Wired Intelligent Edge

  • 1.  Issue with windows eap-tls auth on authenticating switch

    Posted Oct 07, 2024 05:05 AM

    Hi,

    Got a strange issue on a 2930 switch running WC.16.11.13 configured for 802.1x and MAC auth. The switch has been configured for about 14 months and has been working just fine. On about the 1st of October, Windows devices stopped obtaining IP addresses. I could see what was happening but not why.

    All our Windows machines are domain joined and have certs/EAP-TLS config pushed to them via GPO. If a Windows machine successfully authenticates it's (currently) placed in whatever statically assigned VLAN is on the switch port. If a Windows machine relies on a MAC auth it's dropped into a captive portal VLAN.

    The switch is also configured to use DURs to configure the device

    Currently ClearPass is configured so that auths from the switch are processed by a service with "monitor mode" enabled, i.e. the switch logs will have DCA 5204 errors as a matter of course and an "initial-role" is assigned to the client machine. The initial role is basically an Allow All ACL. We've had this config running for about 3 years without issue.

    Switch config snippet shown below:

    aaa authorization user-role enable download
    aaa authorization user-role initial-role "initial-role"
    aaa authentication login privilege-mode
    aaa authentication console login tacacs
    aaa authentication console enable tacacs
    aaa authentication ssh login tacacs
    aaa authentication ssh enable tacacs
    aaa authentication port-access eap-radius server-group "clearpass"
    aaa authentication mac-based chap-radius server-group "clearpass"
    aaa authentication captive-portal enable
    aaa port-access authenticator 1/1 tx-period 10
    aaa port-access authenticator 1/1 supplicant-timeout 10
    aaa port-access authenticator 1/1 client-limit 32
    aaa port-access authenticator 1/2 tx-period 10
    aaa port-access authenticator 1/2 supplicant-timeout 10
    aaa port-access authenticator 1/2 client-limit 32
    .....
    aaa port-access mac-based 1/14,1/23,1/33,1/35,1/47,2/23,2/35,2/47
    aaa port-access mac-based 1/1 addr-limit 256
    aaa port-access mac-based 1/1 addr-moves
    aaa port-access mac-based 1/2 addr-limit 256
    aaa port-access mac-based 1/2 addr-moves
    ....
    aaa port-access mac-based addr-format multi-dash-uppercase
    aaa port-access 1/1 controlled-direction in
    aaa port-access 1/1 auth-order authenticator mac-based
    aaa port-access 1/1 auth-priority authenticator mac-based
    aaa port-access 1/1 critical-auth user-role "critical-role"
    aaa port-access 1/2 controlled-direction in
    aaa port-access 1/2 auth-order authenticator mac-based
    aaa port-access 1/2 auth-priority authenticator mac-based
    aaa port-access 1/2 critical-auth user-role "critical-role"


    Issue
    So when a Windows client does an authentication, a sh port-access client shows an entry for the client MAC address, the VLANs on the port, NO IP address, and tells me it's doing an 802.1x auth. ClearPass doesn't see any EAP-TLS auths happening. It does however see a MAC auth from the port and sends back an access accept (no DUR as it's in monitor mode).

    And that's the way the switch stays. Devices doing MAC auths just work. The switch has been up for 350 days

    (last  reboot would have been to get 16.1.13 onto it)

    Fairly sure that a reboot will fix it, but rebooting switches brings its own level of pain.

    Any thoughts for debug statements I might use at this point?

    A



  • 2.  RE: Issue with windows eap-tls auth on authenticating switch

    Posted 30 days ago
    Edited by lord 30 days ago

    According to your running config, 802.1x authentication is deactivated. All ports with activated 802.1x authentication must be displayed above the line "aaa port-access authenticator 1/1 tx-period 10", similar to the MAC-Auth "aaa port-access mac-based 1/14,1/23,1/33,1/35,1/47,2/23,2/35,2/47".

    You can check the current config status with "show port-access config", it must look similar to this:

    SW01(config)# sh port-access config

     Port Access Status Summary

      Port-access authenticator activated [No] : Yes
      Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
      Use LLDP data to authenticate [No] : No
      Dot1X EAP Identifier Compliance [Disabled] : Disabled
      Allow incremental EAP identifier only [Disabled] : Disabled

            802.1X  802.1X   Web      Mac      LMA   Cntrl Mixed    Speed
      Port  Supp    Auth     Auth     Auth     Auth  Dir   Mode     VSA   MBV
      ----- ------- -------- -------- -------- ----- ----- -------- ----- ---
      1     No      No       No       No       No    in    No       No    Yes
      2     No      Yes      No       No       No    in    No       No    Yes
      3     No      No       No       No       No    in    No       No    Yes
      4     No      No       No       No       No    both  No       No    Yes
      5     No      No       No       No       No    in    No       No    Yes
      6     No      No       No       No       No    both  No       No    Yes
      7     No      No       No       No       No    both  No       No    Yes
      8     No      No       No       No       No    in    No       No    Yes
      9     No      No       No       No       No    both  No       No    Yes
      10    No      No       No       No       No    both  No       No    Yes

    SW01(config)# 

    This is how it should look in the running config. Here 802.1x authentication is only activated for port 2; the port is listed above the configuration settings. 802.1x authentication is configured for port 1, but not activated.

    aaa authentication port-access eap-radius
    aaa port-access authenticator 2
    aaa port-access authenticator 1 client-limit 2
    aaa port-access authenticator 2 tx-period 15
    aaa port-access authenticator 2 supplicant-timeout 15
    aaa port-access authenticator 2 max-eap-retries 1



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
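The check Waldemar describes (a port is only *activated* for a method when it appears in a bare `aaa port-access authenticator <ports>` or `aaa port-access mac-based <ports>` line; lines with a trailing keyword such as `tx-period` or `client-limit` only *configure* it) can be scripted against a saved running config. The following is an added example written for this thread; it is not code from the thread or from HPE Aruba. It also checks for the global `aaa port-access authenticator active` line, which Waldemar's snippet omits, and flags ports whose `auth-order` names a method that is not activated on them. The sample config is constructed to mirror the original post's snippet; the port-list expander assumes numeric `member/port` or plain port numbers.

```python
"""Audit 802.1X / MAC-auth activation in an ArubaOS-Switch running config.

Added example, not code from the thread or from HPE Aruba. A port counts as
activated for a method only if it appears in a bare
"aaa port-access authenticator <ports>" / "aaa port-access mac-based <ports>"
line; a line carrying a further keyword only configures parameters.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample config: 1/1 and 1/2 carry 802.1X parameters but have no
# bare activation line; MAC auth is activated on four ports; 1/3 has an
# auth-order but neither method is activated on it.
SAMPLE_CONFIG = """\
aaa port-access authenticator active
aaa authentication port-access eap-radius server-group "clearpass"
aaa authentication mac-based chap-radius server-group "clearpass"
aaa port-access authenticator 1/1 tx-period 10
aaa port-access authenticator 1/1 supplicant-timeout 10
aaa port-access authenticator 1/1 client-limit 32
aaa port-access authenticator 1/2 tx-period 10
aaa port-access mac-based 1/1-1/2,1/14,1/23
aaa port-access mac-based 1/1 addr-limit 256
aaa port-access mac-based addr-format multi-dash-uppercase
aaa port-access 1/1 auth-order authenticator mac-based
aaa port-access 1/2 auth-order authenticator mac-based
aaa port-access 1/3 auth-order authenticator mac-based
"""

# A port list starts with a digit so keywords like "addr-format" never match.
PORT_SPEC = r"[0-9][0-9/,\-]*"
ACTIVATE_RE = re.compile(rf"^aaa port-access (authenticator|mac-based) ({PORT_SPEC})$")
CONFIGURE_RE = re.compile(rf"^aaa port-access (authenticator|mac-based) ({PORT_SPEC})\s+\S")
AUTH_ORDER_RE = re.compile(rf"^aaa port-access ({PORT_SPEC}) auth-order (.+)$")
GLOBAL_ACTIVE = "aaa port-access authenticator active"


def expand_ports(spec: str) -> Set[str]:
    """Expand an ArubaOS-Switch port list ('1/1-1/4,1/14' or '2,5-7')."""
    ports: Set[str] = set()
    for token in filter(None, spec.split(",")):
        if "-" not in token:
            ports.add(token)
            continue
        start, end = token.split("-", 1)
        if "/" in start:  # stacked format: member/port
            m1, p1 = start.split("/")
            m2, p2 = end.split("/")
            if m1 != m2:
                raise ValueError(f"range crosses stack members: {token}")
            ports.update(f"{m1}/{p}" for p in range(int(p1), int(p2) + 1))
        else:
            ports.update(str(p) for p in range(int(start), int(end) + 1))
    return ports


def port_key(port: str) -> Tuple[int, ...]:
    """Sort key so that 1/2 sorts before 1/10."""
    return tuple(int(x) for x in port.split("/"))


def audit(config_text: str) -> Dict[str, object]:
    """Report ports configured but not activated, and auth-order entries
    naming a method that is not activated on that port."""
    activated: Dict[str, Set[str]] = {"authenticator": set(), "mac-based": set()}
    configured: Dict[str, Set[str]] = {"authenticator": set(), "mac-based": set()}
    auth_order: Dict[str, List[str]] = {}
    global_active = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == GLOBAL_ACTIVE:
            global_active = True
        elif m := ACTIVATE_RE.match(line):
            activated[m.group(1)] |= expand_ports(m.group(2))
        elif m := CONFIGURE_RE.match(line):
            configured[m.group(1)] |= expand_ports(m.group(2))
        elif m := AUTH_ORDER_RE.match(line):
            for port in expand_ports(m.group(1)):
                auth_order[port] = m.group(2).split()
    not_activated = [
        f"{port}: {method}"
        for method in activated
        for port in sorted(configured[method] - activated[method], key=port_key)
    ]
    order_gaps = [
        f"{port}: {method}"
        for port in sorted(auth_order, key=port_key)
        for method in auth_order[port]
        if method in activated and port not in activated[method]
    ]
    return {
        "global_authenticator_active": global_active,
        "configured_not_activated": not_activated,
        "auth_order_without_activation": order_gaps,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Paste the output of `show running-config` into a file and feed it to `audit()`; any port listed under `configured_not_activated` for `authenticator` is exactly the state the answer above describes, where 802.1x parameters exist but the supplicant is never challenged and only MAC auth reaches ClearPass.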



  • 3.  RE: Issue with windows eap-tls auth on authenticating switch

    Posted 30 days ago
    Hi,
    Many thanks for the reply. The config snippet was just an example of our config (well, my switch at home actually) and yes, I know about the sh port-access config command.
    For the systems going wrong we did have
    aaa port-access authenticator 1/1-1/48 with all the corresponding authenticator and mac-based lines.

    The dot1x auths just stopped appearing on ClearPass, with only MAC auths appearing.

    For the auth disabled ports, for those with APs (doing MAC auth) re-enabling MAC auth just worked. Re-enabling dot1x and MAC auth on a Windows connected port … no dot1x auths visible, only MAC auths.
    A




  • 4.  RE: Issue with windows eap-tls auth on authenticating switch

    Posted 30 days ago

    OK, then the question is whether the endpoint is not doing dot1X authentication or the switch is not forwarding it.
    Have you already activated debugging on the switch?

    debug destination session
    debug security port-access authenticator include port 2
    debug security radius-server



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: Issue with windows eap-tls auth on authenticating switch

    Posted 30 days ago
    They're all domain joined Windows machines, all machine authenticating … then, noon on the 1st October … nothing.
    A




  • 6.  RE: Issue with windows eap-tls auth on authenticating switch

    Posted 30 days ago
    Just waiting for someone to point me at a machine/port I can use.
    A