine-auth typically executes before the GINA is displayed to the user. It sounds like machine-auth is failing and we need to determine why. Has this machine been away from the domain for long?
  This also might help:
  http://supportwiki.cisco.com/ViewWiki/index.php/802.1x_authentication_with_Cisco_Secure_Access_Control_Server_fails_to_work_for_Microsoft_Windows_XP_PC

• Considerations for 802.1x Port Based and Wi-Fi Certificate Authentication

  Lately, we have been going back and for with the thought of doing certificate authentication for Wi-Fi and Port. We have Server 2012 PKI and CA and it seems fairly straight forward to pump out a certificate to a user and have them authenticate with their
  certificate to a RADIUS/NPS. However, every time I mention our thoughts with consultants or others they seem to cringe saying that they've seen this deployment cripple networks.
  We have almost 50 branch retail locations (with hub-spoke topology - all have VPN tunnels to corporate and also a disaster recovery location) and their internet isn't always super stable and they absolutely need to have network access at all times because
  they are running Point Of Sale. Right now, if their internet fails, they can remain functional because we have the necessary pieces at all locations to keep a Windows network going but I'm afraid that if we force 802.1x certificate authentication for the switch
  ports and Wi-Fi that if their internet goes down, they won't be able to authenticate since the authentication server will be at corporate. I am curious as to how people deal with:
  1. Fail over to a disaster recovery authentication server if Corporate connection goes down
  and:
  2. If internet fails locally and can no longer communicate with any authentication server. Is there some sort of scale-out? It seems complicated since (if I'm not mistaken) it needs access to the CRL to validate certificates and also a Network Policy Server
  for the authentication and so on.
  What we're really trying to accomplish is to prevent people from bringing in a laptop or device with an Ethernet port and removing an existing device and plugging into the port in its place. MAC filtering doesn't seem like a good solution on a large scale,
  nor a super secure option so it seemed like 802.1x certificate seemed to be the most flexible without having to go full NAP/NAC. Anyhow, sorry for the lengthy post and I really appreciate your time in advance!

  Re-authentication could be triggered by the NPS, the switch / AP or the client:
  NPS: There is a bunch of attributes to be configured in the Network Policy that determine the time a machine can remain connected such as Idle Timeout and Session Timeout. (When WEP was still common the session timeout had been used to enforce
  a change of the insecure key.) Otherwise, the machine should remain connected as far as NPS is concerned.
  Switch / AP: Depends on the configuration, e.g. re-authentication has to be triggered if the link went down. If a user plugs a cable or accidentally disable WLAN on his machine when the internet link he will not be able to reconnect.
  Then I have seen some options similar to the NPS options, and switches could have their own session timeouts or be configured for respecting the radius server's setting.
  Client: The term "re-authentication" is also used happens if you have to / want to use both machine and user authentication: When the machine starts up, the machine account is authenticated; when the user logs on the user is authenticated;
  when the user logs off the machine is authenticated again. Per GPO you configure the machines for this kind of re-authentication (the default) or use machine-only or user-only authentication instead.
  It might be a challenge to manage and test these settings if you have to support many different APs / switches and different WLAN devices.
  I would recommend to carefully test it with a pilot group of users.
  Would you have any chance to turn off 802.1x on the switches / APs in case of a major outage? I guess not as you would be able to manage them remotely?

• 802.1x port authentication not working

  I am having some troubles figuring out what is going on here. I am trying to setup 802.1x port based authentication to assign clients to VLANs. I inherited this mess and its been a long time since I have used this. I ran a wireshark on my Radius server and I see no packets even coming from my switch IP address when I plug into a port (I verified communication because pings come up in my trace)
  Switch info:
  sw-ConfB>sho ver
  Cisco IOS Software, C2960C Software (C2960c405-UNIVERSALK9-M), Version 12.2(55)EX3, RELEASE SOFTWARE (fc2)
  Port config:
  interface FastEthernet0/11
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  Radius Server Info:
  radius-server host 10.0.1.52 auth-port 1645 acct-port 1646 key 802.1x!
  Kinda lost why not Radius packet even comes from the switch. Any tips?

  sw-ConfB#sho ru
  Building configuration...
  Current configuration : 6301 bytes
  version 12.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname sw-ConfB
  boot-start-marker
  boot-end-marker
  enable secret 5 $1$3QAC$puzutRpCI5zR3Xv55xBVH0
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa session-id common
  system mtu routing 1500
  crypto pki trustpoint TP-self-signed-706182400
   enrollment selfsigned
   subject-name cn=IOS-Self-Signed-Certificate-706182400
   revocation-check none
   rsakeypair TP-self-signed-706182400
  crypto pki certificate chain TP-self-signed-706182400
   certificate self-signed 01
    3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 37303631 38323430 30301E17 0D393330 33303130 30303430
    365A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
    532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3730 36313832
    34303030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
    C72AE421 F5BF8C62 7C9E14C1 E73686FB 67DD760A 0C6C790D 935143A0 8DD96CC8
    D14A11C1 D16F9583 AE3B591E 68581049 1C837110 1B1C0398 BDE81C86 3F80CD45
    E55EBE76 73B9F7AB 5F14CBD5 2BD38330 E1B4FA92 32490A66 CE0BE135 9B695D97
    BF7C04FB 2999CF98 2336E82C 559A89C1 7F4E2948 1D73EBD4 236E4DD9 4D8675AB
    02030100 01A36930 67300F06 03551D13 0101FF04 05300301 01FF3014 0603551D
    11040D30 0B820973 772D436F 6E66422E 301F0603 551D2304 18301680 14C35330
    A1D32EA5 C2A07CC9 B1B3CCDB EB93CAA7 02301D06 03551D0E 04160414 C35330A1
    D32EA5C2 A07CC9B1 B3CCDBEB 93CAA702 300D0609 2A864886 F70D0101 04050003
    8181002E FC217BF1 F9E6FBE1 B07270A6 79A57AA5 691A949D C61C00C2 09C1C3CA
    CA14EE07 60BA058E CFDCD8E7 19D83B68 5F06B92C 8612B396 B18BA823 C0E83021
    2EFD391E 06113246 5609E287 7883422A 0513AF6D 5BF03CDE 92786B1D 3E01284C
    1EE23296 12999C71 BE8A5BEA 4B768F7E 6EB63E05 B71AF375 7FB72B98 7665BF45 D14622
    quit
  dot1x system-auth-control
  spanning-tree mode pvst
  spanning-tree extend system-id
  vlan internal allocation policy ascending
  interface FastEthernet0/1
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/2
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/3
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/4
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/5
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/6
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/7
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/8
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/9
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/10
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/11
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface FastEthernet0/12
   switchport access vlan 900
   switchport mode access
   authentication event fail action authorize vlan 900
   authentication event no-response action authorize vlan 900
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 5
  interface GigabitEthernet0/1
   switchport trunk native vlan 200
   switchport trunk allowed vlan 100,200,900
   switchport mode trunk
  interface GigabitEthernet0/2
   switchport access vlan 100
   switchport mode access
  interface Vlan1
   no ip address
  interface Vlan100
   ip address 10.0.1.3 255.255.255.0
  interface Vlan200
   ip address 10.0.2.4 255.255.255.0
  interface Vlan900
   ip address 10.0.9.4 255.255.255.0
  ip default-gateway 10.0.1.1
  ip http server
  ip http secure-server
  ip sla enable reaction-alerts
  radius-server host 10.0.1.52 auth-port 1645 acct-port 1646 key 802.1x!
  radius-server retransmit 5
  radius-server key secret
  radius-server vsa send authentication

• VPN Tunnel w/ 802.1X port authentication against remote RADIUS server

  I have a Cisco 892 setup as a VPN client connecting to an ASA 5515-X.  The tunnel works fine and comes up if theirs correct traffic.  I have two RADIUS servers I want to use certificate based authentication to, that are located behind the ASA 5515-X.
  If I connect a computer that has the correct certificates to ports FA0 through 3, authentication won't work.  I'll see the following.  This happens even if the VPN tunnel is established already by doing something such as connecting a VOIP phone.  No entrys are located in the RADIUS logs, and I also cannot ping the RADIUS servers from VLAN10.
  *Jan 30 19:46:01.435: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.1.100:1812,1813 is not responding.
  *Jan 30 19:46:01.435: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.1.100:1812,1813 is being marked alive.
  *Jan 30 19:46:21.659: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.26.10:1812,1813 is not responding.
  *Jan 30 19:46:21.659: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.26.10:1812,1813 is being marked alive.
  If I connect a second PC to an interface with 802.1X disabled, such as FA6, the VPN tunnel will establish itself correctly.  In this situation, I can ping the RADIUS servers from VLAN10.  If I go ahead and connect another PC with correct certificates to a port with 802.1X enabled such as port FA0 through 3, then 802.1X will suceed.
  Current configuration : 6199 bytes
  ! Last configuration change at 15:40:11 EST Mon Feb 3 2014 by
  version 15.2
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname router1
  boot-start-marker
  boot-end-marker
  aaa new-model
  aaa local authentication default authorization default
  aaa authentication login default local
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa session-id common
  clock timezone EST -5 0
  clock summer-time EDT recurring
  ip cef
  ip dhcp pool pool
  import all
  network 192.168.28.0 255.255.255.248
  bootfile PXEboot.com
  default-router 192.168.28.1
  dns-server 192.168.26.10 192.168.1.100 8.8.8.8 4.2.2.2
  domain-name domain.local
  option 66 ip 192.168.23.10
  option 67 ascii PXEboot.com
  option 150 ip 192.168.23.10
  lease 0 2
  ip dhcp pool phonepool
  network 192.168.28.128 255.255.255.248
  default-router 192.168.28.129
  dns-server 192.168.26.10 192.168.1.100
  option 150 ip 192.168.1.132
  domain-name domain.local
  lease 0 2
  ip dhcp pool guestpool
  network 10.254.0.0 255.255.255.0
  dns-server 8.8.8.8 4.2.2.2
  domain-name local
  default-router 10.254.0.1
  lease 0 2
  no ip domain lookup
  ip domain name remote.domain.local
  no ipv6 cef
  multilink bundle-name authenticated
  license udi pid CISCO892-K9
  dot1x system-auth-control
  username somebody privilege 15 password 0 password
  redundancy
  crypto isakmp policy 1
  encr aes 256
  authentication pre-share
  group 5
  crypto isakmp key secretpassword address 123.123.123.123
  crypto ipsec transform-set pix-set esp-aes 256 esp-sha-hmac
  mode tunnel
  crypto map pix 10 ipsec-isakmp
  set peer 123.123.123.123
  set transform-set pix-set
  match address 110
  interface BRI0
  no ip address
  encapsulation hdlc
  shutdown
  isdn termination multidrop
  interface FastEthernet0
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  authentication port-control auto
  dot1x pae authenticator
  spanning-tree portfast
  interface FastEthernet1
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  authentication port-control auto
  dot1x pae authenticator
  spanning-tree portfast
  interface FastEthernet2
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  authentication port-control auto
  dot1x pae authenticator
  spanning-tree portfast
  interface FastEthernet3
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  authentication port-control auto
  dot1x pae authenticator
  spanning-tree portfast
  interface FastEthernet4
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  spanning-tree portfast
  interface FastEthernet5
  switchport access vlan 12
  switchport voice vlan 11
  no ip address
  spanning-tree portfast
  interface FastEthernet6
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  spanning-tree portfast
  interface FastEthernet7
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  authentication port-control auto
  dot1x pae authenticator
  spanning-tree portfast
  interface FastEthernet8
  no ip address
  shutdown
  duplex auto
  speed auto
  interface GigabitEthernet0
  ip address dhcp
  ip nat outside
  ip virtual-reassembly in
  duplex auto
  speed auto
  crypto map pix
  interface Vlan1
  no ip address
  interface Vlan10
  ip address 192.168.28.1 255.255.255.248
  ip nat inside
  ip virtual-reassembly in
  interface Vlan11
  ip address 192.168.28.129 255.255.255.248
  interface Vlan12
  ip address 10.254.0.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  ip forward-protocol nd
  ip http server
  ip http authentication local
  ip http secure-server
  ip nat inside source list 101 interface GigabitEthernet0 overload
  ip route 0.0.0.0 0.0.0.0 dhcp
  ip radius source-interface Vlan10
  ip sla auto discovery
  access-list 101 deny   ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
  access-list 101 permit ip 192.168.28.0 0.0.0.255 any
  access-list 101 permit ip 10.254.0.0 0.0.0.255 any
  access-list 110 permit ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
  access-list 110 permit ip 192.168.29.0 0.0.0.255 192.168.0.0 0.0.255.255
  radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key secretkey
  radius-server host 192.168.26.10 auth-port 1812 acct-port 1813 key secretkey
  control-plane
  mgcp profile default
  line con 0
  line aux 0
  line vty 0 4
  transport input all
  ntp source FastEthernet0
  ntp server 192.168.26.10
  ntp server 192.168.1.100
  end

  I have 802.1X certificate authentication enabled on the computers.  As described in my post above, authentication will work if theirs another device on the same VLAN that is connected to a port that bypasses authentication.  It seems like I have a chicken and egg scenario, a device needs to be sucessfully connected to VLAN10 before the router will use it's VLAN10 interface to communicate with my remote RADIUS server.

• 802.1x per host authentication under one port with multi-host access by hub

  Dear,
  While multi-host connect to one port by hub, it seems that in multi-host mode, after one host passed the authentication, the port change state to up, and the other hosts do not need to authenticate any more. And in single host mode, only one host could access to the network under one port.
  In the situation with multi-host access to one port by hub, is it possible that we could control per user access by authentication for each?
  We did some test on 3550, it seems that the 3550 doesnot support what we need. And what about 4506?
  Thanks!

  Multiauthentication Mode
  Available in Cisco IOS Release 12.2(33)SXI and later releases, multiauthentication (multiauth) mode allows one 802.1X/MAB client on the voice VLAN and multiple authenticated 802.1X/MAB/webauth clients on the data VLAN. When a hub or access point is connected to an 802.1X port (as shown in Figure 60-5), multiauth mode provides enhanced security over the multiple-hosts mode by requiring authentication of each connected client. For non-802.1X devices, MAB or web-based authentication can be used as the fallback method for individual host authentications, which allows different hosts to be authenticated through different methods on a single port.
  Multiauth also supports MDA functionality on the voice VLAN by assigning authenticated devices to either a data or voice VLAN depending on the data that the VSAs received from the authentication server.
  Release 12.2(33)SXJ and later releases support the assignment of a RADIUS server-supplied VLAN in multiauth mode, by using the existing commands and when these conditions occur:
  •The host is the first host authorized on the port, and the RADIUS server supplies VLAN information.
  •Subsequent hosts are authorized with a VLAN that matches the operational VLAN.
  •A host is authorized on the port with no VLAN assignment, and subsequent hosts either have no VLAN assignment, or their VLAN information matches the operational VLAN.
  •The first host authorized on the port has a group VLAN assignment, and subsequent hosts either have no VLAN assignment, or their group VLAN matches the group VLAN on the port. Subsequent hosts must use the same VLAN from the VLAN group as the first host. If a VLAN list is used, all hosts are subject to the conditions specified in the VLAN list.
  •After a VLAN is assigned to a host on the port, subsequent hosts must have matching VLAN information or be denied access to the port.
  •The behavior of the critical-auth VLAN is not changed for multiauth mode. When a host tries to authenticate and the server is not reachable, all authorized hosts are reinitialized in the configured VLAN.
  NOTE :
  •Only one voice VLAN is supported on a multiauth port.
  •You cannot configure a guest VLAN or an auth-fail VLAN in multiauth mode.
  for more information :
  http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1x.html

• 802.1x Port Authentication via RADIUS

  I am investigating implementing 802.1x port authentication on our network.
  I have a test LAN with a Catalyst 2950 switch and 2 Win XP workstations, (I know its pretty basic, but should be enough for testing purposes). One of these XP PCs is running a Win32 RADIUS server and the other has been configured for 802.1x authentication with MD5-Challenge. Both switch ports are configured for the default vlan and can ping each other.
  I have configured the switch with the following commands
  aaa new-model
  aaa authentication dot1x default group radius
  dot1x system-auth-control
  radius-server host x.x.x.x key test
  and the port to be authorised has been configured with
  dot1x port-control auto
  As far as I can tell this is all I need to configure on the switch, please correct me if I am wrong.
  When I plug the PC into the port I get the request to enter login details, which I do, the RADIUS server sees the request but rejects it, because 'the password wasn’t available'. Here is the output from the request, but there isnt any password field and I know there should be as the RADIUS server comes with a test utility and the output from that is similar to below, but the password field is included. I have removed IP/MAC addresses.
  Client address [x.x.x.x]
  NAS address [x.x.x.x]
  UniqueID=3
  Realm = def
  User = Administrator
  Code = Access request
  ID = 26
  Length = 169
  Authenticator = 0xCCD65F510764D2B2635563104D0C2601
  NAS-IP-Address = x.x.x.x
  NAS-Port = 50024
  NAS-Port-Type = Ethernet
  User-Name = Administrator
  Called-Station-Id = 00-11-00-11-00-11
  Calling-Station-Id = 11-00-11-00-11-00
  Service-Type = Framed
  Framed-MTU = 1500
  State = 0x3170020000FCB47C00
  EAP-Message = 0x0201002304106424F60D765905F614983F30504A87BA41646D696E6973747261746F72
  Message-Authenticator = 0xA119F2FD6E7384F093A5EE1BF4F761EC
  Client address [x.x.x.x]
  NAS address [x.x.x.x]
  UniqueID=4
  Realm = def
  User = Administrator
  Code = Access reject
  ID = 26
  Length = 0
  Authenticator = 0xCCD65F510764D2B2635563104D0C2601
  EAP-Message = 0x04010004
  Message-Authenticator = 0x00000000000000000000000000000000
  On the 2950 I have turned on debugging with 'debug dot1x all' and part of the output is below:
  *Mar 2 01:58:38: dot1x-ev:Username is Administrator
  *Mar 2 01:58:38: dot1x-ev:MAC Address is 0011.0011.0011
  *Mar 2 01:58:38: dot1x-ev:RemAddr is 00-11-00-11-00-11/00-11-00-11-00-11
  *Mar 2 01:58:38: dot1x-ev:going to send to backend on SP, length = 26
  *Mar 2 01:58:38: dot1x-ev:Received VLAN is No Vlan
  *Mar 2 01:58:38: dot1x-ev:Enqueued the response to BackEnd
  *Mar 2 01:58:38: dot1x-ev:Sent to Bend
  *Mar 2 01:58:38: dot1x-ev:Received QUEUE EVENT in response to AAA Request
  *Mar 2 01:58:38: dot1x-ev:Dot1x matching request-response found
  *Mar 2 01:58:38: dot1x-ev:Length of recv eap packet from radius = 26
  *Mar 2 01:58:38: dot1x-ev:Received VLAN Id -1
  Again there doesn’t appear to be a password, shouldn't I see one?
  Ultimately we will be using a Unix RADIUS server but for testing purposes I have just configured an eval version of Clearbox's RADIUS server. I've tried others as I thought the problem maybe the software, but I get similar problems regardless. If anyone can recommend better Win32 software, please do so.
  I'm struggling to figure out where the problem is, the XP machine, the switch or the RADIUS server. Any advice would be appreciated as it's getting quite frustrating.

  These are dot1x event debugs, so you wouldn't see this with that debug. The closest thing to seeing it would be to debug radius on the switch, and the password would be contained in RADIUS Attribute[79]. The switch uses this attribute to replay the EAP message (unmodified) to a RADIUS server. You might see it, but it's encrytped, so it might not buy you much. I'm sure you can imagine from a security point of view why the switch won't/shouldn't have this much visibility into this ;-).
  I would recommend either:
  a) Double-checking your RADIUS setup and logs to find out why the user failed. (double-check the RADIUS key configured on the switch too .. it must match).
  b) Downloading a third-party supplicant from Meetinghouse or Funk to use as a control.
  Eval copies are available on their websites.
  Hope this helps,

• How to do .1x port based network access authentication through ACS

  How to do .1x port based network access authentication through ACS.

  Hi,
  802.1x can authenticate hosts either through the username/password or either via the MAC address of the clients (PC's, Printers etc.). This process is called Agentless Network Access which can be done through Mac Auth Bypass.
  In this process the 802.1x switchport would send the MAC address of the connected PC to the radius server for authentication. If the radius server has the MAC address in it's database, the authentication would be successful and the PC would be granted network access.
  To check the configuration on the ACS 4.x, you can go to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/noagent.html
  To check the configuration on an ACS 5.x, you can go to http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-2/user/guide/acsuserguide/common_scenarios.html#wp1053005
  Regards,
  Kush

• 802.1x Mac-Adress Based Authentication

  I am wondering if we are going to see or now have the ability to authenticate hosts on the lan with something other than a Username / Password? I am mostly concerned with ports on my network that the end device is a non 802.1x compliant device. Anyone have any insight as to what others are doing? Currently i am running ACS 3.3.2 and I am very succesful in deploying 802.1x to ports on my LAN, however we run a mix of unix based devices which are vendor supported and printers are another source of concern.

  We had pretty good luck using a Cold Fusion front end that forces users to authenticate with their AD credentials. It pulls the MAC address and host name and user/machine details and puts them in an ODBC database.
  We modified the sample stub routine to have the CSDB stub routine add the MAC to the local database in the PAP field.
  Kind of a nice compromise of identity and machine based authentication without the complexities of PEAP/EAP-FAST etc.