06-27-2013 11:48 AM
I'm comparing some of the functionality between Catalyst switches and Mobility switches, and I need to know if it's possible to fail through from 802.1X, to MAB, to Captive Portal, with a Mobility switch? I'm pretty sure failing from 802.1X to MAB is trivial, but I'm not sure about captive portal. The reason I ask is that I'd like to have a single port configuration for all edge ports that can serve every device/user connecting, whether it's a corporate laptop, VoIP phone, printer, BYOD device, guest, etc. I don't want to have to change port profiles on a port if people move around.
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Solved! Go to Solution.
06-27-2013 04:31 PM
The Mobility Access Switch can support 802.1x, MAC Auth and captive portal at the same time on the same physical port. There are a few ways to configure it. The way I would configure it is that the AAA Profile is configured with MAC-Auth and Dot1x enabled with an initial role of denyall. The denyall user role will prevent the client from getting an IP address until it passes authentication which is useful to ensure that even if you switch VLANs on the client based upon authentication, it doesn't have the IP from the initial role VLAN even after you changed VLANs. You would then write a rule on your Radius server that if the MAC is unknown then send it to a user-role on the MAS that is configured with a Captive Portal.
Alternatively, if your Radius server doesn't allow this type of policy definition, you could have the initial role include a captive portal however the issue you may run into is with the IP address assignment as mentioned above. If dot1x for example is delayed, the client may get the IP address from the initial role only to re-assigned to a different VLAN where it "should" re-DHCP to get the proper IP address. One way to manage this is to use a short DHCP lease timer on the vlan used by the initial role.