Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Cisco 9300 Client timeout

  • 1.  Clearpass Cisco 9300 Client timeout

    Posted Mar 21, 2022 11:28 AM
    Over the last 2 days, I swapped out an older Cisco switch with a new Cisco 9300.  I have added the config for dot1x authentication.  When I add the config to the switch ports for client auth, I am getting authentication failed due to client timeout, no response from the client.  

    I have verified the config for the switch on the Clearpass server is correct.  I have checked my config on the switch so many times.  I deleted the config and re-added with no change.   Here is my switch config:

    Global config

    aaa group server radius RASERV
    server name RASERV-1
    server name RASERV-6

    aaa authentication dot1x default group RASERV
    aaa authorization network default group RASERV
    aaa accounting dot1x default start-stop group RASERV

    aaa server radius dynamic-author
     client 10.15.64.218 server-key Aruba123!
     client 10.8.8.84 server-key Aruba123!
     port 3799
     auth-type all

    radius server RASERV-1
     address ipv4 10.15.64.218 auth-port 1645 acct-port 1646
     key Aruba123!

    radius server RASERV-6
     address ipv4 10.8.8.84 auth-port 1645 acct-port 1646
     key Aruba123!

    Port config

    authentication host-mode multi-auth
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication violation protect
    mab
    storm-control broadcast level 5.00
    dot1x pae authenticator
    dot1x timeout server-timeout 10
    dot1x timeout tx-period 10


    Do any of you smart people have any suggestions?  Also, I have searched everything I can and have not found where anyone else has posted the same issue.

    Thanks in advance

    ------------------------------
    Michael McNeely
    ------------------------------


  • 2.  RE: Clearpass Cisco 9300 Client timeout

    EMPLOYEE
    Posted Apr 01, 2022 03:13 PM
    Have you looked at the ClearPass wired authentication guide here?  https://support.hpe.com/hpesc/public/docDisplay?docId=a00091135en_us

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: Clearpass Cisco 9300 Client timeout

    Posted Apr 04, 2022 10:36 AM
    I have the following config running on a 9300 with no issues:

    dot1x system-auth-control
    ip dhcp snooping
    !
    aaa group server radius CLEARPASS_radius
     server name CPPM1
    !
    aaa authentication dot1x default group CLEARPASS_radius
    aaa authorization network default group CLEARPASS_radius
    aaa accounting dot1x default start-stop group CLEARPASS_radius
    !
    aaa server radius dynamic-author
     client [cppm1 ip] server-key [key]
     port 3799
     auth-type all
    !
    ip radius source-interface Vlan601
    radius-server attribute 32 include-in-access-req format %h
    radius-server attribute 32 include-in-accounting-req format %h
    radius-server source-ports extended
    !
    radius server CPPM1
     address ipv4 [cppm1 ip] auth-port 1812 acct-port 1813
     key [key]
    !
    interface GigabitEthernet1/0/20
     switchport access vlan 101
     switchport mode access
     no logging event link-status
     authentication host-mode multi-auth
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     mab
     no snmp trap link-status
     dot1x pae authenticator
     dot1x timeout tx-period 5
     dot1x max-req 3
     dot1x max-reauth-req 3
     spanning-tree portfast


    ------------------------------
    Evan Fisher
    ------------------------------



  • 4.  RE: Clearpass Cisco 9300 Client timeout

    MVP
    Posted Apr 11, 2022 02:38 AM
    Hi,

    On the C9x00 Series, you need to create Policy Maps and assign them to the port. Here is an example of what we have deployed:

    policy-map type control subscriber CLEARPASS_POLICY_MAP
     event session-started match-all
      10 class always do-until-failure
       10 authenticate using dot1x retries 2 retry-time 0 priority 10
       20 authenticate using mab priority 20
     event authentication-failure match-first
      5 class DOT1X_FAILED do-until-failure
       10 terminate dot1x
       20 authenticate using mab priority 20
      10 class DOT1X_NO_RESP do-until-failure
       10 terminate dot1x
       20 authenticate using mab priority 20
      20 class MAB_FAILED do-until-failure
       10 terminate mab
       20 authentication-restart 60
      40 class always do-until-failure
       10 terminate dot1x
       20 terminate mab
       30 authentication-restart 60
     event agent-found match-all
      10 class always do-until-failure
       10 terminate mab
       20 authenticate using dot1x retries 2 retry-time 0 priority 10
     event authentication-success match-all
      10 class always do-until-failure
       10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE

    Then, in the interface, the configuration looks something like this:
    interface GigabitEthernet1/0/1
     description None
     switchport access vlan 999
     switchport mode access
     switchport voice vlan XYZ
     device-tracking attach-policy policy-og
     authentication periodic
     authentication timer reauthenticate server
     access-session closed
     access-session port-control auto
     mab
     dot1x pae authenticator
     dot1x timeout server-timeout 30
     dot1x max-req 3
     dot1x max-reauth-req 3
     spanning-tree portfast
     service-policy type control subscriber CLEARPASS_POLICY_MAP

    ------------------------------
    Shpat | MVP 2021 | ACEP | ACMP | ACCP | ACDP |
    ------------------------------



  • 5.  RE: Clearpass Cisco 9300 Client timeout

    MVP
    Posted Apr 26, 2022 10:22 AM
    We have 9300 switches running without issue, didn't have to create any policy maps. I think you're missing "dot1x system-auth-control" in the configuration snippet you provided. Is that on the switch?

    The other thing would be checking the end device connecting to the port, that device needs wired 802.1X enabled as well for it to pass credentials.

    ------------------------------
    Michael Haring
    ------------------------------
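An added example, not part of this thread or of any HPE/Cisco tool: a small Python lint that parses a Catalyst running-config fragment into stanzas and checks the items the replies point at (global `dot1x system-auth-control`, each `radius server` having an address and key, authenticator ports having `port-control auto`, and any `service-policy type control subscriber` referring to a policy-map that exists). The sample input is the original poster's config with the shared secret replaced by a placeholder; the interface name is assumed.

```python
# Constructed sample: the original poster's global and port config from this
# thread as one running-config fragment; secret replaced by a placeholder.
SAMPLE_CONFIG = """\
aaa authentication dot1x default group RASERV
radius server RASERV-1
 address ipv4 10.15.64.218 auth-port 1645 acct-port 1646
 key [key]
interface GigabitEthernet1/0/1
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
"""


def parse_stanzas(config):
    # An unindented line opens a stanza; indented lines belong to the last one.
    stanzas = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw[0].isspace():
            stanzas.append((raw.strip(), []))
        elif stanzas:
            stanzas[-1][1].append(raw.strip())
    return stanzas


def lint_dot1x(config):
    """Return findings for the 802.1X-relevant parts of a Catalyst config."""
    stanzas = parse_stanzas(config)
    headers = [h for h, _ in stanzas]
    findings = []
    if "dot1x system-auth-control" not in headers:
        findings.append("global: 'dot1x system-auth-control' missing, so 802.1X "
                        "is not enabled switch-wide")
    policy_maps = {h.split()[-1] for h in headers
                   if h.startswith("policy-map type control subscriber")}
    for header, children in stanzas:
        if header.startswith("radius server"):
            if not all(any(c.startswith(p) for c in children)
                       for p in ("address ipv4", "key ")):
                findings.append(f"{header}: needs both 'address ipv4' and 'key'")
        elif header.startswith("interface"):
            if "dot1x pae authenticator" in children and not any(
                    c.endswith("port-control auto") for c in children):
                findings.append(f"{header}: authenticator without 'port-control auto'")
            for c in children:
                if c.startswith("service-policy type control subscriber") and \
                        c.split()[-1] not in policy_maps:
                    findings.append(f"{header}: undefined policy-map {c.split()[-1]}")
    return findings
```

Run it against a pasted `show running-config` before opening a case; on the sample it reports only the missing global command.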