EAP/802.1x/DHCP wonkiness

I have a WLC 5508 on the 6.0 code. I am running PEAP. Users log in with the certificate staged and are coming up with 169.254 addresses. From the controller, however, I see them at a valid address from the virtual interface I expect (10.1.27.x). On my MS Radius server, I see successful authentication. Attached is what I see at the controller. What am I missing? Why would the WLC see it as having an IP, but the client (I have seen this on WinXP, Win7, Vista) show a bailout IP?

This is a bump.
I am having the same issue. Here is my configuration / setup.
Here is my situation. I am running a new WLC 5508 with 6.0x code; the controller is housed at the data center and the remote building has a high speed point-to-point link. I have no issues with the LAPs connecting, but clients are not getting IP addresses from the local DHCP server. I run the WLC as DHCP Proxy.
I am running a DHCP server on the local 3560 switch. Also I am not using option 43 on the DHCP server to provide the controller's address; I am using DNS, which resolves CISCO-CAPWAP-CONTROLER to the management address of the controller.
The LAP has a static address 10.100.6.20
The switchport that the LAP is plugged into is configured:
switchport mode access
switchport access vlan 106
switchport voice vlan 108
spanning-tree portfast
interface vlan 106
ip address 10.100.6.1 255.255.255.0
ip dhcp pool Users
network 10.100.6.0 255.255.255.0
dns-server
default-router 10.100.6.1
From what I understand, the client connects to the WLAN, and then the controller's virtual IP (in my case 1.1.1.1) tells the local DHCP server that a client is looking for DHCP and then provides the client with an IP. I have this working in another building with the exact same configuration as above, except that I am using a local DNS server to look up the name of the Controller Management IP, but I can't understand why that would matter.
I have run debug messages on the switch and don't even see the DHCP Offer messages. I have verified that wired clients are getting DHCP from the switch.

Similar Messages

  • Wireless EAP / 802.1x with MS NAP

    Hi,
    I'm trying to configure 802.1x on a 1131AG AP using MS NAP as a radius server.
    Using a switch everything works fine with EAPOL and the clients authenticate the way they should. But as soon as I start using the AP and clients try to authenticate, the AP shows "failed to authenticate" + the client's MAC address.
    I've attached both configs:
    The switch config, on which Fa0/6 is used to authenticate a connected client, and the AP config which doesn't work and probably has something missing.
    The clients should authenticate against the radius server 10.10.250.111 and, according to their health status, be put in vlan 1 (healthy) or vlan 2 (unhealthy).
    I would like to use WPA2 as an encryption method.

    Hi,
    Let's clarify all possibilities and you can choose one from there :-)
    1) the Wireless Controller (WLC) can act as radius server. The feature is called "local eap". So the WLC authenticates the client (wpa2 if you like).
    The WLC can use an LDAP database as user database. The only restrictions are that you cannot use "mschapv2" methods. So only peap-gtc,eap-fast-gtc and eap-tls. Of those 3, only eap-tls is present on the client default windows supplicant.
    2) You can have a complete radius server like Cisco ACS. However the limitation coming with LDAP remains. Unless your database is Active Directory in which case ACS can integrate with it and allow for all eap methods.
    3) If you go for WPA enterprise, that means you will authenticate users 2 times. One with dot1x to join the wireless and one with NAC afterwards to get network connectivity. Again if you have active directory, you can go with "single sign on" so that users never have to enter their credentials. Otherwise they will have to enter them twice.
    Apart from that fact, NAC pretty much doesn't care if your wireless is open or dot1x-secured, it comes after the dot1x authentication anyway.
    I hope this clarifies ?
    Nicolas
    ===
    please rate answers that you find useful

  • TC connects to PC (802.11n) DHCP IP assigned but no DNS lookups

    Replaced my Linksys with a Time Capsule. Our iMac works fine. Our MBP works fine.
    Just recently our roommate's PC is not resolving domain names. Her 802.11n USB wireless connection had been working fine. But now when she connects she is assigned an address via DHCP and her DNS is registered as the TC (as is ours in Mac land). But her PC is unable to resolve any DNS names.
    I hard coded the DNS server of our ISP in her windows configuration and this work-around is working for her. But I would like to understand what went awry.
    Ideas?
    Warren

    One thing I forgot to add. The TC assigns its own address (10.0.1.1) to Macs and PCs alike. But in the case of the PC, it is unable to resolve domain names...
    W

  • Open and Network-EAP authentication - difference in security?

    As far as security goes, and assuming Radius authentication will actually authenticate and allow users access to the wireless network (or not), is there any difference (once again, as far as security goes) between Open Authentication and Network-EAP as described below?
    In any EAP/802.1x-based authentication method, you may question what the differences are between Network-EAP and Open authentication with EAP. These items refer to values in the Authentication Algorithm field in the headers of management and association packets. Most manufacturers of wireless clients set this field at the value 0 (Open authentication), and then signal their desire to do EAP authentication later in the association process. Cisco sets the value differently, from the start of association with the Network EAP flag.

    1. Join process - comparable to connecting a cable in the wired network world. Usually "OPEN".
    2. Authentication - this verifies the client is who they claim they are because they possess a certificate (EAP-TLS), know the password or a PSK.
    3. Encryption with TKIP or AES - this is about protecting data as it is transmitted through the air AFTER authentication.
    You are correct.
    What confuses me when attempting to configure the Aironet I'm working with is the difference in terminology with the familiar choices I had in Linksys access points, something like this:
    - WEP
    - WPA
    - WPA-Enterprise
    - WPA2
    - WPA2-Enterprise
    I thought WPA-Enterprise has to do with Radius and indeed I was able to create a test network in which a Windows XP laptop could connect via a Linksys access point, authenticating with EAP-TLS, with WPA-Enterprise selected on the AP. The Windows 2008 server was both a certificate authority, a radius (NPS) server and a domain controller.
    With the Aironet, I'm not sure what the equivalent choices should be, because, if you look at the link in my last post, there is a larger selection: WEP 40 bit, WEP 128 bit, TKIP, AES, combinations of what precedes and no reference to WPA or WPA2. I'm guessing TKIP = WPA and AES = WPA2.
    And while I can select "EAP" in the Express Security Setup tab, I cannot see where I would opt for EAP-TLS rather than PEAP or EAP-TTLS and so forth.
    I'm going to take a look at your blog now and see if that doesn't enlighten me further.
    You are on track my friend keep the thinking going .... you are very close!
    Some more foundation for you ...
    WPA   -  Is PSK with TKIP
    WPA2 -  Is PSK with AES
    WPA Enterprise -  EAP-??? with TKIP
    WPA2 Enterprise - EAP-??? with AES
    ??? = Your selected EAP type
    Now, why don't you have to configure the EAP type on the AP? Great question, let's break this down.
    1. The AP or WLC for that matter doesn't care what EAP type you use. Why, you ask?
    When you configure 802.1X, there are 2 virtual ports. These are virtual and you do nothing to configure these. Once you connect to an AP and EAP starts, the AP BLOCKS ALL TRAFFIC except for EAPOL traffic. This is the ONLY traffic allowed through until the AP / WLC receives a RADIUS SUCCESS. Once the AP/WLC sees this RADIUS success it then switches virtually over to the controlled port and allows ALL your traffic to pass.
    2. With that being said, your client is only passing traffic through the AP and WLC. The AP / WLC doesn't care what EAP you are using. Your client is talking directly to the RADIUS server at that point. The AP/WLC at this point is only a pass-through, nothing more.
    Does that help ?
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
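    The two virtual ports described in the reply above can be modelled in a few lines. The following is an added example written for this page, not code from the thread or from Cisco: it plays one constructed client session through a toy authenticator port, letting only EAPOL (EtherType 0x888E) pass until a constructed RADIUS verdict arrives. The MAC address, frame notes and the verdict are all made up for illustration.

```python
"""Toy model of an 802.1X authenticator port: uncontrolled port (EAPOL only)
until RADIUS Access-Accept, then the controlled port is authorized.

Added example, not code from the thread or from Cisco. All inputs are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

EAPOL_ETHERTYPE = 0x888E   # 802.1X / EAPOL frames
IPV4_ETHERTYPE = 0x0800    # IPv4 (DHCP travels inside it)
ARP_ETHERTYPE = 0x0806


@dataclass
class Frame:
    src_mac: str
    ethertype: int
    note: str = ""


@dataclass
class AuthenticatorPort:
    """Per-supplicant state of an AP/switch port acting as 802.1X authenticator."""
    authorized: bool = False
    log: List[str] = field(default_factory=list)

    def radius_result(self, access_accept: bool) -> None:
        """RADIUS verdict: Access-Accept authorizes the controlled port, anything else keeps it closed."""
        self.authorized = access_accept
        self.log.append("RADIUS %s -> controlled port %s"
                        % ("Access-Accept" if access_accept else "Access-Reject",
                           "authorized" if access_accept else "unauthorized"))

    def forward(self, frame: Frame) -> bool:
        """Return True if the frame is allowed through the port."""
        if frame.ethertype == EAPOL_ETHERTYPE:
            # EAPOL is relayed towards the RADIUS server in every port state;
            # the authenticator never inspects which EAP method is inside.
            self.log.append("relayed EAPOL from %s (%s)" % (frame.src_mac, frame.note))
            return True
        if self.authorized:
            self.log.append("forwarded 0x%04x from %s (%s)" % (frame.ethertype, frame.src_mac, frame.note))
            return True
        self.log.append("dropped 0x%04x from %s (%s): port unauthorized"
                        % (frame.ethertype, frame.src_mac, frame.note))
        return False


def run_session(access_accept: bool) -> Tuple[Dict[str, bool], List[str]]:
    """Drive one constructed client session and report which frames got through."""
    client = "aa:bb:cc:00:00:01"   # constructed MAC address
    port = AuthenticatorPort()
    seen: Dict[str, bool] = {}
    seen["dhcp_before_auth"] = port.forward(Frame(client, IPV4_ETHERTYPE, "DHCP Discover"))
    seen["arp_before_auth"] = port.forward(Frame(client, ARP_ETHERTYPE, "ARP probe"))
    seen["eapol_start"] = port.forward(Frame(client, EAPOL_ETHERTYPE, "EAPOL-Start"))
    seen["eap_identity"] = port.forward(Frame(client, EAPOL_ETHERTYPE, "EAP-Response/Identity"))
    seen["eap_peap"] = port.forward(Frame(client, EAPOL_ETHERTYPE, "EAP-Response/PEAP"))
    port.radius_result(access_accept)
    seen["dhcp_after_verdict"] = port.forward(Frame(client, IPV4_ETHERTYPE, "DHCP Discover"))
    return seen, port.log


if __name__ == "__main__":
    for accept in (True, False):
        seen, log = run_session(accept)
        print("Access-Accept" if accept else "Access-Reject", seen)
        for line in log:
            print("   ", line)
```

    The point the model makes visible: the DHCP Discover sent before the verdict is dropped regardless of EAP method, and only the RADIUS result opens the controlled port, which is why the EAP type is configured on the supplicant and the RADIUS server rather than on the AP.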

  • Update with EAP SIM

    Free Mobile, a provider in France, now uses EAP-SIM on its Free Wifi network!
    The request for this compatibility will now be important for French customers!
    I see that Xperia S has this Eap-sim while it is absent in Android 4!
    So it is Sony who has added it!
    On my Xperia Mini St15, I have EAP 802.1x but not SIM
    Can we expect it on our future updates (Android 4 for 2011 phones)? I hope...:smileywink:
    Regards

    It is very true that Xperia S support this. Other phones do however not support it at this point and I have no information regarding future changes for these phones.
    Since Xperia S has it I guess it's not impossible but I do not know if there are any plans for the other phones to get it or not. We have to wait and see I guess. I will try to remember to post again if I get any new info on this.

  • 802.1x for server authentication

    Hello everybody,
    this is the first time I write on this forum, so please excuse me if I do something wrong.
    My objective is to authenticate servers in my customer's server farm, so that none can put an unauthorised server in place.
    I am thinking about using 802.1x machine authentication to reach my aim.
    Does anybody have experience with similar situations?
    The server platforms are:
    - Windows 2k Server
    - Windows 2k Advanced Server
    - Linux Redhat
    - IBM AIX
    Which are the applicable EAP methods for each platform?
    Has anybody experienced the use of an 802.1x client such as Meetinghouse or Funk Odyssey on the mentioned platforms?
    Thank you in advance.
    Kind regards,
    Barbara

    EAP, EAP-TLS, EAP-MS-CHAP v2, and PEAP authentication
    The support that 802.1X provides for Extensible Authentication Protocol (EAP) types allows you to choose from several different authentication methods for wireless clients and servers.
    EAP
    802.1X uses EAP for message exchange during the authentication process. With EAP, an arbitrary authentication method, such as certificates, smart cards, or credentials, is used. EAP allows for an open-ended conversation between an EAP client (such as a wireless computer) and an EAP server (such as an Internet Authentication Service (IAS) server). The conversation consists of requests for authentication information by the server and responses by the client. In order for authentication to be successful, the client and the server must use the same authentication method.
    EAP-TLS
    EAP-Transport Layer Security (TLS) is an EAP type that is used in certificate-based security environments, and it provides the strongest authentication and key determination method. EAP-TLS provides mutual authentication, negotiation of the encryption method, and encrypted key determination between the client and the authenticating server. If you want to use certificates or smart cards for user and client computer authentication, you must use EAP-TLS or, for enhanced security, Protected EAP (PEAP) with EAP-TLS.
    EAP-MS-CHAP v2
    EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) is a mutual authentication method that supports password-based user or computer authentication. During the EAP-MS-CHAP v2 authentication process, both the server and client must prove that they have knowledge of the user's password in order for authentication to succeed. With EAP-MS-CHAP v2, after successful authentication, users can change their passwords, and they are notified when their passwords expire.
    EAP-MS-CHAP v2 is available only with PEAP.
    PEAP
    PEAP is an authentication method that uses TLS to enhance the security of other EAP authentication protocols. PEAP provides the following benefits: an encryption channel to protect EAP methods running within PEAP, dynamic keying material generated from TLS, fast reconnect (the ability to reconnect to a wireless access point by using cached session keys, which allows for quick roaming between wireless access points), and server authentication that can be used to protect against the deployment of unauthorized wireless access points.

  • Prevent SRW2008P from sending EAP Success message on connect

    Hello,
    I have a SRW2008P switch which is sending a EAP Success message when a device is connected to it.
    How can I disable this? EAP / 802.1x is globally disabled on the switch.
    I need to connect a cable modem to the switch in a separate VLAN. The cable modem is configured by the provider to only allow one client. So as soon as I connect the cable modem to the switch, the switch sends out an EAP Success message to it and the cable modem locks the MAC address of the switch. The router behind the switch can therefore not connect to the modem, as the modem has already locked the MAC of the switch instead of locking the MAC of the router.
    I have attached a picture of a wireshark capture while connecting my notebook to the switch.
    Thank you, Artem

    Jarnathan,
    There are several tricks and methods to help with this problem, but they do not involve Rules.
    In the Mail Preferences/Composing you can check a box beside Mark addresses not in this domain, and type in your "somebigcompany.com" domain name. In this mode any address not in that domain will be marked in red, including your From address displayed in the Compose window as you draft.
    Secondly, in the same Composing preferences, you can select one address as the default for all New messages (but this will not apply to Reply or Forward).
    However, instead of selecting one default New message address, you can click to turn the small black triangle downward, thus expanding your Inbox to show the Inbox of each account, and work in one account at-a-time. In this mode, all new messages will be defaulted to be from the address of that respective Inbox.
    Ernie

  • DHCP Requests Starts Failing

    I have a school with 550 iPads. We are using two 5508 WLCs sharing the number of APs. The DHCP server and the default gateway for the network are on the firewall. The clients are able to get DHCP. After some time, maybe longer than a month, the clients are no longer able to get DHCP addresses. A reboot of both controllers takes care of this. Presently we are running 7.2.110 OS. I am going to upgrade to the latest 7.4.100, and reload tonight.
    Any insight you could give me for this effort, would be great.

    Thanks. I am getting these arp errors
    *DHCP Proxy DTL Recv Task: Sep 19 17:44:24.507: %DTL-3-ARP_CLIENT_IP_DUPLICATED: dtl_arp.c:1806 ARP entry overwrite, conflict detected via ARP Request from client with MAC-ID  ac:3c:0b:07:15:d1 and IP Address  172.18.1.156, Old client MAC-ID was 84:29:99:
    *DHCP Proxy DTL Recv Task: Sep 19 17:44:23.998: %DTL-3-ARP_CLIENT_IP_DUPLICATED: dtl_arp.c:1806 ARP entry overwrite, conflict detected via ARP Request from client with MAC-ID  8c:70:5a:74:86:cc and IP Address  172.18.5.76, Old client MAC-ID was 00:23:14:7
    *apfReceiveTask: Sep 19 17:44:22.794: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg
    *DHCP Proxy DTL Recv Task: Sep 19 17:44:22.540: %DTL-3-ARP_CLIENT_IP_DUPLICATED: dtl_arp.c:1806 ARP entry overwrite, conflict detected via ARP Request from client with MAC-ID  ac:3c:0b:09:b6:b8 and IP Address  172.18.1.31, Old client MAC-ID was 84:29:99:1
    *DHCP Proxy DTL Recv Task: Sep 19 17:44:22.534: %DTL-3-ARP_CLIENT_IP_DUPLICATED: dtl_arp.c:1806 ARP entry overwrite, conflict detected via ARP Request from client with MAC-ID  3c:e0:72:cd:19:a0 and IP Address  172.18.0.135, Old client MAC-ID was 84:29:99:
    Any idea how to clear them? I have restarted the Windows DHCP server.
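    When a controller logs ARP overwrites like the ones above, the useful first step is to see whether the same IP keeps changing hands and which MACs are involved in the most conflicts. The following is an added example written for this page, not code from the thread or from Cisco: it parses %DTL-3-ARP_CLIENT_IP_DUPLICATED lines in the format shown in the post and summarizes them per IP. The sample log is constructed in that format with made-up MACs and IPs; lines that are not ARP-conflict messages (such as the RRM line) are skipped.

```python
"""Parse WLC %DTL-3-ARP_CLIENT_IP_DUPLICATED messages and summarize conflicts.

Added example, not code from the thread or from Cisco. The sample log lines are
constructed in the format shown in the post; MACs and IPs are made up.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Optional

# *<task>: <Mon dd hh:mm:ss.mmm>: %DTL-3-ARP_CLIENT_IP_DUPLICATED: dtl_arp.c:NNNN ARP entry overwrite,
#   conflict detected via ARP Request from client with MAC-ID  <new> and IP Address  <ip>,
#   Old client MAC-ID was <old>      (old MAC may be truncated in a captured log, so it is optional)
ARP_DUP_RE = re.compile(
    r"^\*(?P<task>[^:]+): (?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%DTL-3-ARP_CLIENT_IP_DUPLICATED: .*?"
    r"MAC-ID\s+(?P<new_mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) and IP Address\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}), Old client MAC-ID was\s*(?P<old_mac>[0-9a-f:]*)"
)

# Constructed sample in the post's format (not the poster's real data).
SAMPLE_LOG = """\
*DHCP Proxy DTL Recv Task: Sep 19 17:44:24.507: %DTL-3-ARP_CLIENT_IP_DUPLICATED: dtl_arp.c:1806 ARP entry overwrite, conflict detected via ARP Request from client with MAC-ID  02:00:00:00:00:01 and IP Address  172.18.1.156, Old client MAC-ID was 02:00:00:00:00:aa
*DHCP Proxy DTL Recv Task: Sep 19 17:44:23.998: %DTL-3-ARP_CLIENT_IP_DUPLICATED: dtl_arp.c:1806 ARP entry overwrite, conflict detected via ARP Request from client with MAC-ID  02:00:00:00:00:02 and IP Address  172.18.5.76, Old client MAC-ID was 02:00:00:00:00:bb
*apfReceiveTask: Sep 19 17:44:22.794: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg
*DHCP Proxy DTL Recv Task: Sep 19 17:44:22.540: %DTL-3-ARP_CLIENT_IP_DUPLICATED: dtl_arp.c:1806 ARP entry overwrite, conflict detected via ARP Request from client with MAC-ID  02:00:00:00:00:aa and IP Address  172.18.1.156, Old client MAC-ID was 02:00:00:00:00:01
*DHCP Proxy DTL Recv Task: Sep 19 17:44:22.534: %DTL-3-ARP_CLIENT_IP_DUPLICATED: dtl_arp.c:1806 ARP entry overwrite, conflict detected via ARP Request from client with MAC-ID  02:00:00:00:00:03 and IP Address  172.18.0.135, Old client MAC-ID was 02:00:00:00:00:aa
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one ARP-conflict message, or None for any other line."""
    m = ARP_DUP_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text: str) -> Dict[str, Dict[str, object]]:
    """Per IP: number of overwrites, MACs involved, and whether the same two MACs
    took the address from each other more than once (flapping)."""
    per_ip = defaultdict(lambda: {"count": 0, "macs": set(), "flapping": False})
    pairs_seen = defaultdict(set)   # ip -> set of frozenset({new_mac, old_mac})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_ip[rec["ip"]]
        entry["count"] += 1
        entry["macs"].add(rec["new_mac"])
        if rec["old_mac"]:
            entry["macs"].add(rec["old_mac"])
        pair = frozenset({rec["new_mac"], rec["old_mac"]})
        if pair in pairs_seen[rec["ip"]]:
            entry["flapping"] = True
        pairs_seen[rec["ip"]].add(pair)
    return dict(per_ip)


def mac_involvement(log_text: str) -> Counter:
    """How many conflict messages each MAC (new or old side) appears in."""
    counter: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counter[rec["new_mac"]] += 1
        if rec["old_mac"]:
            counter[rec["old_mac"]] += 1
    return counter


if __name__ == "__main__":
    for ip, info in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, info["count"], "overwrite(s)", "FLAPPING" if info["flapping"] else "", sorted(info["macs"]))
    print(mac_involvement(SAMPLE_LOG).most_common(3))
```

    Feeding a real capture of the controller's message log to summarize() shows whether the problem is a handful of addresses flapping between two clients, or one MAC turning up as the "old" side of many overwrites; the two point at different things (a stale lease table versus one misbehaving client) and are worth knowing before reloading the controller.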

  • Issues with MSCHAPV2

    Hey Arch forum.
    I really wanted to avoid having to ask a question on the forum and try to fix it myself, but I'm clueless on how to go about this one. I've been using Arch for a couple of months now, and this issue has only really started getting on my nerves.
    I've got my system set up mostly the way I want it now. I really like Arch Linux. When I wake my laptop up from hibernation, I have to manually connect to my school's network again. Every time. When I boot it up, however, it automatically opens the login menu and all I have to do is hit enter. When I'm home and wake it up from hibernation it automatically connects to wifi though. I have no clue what is causing it. I use NetworkManager and my laptop's an ASUS KV55M. It worked fine when this computer ran Windows for a short period. Any suggestions on how to tackle this?

    nmcli c list uuid fd50876f-55ac-4a6e-99b3-057cb01b2f27
    connection.id: School
    connection.uuid: fd50876f-55ac-4a6e-99b3-057cb01b2f27
    connection.type: 802-11-wireless
    connection.autoconnect: yes
    connection.timestamp: 1396513658
    connection.read-only: no
    connection.permissions:
    connection.zone: --
    connection.master: --
    connection.slave-type: --
    connection.secondaries:
    802-1x.eap: peap
    802-1x.identity: xxxxxxx
    802-1x.anonymous-identity: --
    802-1x.pac-file: --
    802-1x.ca-cert: /etc/ssl/certs/Security_Communication_Root_CA.pem
    802-1x.ca-path: --
    802-1x.subject-match: --
    802-1x.altsubject-matches:
    802-1x.client-cert: --
    802-1x.phase1-peapver: --
    802-1x.phase1-peaplabel: --
    802-1x.phase1-fast-provisioning: --
    802-1x.phase2-auth: mschapv2
    802-1x.phase2-autheap: --
    802-1x.phase2-ca-cert: --
    802-1x.phase2-ca-path: --
    802-1x.phase2-subject-match: --
    802-1x.phase2-altsubject-matches:
    802-1x.phase2-client-cert: --
    802-1x.password: --
    802-1x.password-flags: 1 (agent-owned)
    802-1x.password-raw: --
    802-1x.password-raw-flags: 0 (none)
    802-1x.private-key: --
    802-1x.private-key-password: --
    802-1x.private-key-password-flags: 0 (none)
    802-1x.phase2-private-key: --
    802-1x.phase2-private-key-password: --
    802-1x.phase2-private-key-password-flags:0 (none)
    802-1x.pin: --
    802-1x.pin-flags: 0 (none)
    802-1x.system-ca-certs: yes
    802-11-wireless.ssid: 'xxxxxxxxxxxxx'
    802-11-wireless.mode: infrastructure
    802-11-wireless.band: --
    802-11-wireless.channel: 0
    802-11-wireless.bssid: --
    802-11-wireless.rate: 0
    802-11-wireless.tx-power: 0
    802-11-wireless.mac-address: Here goes the wireless.mac-adress
    802-11-wireless.cloned-mac-address: --
    802-11-wireless.mac-address-blacklist:
    802-11-wireless.mtu: auto
    802-11-wireless.seen-bssids: Here goes the wireless.seen.bssids
    802-11-wireless.security: 802-11-wireless-security
    802-11-wireless.hidden: no
    802-11-wireless-security.key-mgmt: wpa-eap
    802-11-wireless-security.wep-tx-keyidx: 0
    802-11-wireless-security.auth-alg: --
    802-11-wireless-security.proto:
    802-11-wireless-security.pairwise:
    802-11-wireless-security.group:
    802-11-wireless-security.leap-username: --
    802-11-wireless-security.wep-key0: --
    802-11-wireless-security.wep-key1: --
    802-11-wireless-security.wep-key2: --
    802-11-wireless-security.wep-key3: --
    802-11-wireless-security.wep-key-flags: 0 (none)
    802-11-wireless-security.wep-key-type: 0 (unknown)
    802-11-wireless-security.psk: --
    802-11-wireless-security.psk-flags: 0 (none)
    802-11-wireless-security.leap-password: --
    802-11-wireless-security.leap-password-flags:0 (none)
    ipv4.method: auto
    ipv4.dns:
    ipv4.dns-search:
    ipv4.addresses:
    ipv4.routes:
    ipv4.ignore-auto-routes: no
    ipv4.ignore-auto-dns: no
    ipv4.dhcp-client-id: --
    ipv4.dhcp-send-hostname: yes
    ipv4.dhcp-hostname: --
    ipv4.never-default: no
    ipv4.may-fail: yes
    ipv6.method: auto
    ipv6.dns:
    ipv6.dns-search:
    ipv6.addresses:
    ipv6.routes:
    ipv6.ignore-auto-routes: no
    ipv6.ignore-auto-dns: no
    ipv6.never-default: no
    ipv6.may-fail: yes
    ipv6.ip6-privacy: -1 (unknown)
    ipv6.dhcp-hostname: --
    The CA Certificate I used was random, as I remember from my first Linux times I couldn't connect without using a CA-Certificate (they are not required).
    Currently not at home, so I will post the other one later.
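    The profile dump above is also a good specimen for a configuration check: with 802-1x.eap set to peap, the settings that decide whether the supplicant can tell the real RADIUS server from an impostor are ca-cert, system-ca-certs and subject-match / altsubject-matches. The following is an added example written for this page, not code from the thread or from NetworkManager: it parses nmcli "setting.property: value" lines and reports weak combinations, using a constructed subset of the profile above next to a hardened variant. The property names are the ones shown in the post; school-radius-ca.pem and radius.example.edu are placeholders.

```python
"""Audit the 802-1x part of a NetworkManager connection dump (nmcli key: value lines).

Added example, not code from the thread or from NetworkManager. The two profiles
below are constructed; the CA file name and server name in the hardened one are
placeholders.
"""
from typing import Dict, List, Tuple

UNSET = {"", "--"}   # how nmcli prints an unset property

# Constructed subset mirroring the profile in the post: public root CA plus
# system store trusted, no subject match, real username as outer identity.
WEAK_PROFILE = """\
802-1x.eap: peap
802-1x.identity: xxxxxxx
802-1x.anonymous-identity: --
802-1x.ca-cert: /etc/ssl/certs/Security_Communication_Root_CA.pem
802-1x.subject-match: --
802-1x.altsubject-matches:
802-1x.phase2-auth: mschapv2
802-1x.system-ca-certs: yes
802-11-wireless-security.key-mgmt: wpa-eap
"""

# Constructed hardened variant: the RADIUS server's own issuing CA is pinned,
# the system store is not consulted, and the server name must match.
HARDENED_PROFILE = """\
802-1x.eap: peap
802-1x.identity: xxxxxxx
802-1x.anonymous-identity: anonymous
802-1x.ca-cert: /etc/ssl/certs/school-radius-ca.pem
802-1x.subject-match: radius.example.edu
802-1x.altsubject-matches:
802-1x.phase2-auth: mschapv2
802-1x.system-ca-certs: no
802-11-wireless-security.key-mgmt: wpa-eap
"""


def parse_nmcli_dump(text: str) -> Dict[str, str]:
    """Turn 'setting.property: value' lines into a dict (first colon splits key and value)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def is_set(props: Dict[str, str], key: str) -> bool:
    return props.get(key, "").strip() not in UNSET


def audit_8021x(props: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (code, severity, explanation) findings for a tunnelled EAP profile."""
    findings: List[Tuple[str, str, str]] = []
    eap = props.get("802-1x.eap", "")
    if eap not in ("peap", "ttls"):
        return findings   # these checks are about validating the TLS tunnel server
    has_own_ca = is_set(props, "802-1x.ca-cert")
    trusts_system = props.get("802-1x.system-ca-certs") == "yes"
    has_identity_match = (is_set(props, "802-1x.subject-match")
                          or is_set(props, "802-1x.altsubject-matches"))
    if not has_own_ca and not trusts_system:
        findings.append(("NO_CA", "high",
                         "no CA configured: the RADIUS server certificate is not validated"))
    if trusts_system and not has_identity_match:
        findings.append(("PUBLIC_CA_NO_MATCH", "high",
                         "system CA store trusted with no subject match: any certificate "
                         "from any public CA is accepted as the RADIUS server"))
    elif has_own_ca and not has_identity_match:
        findings.append(("NO_SUBJECT_MATCH", "medium",
                         "CA pinned but no subject match: any certificate issued by that CA is accepted"))
    if not is_set(props, "802-1x.anonymous-identity"):
        findings.append(("NO_ANON_IDENTITY", "low",
                         "outer identity is the real username, sent before the tunnel exists"))
    if props.get("802-1x.phase2-auth") == "mschapv2" and any(f[1] == "high" for f in findings):
        findings.append(("MSCHAPV2_EXPOSED", "high",
                         "inner MSCHAPv2 is only as safe as the tunnel; with weak server "
                         "validation the exchange reaches whoever presents an accepted certificate"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_8021x(parse_nmcli_dump(text)) or "no findings")
```

    The poster's remark that the CA certificate was chosen at random is exactly the case the PUBLIC_CA_NO_MATCH finding describes. The properties are changed with `nmcli connection modify <id> <setting.property> <value>`, for example setting 802-1x.subject-match to the RADIUS server's certificate name and 802-1x.system-ca-certs to no, with 802-1x.ca-cert pointing at the CA that actually issued the server certificate.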

  • PEAP authentication problems

    Hi,
    I configured a Cisco AP 1200 IOS with PEAP.
    Hereby the AP Config:
    aaa new-model
    aaa group server radius rad_eap
    server 192.168.4.58 auth-port 1645 acct-port 1646
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login eap_methods group rad_eap
    aaa authorization exec default local
    aaa authorization ipmobile default group rad_pmip
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    dot11 arp-cache optional
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption vlan 184 key 1 size 128bit 7 xxxx transmit-key
    encryption vlan 184 mode wep mandatory mic key-hash
    encryption key 1 size 128bit 7 xxxxx transmit-key
    encryption mode wep mandatory
    broadcast-key vlan 184 change 3600
    ssid test
    vlan 184
    authentication open eap eap_methods
    authentication network-eap eap_methods
    world-mode
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    rts threshold 2312
    station-role root
    dot1x reauth-period 1800
    dot1x client-timeout 1800
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface Dot11Radio0.184
    encapsulation dot1Q 184
    no ip route-cache
    bridge-group 184
    bridge-group 184 subscriber-loop-control
    bridge-group 184 block-unknown-source
    no bridge-group 184 source-learning
    no bridge-group 184 unicast-flooding
    bridge-group 184 spanning-disabled
    interface FastEthernet0
    no ip address
    ip accounting output-packets
    no ip route-cache
    speed 100
    full-duplex
    interface FastEthernet0.3
    encapsulation dot1Q 3 native
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface FastEthernet0.184
    encapsulation dot1Q 184
    no ip route-cache
    bridge-group 184
    no bridge-group 184 source-learning
    bridge-group 184 spanning-disabled
    interface BVI1
    ip address 192.168.4.98 255.255.254.0
    ip accounting output-packets
    no ip route-cache
    ip default-gateway 192.168.4.3
    ip http server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
    ip radius source-interface BVI1
    radius-server local
    radius-server host 192.168.4.58 auth-port 1645 acct-port xxxx key xxx
    radius-server timeout 120
    radius-server deadtime 1200
    radius-server domain-stripping
    radius-server attribute 32 include-in-access-req format %h
    radius-server authorization permit missing Service-Type
    radius-server vsa send accounting
    bridge 1 protocol ieee
    bridge 1 route ip
    bridge 184 protocol ieee
    We're using a Cisco Wireless client adaptor with the latest ACU version fully installed and configured my client for PEAP. I also configured the Windows XP network settings appropriately.
    The RADIUS we are using is a Cisco ACS 3.2.1. We used a Microsoft certificate for the server that we issued ourselves.
    Without configuring security, the client can associate with the AP, but when we enable PEAP and I open the ACU status screen, the client associates with the AP, but cannot authenticate successfully. Status hangs on 'authenticating'. I don't see any traffic to the RADIUS server.
    Who can help us?
    Thanks in advance!

    I just opened a TAC case on this one whereby I have already installed the latest client, made sure PEAP is installed, had the latest WAP image, network security setup on the ACU as per the documentation to select the "host base EAP(802.1x) and select dynamic wep, then turned on debug options on the WAP to see the communication between the client and the WAP:
    debug radius authentication
    debug dot11 aaa dot1x process
    debug dot11 aaa dot1x state-machine
    Guess what... there is no communication between the client and the wap for authentication. You can see association and even get an ip address from dhcp but...
    The advice as per the TAC engineer is to put in a Static WEP key for now and you should get the communication going. They have already noticed this on some calls and have not seen a bug case # assigned to it. They will be working a fix on the next release. Once you do that you should see the Radius and 802.1x communication going on.
    After doing this I can then concentrate on why I am not getting PEAP authenticated on our Funk Radius EE Server v4.7.
    The other thing...remove the "authentication network-eap eap_methods" when you are doing PEAP. You enable that for LEAP so you have to create a different vlan for that.
    I use 1812/1813 for the radius server.
    :-) Ed

  • ISE Deployment - Your Feedback

    Hi,
    I am currently evaluating two NAC systems: ISE and Bradford, and I wanted to see if anyone has had the opportunity to see both systems. Although we are a Cisco shop, I am looking for simplicity due to staff shortage.
     In the event I decide to go with ISE, I would like to hear your personal challenges with the product during the deployment phase and those little things I need to keep in mind to avoid future headaches. 
      Thanks in advance !

    Hello,
    I have done one (not finished) deployment with 150 clients. And one guy I know is doing a very large scale deployment.
    To me it's very interesting but very challenging. I really underestimated the time it would take. I did this project because my client wanted it. From a technical point of view it's very positive for me, from a financial point of view it's really bad as I've spent a lot of time.
    The client is so far very happy although some implemented features are missing.
    I would recommend to start with Wifi only and once you understand ISE and know how to troubleshoot make Wire to work. I have not tried remote access though.
    Some hints:
    - You're full Cisco or you have other vendors (I'm thinking about IP Phones but the question can also be asked for switches and wlc)
    - You have a PKI or not.
    - You have devices (endpoints) and they are not 802.1X capable. All of us have, but the important is to list them.
    It's also difficult because it involves a lot of components and protocols:
    - Components: The radius server (ISE), the NAS (Switch or WLC), the endpoints (PC, APs, printers), the host (in my case VMWare)
    - Protocols: EAP protocols, Snmp/DHCP for profiling, Wifi etc.
    So I wouldn't see a guy with a little experience in networking dealing with something like this. I was more than familiar with many of these things. And before ISE I also tried Freeradius and made it work with Wifi and Vlan assignment and a LDAP server.
    If by chance I make the whole thing work I need to give the skills to someone else to do the troubleshooting.
    So this is my experience so far. Some other have much more experience of course.

  • How to provide access to multiple users connected to a Dumb switch? (multi-auth/multi-domain)

    Good morning everybody,
    I am writing on behalf of not being able to implement a desired outcome in our company network. In fact the situation is as follows:
    What I want to do is to be able to authenticate users (802.1x authentication) in our company radius server and authorize them access by having a dynamic VLAN assignment in a multi-user environment on one and the same port of a Cisco 2960 switch. So far, the authentication and authorization has been working completely smoothly (there are no problems with itself). The concept involves the configuration of both DATA and VOICE VLANs as there is also phone authentication implemented. In order to simulate this environment I introduce a Dumb switch connected to my Cisco 2960 Catalyst.
    What I have successfully managed to get to work so far is this:
    1) On one switch port I have tried the “authentication host-mode multi-domain” and it worked perfectly for a PC behind a telephone, or with one PC connected to the dumb switch + the telephone connected to another port of the dumb switch. Logically it is the same situation as there is a separation in two domains – DATA and VOICE. Below is an output from show authentication sessions for this scenario.
    Interface  MAC Address     Method   Domain   Status         Session ID          
    Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
    Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
    2) On the other hand, when I try the same scenario with the “authentication host-mode multi-auth”, the switch still separates the traffic in two domains and is able to authenticate all users, AS LONG AS they are in the same VLAN.
    show authentication sessions:
    Interface  MAC Address     Method   Domain   Status         Session ID          
    Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
    Fa0/23     b888.e3eb.ebac   dot1x    DATA     Authz Success  C0A8FF69000000F8008C (user2)
    Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
    However, I cannot succeed authentication of many users from DIFFERENT VLANs, neither in multi-auth nor in multi-domain modes.
    What I want to get is an output like this:
    Interface  MAC Address     Method   Domain   Status         Session ID          
    Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
    Fa0/23     b888.e3eb.ebac dot1x    DATA     Authz Success  C0A8FF69000000F8008C (user2)
    Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
    I want the switch to authenticate the users anytime they connect to itself and for them to have an instant access to the network. (I tell this because I tried scenario 1) with multi-domain mode and authentication violation replace, and it worked but, two users never had access to the “Internet” simultaneously!!!
    The configuration of the interface connected to the Dumb switch is as follows.
    interface FastEthernet0/x
     description Connection to DUMBswitch
     switchport mode access
     switchport voice vlan XXX
     switchport port-security maximum 10
     switchport port-security
     switchport port-security violation protect
     authentication host-mode multi-auth
     authentication priority dot1x
     authentication port-control auto
     authentication timer reauthenticate 4000
     authentication violation replace
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    The way I see it is explained in the following steps:
    - PC1 connects to the Dumb switch. This causes the Cisco switch to authenticate user1. This creates an auth. session with its MAC address linked to a domain DATA.
    - When PC2 connects to the Dumb switch, this causes the violation replace, which replaces the most recently authenticated MAC address with the MAC of PC2. I would like it, once authenticated, to appear in the authentication sessions with a link to a new DATA domain linked to the VLAN assigned from the RADIUS server.
    Is this possible? I think (in theory) this is the only way to provide authenticated access to multiple users connecting through Dumb switch to the network.
    Has anybody ever succeeded with such a configuration example? If yes, I would love to get some help in doing so.
    Thank you
    Stoimen Hristov

    Hi Stoimen,
    I have done a setup similar to yours with the only exception being VLAN assignment. When I used dACLs only, it makes things somewhat easier as the VLAN no longer matters. Remember that the switchport is in access mode and will only allow a single VLAN across it (with the exception of the voice VLAN). I think that is the real cause of your problem.
    From what I can see, you have 2 options available to you:
    1) Use dACLs instead of VLAN assignment. This means that an access list will be downloaded from the radius server straight to the authenticated user's session. I have tested this and it works perfectly. Just Google Cisco IBNS quick reference guide and look for the section that deals with Low Impact mode.
    2) Get rid of the dumb switches and use managed switches throughout your network. Dumb switches will always be a point of weakness in your network because they have no intelligence to do advanced security features like port security, 802.1x, DHCP snooping, etc.
    Hopefully someone else will chime in with another option.
    Xavier
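    The two options Xavier contrasts can be seen side by side in a small model of an access port in multi-auth mode. This is an added example, not code from the thread or from Cisco: the RADIUS attribute names are the standard ones (RFC 2868 Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-Id for VLAN assignment, Cisco-AVPair "ip:inacl#N=" for a dACL, "device-traffic-class=voice" for the voice domain), but the switch logic is a simplified assumption that a port has one data VLAN plus the voice VLAN, so the second DATA host authorised into a different VLAN fails while per-session dACLs are bound independently. The MAC addresses are the ones from the show output above.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    mac: str
    domain: str                     # DATA or VOICE, as in 'show authentication sessions'
    status: str                     # "Authz Success" or "Authz Failed"
    vlan: Optional[int] = None
    dacl: list = field(default_factory=list)   # ACEs taken from ip:inacl#N= attributes


class MultiAuthPort:
    """Simplified model (assumption, not Cisco's implementation) of one access port
    in 'authentication host-mode multi-auth': a single data VLAN plus the voice
    VLAN, while a dACL is attached to each authenticated session separately."""

    def __init__(self, access_vlan: int, voice_vlan: int):
        self.access_vlan = access_vlan
        self.voice_vlan = voice_vlan
        self.data_vlan: Optional[int] = None   # fixed by the first authorised DATA host
        self.sessions: dict = {}

    @staticmethod
    def _parse(attrs: dict):
        """Pull the voice flag, VLAN and dACL out of a RADIUS Access-Accept."""
        avpairs = attrs.get("Cisco-AVPair", [])
        voice = "device-traffic-class=voice" in avpairs
        vlan = None
        if attrs.get("Tunnel-Type") == "VLAN" and attrs.get("Tunnel-Medium-Type") == "IEEE-802":
            vlan = int(attrs["Tunnel-Private-Group-Id"])
        dacl = [p.split("=", 1)[1] for p in avpairs if p.startswith("ip:inacl#")]
        return voice, vlan, dacl

    def access_accept(self, mac: str, attrs: dict) -> Session:
        voice, vlan, dacl = self._parse(attrs)
        if voice:
            sess = Session(mac, "VOICE", "Authz Success", self.voice_vlan, dacl)
        else:
            wanted = vlan if vlan is not None else self.access_vlan
            if self.data_vlan is None:
                self.data_vlan = wanted
            if wanted == self.data_vlan:
                sess = Session(mac, "DATA", "Authz Success", self.data_vlan, dacl)
            else:                               # another DATA host wants a different VLAN
                sess = Session(mac, "DATA", "Authz Failed")
        self.sessions[mac] = sess
        return sess

    def show_authentication_sessions(self) -> list:
        return [f"{s.mac}  dot1x  {s.domain:<5}  {s.status}  vlan={s.vlan}  dacl={s.dacl}"
                for s in self.sessions.values()]


def vlan_reply(vlan: int) -> dict:
    """RADIUS reply attributes for dynamic VLAN assignment (RFC 2868)."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": str(vlan)}


def dacl_reply(aces: list) -> dict:
    """RADIUS reply attributes for a downloadable ACL via Cisco-AVPair."""
    return {"Cisco-AVPair": [f"ip:inacl#{i}={ace}" for i, ace in enumerate(aces, 1)]}


PHONE_REPLY = {"Cisco-AVPair": ["device-traffic-class=voice"]}


def run_vlan_scenario() -> dict:
    """Option the poster tried: per-user VLANs on one multi-auth port."""
    port = MultiAuthPort(access_vlan=1, voice_vlan=108)
    return {
        "user1": port.access_accept("0021.9b62.b79b", vlan_reply(10)).status,
        "user2": port.access_accept("b888.e3eb.ebac", vlan_reply(20)).status,
        "phone": port.access_accept("0015.655c.b912", PHONE_REPLY).status,
    }


def run_dacl_scenario() -> dict:
    """Option 1 from the reply: same VLAN for everyone, a dACL per session."""
    port = MultiAuthPort(access_vlan=1, voice_vlan=108)
    u1 = port.access_accept("0021.9b62.b79b", dacl_reply(["permit ip any any"]))
    u2 = port.access_accept("b888.e3eb.ebac",
                            dacl_reply(["permit tcp any any eq 443", "deny ip any any"]))
    return {"user1": (u1.status, u1.dacl), "user2": (u2.status, u2.dacl)}


if __name__ == "__main__":
    print(run_vlan_scenario())
    print(run_dacl_scenario())
```

    In the VLAN scenario the second DATA host ends up "Authz Failed" because the port already carries VLAN 10 for user1; in the dACL scenario both hosts succeed on the same VLAN, each with its own ACL. The constructed "permit tcp any any eq 443" / "deny ip any any" pair stands in for whatever the RADIUS server returns per user; on real IOS the dACL also requires `aaa authorization network` and IP device tracking so the switch can substitute the session's source address.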

  • N80 Firmware fixes ?

    Hi,
    Does anybody know when a bugfixed firmware for the N80 is available?
    By bugfixed I mean one where WiFi EAP-LEAP and PEAP work with hidden SSIDs.
    I still lack any info about users who successfully run an N80 with EAP-PEAP MSCHAPv2 or EAP-LEAP.

    I posted several posts previously on the subject:
    /discussions/board/message?board.id=connectivity&message.id=5731#M5731
    In short: the WiFi client on the N80 doesn't work at all with EAP, as the DHCP part that is supposed to start after a successful user authentication does not start!
    I have only seen this on the N80, as other phones work in the same WiFi environment, e.g. the N91 works.

  • Ise inline Posture


    Understanding the Role of Inline Posture
    An Inline Posture node is a gatekeeper that enforces access policies and handles change of authorization (CoA) requests. An Inline Posture node is positioned behind the network access devices on your network that are unable to accommodate CoA, such as wireless LAN controllers (WLC) and virtual private network (VPN) devices.
    After the initial authentication of a client (using EAP/802.1x and RADIUS), the client must still go through posture assessment. The posture assessment process determines whether the client should be restricted, denied, or allowed full access to the network. When a client accesses the network through a WLC or VPN device, Inline Posture is responsible for the policy enforcement and CoA that these devices are unable to accommodate.
    Inline Posture Policy Enforcement
    Inline Posture uses RADIUS proxy and URL redirect capabilities in the control plane to manage data plane traffic for endpoints. As a RADIUS proxy, Inline Posture is able to tap into RADIUS sessions between network access devices (NADs) and RADIUS servers. NADs can open full gate to client traffic. However, Inline Posture opens only enough to allow limited traffic from clients. The restricted bandwidth allows clients the ability to have an agent provisioned, have posture assessed, and have remediation done. This restriction is accomplished by downloading and installing DACLs that are tailored for specific client flow.
    Upon full compliance, a CoA is sent to the Inline Posture node by the Policy Service ISE node, and full gate is opened by the Inline Posture node for the compliant client endpoint. The RADIUS proxy downloads the full-access DACL, installs it, and associates the client IP address to it. The installed DACL can be common for a number of user groups, so that duplicate downloads are not necessary as long as the DACL content does not change at the Cisco ISE servers.
    The Inline Posture policy enforcement flow illustrated in the figure above follows these steps:
    1. The endpoint initiates a .1X connection to the wireless network.
    2. The WLC, which is a NAD, sends a RADIUS Access-Request message to the RADIUS server (usually the Policy Service ISE node).
    3. Inline Posture node, acting as a RADIUS proxy, relays the Access-Request message to the RADIUS server.
    4. After authenticating the user, the RADIUS server sends a RADIUS Access-Accept message back to the Inline Posture node.
    There can be a number of RADIUS transactions between the Endpoint, WLC, Inline Posture node, and the Cisco ISE RADIUS server before the Access-Accept message is sent. The process described in this example has been simplified for the sake of brevity.
    5. The Inline Posture node passes the Access-Accept message to the WLC, which in turn authorizes the endpoint access, in accordance with the profile that accompanied the message.
    6. The proxied Access-Accept message triggers Inline Posture to send an Authorization-Only request to the Policy Service ISE node, to retrieve the profile for the session.
    7. The Policy Service ISE node returns an Access-Accept message, along with the necessary Inline Posture profile.
    8. If the access control list (ACL) that is defined in the profile is not already available on the Inline Posture node, Inline Posture downloads it from the Policy Service ISE node using a RADIUS request (to the Cisco ISE RADIUS server).
    9. The Cisco ISE RADIUS server sends the complete ACL in response. It is then installed in the Inline Posture data plane so that endpoint traffic passes through it.
    There may be a number of transactions before the complete ACL is downloaded, especially if the ACL is too large for one transaction.
    10. As the endpoint traffic arrives at the WLC, the WLC sends out a RADIUS Accounting-Start message for the session to the Inline Posture node.
    The actual data traffic from the endpoint may arrive at the Inline Posture untrusted side before the Accounting-Start message is received by the Inline Posture node. Upon receiving the RADIUS Accounting-Start message, the Inline Posture node learns the IP address of the endpoint involved in the session and associates the endpoint with the ACL (downloaded and installed earlier in the session). The initial profile for this client endpoint could be restrictive, to posture the client before being given full access.
    11. Assuming the restrictive ACL allows only access to Cisco ISE servers, the endpoint is only allowed actions such as agent downloading and posture assessment over the data plane.
    12. If the client endpoint is posture compliant (as part of the restricted communication with Cisco ISE services earlier), the Policy Service ISE node initiates a RADIUS Change of Authorization (CoA) with the new profile. Hence, a new ACL is applied at the Inline Posture node for the session. The new ACL is installed immediately and applied to the endpoint traffic.
    13. The endpoint is then capable of full access to the enterprise network, as a result of the new profile that was applied to Inline Posture.
    A RADIUS stop message for a given session that is issued from the WLC, resets the corresponding endpoint access at the Inline Posture node.
    Best regards,
    Mantej Mangat
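    The thirteen-step flow quoted above can be traced in a toy model of the Inline Posture node as a RADIUS proxy with a data-plane ACL check. This is an added example, not Cisco or ISE code: the Policy Service node is a stub, the ACL names, IPs and ACE lines are constructed for the example, and the ACE parser handles only the small subset of IOS extended-ACL syntax used here. What it shows is the ordering the text insists on: the ACL is downloaded and cached when the profile arrives (steps 8-9), but is bound to an endpoint only once Accounting-Start reveals its IP (step 10), is swapped in place on CoA (step 12), and is torn down on Accounting-Stop.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip", "tcp" or "udp"
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None

    def matches(self, proto: str, dst_ip: ipaddress.IPv4Address, dport: Optional[int]) -> bool:
        return (self.proto in ("ip", proto) and dst_ip in self.dst
                and (self.dport is None or self.dport == dport))


def _addr(tok, i):
    """Parse 'any' or 'host A.B.C.D' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    raise ValueError(f"unsupported address token {tok[i]!r}")


def parse_acl(lines) -> list:
    """'permit tcp any host 10.1.1.10 eq 8443' -> Ace; source is the bound endpoint."""
    aces = []
    for line in lines:
        tok = line.split()
        _, i = _addr(tok, 2)
        dst, i = _addr(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        aces.append(Ace(tok[0], tok[1], dst, dport))
    return aces


class PolicyServiceNode:
    """Stub for the ISE Policy Service node (constructed users, profiles and ACLs)."""
    ACLS = {
        "POSTURE_REMEDIATION": ["permit tcp any host 10.1.1.10 eq 8443",  # agent/posture to ISE
                                "permit udp any any eq 53",
                                "deny ip any any"],
        "PERMIT_ALL": ["permit ip any any"],
    }
    USERS = {"alice": "POSTURE_REMEDIATION", "bob": "POSTURE_REMEDIATION"}

    def access_request(self, user: str):
        if user in self.USERS:
            return "Access-Accept", {"acl": self.USERS[user]}   # profile names the initial ACL
        return "Access-Reject", {}

    def download_acl(self, name: str) -> list:
        return self.ACLS[name]


class InlinePostureNode:
    """RADIUS proxy between the NAD (WLC) and the PSN, plus the data-plane check."""

    def __init__(self, psn: PolicyServiceNode):
        self.psn = psn
        self.acl_cache = {}     # ACL name -> ACEs, shared by every session using that name
        self.sessions = {}      # session id -> ACL name currently authorised
        self.endpoints = {}     # endpoint IP -> session id, learned from Accounting-Start
        self.downloads = 0

    def _ensure_acl(self, name: str) -> None:
        if name not in self.acl_cache:              # steps 8-9: download only if missing
            self.acl_cache[name] = parse_acl(self.psn.download_acl(name))
            self.downloads += 1

    def proxy_access_request(self, session_id: str, user: str) -> str:
        code, attrs = self.psn.access_request(user)  # steps 3-7 collapsed into one exchange
        if code == "Access-Accept":
            self._ensure_acl(attrs["acl"])
            self.sessions[session_id] = attrs["acl"]
        return code

    def accounting_start(self, session_id: str, endpoint_ip: str) -> None:
        if session_id in self.sessions:             # step 10: endpoint IP becomes known here
            self.endpoints[endpoint_ip] = session_id

    def coa(self, session_id: str, new_acl: str) -> None:
        if session_id in self.sessions:             # step 12: new ACL applied immediately
            self._ensure_acl(new_acl)
            self.sessions[session_id] = new_acl

    def accounting_stop(self, session_id: str) -> None:
        self.sessions.pop(session_id, None)         # Accounting-Stop resets the endpoint
        self.endpoints = {ip: s for ip, s in self.endpoints.items() if s != session_id}

    def forward(self, src_ip: str, proto: str, dst_ip: str, dport: Optional[int] = None) -> bool:
        """Decision for one packet arriving on the untrusted side."""
        acl_name = self.sessions.get(self.endpoints.get(src_ip))
        if acl_name is None:
            return False                            # no session bound to this IP: drop
        dst = ipaddress.ip_address(dst_ip)
        for ace in self.acl_cache[acl_name]:
            if ace.matches(proto, dst, dport):
                return ace.action == "permit"
        return False                                # implicit deny


def run_flow() -> dict:
    """Walk one endpoint through accept, restricted access, CoA and teardown."""
    ipn = InlinePostureNode(PolicyServiceNode())
    ise, web, ep = "10.1.1.10", "93.184.216.34", "10.20.0.5"   # constructed addresses
    r = {"accept": ipn.proxy_access_request("S1", "alice")}
    r["before_acct_start"] = ipn.forward(ep, "tcp", ise, 8443)  # IP not yet learned
    ipn.accounting_start("S1", ep)
    r["posture_to_ise"] = ipn.forward(ep, "tcp", ise, 8443)
    r["web_while_restricted"] = ipn.forward(ep, "tcp", web, 443)
    ipn.coa("S1", "PERMIT_ALL")                                 # PSN judged it compliant
    r["web_after_coa"] = ipn.forward(ep, "tcp", web, 443)
    ipn.accounting_stop("S1")
    r["after_acct_stop"] = ipn.forward(ep, "tcp", web, 443)
    ipn.proxy_access_request("S2", "bob")                       # same profile: cache hit
    r["acl_downloads"] = ipn.downloads
    r["reject"] = ipn.proxy_access_request("S3", "mallory")
    return r


if __name__ == "__main__":
    for k, v in run_flow().items():
        print(f"{k:<22} {v}")
```

    The point worth checking in a real deployment is the window the model makes explicit: between Access-Accept and Accounting-Start the node has an ACL but no endpoint IP to attach it to, so traffic from the endpoint is dropped rather than given the restricted profile. The download counter also shows the caching the text describes: two sessions with the same profile cost one ACL download.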

  • Wireless hreap solution.

    Hello
    My organization is planning to implement wireless solution. We will have 40 APs.
    I want wireless traffic not to go through the controller. Can I use HREAP to accomplish this, or is there another solution?
    If I use only one controller to manage these APs, what will happen if the controller breaks down? Will the wireless LAN continue to work without the controller, or do I need a second controller?
    Thanks in Advance

    A quick answer would be: it depends on your deployment.
    If users in remote offices need a RADIUS server to authenticate to (if you use EAP/802.1x, i.e. WPA/WPA2 Enterprise), then you either need to make the traffic go to the controller OR install a RADIUS server in every remote office.
    If you use something like WPA-PSK, then the APs can work fine if the connection to the controller is lost.
    This was a quick answer.
    For a more detailed answer I think you need to read the HREAP deployment guide. You'll find answers to most of your questions.
    Here is the link:  http://tiny.cc/0wd4pw
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"
