They’re all domain joined windows machines all machine authenticating … then. Noon on the 1st October .. nothing
Original Message:
Sent: 10/8/2024 11:12:00 AM
From: lord
Subject: RE: Issue with windows eap-tls auth on authenticating switch
OK, then the question is whether the endpoint is not doing dot1X authentication or the switch is not forwarding it.
Have you already activated debugging on the switch?
debug destination session
debug security port-access authenticator include port 2
debug security radius-server
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
Original Message:
Sent: Oct 08, 2024 08:31 AM
From: alexs-nd
Subject: Issue with windows eap-tls auth on authenticating switch
Hi,
Many thanks for the reply. The config snippet was just an example of our config (well, my switch at home actually) and yes, I know about the sh port-access config command.
For the systems going wrong we did have
aaa port-access authenticator 1/1-1/48 with all the corresponding authenticator and mac-based lines.
The dot1x auths just stopped appearing on ClearPass, with only MAC auths appearing.
For the auth-disabled ports, for those with APs (doing MAC auth), re-enabling MAC auth just worked. Re-enabling dot1x and MAC auth on a Windows-connected port … no dot1x auths visible, only MAC auths.
A
Original Message:
Sent: 10/8/2024 7:12:00 AM
From: lord
Subject: RE: Issue with windows eap-tls auth on authenticating switch
According to your running config, 802.1x authentication is deactivated. All ports with activated 802.1x authentication must be displayed above the line "aaa port-access authenticator 1/1 tx-period 10", similar to the MAC-Auth "aaa port-access mac-based 1/14,1/23,1/33,1/35,1/47,2/23,2/35,2/47".
You can check the current config status with "show port-access config", it must look similar to this:
SW01(config)# sh port-access config

 Port Access Status Summary

  Port-access authenticator activated [No] : Yes
  Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
  Use LLDP data to authenticate [No] : No
  Dot1X EAP Identifier Compliance [Disabled] : Disabled
  Allow incremental EAP identifier only [Disabled] : Disabled

        802.1X 802.1X Web    Mac    LMA   Cntrl Mixed Speed
  Port  Supp   Auth   Auth   Auth   Auth  Dir   Mode  VSA   MBV
  ----- ------ ------ ------ ------ ----- ----- ----- ----- ---
  1     No     No     No     No     No    in    No    No    Yes
  2     No     Yes    No     No     No    in    No    No    Yes
  3     No     No     No     No     No    in    No    No    Yes
  4     No     No     No     No     No    both  No    No    Yes
  5     No     No     No     No     No    in    No    No    Yes
  6     No     No     No     No     No    both  No    No    Yes
  7     No     No     No     No     No    both  No    No    Yes
  8     No     No     No     No     No    in    No    No    Yes
  9     No     No     No     No     No    both  No    No    Yes
  10    No     No     No     No     No    both  No    No    Yes

SW01(config)#
This is how it should look in the running config; here 802.1x authentication is only activated for port 2, and that port is listed above the configuration settings. 802.1x authentication is configured for port 1, but not activated.
aaa authentication port-access eap-radius
aaa port-access authenticator 2
aaa port-access authenticator 1 client-limit 2
aaa port-access authenticator 2 tx-period 15
aaa port-access authenticator 2 supplicant-timeout 15
aaa port-access authenticator 2 max-eap-retries 1
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
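The check above (a bare "aaa port-access authenticator <ports>" line activates 802.1X on a port, while lines with a trailing keyword such as tx-period or client-limit only set parameters) can be automated. The following Python script is an added example and is not code from this thread or from Aruba: it parses the per-port rows of "show port-access config" and the authenticator lines of a running config, lists ports that carry 802.1X parameters but no activation line, and flags ports where the two outputs disagree. The sample inputs are constructed from the outputs quoted in the thread; port-list expansion assumes ranges stay within one slot.

```python
import re

# Constructed sample input: the `show port-access config` table quoted in the
# thread (two-line column header, separator, then one row per port).
SHOW_PORT_ACCESS_CONFIG = """\
 Port Access Status Summary

  Port-access authenticator activated [No] : Yes

        802.1X 802.1X Web    Mac    LMA   Cntrl Mixed Speed
  Port  Supp   Auth   Auth   Auth   Auth  Dir   Mode  VSA   MBV
  ----- ------ ------ ------ ------ ----- ----- ----- ----- ---
  1     No     No     No     No     No    in    No    No    Yes
  2     No     Yes    No     No     No    in    No    No    Yes
  4     No     No     No     No     No    both  No    No    Yes
"""

# Constructed sample input: the running-config lines quoted in the thread. Only
# the bare "aaa port-access authenticator 2" line activates 802.1X on a port;
# the lines with a trailing keyword just set parameters.
RUNNING_CONFIG = """\
aaa authentication port-access eap-radius
aaa port-access authenticator 2
aaa port-access authenticator 1 client-limit 2
aaa port-access authenticator 2 tx-period 15
aaa port-access authenticator 2 supplicant-timeout 15
aaa port-access authenticator 2 max-eap-retries 1
"""

# Column names for the per-port rows, in the order the switch prints them.
COLUMNS = ("port", "dot1x_supp", "dot1x_auth", "web_auth", "mac_auth",
           "lma_auth", "cntrl_dir", "mixed_mode", "speed_vsa", "mbv")
PORT_RE = re.compile(r"\d+(?:/\d+)?")
AUTH_LINE_RE = re.compile(r"^aaa port-access authenticator (\S+)(?:\s+(\S.*))?$")


def port_key(port):
    """Sort key so that 1/2 < 1/10 < 2/1 (numeric, not lexicographic)."""
    return tuple(int(p) for p in port.split("/"))


def expand_port_list(spec):
    """Expand a port list such as '1/1-1/4,2/23' into individual ports.

    Assumption: a range stays within one slot ('1/1-1/48'); a range that
    crosses slots is rejected rather than guessed at.
    """
    ports = []
    for item in spec.split(","):
        if "-" in item:
            lo, hi = item.split("-", 1)
            lo_slot, _, lo_num = lo.rpartition("/")
            hi_slot, _, hi_num = hi.rpartition("/")
            if lo_slot != hi_slot:
                raise ValueError(f"range crosses slots: {item}")
            prefix = f"{lo_slot}/" if lo_slot else ""
            ports.extend(f"{prefix}{n}" for n in range(int(lo_num), int(hi_num) + 1))
        else:
            ports.append(item)
    return ports


def parse_port_access_status(text):
    """Map port -> column dict from the per-port rows of `show port-access config`."""
    status, in_table = {}, False
    for line in text.splitlines():
        fields = line.split()
        if fields and set(fields[0]) == {"-"}:
            in_table = True  # dashed separator: port rows follow
            continue
        if in_table and len(fields) == len(COLUMNS) and PORT_RE.fullmatch(fields[0]):
            status[fields[0]] = dict(zip(COLUMNS, fields))
    return status


def classify_running_config(text):
    """Return (activated, parameterised) port sets from authenticator lines."""
    activated, parameterised = set(), set()
    for line in text.splitlines():
        m = AUTH_LINE_RE.match(line.strip())
        if not m or not PORT_RE.match(m.group(1)):
            continue  # skips lines whose first argument is not a port list
        ports = expand_port_list(m.group(1))
        (parameterised if m.group(2) else activated).update(ports)
    return activated, parameterised


def configured_but_inactive(running_config):
    """Ports that carry 802.1X parameters but no bare activation line."""
    activated, parameterised = classify_running_config(running_config)
    return sorted(parameterised - activated, key=port_key)


def cross_check(running_config, show_output):
    """Ports where the running config and the show output disagree on whether
    the 802.1X authenticator is active."""
    activated, _ = classify_running_config(running_config)
    status = parse_port_access_status(show_output)
    return sorted((p for p, row in status.items()
                   if (row["dot1x_auth"] == "Yes") != (p in activated)),
                  key=port_key)


if __name__ == "__main__":
    print("configured but not activated:", configured_but_inactive(RUNNING_CONFIG))
    print("config/show mismatches:", cross_check(RUNNING_CONFIG, SHOW_PORT_ACCESS_CONFIG))
```

Run against the sample above it reports port 1 as configured but not activated and no mismatch with the show output; fed the snippet from the original post (parameter lines for 1/1 and 1/2 and no bare authenticator line) it lists 1/1 and 1/2.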
Original Message:
Sent: Oct 07, 2024 05:04 AM
From: alexs-nd
Subject: Issue with windows eap-tls auth on authenticating switch
Hi,
Got a strange issue on a 2930 switch running WC.16.11.13 configured for 802.1x and mac auth. The switch has been configured for about 14 months and has been working just fine. On about the 1st of October, Windows devices stopped obtaining IP addresses. Could see what was happening but not why.
All our Windows machines are domain joined and have certs/EAP-TLS config pushed to them via GPO. If a Windows machine successfully authenticates it's (currently) placed in whatever statically assigned VLAN is on a switch port. If a Windows machine relies on a mac auth it's dropped into a captive portal VLAN.
The switch is also configured to use DURs to configure the device.
Currently ClearPass is configured so that auths from the switch are processed by a service with "monitor mode" enabled, i.e. switch logs will have DCA 5204 errors as a matter of course and an "initial-role" is assigned to the client machine. The initial role is basically an Allow All ACL. We've had this config running for about 3 years without issue.
Switch config snippet shown below
aaa authorization user-role enable download
aaa authorization user-role initial-role "initial-role"
aaa authentication login privilege-mode
aaa authentication console login tacacs
aaa authentication console enable tacacs
aaa authentication ssh login tacacs
aaa authentication ssh enable tacacs
aaa authentication port-access eap-radius server-group "clearpass"
aaa authentication mac-based chap-radius server-group "clearpass"
aaa authentication captive-portal enable
aaa port-access authenticator 1/1 tx-period 10
aaa port-access authenticator 1/1 supplicant-timeout 10
aaa port-access authenticator 1/1 client-limit 32
aaa port-access authenticator 1/2 tx-period 10
aaa port-access authenticator 1/2 supplicant-timeout 10
aaa port-access authenticator 1/2 client-limit 32
.....
aaa port-access mac-based 1/14,1/23,1/33,1/35,1/47,2/23,2/35,2/47
aaa port-access mac-based 1/1 addr-limit 256
aaa port-access mac-based 1/1 addr-moves
aaa port-access mac-based 1/2 addr-limit 256
aaa port-access mac-based 1/2 addr-moves
....
aaa port-access mac-based addr-format multi-dash-uppercase
aaa port-access 1/1 controlled-direction in
aaa port-access 1/1 auth-order authenticator mac-based
aaa port-access 1/1 auth-priority authenticator mac-based
aaa port-access 1/1 critical-auth user-role "critical-role"
aaa port-access 1/2 controlled-direction in
aaa port-access 1/2 auth-order authenticator mac-based
aaa port-access 1/2 auth-priority authenticator mac-based
aaa port-access 1/2 critical-auth user-role "critical-role"
Issue
So when a Windows client does an authentication, a sh port-access client shows an entry for the client MAC address, the VLANs on the port, NO IP address, and tells me it's doing an 802.1x auth. ClearPass doesn't see any EAP-TLS auths happening. It does however see a mac auth from the port and sends back an access accept (no DUR as it's in monitor mode),
and that's the way the switch stays. Devices doing mac auths just work. The switch has been up for 350 days
(last reboot would have been to get 16.1.13 onto it).
Fairly sure that a reboot will fix it, but rebooting switches brings its own level of pain.
Any thoughts on debug statements I might use at this point?
A