Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

802.1x wired recommendations

  • 1.  802.1x wired recommendations

    Posted Feb 23, 2015 01:42 PM

    I'm setting up 802.1x for wireless and wired. Here are the requirements:

    Employee SSID: Domain credentials and Machine account = yes = allow on the network

    BYOD = check endpoint repository if mac = Known = allow on the network

    Here is what I set up for that; it's working, but I need confirmation that it looks good and that machine authentication is set up correctly:

     

    I pretty much want to do the same thing for wired. Can I set up the above with an 802.1x wired service? Any gotchas or recommendations? How are VLANs assigned? In a wired scenario, is it common to require all Windows devices to have dot1x enabled (Wired AutoConfig)? If enabling Wired AutoConfig, will that cause issues when they take their laptops to outside networks not requiring 802.1x?

    Wired and wireless 802.1x: is there a specific order they need to be in?



  • 2.  RE: 802.1x wired recommendations

    Posted Feb 23, 2015 01:48 PM

    What switch are you using?



  • 3.  RE: 802.1x wired recommendations

    Posted Feb 23, 2015 03:28 PM
    Cisco switches. We have already implemented aruba cisco switch 802 settings.


  • 4.  RE: 802.1x wired recommendations

    Posted Feb 23, 2015 03:48 PM
    In terms of implementation it should be similar to an Aruba switch, but instead of returning an Aruba role or VLAN, just create a VLAN enforcement profile and then add the VLAN you would like to test.

    If you want to allow non-802.1x devices to authenticate you can use Cisco MAB or use a fail-open VLAN.


  • 5.  RE: 802.1x wired recommendations

    Posted Feb 23, 2015 03:49 PM

    Hi Kong_Down,

    Here's a list of some of your questions:

    1. Will enabling 802.1X on the wired cause an issue when they're not in the office?

    No, if it's configured correctly. Make sure that "Fallback to unauthorized network access" is checked under the Authentication tab for the wired interface. If not, then yes, it will cause an issue.

    2. Sending VLANs on a Cisco

    Go to Configuration > Enforcement > Profiles > Add > Template > VLAN Enforcement

    The Tunnel-Private-Group-Id will be the VLAN the user will receive on a switch. You can also send a VLAN ID / name on a Cisco switch to scale the solution.

    Hope it helps!

    -Mike



  • 6.  RE: 802.1x wired recommendations

    Posted Feb 25, 2015 12:43 PM

    Hey guys, I was successful with the VLAN template for 802.1x wired users but not the non-802.1x users. My plan was to enable the endpoint repository as the authenticator and, if the MAC = Known, then allow. That doesn't seem to work. Not sure what MAB is. Instructions or recommendations? thxs much



  • 7.  RE: 802.1x wired recommendations

    EMPLOYEE
    Posted Feb 25, 2015 12:45 PM
    Are you seeing requests come in?



    Do you have "Allow All MAC Auth" as your authentication method?


  • 8.  RE: 802.1x wired recommendations

    Posted Feb 25, 2015 01:21 PM

    You will need MAB configured on the Cisco switch.

    MAB is MAC Auth Bypass and allows you to authenticate users when 802.1x fails; then it will do MAC authentication. You can define the order in the interface:

    interface <INTERFACE-NAME>
    switchport mode access
    ! no-response: a client that never answers EAP (no supplicant) is put in the guest VLAN
    authentication event no-response action authorize vlan <GUEST-VLANID>
    ! order = the sequence of methods tried on the port; priority = which method may
    ! take over a session already authorized by a lower-priority method
    authentication order dot1x mab
    authentication priority dot1x mab
    ! auto = port stays unauthorized until one of the methods succeeds
    authentication port-control auto
    ! re-authenticate periodically, with the interval taken from the RADIUS server
    authentication periodic
    authentication timer reauthenticate server
    ! enable MAC Authentication Bypass (client MAC sent to ClearPass as the username)
    mab
    spanning-tree portfast

     



  • 9.  RE: 802.1x wired recommendations

    Posted Feb 25, 2015 03:02 PM

    So the MAB settings are all set up correctly. I'm finally seeing logs. Again, 802.1x works fine. It's the non-802.1x clients I'm trying to configure. The non-802.1x client failed attempts are showing as "Failed to classify service"; see my attached settings. Let me know what I need to change. This service is handling both 802.1x and non-802.1x requests on wired. Maybe I need to set up a separate non-802.1x service?



  • 10.  RE: 802.1x wired recommendations

    EMPLOYEE
    Posted Feb 25, 2015 03:03 PM

    You need two different services. One for MAC-auth and one for 802.1X.



  • 11.  RE: 802.1x wired recommendations

    Posted Feb 25, 2015 03:17 PM
    Can you provide instructions on setting this up for wired MAC auth (non-802.1x), please?

    Jeremy Rouse
    Technical Specialist II, Bird Rock Systems, Inc.
    Phone: (858) 346-1384

    "We Build Rock Solid Solutions"
    www.birdrockusa.com


  • 12.  RE: 802.1x wired recommendations

    EMPLOYEE
    Posted Feb 25, 2015 03:19 PM

    There is a device MAC authentication service template

     

    Have you considered working with an Aruba partner?



  • 13.  RE: 802.1x wired recommendations

    Posted Feb 25, 2015 03:36 PM

    What I am trying to do is, I'm guessing, fairly easy for CPPM experts. The MAC device template won't work. I have collected all my MAC addresses in the endpoint repository. I have set the authorized ones to Known. It works for wireless. I need to get it to work for wired. Basically, a user plugs a non-802.1x computer/printer/etc. into a wired port, it calls CPPM for MAC authentication/authorization and checks the endpoint repository for MAC equals Known and allows it on the network. Any instructions are helpful - please



  • 14.  RE: 802.1x wired recommendations

    Posted Feb 25, 2015 04:21 PM

    Like cappalli suggested, you just need to create a new MAC AUTH template, then add the Endpoint DB as an authorization source, and finally add your logic so that if the device status is Known it assigns the VLAN enforcement profile.

    (attached screenshot: 2015-02-25 16_18_57-ClearPass Policy Manager - Aruba Networks.png)



  • 15.  RE: 802.1x wired recommendations

    Posted Feb 25, 2015 05:03 PM
    Thanks. I figured out that MAC auth is not difficult. The issue appears to be that I'm not seeing requests hit CPPM. I'm thinking it's the 2960 switch. I have MAB set up per your recommendations, but still no joy.


  • 16.  RE: 802.1x wired recommendations

    EMPLOYEE
    Posted Feb 25, 2015 05:05 PM
    Please export and attach the access tracker request. 


    Thanks, 
    Tim


  • 17.  RE: 802.1x wired recommendations

    Posted Mar 02, 2015 02:02 PM

    See attached. Again, the 802.1x wired works. MAB does not. Looks like MAB requests are getting denied by 802.1x responses. Do I need to create a separate service for the non-802.1x requests?

    Attachment: Dashboard_Details.txt (2 KB)


  • 18.  RE: 802.1x wired recommendations

    Posted Mar 02, 2015 02:03 PM

    Attachment: Request_Logs.txt (15 KB)


  • 19.  RE: 802.1x wired recommendations

    Posted Mar 02, 2015 02:35 PM

    attached - thxs 



  • 20.  RE: 802.1x wired recommendations

    EMPLOYEE
    Posted Mar 02, 2015 04:36 PM

    Kong_Down,

     

    Click on "Reorder" to move your mac authentication service to the top.  It looks like your mac authentication is hitting your 802.1x service.  Your mac authentication service is more specific and needs to be at the top to check to make sure the "connection client mac address = username". 
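
    The service-ordering problem in this thread, as an added illustration that is not ClearPass or Cisco code: a constructed model of an ordered list of ClearPass services, a MAC-auth service whose extra rule is "username equals client MAC" checked against an endpoint repository, and the RFC 2868 tunnel attributes a VLAN enforcement profile returns. The service names, the loose "any wired request" rule on the 802.1X service, the VLAN numbers, the MAC addresses and the request attributes are all assumptions made for the example; run it to see a MAB request land in the 802.1X service (and get rejected) before the reorder, and in the MAC-auth service after it.

```python
# Added example (not ClearPass or Cisco code): ordered service classification,
# endpoint-repository MAC auth and VLAN enforcement, modelled after the thread.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Request = Dict[str, str]                  # RADIUS attribute name -> value (constructed)
Enforcement = Optional[Dict[str, str]]    # None models an Access-Reject


@dataclass
class Service:
    name: str
    rules: List[Callable[[Request], bool]]      # every rule must match to classify
    evaluate: Callable[[Request], Enforcement]  # authentication + enforcement policy


# Constructed endpoint repository (assumption): normalized MAC -> status.
ENDPOINT_REPOSITORY = {
    "001122334455": "Known",    # e.g. a printer the admin marked Known
    "66778899aabb": "Unknown",  # seen before, never authorized
}


def norm_mac(value: str) -> str:
    """Reduce '00-11-22-33-44-55', '0011.2233.4455' or '001122334455' to one form."""
    return "".join(ch for ch in value.lower() if ch in "0123456789abcdef")


def vlan_enforcement(vlan_id: int) -> Dict[str, str]:
    """Attributes a VLAN enforcement profile returns to the switch (RFC 2868)."""
    return {
        "Tunnel-Type": "VLAN",             # numeric value 13
        "Tunnel-Medium-Type": "IEEE-802",  # numeric value 6
        "Tunnel-Private-Group-Id": str(vlan_id),
    }


def is_wired(req: Request) -> bool:
    return req.get("NAS-Port-Type") == "Ethernet"


def username_is_client_mac(req: Request) -> bool:
    """The MAB-specific rule: the switch sends the client MAC as User-Name."""
    user = norm_mac(req.get("User-Name", ""))
    return len(user) == 12 and user == norm_mac(req.get("Calling-Station-Id", ""))


def mac_auth(req: Request) -> Enforcement:
    """Authorization source = endpoint repository; allow only status Known."""
    status = ENDPOINT_REPOSITORY.get(norm_mac(req.get("Calling-Station-Id", "")))
    return vlan_enforcement(100) if status == "Known" else None   # VLAN 100 assumed


def dot1x(req: Request) -> Enforcement:
    """Stand-in for the EAP exchange. A MAB request carries no EAP-Message, so it
    can never succeed here: that is the 'MAB denied by 802.1x' symptom."""
    if "EAP-Message" in req and req.get("Verified-Identity") == "true":
        return vlan_enforcement(10)   # VLAN 10 assumed
    return None


# Assumed services: the 802.1X service matches any wired request (loose), the
# MAC-auth service adds the client-MAC rule and is therefore more specific.
WIRED_DOT1X = Service("Wired 802.1X", [is_wired], dot1x)
WIRED_MAC_AUTH = Service("Wired MAC Auth", [is_wired, username_is_client_mac], mac_auth)

BEFORE_REORDER = [WIRED_DOT1X, WIRED_MAC_AUTH]   # what the thread started with
AFTER_REORDER = [WIRED_MAC_AUTH, WIRED_DOT1X]    # the fix: specific service on top


def classify(services: List[Service], req: Request) -> Optional[Service]:
    """First service whose rules all match wins, like the ordered list in
    ClearPass; None is the 'Failed to classify service' case."""
    for service in services:
        if all(rule(req) for rule in service.rules):
            return service
    return None


def process(services: List[Service], req: Request) -> Tuple[str, Enforcement]:
    service = classify(services, req)
    if service is None:
        return "Failed to classify service", None
    return service.name, service.evaluate(req)


# Constructed requests in the shape a Cisco switch sends them.
MAB_KNOWN = {"NAS-Port-Type": "Ethernet", "Service-Type": "Call-Check",
             "User-Name": "001122334455", "Calling-Station-Id": "00-11-22-33-44-55"}
MAB_UNKNOWN = {**MAB_KNOWN, "User-Name": "66778899aabb",
               "Calling-Station-Id": "66-77-88-99-AA-BB"}
DOT1X_LAPTOP = {"NAS-Port-Type": "Ethernet", "Service-Type": "Framed-User",
                "User-Name": "host/laptop01.corp.example",
                "Calling-Station-Id": "AA-BB-CC-DD-EE-FF",
                "EAP-Message": "<eap payload>", "Verified-Identity": "true"}

if __name__ == "__main__":
    for order, label in ((BEFORE_REORDER, "before reorder"), (AFTER_REORDER, "after reorder")):
        for name, req in (("MAB known", MAB_KNOWN), ("MAB unknown", MAB_UNKNOWN),
                          ("802.1X laptop", DOT1X_LAPTOP)):
            print(f"{label:15} {name:14} -> {process(order, req)}")
```

    The point to take from the model is the one Tim makes: ordering is the classifier, so the service with the narrower rule set has to sit above the broad one, and a wrong order surfaces in Access Tracker as the right request type hitting the wrong service rather than as an obvious error.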



  • 21.  RE: 802.1x wired recommendations

    Posted Mar 05, 2015 02:10 PM

    This is resolved, thxs



  • 22.  RE: 802.1x wired recommendations

    EMPLOYEE
    Posted Mar 02, 2015 02:12 PM

    Do you have a MAC-auth service? Can you post a screenshot of it?