Security

last person joined: 3 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Auth priority vs auth order

Jump to Best Answer
  • 1.  Auth priority vs auth order

    Posted Mar 04, 2019 04:46 PM
    Hi,

    I am trying to figure out the difference while configuring Cisco switch between the command
    Authentication priority dot1x mab

    And

    Authentication order dot1x mab

    Also what does fallback actually means ?

    Does it mean that when dot1x fail then next try for mab ?


  • 2.  RE: Auth priority vs auth order

    Posted Mar 04, 2019 04:48 PM
    Auth order is the order in which they fire.

    Auth priority means which result will take precedence for an accept.


  • 3.  RE: Auth priority vs auth order

    Posted Mar 04, 2019 04:51 PM
    Ok thanks Tim

    Do we need to configure both commands ?

    My need is to always give priority to dot1x and then mab on per port basis

    What if I don't define order command ? Is there any global way to always make an order dot1x and then mab ?


  • 4.  RE: Auth priority vs auth order
    Best Answer

    Posted Mar 04, 2019 04:53 PM
    You should always define both. Generally you want dot1X to fire first and dot1X to take priority.


  • 5.  RE: Auth priority vs auth order

    Posted Mar 04, 2019 05:18 PM
    Ok thanks Tim as always


  • 6.  RE: Auth priority vs auth order

    Posted Mar 02, 2020 05:26 AM

    We're you able to successfully implement this?

     

    I try to achieve that dot1x takes place first followed by mac auth because we enforce a mac default role to place the clients into a guest role. Due to parallel authentication (2930F switch) mac auth takes place first (maybe only 500ms earlier than dot1x enforcement) almost everytime. During this time clients are already getting a IP address from the guest network and the dhcp reservers an IP address for a client that doesn't need one.

     

    To solve this issue I configured "aaa port-access auth-order authenticator mac-based". Due to default dot1x supplicant-timeout I set the timeout to 3secs in the hope MAC auth takes place if there is no dot1x after 3 secs. However it takes about 90secs unitl mac auth is performed (starting from "… m8021xCtrl:Port 3: connection detected.")

     

    Debug Logs:

     

    0000:00:23:29.58 1X   m8021xCtrl:Port 3: connection detected.

    0000:00:23:29.58 1X   m8021xCtrl:Port 3: sent ReqId #1 to 0180c2-000003.

    0000:00:23:29.64 1X   m8021xCtrl:Port 3: added new client 9457a5-be3040.

    0000:00:23:58.60 1X   m8021xCtrl:Port 3: sent ReqId #1 to 9457a5-be3040.

    0000:00:23:58.60 1X   m8021xCtrl:Port 3:No. of EAP Id request sent: 1 to

       client:9457a5-be3040.

    0000:00:24:28.60 1X   m8021xCtrl:Port 3: sent ReqId #1 to 9457a5-be3040.

    0000:00:24:28.60 1X   m8021xCtrl:Port 3:No. of EAP Id request sent: 2 to

       client:9457a5-be3040.

    0000:00:24:58.60 1X   m8021xCtrl:Port 3: There is no EAP response from

       client:9457a5-be3040

    0000:00:24:58.60 AUOR  m8021xCtrl:Auth Order: Port 3:Added auth order client:

       9457a5-be3040.

    0000:00:24:58.60 AUOR  m8021xCtrl:Auth Order: Port 3: Client status updated for

       client: 9457a5-be3040, auth-method: 1 , auth-state: 1 .

    0000:00:24:58.60 1X   m8021xCtrl:Port 3:Auth order: Mac authentication will be

       triggered client: 9457a5-be3040 as there is no EAP response.

    0000:00:24:58.60 AUOR  m8021xCtrl:Port 3:Mac authentication is triggered for

       client: 9457a5-be3040

    0000:00:24:58.60 1X   m8021xCtrl:Port 3: Deleted Client 9457a5-be3040User (null)

       from Client-List

    0000:00:24:58.60 MAC  mWebAuth:Port: 3 MAC: 9457a5-be3040 new client detected on

       vid: 1.

    0000:00:24:58.60 MAC  mWebAuth:Port: 3 MAC: 9457a5-be3040 RADIUS CHAP

       authentication started, session: 8.

    0000:00:24:58.64 MAC  mWebAuth:Port: 3 MAC: 9457a5-be3040 RADIUS Attributes,

       vid: 64.

    0000:00:24:58.64 MAC  mWebAuth:Port: 3 MAC: 9457a5-be3040 [8] client accepted

       with role 'guest'.

    0000:00:24:58.64 MAC  mWebAuth:Port: 3 MAC: 9457a5-be3040 client successfully

       placed into vid: 64.

    0000:00:24:58.64 AUOR  mWebAuth:Auth Order: Port 3: Client status updated for

       client: 9457a5-be3040, auth-method: 2 , auth-state: 2 .

    0000:00:25:00.60 1X   m8021xCtrl:Port 3: sent ReqId #1 to 0180c2-000003.

     

     

    Portconfig:

     

    interface 3

       name "NAC"

       qos trust dscp

       rate-limit bcast in percent 2

       rate-limit mcast in percent 2

       untagged vlan 2000

       aaa port-access authenticator

       aaa port-access authenticator supplicant-timeout 3

       aaa port-access authenticator client-limit 16

       aaa port-access mac-based

       aaa port-access mac-based addr-limit 16

       aaa port-access controlled-direction in

       aaa port-access auth-order authenticator mac-based

       spanning-tree admin-edge-port

       spanning-tree bpdu-protection

       exit

     

    Tested with:

     

    WC.16.10.0005

    WC.16.09.0004

     

    I configured "aaa port-access authenticator max-eap-retries 1" this saves 30sec. This shows me the "aaa port-access authenticator supplicant-timeout 3" does not take place.

     

    Otherwise I have to implement a "WAITFOR" in the SQL query for querying the Clearpass Guest Device Repository to achieve a mac auth delay.

     

    Are there any other options?



  • 7.  RE: Auth priority vs auth order

    Posted Apr 10, 2020 09:46 AM

    Hi!

     

    For instance you can reduce the tx-period (default 30 sec.):

    aaa port-access authenticator 2/I20 tx-period 10

     

    With this example you can reduce the time between the first 802.1x try and receiving the mac auth role to 25 to 30 seconds (realtime, from pluging in the cable).

     



  • 8.  RE: Auth priority vs auth order

    Posted Apr 14, 2020 03:33 AM

    After a few lab tests may I say the following interface config is needed to speed up the dot1x process in order to perform mac-authentication:

     

    aaa port-access authenticator <INTERFACE> tx-period 1

    aaa port-access authenticator <INTERFACE> max-eap-retries 1

    aaa port-access <INTERFACE> auth-order authenticator mac-based

    aaa port-access <INTERFACE> auth-priority authenticator mac-based

     

    With this configuration mac-authentication is performed after 4-5 seconds which is acceptable. We didn't gain any experience in a operative environment with it so far (only lab) but we'll see how the config is going to affect dot1x clients soon.



  • 9.  RE: Auth priority vs auth order

    Posted Apr 14, 2020 04:54 AM

    Yes, I would also test this short tx-period with all your 802.1x clients.
    If they miss the 802.1x period, they my fall back to mac auth...