Were you able to successfully implement this?
I try to achieve that dot1x takes place first followed by mac auth because we enforce a mac default role to place the clients into a guest role. Due to parallel authentication (2930F switch) mac auth takes place first (maybe only 500ms earlier than dot1x enforcement) almost every time. During this time clients are already getting an IP address from the guest network and the DHCP server reserves an IP address for a client that doesn't need one.
To solve this issue I configured "aaa port-access auth-order authenticator mac-based". Due to the default dot1x supplicant-timeout I set the timeout to 3 secs in the hope MAC auth takes place if there is no dot1x after 3 secs. However it takes about 90 secs until mac auth is performed (starting from "… m8021xCtrl:Port 3: connection detected.")
Debug Logs:
0000:00:23:29.58 1X m8021xCtrl:Port 3: connection detected.
0000:00:23:29.58 1X m8021xCtrl:Port 3: sent ReqId #1 to 0180c2-000003.
0000:00:23:29.64 1X m8021xCtrl:Port 3: added new client 9457a5-be3040.
0000:00:23:58.60 1X m8021xCtrl:Port 3: sent ReqId #1 to 9457a5-be3040.
0000:00:23:58.60 1X m8021xCtrl:Port 3:No. of EAP Id request sent: 1 to
client:9457a5-be3040.
0000:00:24:28.60 1X m8021xCtrl:Port 3: sent ReqId #1 to 9457a5-be3040.
0000:00:24:28.60 1X m8021xCtrl:Port 3:No. of EAP Id request sent: 2 to
client:9457a5-be3040.
0000:00:24:58.60 1X m8021xCtrl:Port 3: There is no EAP response from
client:9457a5-be3040
0000:00:24:58.60 AUOR m8021xCtrl:Auth Order: Port 3:Added auth order client:
9457a5-be3040.
0000:00:24:58.60 AUOR m8021xCtrl:Auth Order: Port 3: Client status updated for
client: 9457a5-be3040, auth-method: 1 , auth-state: 1 .
0000:00:24:58.60 1X m8021xCtrl:Port 3:Auth order: Mac authentication will be
triggered client: 9457a5-be3040 as there is no EAP response.
0000:00:24:58.60 AUOR m8021xCtrl:Port 3:Mac authentication is triggered for
client: 9457a5-be3040
0000:00:24:58.60 1X m8021xCtrl:Port 3: Deleted Client 9457a5-be3040User (null)
from Client-List
0000:00:24:58.60 MAC mWebAuth:Port: 3 MAC: 9457a5-be3040 new client detected on
vid: 1.
0000:00:24:58.60 MAC mWebAuth:Port: 3 MAC: 9457a5-be3040 RADIUS CHAP
authentication started, session: 8.
0000:00:24:58.64 MAC mWebAuth:Port: 3 MAC: 9457a5-be3040 RADIUS Attributes,
vid: 64.
0000:00:24:58.64 MAC mWebAuth:Port: 3 MAC: 9457a5-be3040 [8] client accepted
with role 'guest'.
0000:00:24:58.64 MAC mWebAuth:Port: 3 MAC: 9457a5-be3040 client successfully
placed into vid: 64.
0000:00:24:58.64 AUOR mWebAuth:Auth Order: Port 3: Client status updated for
client: 9457a5-be3040, auth-method: 2 , auth-state: 2 .
0000:00:25:00.60 1X m8021xCtrl:Port 3: sent ReqId #1 to 0180c2-000003.
Port config:
interface 3
name "NAC"
qos trust dscp
rate-limit bcast in percent 2
rate-limit mcast in percent 2
untagged vlan 2000
aaa port-access authenticator
aaa port-access authenticator supplicant-timeout 3
aaa port-access authenticator client-limit 16
aaa port-access mac-based
aaa port-access mac-based addr-limit 16
aaa port-access controlled-direction in
aaa port-access auth-order authenticator mac-based
spanning-tree admin-edge-port
spanning-tree bpdu-protection
exit
Tested with:
WC.16.10.0005
WC.16.09.0004
I configured "aaa port-access authenticator max-eap-retries 1", which saves 30 sec. This shows me the "aaa port-access authenticator supplicant-timeout 3" does not take place.
Otherwise I have to implement a "WAITFOR" in the SQL query for querying the Clearpass Guest Device Repository to achieve a mac auth delay.
Are there any other options?
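To quantify what the debug output above shows, here is a small Python parser (an added example, not part of the post or of any Aruba tool) that rejoins the wrapped log lines, times the unicast EAP Request/Identity retransmits to the client, and measures the gap from "connection detected" to the MAC-auth fallback. The embedded log is an excerpt of the lines posted above; the record layout (days:hh:mm:ss.cc, module, message) is inferred from them.

```python
import re

# Excerpt of the debug output quoted in the post above (wrapped lines kept as posted).
DEBUG_LOG = """\
0000:00:23:29.58 1X m8021xCtrl:Port 3: connection detected.
0000:00:23:29.58 1X m8021xCtrl:Port 3: sent ReqId #1 to 0180c2-000003.
0000:00:23:58.60 1X m8021xCtrl:Port 3: sent ReqId #1 to 9457a5-be3040.
0000:00:24:28.60 1X m8021xCtrl:Port 3: sent ReqId #1 to 9457a5-be3040.
0000:00:24:58.60 1X m8021xCtrl:Port 3: There is no EAP response from
client:9457a5-be3040
0000:00:24:58.60 AUOR m8021xCtrl:Port 3:Mac authentication is triggered for
client: 9457a5-be3040
0000:00:24:58.64 MAC mWebAuth:Port: 3 MAC: 9457a5-be3040 [8] client accepted
with role 'guest'.
"""

# Timestamp dddd:hh:mm:ss.cc, then the debug module (1X, AUOR, MAC) and the message.
TS_RE = re.compile(r"^(\d+):(\d{2}):(\d{2}):(\d{2})\.(\d{2}) (\S+) (.*)$")

def parse_debug(text):
    """Return (seconds_since_boot, module, message) records; a line without a
    timestamp is a wrapped continuation of the previous record."""
    records = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            d, h, mi, s, cs = (int(x) for x in m.groups()[:5])
            secs = d * 86400 + h * 3600 + mi * 60 + s + cs / 100
            records.append([secs, m.group(6), m.group(7)])
        elif records:
            records[-1][2] += " " + line.strip()
    return [tuple(r) for r in records]

def auth_order_timeline(records, client_mac):
    """Timings for one client under 'auth-order authenticator mac-based'."""
    t = {"reqid_sent": []}
    for secs, _module, msg in records:
        if "connection detected" in msg and "t0" not in t:
            t["t0"] = secs
        elif msg.endswith(f"sent ReqId #1 to {client_mac}."):  # unicast ReqId only, not 0180c2-000003
            t["reqid_sent"].append(secs)
        elif "Mac authentication is triggered" in msg and client_mac in msg:
            t["mac_auth_triggered"] = secs
        elif "client accepted with role" in msg and client_mac in msg:
            t["role"] = msg.split("role '")[1].rstrip("'.")
    reqs = t["reqid_sent"]
    t["reqid_gaps"] = [round(b - a, 2) for a, b in zip(reqs, reqs[1:])]  # retransmit spacing
    t["dot1x_to_mac_auth"] = round(t["mac_auth_triggered"] - t["t0"], 2)  # the ~90 s seen in the post
    return t
```

On the posted excerpt this reports about 89 s from link-up to MAC auth and 30 s between the ReqId retransmits, which matches the observation in the post that lowering max-eap-retries, not supplicant-timeout, is what shortens the delay.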