802.1x reauthenticate
Currently in the process of migrating from PSK to an 802.1x RADIUS environment using a mix of 4400 and 5508 controllers with WCS, using Microsoft IAS. The problem I have is there are a lot of shared iPads and tablets in the environment. Is there a way to force these users to relogin to RADIUS after a certain time period so they are not sharing usernames and passwords?
Sure, you can enable session timeouts, but that introduces issues on some Apple devices, and it just causes the supplicant on the iPad to reuse the credentials entered. As long as the iPad has credentials entered in the supplicant, it will try to use those.
To combat sharing credentials you should be looking at maybe ISE or using certificates instead of usernames.
Sent from Cisco Technical Support iPad App
Similar Messages
-
Windows XP SP3 can't authenticate in 802.1x
Hi all,
I'm trying to get a fresh install with 802.1x working. I have a serious issue with Windows XP SP3 not authenticating at all... I can see (with Wireshark) EAPoL Start messages going out from the host, but nothing happens after that. The switch claims there is a timeout on the dot1x exchanges. We don't have any issue with Windows 7 at all!
Here are the details of the setup:
Switches : Cisco switching architecture (IOS IP Services K9 12.2(55)SE)
Authentication Server : Cisco Secure ACS 4.2
Directories : Microsoft Active Directory and OpenLDAP for the directories
PKI : External (opensource)
Clients : Windows XP SP3 and a very few Windows 7
EAP Method for the moment : PEAP MSCHAPv2
Concerning the switches, the typical config is the following (only the necessary parts appear):
swi-test-802.1x#sh run
Building configuration...
Current configuration : 6481 bytes
aaa new-model
aaa group server radius ACS
server X.X.X.X auth-port 1645 acct-port 1646
deadtime 60
aaa authentication login ACS_RADIUS group ACS local
aaa authentication dot1x default group ACS local
aaa authorization exec ACS_RADIUS group ACS local
aaa authorization network default group ACS
aaa accounting dot1x default start-stop group ACS
aaa accounting exec ACS_RADIUS start-stop group ACS
aaa accounting network ACS_RADIUS start-stop group ACS
aaa session-id common
ip device tracking
dot1x system-auth-control
interface FastEthernet0/X
description Typical FlexAuth port 802.1x
switchport mode access
switchport voice vlan 160
ip access-group Acl_Default_Acl in
authentication event fail action next-method
authentication event server dead action authorize vlan 99
authentication event no-response action authorize vlan 99
authentication host-mode multi-domain
authentication order mab dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
ip access-list extended Acl_Default_Acl
permit ip any any
radius-server host X.X.X.X auth-port 1645 acct-port 1646 key XXX
radius-server vsa send accounting
radius-server vsa send authentication
end
If I'm using Windows 7, no problem...
I've tried modifying different registry keys concerning authMode and SupplicantMode (both applicable, but only up to XP SP2), and BlockTime for reauth, each time following Microsoft's recommendations and the various published KBs...
I've tried with a GPO for a global change and with modifying the XML template of the interface, but nothing changes...
Here are the debugs (RADIUS authentication and dot1x events):
swi-test-802.1x#
swi-test-802.1x#
*Mar 1 01:19:25.727: dot1x-ev(Fa0/1): Interface state changed to UP
*Mar 1 01:19:25.735: dot1x-ev:DOT1X Supplicant not enabled on FastEthernet0/1
*Mar 1 01:19:26.230: dot1x-ev(Fa0/1): Interface state changed to DOWN
*Mar 1 01:19:26.230: dot1x-ev:dot1x_supp_port_down: No DOT1X subblock found on FastEthernet0/1
*Mar 1 01:19:28.327: dot1x-ev(Fa0/1): Interface state changed to UP
*Mar 1 01:19:28.336: dot1x-ev:DOT1X Supplicant not enabled on FastEthernet0/1
*Mar 1 01:19:28.697: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
*Mar 1 01:19:29.510: %AUTHMGR-5-START: Starting 'mab' for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
*Mar 1 01:19:29.510: RADIUS/ENCODE(0000000B):Orig. component type = DOT1X
*Mar 1 01:19:29.510: RADIUS(0000000B): Config NAS IP: 0.0.0.0
*Mar 1 01:19:29.510: RADIUS/ENCODE(0000000B): acct_session_id: 11
*Mar 1 01:19:29.510: RADIUS(0000000B): sending
*Mar 1 01:19:29.510: RADIUS/ENCODE: Best Local IP-Address 10.248.2.21 for Radius-Server 10.248.64.20
*Mar 1 01:19:29.510: RADIUS(0000000B): Send Access-Request to 10.248.64.20:1645 id 1645/19, len 206
*Mar 1 01:19:29.510: RADIUS: authenticator 3C AE B6 01 13 26 4E 77 - 94 33 B1 40 B7 A6 06 F8
*Mar 1 01:19:29.510: RADIUS: User-Name [1] 14 "60eb699a0e0f"
*Mar 1 01:19:29.510: RADIUS: User-Password [2] 18 *
*Mar 1 01:19:29.510: RADIUS: Service-Type [6] 6 Call Check [10]
*Mar 1 01:19:29.510: RADIUS: Framed-MTU [12] 6 1500
*Mar 1 01:19:29.510: RADIUS: Called-Station-Id [30] 19 "00-1A-6D-FE-AA-83"
*Mar 1 01:19:29.510: RADIUS: Calling-Station-Id [31] 19 "60-EB-69-9A-0E-0F"
*Mar 1 01:19:29.510: RADIUS: Message-Authenticato[80] 18
*Mar 1 01:19:29.510: RADIUS: 2F C3 4E 65 14 AF D3 8E B9 E5 29 C3 28 13 C6 B8 [ /Ne)(]
*Mar 1 01:19:29.510: RADIUS: EAP-Key-Name [102] 2 *
*Mar 1 01:19:29.510: RADIUS: Vendor, Cisco [26] 49
*Mar 1 01:19:29.510: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0AF80215000000030048C250"
*Mar 1 01:19:29.510: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
*Mar 1 01:19:29.510: RADIUS: NAS-Port [5] 6 50001
*Mar 1 01:19:29.510: RADIUS: NAS-Port-Id [87] 17 "FastEthernet0/1"
*Mar 1 01:19:29.510: RADIUS: NAS-IP-Address [4] 6 10.248.2.21
*Mar 1 01:19:29.519: RADIUS(0000000B): Started 5 sec timeout
*Mar 1 01:19:29.527: RADIUS: Received from id 1645/19 10.248.64.20:1645, Access-Reject, len 50
*Mar 1 01:19:29.527: RADIUS: authenticator B0 3B E5 8F 22 D1 C1 66 - F6 8F 1A 7E 88 49 AA BB
*Mar 1 01:19:29.527: RADIUS: Reply-Message [18] 12
*Mar 1 01:19:29.527: RADIUS: 52 65 6A 65 63 74 65 64 0A 0D [ Rejected]
*Mar 1 01:19:29.527: RADIUS: Message-Authenticato[80] 18
*Mar 1 01:19:29.527: RADIUS: 91 5F 64 12 73 8E 76 0C 31 DD 2B B7 2E EC 6E BA [ _dsv1+.n]
*Mar 1 01:19:29.527: RADIUS(0000000B): Received from id 1645/19
*Mar 1 01:19:29.527: RADIUS/DECODE: Reply-Message fragments, 10, total 10 bytes
*Mar 1 01:19:29.527: %MAB-5-FAIL: Authentication failed for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
*Mar 1 01:19:29.527: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
*Mar 1 01:19:29.527: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
*Mar 1 01:19:29.527: dot1x-ev(Fa0/1): Couldn't find the supplicant in the list
*Mar 1 01:19:29.527: dot1x-ev(Fa0/1): Sending create new context event to EAP for 0x9E000002 (60eb.699a.0e0f)
*Mar 1 01:19:29.535: dot1x-ev(Fa0/1): Created a client entry (0x9E000002)
*Mar 1 01:19:29.535: dot1x-ev(Fa0/1): Dot1x authentication started for 0x9E000002 (60eb.699a.0e0f)
*Mar 1 01:19:29.535: %AUTHMGR-5-START: Starting 'dot1x' for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
*Mar 1 01:19:29.535: dot1x-ev(Fa0/1): Sending EAPOL packet to 60eb.699a.0e0f
*Mar 1 01:19:29.535: dot1x-ev(Fa0/1): Role determination not required
*Mar 1 01:19:29.535: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 1 01:19:30.290: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 1 01:19:39.828: dot1x-ev(Fa0/1): Sending EAPOL packet to 60eb.699a.0e0f
*Mar 1 01:19:39.828: dot1x-ev(Fa0/1): Role determination not required
*Mar 1 01:19:39.828: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 1 01:19:50.113: dot1x-ev(Fa0/1): Sending EAPOL packet to 60eb.699a.0e0f
*Mar 1 01:19:50.113: dot1x-ev(Fa0/1): Role determination not required
*Mar 1 01:19:50.113: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar 1 01:20:00.414: dot1x-ev(Fa0/1): Received an EAP Timeout
*Mar 1 01:20:00.414: %DOT1X-5-FAIL: Authentication failed for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID
*Mar 1 01:20:00.414: dot1x-ev(Fa0/1): Sending event (2) to Auth Mgr for 60eb.699a.0e0f
*Mar 1 01:20:00.414: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
*Mar 1 01:20:00.414: dot1x-ev(Fa0/1): Received Authz fail for the client 0x9E000002 (60eb.699a.0e0f)
*Mar 1 01:20:00.414: dot1x-ev(Fa0/1): Deleting client 0x9E000002 (60eb.699a.0e0f)
*Mar 1 01:20:00.414: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
*Mar 1 01:20:00.414: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
*Mar 1 01:20:00.414: %AUTHMGR-5-VLANASSIGN: VLAN 99 assigned to Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
*Mar 1 01:20:00.422: dot1x-ev:Delete auth client (0x9E000002) message
*Mar 1 01:20:00.422: dot1x-ev:Auth client ctx destroyed
*Mar 1 01:20:00.422: dot1x-ev:Aborted posting message to authenticator state machine: Invalid client
*Mar 1 01:20:00.733: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
*Mar 1 01:20:00.733: RADIUS/ENCODE(0000000B):Orig. component type = DOT1X
*Mar 1 01:20:00.733: RADIUS(0000000B): Config NAS IP: 0.0.0.0
*Mar 1 01:20:00.733: RADIUS/ENCODE: Best Local IP-Address 10.248.2.21 for Radius-Server 10.248.64.20
*Mar 1 01:20:00.733: RADIUS(0000000B): Started 5 sec timeout
*Mar 1 01:20:00.741: RADIUS: Received from id 1646/9 10.248.64.20:1646, Accounting-response, len 20
swi-test-802.1x#
swi-test-802.1x#
If anyone has an idea... Another thing to mention: the hosts have a Trend OfficeScan solution for host protection, but Windows 7 has the same and everything is OK there.
Thanks for your precious help.
Pierre-Louis
Hi Pierre-Louis,
A couple of questions here:
- We have a voice VLAN defined for the port and a multi-domain config. During your tests, do you have the PC connected behind an IP phone?
- Which authentication method do you want to go for on the PC/IP phone?
- What's the IP phone model/vendor?
In the logs, we have an Access-Reject for the client's MAB auth attempt and then a failover to dot1x auth. However, I don't see a phone MAC in the logs.
On the switch debug, we see several EAPOL packets sent to client 60eb.699a.0e0f, which seems to be a Quanta computer based on the MAC vendor.
However, no EAPOL packets are seen from the client side. You did indicate seeing an EAPOL Start from the host PC in a sniffer trace.
- Are you sniffing on the client adapter itself or on the switchport to which the client is connected?
- If we have an IP phone in between, do you also see the EAPOL Start packet from the client when sniffing on the switchport?
Windows XP SP3 has some changes compared to earlier SP versions:
http://support.microsoft.com/kb/949984
The following output would help to further isolate the problem. You will need to ensure that we have time sync between the sniffer traces and the debug logs for correlation.
On switch, save logging output of:
debug radius
debug dot1x all
debug authentication all
debug authentication feature mab_pm all
debug authentication feature mda all
debug authentication feature voice all
Simultaneously you can capture a sniffer trace by spanning the switch port interface to which the phone/PC is connected. Please don't use any filters during the sniffer capture.
After the above steps, please do a shut/no shut on the tested port interface and replicate the problem with Win XP SP3.
Following the test, you can also obtain the output of "show auth sessions int
HTH,
Alex -
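The debug above shows the whole authentication-manager sequence for one session: MAB starts and is rejected, the port fails over to dot1x, the switch sends three EAPOL requests (tx-period 10) that are never answered, and after the timeout the port is authorized into VLAN 99 by the no-response action. The following Python parser is an added example, not code from the thread: it groups the %AUTHMGR/%MAB/%DOT1X syslog lines by AuditSessionID, measures how long each method ran before the switch gave up on it, and lists sessions that ended up in a fallback VLAN without any supplicant response (the hosts a network team would want to keep an eye on). The sample lines are constructed from the debug quoted above; the expected_dot1x_timeout helper encodes the IOS rule that a silent supplicant is declared no-response after tx-period × (max-reauth-req + 1) seconds, with max-reauth-req defaulting to 2.

```python
import re
from datetime import datetime

# Constructed sample: the %AUTHMGR/%MAB/%DOT1X syslog lines from the debug quoted
# above, with the RADIUS and dot1x-ev tracing lines left out.
SAMPLE_LOG = """\
*Mar 1 01:19:29.510: %AUTHMGR-5-START: Starting 'mab' for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
*Mar 1 01:19:29.527: %MAB-5-FAIL: Authentication failed for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
*Mar 1 01:19:29.527: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
*Mar 1 01:19:29.535: %AUTHMGR-5-START: Starting 'dot1x' for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
*Mar 1 01:20:00.414: %DOT1X-5-FAIL: Authentication failed for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
*Mar 1 01:20:00.414: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
*Mar 1 01:20:00.414: %AUTHMGR-5-VLANASSIGN: VLAN 99 assigned to Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
"""

LINE_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$")
SESSION_RE = re.compile(r"AuditSessionID (?P<sid>[0-9A-F]+)")
CLIENT_RE = re.compile(r"client \((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\)")
METHOD_RE = re.compile(r"'(?P<method>mab|dot1x|webauth)'")
VLAN_RE = re.compile(r"VLAN (?P<vlan>\d+) assigned")


def parse_line(line):
    """Split one IOS syslog line into timestamp, facility, mnemonic, message and session id."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # IOS omits the year, so the parsed datetime is only good for computing deltas.
    rec["time"] = datetime.strptime(" ".join(rec.pop("ts").split()), "%b %d %H:%M:%S.%f")
    sid = SESSION_RE.search(rec["msg"])
    rec["session"] = sid.group("sid") if sid else None
    return rec


def build_sessions(log_text):
    """Group events per AuditSessionID and record, per method, when it started and failed."""
    sessions = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["session"] is None:
            continue
        s = sessions.setdefault(rec["session"], {
            "client": None, "methods_tried": [], "started": {}, "failed": {},
            "fallback_vlan": None, "mnemonics": []})
        key = f"{rec['facility']}-{rec['mnemonic']}"
        s["mnemonics"].append(key)
        mac = CLIENT_RE.search(rec["msg"])
        if mac:
            s["client"] = mac.group("mac")
        method = METHOD_RE.search(rec["msg"])
        if key == "AUTHMGR-START" and method:
            s["methods_tried"].append(method.group("method"))
            s["started"][method.group("method")] = rec["time"]
        elif key in ("MAB-FAIL", "DOT1X-FAIL"):
            s["failed"][rec["facility"].lower()] = rec["time"]
        elif key == "AUTHMGR-VLANASSIGN":
            s["fallback_vlan"] = int(VLAN_RE.search(rec["msg"]).group("vlan"))
    for s in sessions.values():
        # How long each method ran before the switch gave up on it.
        s["method_seconds"] = {
            meth: (s["failed"][meth] - s["started"][meth]).total_seconds()
            for meth in s["started"] if meth in s["failed"]}
    return sessions


def expected_dot1x_timeout(tx_period, max_reauth_req=2):
    """Seconds IOS waits for a silent supplicant before declaring no-response:
    tx-period * (max-reauth-req + 1); the IOS default max-reauth-req is 2."""
    return tx_period * (max_reauth_req + 1)


def no_response_fallbacks(sessions):
    """Sessions where every method was exhausted and the port was authorized into a
    fallback VLAN anyway: the host is on the network without having authenticated."""
    return {sid: s for sid, s in sessions.items()
            if "AUTHMGR-NOMOREMETHODS" in s["mnemonics"] and s["fallback_vlan"] is not None}


if __name__ == "__main__":
    for sid, s in no_response_fallbacks(build_sessions(SAMPLE_LOG)).items():
        print(f"{sid} {s['client']} tried {s['methods_tried']} "
              f"({s['method_seconds']}) -> VLAN {s['fallback_vlan']}")
```

On the sample, the dot1x phase lasts 30.879 s, which matches expected_dot1x_timeout(10) == 30 for the tx-period 10 configured on the port: the switch simply never received an EAPOL response, so the EAPOL Start seen on the host side is not reaching the authenticator. Sessions returned by no_response_fallbacks are hosts sitting in the fallback VLAN without having authenticated, which is the condition worth alerting on once the deployment is in production.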
ISE 1.2, Supplicant configured for 802.1x but need to MAB
I posted this yesterday but deleted the thread thinking I had fixed the issue - alas I was wrong. In summary I have a scenario where I am doing wired 802.1x and also wired MAB/CWA. The issue is that a certain number of external/BYOD hosts have supplicants configured for 802.1x at their "home" organisations which for obvious reasons can't authenticate on this network. The idea is that MAB and CWA become a fallback but these hosts in question don't efficiently fail to MAB.
If the host has validate server certificates enabled (and doesn't have our root selected) then 802.1x fails and goes to MAB as per the tx timers etc. Hosts that don't validate certificates essentially fail authentication, abandon the EAP session and start new... this process seems to continue for a very long time.
Does anyone have any similar experiences, and if so can you provide some info? I am looking into tweaking the 802.1x port timers to make this fail quicker/better but am not confident this will fix the issue.
Thanks in advance
Maybe the held-period and quiet-period parameters would help. I would not change the TX period to anything shorter than 10 seconds. Every Cisco doc that I have ever seen has made this same recommendation, and I can tell you from experience that you will at times have devices that authenticate via MAB when you don't want them to if you decrease it below 10 seconds.
Read this doc for best practices, including the timers listed below.
I hope this link works. http://d2zmdbbm9feqrf.cloudfront.net/2014/eur/pdf/BRKSEC-3698.pdf
If not, go to www.ciscolive365.com (sign up if you haven't already) and search for
"BRKSEC-3698 - Advanced ISE and Secure Access Deployment (2014 Milan) - 2 Hours"
Change the dot1x hold, quiet, and ratelimit-period to 300.
held-period seconds
Configures the time, in seconds for which a supplicant will stay in the HELD state (that is, the length of time it will wait before trying to send the credentials again after a failed attempt). The range is from 1 to 65535. The default is 60.
quiet-period seconds
Configures the time, in seconds, that the authenticator (server) remains quiet (in the HELD state) following a failed authentication exchange before trying to reauthenticate the client. For all platforms except the Cisco 7600 series Switch, the range is from 1 to 65535. The default is 120.
ratelimit-period seconds
Throttles the EAP-START packets that are sent from misbehaving client PCs (for example, PCs that send EAP-START packets that result in the wasting of switch processing power). The authenticator ignores EAPOL-Start packets from clients that have successfully authenticated for the rate-limit period duration. The range is from 1 to 65535. By default, rate limiting is disabled. -
Hi,
We have a dashboard Windows 7 supplicant which is used for monitoring network activity. There is no one working on this supplicant, so it goes inactive.
What we see in our ISE log is the supplicant trying to reauthenticate itself every 4 to 10 minutes. It goes on like this the whole day. We don't want this continuous behaviour after all.
The switch port configuration looks like this:
interface FastEthernet0/31
description 802.1x Poort
switchport access vlan xxx
switchport mode access
switchport nonegotiate
switchport voice vlan xxx
no logging event link-status
priority-queue out
authentication control-direction in
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication timer inactivity 120
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 300
dot1x timeout tx-period 10
dot1x timeout supp-timeout 300
dot1x max-reauth-req 3
dot1x timeout held-period 300
dot1x timeout auth-period 3
no mdix auto
storm-control broadcast level 10.00
storm-control multicast level 10.00
no cdp enable
spanning-tree portfast
service-policy input xxxx
end
Has anyone had this same issue? Is this normal behaviour for an idle supplicant, or is it another issue around ISE/the switch? Is there any switch configuration we are missing to get rid of this behaviour?
ISE Version: 1.2.0.899
Patch Information: 5,6,8
Help would be much appreciated
Hi Jan,
Thank you for your reply. Indeed those timer values were not covered in the ISE design guide. We had implemented these timers to tweak the standard design. However, we have finally discovered the solution for this issue.
"authentication timer inactivity 120" was the root cause of the issue. So when a workstation goes idle, ISE tries to re-authenticate it after 2 minutes because of this switch port configuration.
We tried expanding the timer to 3600 and it worked; issue fixed. But then you will have the same result every hour (not a big issue).
And yes, we have deleted all those timer values to keep the configuration as simple as possible. Now we don't have the issue anymore. -
802.1X Port Based Authentication Security Violation
I have configured 802.1X authentication on selected ports of a Cisco Catalyst 2960S with Microsoft NPS RADIUS authentication on a test LAN. I have tested the authentication with a Windows XP laptop, a Windows 7 laptop with 802.1X EAP-TLS authentication, and a Mitel 5330 IP phone using EAP-MD5 authentication. All the above devices work with the MS NPS server. However, in MDA mode, when the 802.1x-compliant Windows 7 laptop is connected to the already authenticated Mitel IP phone, the port experiences a security violation and goes into err-disable mode.
Feb 4 19:16:16.571: %AUTHMGR-5-START: Starting 'dot1x' for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
Feb 4 19:16:16.645: %DOT1X-5-SUCCESS: Authentication successful for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
Feb 4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
Feb 4 19:16:17.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
Feb 4 19:16:18.658: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
If the port config is changed to "authentication host-mode multi-auth", and the laptop is connected to the phone the port does not experience the security violation but the 802.1x authentication for the laptop fails.
The ports Gi1/0/1 & Gi1/0/2 are configured thus:
interface GigabitEthernet1/0/1
switchport mode access
switchport voice vlan 20
authentication event fail action authorize vlan 4
authentication event no-response action authorize vlan 4
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
mls qos trust cos
dot1x pae authenticator
spanning-tree portfast
sh ver
Switch Ports Model SW Version SW Image
* 1 52 WS-C2960S-48FPS-L 15.2(1)E1 C2960S-UNIVERSALK9-M
Full config attached. Assistance will be greatly appreciated.
Donfrico
I believe you need to configure re-authentication on this switch port:
! Enable re-authentication
authentication periodic
! Enable re-authentication via RADIUS Session-Timeout
authentication timer reauthenticate server -
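The timer advice in the threads above (hold, quiet and rate-limit periods at 300; never a tx-period below 10), the dashboard port whose "authentication timer inactivity 120" forced an idle host to re-authenticate every two minutes, and the reply just above recommending "authentication periodic" are all conditions that can be read straight out of the running configuration. The following Python checker is an added example and not code from any of the posts: it parses interface blocks from a running-config extract, computes how long each 802.1X port waits for a silent supplicant before falling back to MAB (tx-period × (max-reauth-req + 1), with the IOS defaults of 30 and 2 when the commands are absent), and flags the three conditions. The sample config is constructed from the Fa0/31 and Gi1/0/1 ports quoted above, trimmed to their authentication lines, plus a third port (Gi1/0/3) that is entirely constructed and modelled on the tx-period 3 user port further down this page; the 3600-second inactivity threshold is an assumption taken from the value the poster reported as working.

```python
import re

# Constructed sample running-config extract: Fa0/31 and Gi1/0/1 as quoted in the
# threads above (trimmed to their authentication lines) and Gi1/0/3, a constructed
# port modelled on the tx-period 3 user port that appears later on this page.
SAMPLE_CONFIG = """\
interface FastEthernet0/31
 description 802.1x Poort
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication timer inactivity 120
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 300
 dot1x timeout tx-period 10
 dot1x max-reauth-req 3
 dot1x timeout held-period 300
!
interface GigabitEthernet1/0/1
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 description constructed example port
 authentication host-mode multi-host
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 3900
 authentication timer inactivity 300
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 5
 dot1x timeout tx-period 3
!
"""

DEFAULT_TX_PERIOD = 30       # IOS default for dot1x timeout tx-period
DEFAULT_MAX_REAUTH_REQ = 2   # IOS default for dot1x max-reauth-req
MIN_TX_PERIOD = 10           # floor recommended in the thread above
MIN_INACTIVITY = 3600        # assumption: below this, idle hosts re-authenticate noticeably often


def parse_interfaces(config_text):
    """Return {interface name: [config lines]} from a running-config extract."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            current = None               # '!' or a blank line ends the block
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces


def int_setting(lines, prefix, default):
    """Numeric value of the first line starting with `prefix`; `default` if absent
    or if the value is a keyword such as 'server' rather than a number."""
    for line in lines:
        if line.startswith(prefix + " "):
            value = line.rsplit(None, 1)[1]
            return int(value) if value.isdigit() else default
    return default


def mab_fallback_seconds(lines):
    """Seconds a port with a silent supplicant waits before dot1x gives up and
    the next method (MAB) runs: tx-period * (max-reauth-req + 1)."""
    tx = int_setting(lines, "dot1x timeout tx-period", DEFAULT_TX_PERIOD)
    retries = int_setting(lines, "dot1x max-reauth-req", DEFAULT_MAX_REAUTH_REQ)
    return tx * (retries + 1)


def lint_interface(name, lines):
    """Findings for one 802.1X authenticator port (empty list if the port is not one)."""
    findings = []
    if "dot1x pae authenticator" not in lines:
        return findings
    tx = int_setting(lines, "dot1x timeout tx-period", DEFAULT_TX_PERIOD)
    if tx < MIN_TX_PERIOD:
        findings.append(f"{name}: tx-period {tx}s is below {MIN_TX_PERIOD}s; slow supplicants "
                        "may end up MAB-authenticated instead of doing 802.1X")
    inactivity = int_setting(lines, "authentication timer inactivity", None)
    if inactivity is not None and inactivity < MIN_INACTIVITY:
        findings.append(f"{name}: inactivity timer {inactivity}s makes an idle host "
                        f"re-authenticate every {inactivity}s")
    if "authentication periodic" not in lines:
        findings.append(f"{name}: no 'authentication periodic'; the switch will not re-authenticate "
                        "an authorized session on its own (only link-down, inactivity or a CoA ends it)")
    return findings


def lint_config(config_text):
    """Findings per interface, listing only interfaces that have at least one."""
    result = {}
    for name, lines in parse_interfaces(config_text).items():
        findings = lint_interface(name, lines)
        if findings:
            result[name] = findings
    return result


if __name__ == "__main__":
    for name, lines in parse_interfaces(SAMPLE_CONFIG).items():
        print(f"{name}: falls back to MAB after {mab_fallback_seconds(lines)}s")
    for name, findings in lint_config(SAMPLE_CONFIG).items():
        for finding in findings:
            print(" -", finding)
```

Running it shows the trade-off the posts describe: Fa0/31 falls back to MAB after 40 s but churns every two minutes on the inactivity timer, Gi1/0/1 uses the 90 s default and never re-authenticates, and the constructed Gi1/0/3 reaches MAB after only 9 s, which is exactly the window in which a slow 802.1X supplicant gets MAB-authenticated instead.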
Mac & 802.1x Machine Authentication to Microsoft AD using PEAP
We are having trouble successfully connecting our Active Directory-bound Macs wirelessly to our internal 802.1x wireless network using EAP-PEAP with machine authentication. All of our Windows machines work fine. We have a network profile built out of JAMF, with some generic payloads configured, including Use Directory Authentication and the appropriate Verisign certificate attached to authenticate to the Cisco RADIUS server onsite. We are able to connect to this wireless network when we also have the machine directly connected via Ethernet. Somehow this causes the Mac to pass the correct domainhost\machinename. When we aren't connected directly, the Mac attempts to authenticate with the incorrect domainhost in front of the correct \machinename. The logs from Console are attached below:
Apr 22 13:37:28 MACHINENAME eapolclient[****]: System Mode Using AD Account '(wrongdomain)\machinenameinAD$'
Apr 22 13:37:28 MACHINENAME eapolclient[****]: en0 PEAP: authentication failed with status 1
Apr 22 13:37:28 MACHINENAME eapolclient[****]: peap_request: ignoring non PEAP start frame
Apr 22 13:37:31 MACHINENAME eapolclient[****]: en0 STOP
Apr 22 13:37:52 MACHINENAME eapolclient[****]: opened log file '/var/log/eapolclient.en0.log'
Apr 22 13:37:52 MACHINENAME eapolclient[****]: System Mode Using AD Account '(correctdomain)\machinenameinAD$'
Apr 22 13:37:52 MACHINENAME eapolclient[****]: en0 START
Apr 22 13:37:53 MACHINENAME eapolclient[****]: eapmschapv2_success_request: successfully authenticated
The first, unsuccessful attempt above is when we are attempting to authenticate and connect wirelessly without a connection to Ethernet. The second, successful attempt is when we are also connected to Ethernet, which passes the correct domain name, properly authenticating the domain\machinename. After a reboot, we have to plug in directly to Ethernet again to reauthenticate to this wireless network. Any idea(s) why plugging into Ethernet would cause the Mac to send the correct domainhost? Thanks.
Hi Danny. Older thread here, but I can confirm 10.8.4 did indeed resolve a very specific bug in circumstances where the NetBIOS name did not match the domain name. We worked with Apple's engineers on the resolution for this fix and can confirm that until we got our Macs to 10.8.4, we experienced similar issues with machine-based configuration profiles failing to authenticate as a result of passing the wrong domain.
Glad you found resolution with a later version of the OS.
Reference: http://lists.psu.edu/cgi-bin/wa?A2=MACENTERPRISE;Zrq7fg;201303271647570400 -
802.1x eap-tls machine + user authentication (wired)
Hi everybody,
Right now we are trying to authenticate the machines and users that are plugged into our switches over 802.1X EAP-TLS. It works just fine with Windows.
You plug a Windows laptop into a switchport and the machine authenticates over EAP-TLS with the computer certificate. Now the user logs in and our RADIUS (Cisco ACS) authenticates the user as well, with the user certificate. After EAP-TLS user authentication the RADIUS checks whether the workstation on which the user is currently logged in is authenticated as well. If yes = success; if no, the switchport will not allow any traffic.
Now we have to implement the same behaviour on our MacBook Pros. Here the problems start. First of all I installed user and computer certificates issued by our CA (Win 2008 R2). So far so good. Now I have no idea how to implement the same chain of authentication. I was reading countless blogs, discussions, documentation etc. about how to create .mobileconfig profiles. Right now I'm able to authenticate the machine, and _only_ if I log in. As soon as I log out EAP-TLS stops working. It seems that loginwindow does not know how to authenticate.
1) How do I tell Mavericks to authenticate with the computer certificate while no user is logged in? I already tried profiles with
<key>SetupModes</key>
<array>
<string>System</string>
<string>Loginwindow</string>
</array>
<key>PayloadScope</key>
<string>System</string>
but it does not work.
2) How do I tell Mavericks to reauthenticate with the user certificate when a user logs in?
Thanks
Unfortunately these documents do not describe how to do what I want.
I already have a working 802.1x. But the Mac only authenticates when the user is logged in. I have to say that even this does not work like it should. If I'm logged in, sometimes I need to click on "Connect" under network settings and sometimes it connects just automatically. That's really strange.
I set the eapolclient to debugging mode and see the following in /var/log/system.log when I log out.
Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
These are the only debugging messages I get. Looks to me like eapolclient is not able to find a certificate (?)
The certificates are in my System keychain.
Unfortunately Apple also changed the logging behaviour of eapolclient; I don't see any eapolclient.*.log under /var/log.
Any ideas? -
Windows 7 / 2008 duplicate static address when using 802.1x / MAB - ISE
Hi all!
ISE 1.1.3
Cisco 3750 switches
Windows XP / 7 / 2008 clients
I'm having some weird issues where, if a client connects to a switchport and happens to be using a static IP address, the client warns of a duplicate address problem. Also, the client will then only show the default gateway in ipconfig even though the IP address/mask is still in the GUI network properties of the adapter. This is happening with Windows 7 and Windows 2008 devices.
Windows XP clients don't get the issue.
Some clients use the 802.1x native supplicant and some are authenticated based on MAB. I have not noticed the problem with 802.1x clients, but it always occurs with MAB.
I came across a similar issue here:
http://networkingblog.vvlabs.com/2012/07/cisco-ise-duplicate-ip-address-windows-7.html
Going off that blog, I tried using the "ip device tracking delay probe delay" command but the switches don't recognise the "delay" keyword.
The switches are 3750 switches running version 12.2(58)SE2.
All I have is "count, interval, use-svi" as extra options.
Catalyst 4500 switch guide has "delay" option but no "count, interval or use-svi".
The only way I have managed to avoid the problem is using the second solution which is a registry hack on each client. This is fine for the odd server but not realistic when there will be hundreds of other clients.
Any ideas?
Hi
We are doing 802.1x for clients using the Windows supplicant. For clients not using supplicants we are using MAB. So the print servers and printers use MAB.
Extract of config...
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
aaa server radius dynamic-author
client x server-key 7 x
client x server-key 7 x
aaa session-id common
clock summer-time BST recurring last Sun Mar 23:00 last Sun Oct 23:00
system mtu routing 1500
vtp mode transparent
authentication mac-move permit
ip routing
no ip domain-lookup
ip device tracking
dot1x system-auth-control
dot1x critical eapol
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
interface FastEthernet1/0/1
description ### Dot1x with MAB fallback ###
switchport mode access
switchport voice vlan 2
ip access-group ACL-DEFAULT in
srr-queue bandwidth share 10 10 60 20
priority-queue out
authentication event fail action next-method
authentication event server dead action authorize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 0
authentication timer reauthenticate server
authentication violation restrict
mab
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast
service-policy input AutoQoS-Police-CiscoPhone
ip http server
ip http secure-server
ip access-list extended ACL-DEFAULT
remark Deny access to new network
deny ip any 172.x.x.x 0.0.0.255 log
remark Allow everything else to other networks
permit ip any any
ip radius source-interface Vlan2
logging esm config
logging host x transport udp port 20514
logging host x transport udp port 20514
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
radius server ISE-1
address ipv4 x auth-port 1645 acct-port 1646
key 7 x
radius server ISE-2
address ipv4 x auth-port 1645 acct-port 1646
key 7 x -
CCKM with 802.1x authentication
Hi,
Can we use CCKM authentication with the 802.1x layer 2 authentication method? I read in one Cisco article that we can't use CCKM with 802.1x authentication. Please find the URL below; it says that if you choose 802.1x as the layer 2 authentication method, then we can't use CCKM. Kindly suggest.
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/82135-wlc-authenticate.html
Regards,
Jubair.S
Yes, you can.
Refer to this document, which clearly states it:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_01001110.html#ID963
802.1X+CCKM—During normal operation, 802.1X-enabled clients mutually authenticate with a new access point by performing a complete 802.1X authentication, including communication with the main RADIUS server. However, when you configure your WLAN for 802.1X and CCKM fast secure roaming, CCKM-enabled clients securely roam from one access point to another without the need to reauthenticate to the RADIUS server. 802.1X+CCKM is considered optional CCKM because both CCKM and non-CCKM clients are supported when this option is selected.
HTH
Rasika
**** Pls rate all useful responses *** -
802.1x authentication problem on C2960S-48TS-L with Linux clients
Hi,
While implementing wired 802.1x in my company I faced a problem authenticating some Linux computers (Ubuntu 13.10+) via MAB on one of my access switches (C2960S-48TS-L). The problem exists on IOS 12.55 and 15.0(2)SE6.
It seems that the authenticator can't detect the MAC address of the supplicant. In the debug the MAC address is (Unknown MAC) or (0000.0000.0000).
Before authentication I could see the registered MAC address on the switchport interface (without 802.1x settings on the port):
sh mac address-table interface g1/0/2 "before 802.1x authentication"
Vlan Mac Address Type Ports
2 0015.990f.60d9 STATIC Gi1/0/2
The host should get into VLAN 2 after failed authentication (according to the port settings). But actually, after trying to authenticate, the host on this port loses connection to the network and doesn't get into VLAN 2.
sh mac address-table interface g1/0/2 "after 802.1x authentication"
Vlan Mac Address Type Ports
sh authentication sessions
Interface MAC Address Method Domain Status Session ID
Gi1/0/24 (unknown) dot1x DATA Authz Success 6A7D1FAF0000000000023E32
Gi1/0/25 (unknown) dot1x DATA Authz Success 6A7D1FAF0000000200024193
Gi1/0/2 (unknown) mab UNKNOWN Running 6A7D1FAF000000280011BA1A
sh dot1x interface g1/0/2 details
Dot1x Info for GigabitEthernet1/0/2
PAE = AUTHENTICATOR
QuietPeriod = 5
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 3
sh run int g1/0/2
interface GigabitEthernet1/0/2
description ## User Port ##
switchport access vlan 2
switchport mode access
switchport voice vlan 5
switchport port-security maximum 5
switchport port-security
switchport port-security aging time 2
switchport port-security aging type inactivity
ip arp inspection limit rate 120
authentication event fail retry 0 action authorize vlan 2
authentication event server dead action authorize vlan 2
authentication event no-response action authorize vlan 2
authentication host-mode multi-host
authentication port-control auto
authentication periodic
authentication timer reauthenticate 3900
authentication timer inactivity 300
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x timeout tx-period 3
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
end
I have tried to change authentication host-mode to multi-domain but the problem remains.
"debug dot1x all" in the attached file.
Please help me to resolve this issue.
I have removed port security but still have failed authentication on the port:
002262: Mar 26 16:23:26.516: dot1x-ev(Gi1/0/2): Deleting client 0x9A000053 (0000.0000.0000)
002263: Mar 26 16:23:26.516: dot1x-ev:Delete auth client (0x9A000053) message
002264: Mar 26 16:23:26.516: dot1x-ev:Auth client ctx destroyed
002265: Mar 26 16:23:26.715: dot1x_auth Gi1/0/2: initial state auth_initialize has enter
002266: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_initialize_enter called
002267: Mar 26 16:23:26.715: dot1x_auth Gi1/0/2: during state auth_initialize, got event 0(cfg_auto)
002268: Mar 26 16:23:26.715: @@@ dot1x_auth Gi1/0/2: auth_initialize -> auth_disconnected
002269: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_disconnected_enter called
002270: Mar 26 16:23:26.715: dot1x_auth Gi1/0/2: idle during state auth_disconnected
002271: Mar 26 16:23:26.715: @@@ dot1x_auth Gi1/0/2: auth_disconnected -> auth_restart
002272: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_restart_enter called
002273: Mar 26 16:23:26.715: dot1x-ev(Gi1/0/2): Sending create new context event to EAP for 0x6D000054 (0000.0000.0000)
002274: Mar 26 16:23:26.715: dot1x_auth_bend Gi1/0/2: initial state auth_bend_initialize has enter
002275: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_initialize_enter called
002276: Mar 26 16:23:26.715: dot1x_auth_bend Gi1/0/2: initial state auth_bend_initialize has idle
002277: Mar 26 16:23:26.715: dot1x_auth_bend Gi1/0/2: during state auth_bend_initialize, got event 16383(idle)
002278: Mar 26 16:23:26.715: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_initialize -> auth_bend_idle
002279: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_idle_enter called
002280: Mar 26 16:23:26.715: dot1x-ev(Gi1/0/2): Created a client entry (0x6D000054)
002281: Mar 26 16:23:26.715: dot1x-ev(Gi1/0/2): Dot1x authentication started for 0x6D000054 (0000.0000.0000)
002282: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): Posting !EAP_RESTART on Client 0x6D000054
002283: Mar 26 16:23:26.715: dot1x_auth Gi1/0/2: during state auth_restart, got event 6(no_eapRestart)
002284: Mar 26 16:23:26.715: @@@ dot1x_auth Gi1/0/2: auth_restart -> auth_connecting
002285: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_connecting_enter called
002286: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): 0x6D000054:auth_restart_connecting_action called
002287: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): Posting RX_REQ on Client 0x6D000054
002288: Mar 26 16:23:26.721: dot1x_auth Gi1/0/2: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
002289: Mar 26 16:23:26.721: @@@ dot1x_auth Gi1/0/2: auth_connecting -> auth_authenticating
002290: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): 0x6D000054:auth_authenticating_enter called
002291: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): 0x6D000054:auth_connecting_authenticating_action called
002292: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): Posting AUTH_START for 0x6D000054
002293: Mar 26 16:23:26.721: dot1x_auth_bend Gi1/0/2: during state auth_bend_idle, got event 4(eapReq_authStart)
002294: Mar 26 16:23:26.721: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_idle -> auth_bend_request
002295: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_enter called
002296: Mar 26 16:23:26.721: dot1x-ev(Gi1/0/2): Sending EAPOL packet to group PAE address
002297: Mar 26 16:23:26.721: dot1x-ev(Gi1/0/2): Role determination not required
002298: Mar 26 16:23:26.721: dot1x-registry:registry:dot1x_ether_macaddr called
002299: Mar 26 16:23:26.721: dot1x-ev(Gi1/0/2): Sending out EAPOL packet
002300: Mar 26 16:23:26.721: EAPOL pak dump Tx
002301: Mar 26 16:23:26.721: EAPOL Version: 0x3 type: 0x0 length: 0x0005
002302: Mar 26 16:23:26.721: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
002303: Mar 26 16:23:26.721: dot1x-packet(Gi1/0/2): EAPOL packet sent to client 0x6D000054 (0000.0000.0000)
002304: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_idle_request_action called
002305: Mar 26 16:23:29.814: dot1x-sm(Gi1/0/2): Posting EAP_REQ for 0x6D000054
002306: Mar 26 16:23:29.814: dot1x_auth_bend Gi1/0/2: during state auth_bend_request, got event 7(eapReq)
002307: Mar 26 16:23:29.814: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_request -> auth_bend_request
002308: Mar 26 16:23:29.814: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_request_action called
002309: Mar 26 16:23:29.814: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_enter called
002310: Mar 26 16:23:29.814: dot1x-ev(Gi1/0/2): Sending EAPOL packet to group PAE address
002311: Mar 26 16:23:29.814: dot1x-ev(Gi1/0/2): Role determination not required
002312: Mar 26 16:23:29.814: dot1x-registry:registry:dot1x_ether_macaddr called
002313: Mar 26 16:23:29.814: dot1x-ev(Gi1/0/2): Sending out EAPOL packet
002314: Mar 26 16:23:29.814: EAPOL pak dump Tx
002315: Mar 26 16:23:29.814: EAPOL Version: 0x3 type: 0x0 length: 0x0005
002316: Mar 26 16:23:29.814: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
002317: Mar 26 16:23:29.814: dot1x-packet(Gi1/0/2): EAPOL packet sent to client 0x6D000054 (0000.0000.0000)
002318: Mar 26 16:23:32.907: dot1x-sm(Gi1/0/2): Posting EAP_REQ for 0x6D000054
002319: Mar 26 16:23:32.907: dot1x_auth_bend Gi1/0/2: during state auth_bend_request, got event 7(eapReq)
002320: Mar 26 16:23:32.907: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_request -> auth_bend_request
002321: Mar 26 16:23:32.907: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_request_action called
002322: Mar 26 16:23:32.907: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_enter called
002323: Mar 26 16:23:32.913: dot1x-ev(Gi1/0/2): Sending EAPOL packet to group PAE address
002324: Mar 26 16:23:32.913: dot1x-ev(Gi1/0/2): Role determination not required
002325: Mar 26 16:23:32.913: dot1x-registry:registry:dot1x_ether_macaddr called
002326: Mar 26 16:23:32.913: dot1x-ev(Gi1/0/2): Sending out EAPOL packet
002327: Mar 26 16:23:32.913: EAPOL pak dump Tx
002328: Mar 26 16:23:32.913: EAPOL Version: 0x3 type: 0x0 length: 0x0005
002329: Mar 26 16:23:32.913: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
002330: Mar 26 16:23:32.913: dot1x-packet(Gi1/0/2): EAPOL packet sent to client 0x6D000054 (0000.0000.0000)
002331: Mar 26 16:23:36.001: dot1x-ev(Gi1/0/2): Received an EAP Timeout
002332: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): Posting EAP_TIMEOUT for 0x6D000054
002333: Mar 26 16:23:36.001: dot1x_auth_bend Gi1/0/2: during state auth_bend_request, got event 12(eapTimeout)
002334: Mar 26 16:23:36.001: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_request -> auth_bend_timeout
002335: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_timeout_enter called
002336: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_timeout_action called
002337: Mar 26 16:23:36.001: dot1x_auth_bend Gi1/0/2: idle during state auth_bend_timeout
002338: Mar 26 16:23:36.001: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_timeout -> auth_bend_idle
002339: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_idle_enter called
002340: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): Posting AUTH_TIMEOUT on Client 0x6D000054
002341: Mar 26 16:23:36.001: dot1x_auth Gi1/0/2: during state auth_authenticating, got event 14(authTimeout)
002342: Mar 26 16:23:36.001: @@@ dot1x_auth Gi1/0/2: auth_authenticating -> auth_authc_result
002343: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): 0x6D000054:auth_authenticating_exit called
002344: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): 0x6D000054:auth_authc_result_enter called
002345: Mar 26 16:23:36.001: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Gi1/0/2 AuditSessionID 6A7D1FAF0000006001916AC3
002346: Mar 26 16:23:36.001: dot1x-ev(Gi1/0/2): Sending event (2) to Auth Mgr for 0000.0000.0000
002347: Mar 26 16:23:36.001: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/2 AuditSessionID 6A7D1FAF0000006001916AC3
002348: Mar 26 16:23:36.001: dot1x-ev(Gi1/0/2): Received Authz fail for the client 0x6D000054 (0000.0000.0000)
002349: Mar 26 16:23:36.001: dot1x-ev(Gi1/0/2): Deleting client 0x6D000054 (0000.0000.0000)
002350: Mar 26 16:23:36.001: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/2 AuditSessionID 6A7D1FAF0000006001916AC3
002351: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): Posting_AUTHZ_FAIL on Client 0x6D000054
002352: Mar 26 16:23:36.001: dot1x_auth Gi1/0/2: during state auth_authc_result, got event 22(authzFail)
002353: Mar 26 16:23:36.006: @@@ dot1x_auth Gi1/0/2: auth_authc_result -> auth_held
002354: Mar 26 16:23:36.006: dot1x-ev:Delete auth client (0x6D000054) message
002355: Mar 26 16:23:36.006: dot1x-ev:Auth client ctx destroyed
002356: Mar 26 16:23:36.006: dot1x-ev:Aborted posting message to authenticator state machine: Invalid client -
Currently I'm implementing 802.1x on a Catalyst 4500 L3 switch and using ACS version 5.5.0.46.5.
I'm having random problems with using MAB. I say random because whenever I do a show authentication sessions maybe 6 will fail out of 214. The phones that I'm using are Cisco 7965 IP Phones. I've read that those phones are capable of using certificates for 802.1x, but it was decided to use MAB on all the phones including VIPR phones. The problem that I'm having is that after an hour some phones become unauthorized, which brings down that port. I've noticed that some of these phones are stand-alone phones without a computer wired to them. The computers are successfully using 802.1x and the phones that are connected to them are working with MAB.
Here are my commands for an interface that's failing after an hour:
switchport access vlan 100
switchport mode access
switchport voice vlan 101
no logging event link-status
authentication control-direction in
authentication event fail action next-method
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
mab
no snmp trap link-status
dot1x pae authenticator
spanning-tree portfast
spanning-tree bpduguard enable
end
Whenever I do show authentication sessions this is the output.
Interface    MAC Address       Method    Domain    Status    Fg    Session ID
Gi1/1        1111.1111.1111    mab       VOICE     Auth            0A11111111111111111111
Key to Session Events Blocked Status Flags:
A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker
Runnable methods list:
Handle    Priority    Name
17        5           dot1x
18        10          mab
21        15          webauth
But after an hour or so it becomes unauthorized. Also, should I have "authentication periodic" or "authentication timer reauthenticate 3600" if those particular ports just have a phone that's using MAB?
Thank you in advance.
I have had this issue happen to me before, but it was with deploying ISE and not ACS. To fix the issue, I had to return the following RADIUS attribute in my "Authorization Profile":
AVPair attribute termination-action-modifier=1
This attribute basically instructs the NAD to retry only the last authentication method, which in your case is MAB. Otherwise, based on your config, the switch would first try dot1x and then mab.
Again, I have not done this in ACS but in ISE instead; however, they are both RADIUS servers and both Cisco products, so my feeling is that this would fix your problem.
For more info check out this doc:
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html#wp9000052
Thank you for rating helpful posts! -
Hello,
Anyone can help me with this?
I am trying to set up 802.1X Authentication on an HP LaserJet M9050 (MFP).
I access the embedded Web Server at Networking > Security > 802.1X Authentication:
I tried with some values, and I receive the request on the RADIUS server, but the result is a Denied Request, so the switch is working fine; I think I am making a mistake in the 802.1X Authentication options in the printer.
I have searched for the exact meaning of the configuration parameters but I cannot find anything with details about the parameters:
Server ID: I suppose it is the IP of the RADIUS server (or is it the hostname? anything else?)
When is it necessary to use: Require Exact Match (for the server ID)?
Encryption Strength: has 3 values, one of them is Medium (RC-128-bit or 3DES-168-bit)
I think this is related to the use of certificates, but here is one more question: can I work with or configure 802.1X without certificates for PEAP in this printer?
In case it is necessary to use certificates, I have a Certificate Authority that has its own requester but it needs to be installed in the supplicant; how can I use another CA to generate certificates related to my own CA?
What does Authenticate Behaviour mean: does it need to be checked? When? (Reauthenticate on Apply) I suppose it is used when I apply the configuration, is that correct?
Last question: is it necessary to use certificates in this printer in order to use 802.1X authentication?
What type of certificates are allowed by the JetDirect certificate option if I load the certificate of my own CA?
Thanks in advance for your comments
http://www.google.ca/url?q=http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00731218/c007312...
-
ISE - 802.1X - Loop not detected by spanning-tree
Hello,
I have recently implemented 802.1X on 3750-X switches running the 15.0(2)SE IOS version.
Spanning-tree bpdufilter and bpduguard are globally enabled on the switches.
A user created a loop on the network by connecting his Cisco IP phone to the network twice: one wire connected normally from the switch to the phone's RJ-45 connector, and the second wire, which should have been connected to the PC, was also connected to the switch!
The loop created was not detected by the switch!
I have made several tests and re-created the problem 3 times out of 4 (only one time was the loop detected by bpduguard, 20 seconds after the port came up).
Notice that without 802.1X configured on the same switch port, the loop is quickly detected and the ports are err-disabled (shutdown).
The switch port config with 802.1X is as follows:
interface GigabitEthernet1/0/9
switchport access vlan 950
switchport mode access
switchport nonegotiate
switchport voice vlan 955
no logging event link-status
authentication control-direction in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 950
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level 10.00
storm-control multicast level 10.00
spanning-tree portfast
If I change the host-mode to multi-domain, a MAC violation restriction occurs and shuts down the port. But this is not the config I need.
Is there any reason for spanning-tree not working properly with 802.1X?
Thanks,
Olivier
Hello Olivier,
When using bpdufilter, bpduguard and portfast all at the same time there are many things going on which are not well documented. Now when you add 802.1x to the mix then you really have no documentation. I had to do many labs on my own to finally have my configuration, and also discovered some bugs. According to my experience, you shouldn't use bpdufilter, and you should use bpduguard on the switchport, not in the global config.
Please read the following links about the differences between global and port bpdufilter, differences between global and port bpduguard, configuring bpduguard along with portfast, configuring bpdufilter along with portfast, and configuring bpduguard along with bpdufilter.
http://aitaseller.wordpress.com/2010/01/17/bpdu-filter-vs-bpdu-guard-what-is-the-difference/
http://costiser.wordpress.com/2011/05/23/subtle-difference-for-portfast-bpdufilter-used-together-globally-or-at-interface-level/
https://learningnetwork.cisco.com/thread/21103
http://blog.ipexpert.com/2010/12/06/bpdu-filter-and-bpdu-guard/
Please rate if this helps -
MAB/802.1x and Alcatel IP Phones
Hi All
We have a distributed deployment where Alcatel IP Touch phones are authenticated via MAB. Alcatel IP Touch phones have 802.1x enabled by default, and the phone tries EAPOL first and then the switch authenticates via MAB, which is fine. Once authenticated it's working as expected. The issue is that the phone keeps on periodically retrying 802.1x after x amount of minutes, which triggers the phone to reboot again and go through the whole process. This interrupts the voice. We could disable 802.1x, but it's on a per-phone basis. Has anyone come across this issue and found a way to disable it globally via the call manager etc., or any workaround from the ISE/switch side?
Thanks
G
Hi Tarik,
Thanks for the reply. Please find below the switch port config lines; it's a 370x switch, IP Base and Universal on the 15.2-1.E1 image.
Note: since 802.1x is enabled by default, the phone initially tries 802.1x and, after failing, the switch goes to the next auth method, which is MAB, which is successful. The issue is that the phone again initiates an 802.1x packet after some time and the whole process starts again, and because 802.1x fails the phone reboots again. I think this is the way this type of phone works and we cannot do much unless we disable 802.1x or install the Alcatel CA certs in the ISE cert store?
Interface gi x/y
switchport access vlan xx
switchport mode access
switchport voice vlan yy
ip access-group ACL_ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan xx
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast -
I am trying to set up 802.1x on a 2960 running 12.2.53 SE2.
Here is the configuration of the interface:
interface GigabitEthernet1/0/9
switchport access vlan 205
switchport mode access
switchport nonegotiate
authentication event fail action authorize vlan 205
authentication event no-response action authorize vlan 205
authentication host-mode multi-host
authentication order dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate 1800
authentication violation restrict
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 2
spanning-tree portfast
end
show dot1x all summary
Interface    PAE     Client            Status
Gi1/0/9      AUTH    001b.4f58.91d1    AUTHORIZED
But I am getting this message in the log when the phone tries to connect to the port:
Jun 13 09:54:35.876 MDT: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Gi1/0/9, new MAC address (1cc1.de59.2fbc) is seen.AuditSessionID Unassigned
The host-mode multi-host command does not appear to be working. The user has already authenticated, so anything else should be able to connect to that interface.
Any suggestions?
Your RADIUS server needs to send the VSA Cisco-AV-Pair "device-traffic-class=voice" so that the switch puts the switch port into the voice domain to activate the voice VLAN for the phones. Having your phones fall into the data domain is a classic symptom of the missing VSA. Additionally, you want the switch port to fail open for voice devices to "save the phones" in a server-dead scenario, as well as to provide users with an option to get to the critical VLAN:
authentication event server dead action authorize vlan 205
authentication event server dead action authorize voice
If a RADIUS server fails to respond, the switch will authorize the static voice VLAN.
Don't do "authentication periodic" with IP phones. This can cause disruptions in an existing phone conversation, as during authentication the phone will lose network access until authentication succeeds (or a server-dead event).
You will also want to provide a way to get users out of the auth-fail VLAN, guest VLAN, or critical VLAN (for you and me these are usually the same, your VLAN 205) if your dead server returns, and have the switch rerun dot1x:
authentication event server alive action reinitialize
Good luck!
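As an added example (not from any poster in this thread), a small Python audit that applies the points made in this reply and in the spanning-tree reply above to an IOS interface stanza: it flags "authentication periodic", missing server-dead and server-alive actions, and portfast without per-port bpduguard. The stanza is the 2960 port config quoted in the question, embedded as a constructed string, beside a constructed hardened copy with the recommended lines applied.

```python
# Constructed sample: the 2960 port stanza quoted in the question, as a plain string.
SAMPLE_2960 = """\
interface GigabitEthernet1/0/9
 switchport access vlan 205
 switchport mode access
 switchport nonegotiate
 authentication event fail action authorize vlan 205
 authentication event no-response action authorize vlan 205
 authentication host-mode multi-host
 authentication order dot1x
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 1800
 authentication violation restrict
 dot1x pae authenticator
 spanning-tree portfast
end
"""

# The same stanza with the fixes recommended in the replies applied (constructed).
HARDENED = (
    SAMPLE_2960
    .replace(" authentication periodic\n authentication timer reauthenticate 1800\n", "")
    .replace(" authentication port-control auto\n",
             " authentication event server dead action authorize vlan 205\n"
             " authentication event server dead action authorize voice\n"
             " authentication event server alive action reinitialize\n"
             " authentication port-control auto\n")
    .replace(" spanning-tree portfast\n",
             " spanning-tree portfast\n spanning-tree bpduguard enable\n")
)

def parse_stanza(text):
    """Return (interface name, set of whitespace-normalised config lines)."""
    name, lines = None, set()
    for raw in text.splitlines():
        line = " ".join(raw.split())          # drop indentation, collapse spaces
        if not line or line == "end":
            continue
        if line.startswith("interface "):
            name = line.split(" ", 1)[1]
            continue
        lines.add(line)
    return name, lines

def audit_port(text):
    """Return (interface name, list of findings) for one interface stanza."""
    name, cfg = parse_stanza(text)

    def has(prefix):
        # prefix match, so abbreviated forms such as 'reinit' also count
        return any(line.startswith(prefix) for line in cfg)

    findings = []
    if has("authentication periodic"):
        findings.append("authentication periodic: phones lose access during reauth")
    if not has("authentication event server dead action authorize voice"):
        findings.append("no server-dead action for the voice domain")
    if not (has("authentication event server dead action authorize vlan")
            or has("authentication event server dead action reinitialize vlan")):
        findings.append("no critical VLAN for the data domain on server-dead")
    if not has("authentication event server alive action reinit"):
        findings.append("sessions are not rerun when RADIUS comes back")
    if has("spanning-tree portfast") and not has("spanning-tree bpduguard enable"):
        findings.append("portfast without per-port bpduguard")
    if has("spanning-tree bpdufilter"):
        findings.append("bpdufilter on an 802.1X port hides loops")
    return name, findings

if __name__ == "__main__":
    for label, stanza in (("as posted", SAMPLE_2960), ("hardened", HARDENED)):
        name, findings = audit_port(stanza)
        print(f"{name} ({label}): {findings or 'no findings'}")
```

The checks are prefix matches on normalised lines, so a stanza pasted straight from "show running-config interface" works without further cleanup.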