Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Auth priority vs auth order

  • 1.  Auth priority vs auth order

    Posted Mar 04, 2019 04:46 PM
    Hi,

    I am trying to figure out the difference, while configuring a Cisco switch, between the command

    Authentication priority dot1x mab

    and

    Authentication order dot1x mab

    Also, what does fallback actually mean?

    Does it mean that when dot1x fails, mab is tried next?


  • 2.  RE: Auth priority vs auth order

    EMPLOYEE
    Posted Mar 04, 2019 04:48 PM
    Auth order is the order in which they fire.

    Auth priority means which result will take precedence for an accept.


  • 3.  RE: Auth priority vs auth order

    Posted Mar 04, 2019 04:51 PM
    Ok thanks Tim

    Do we need to configure both commands?

    My need is to always give priority to dot1x and then mab on a per-port basis.

    What if I don't define the order command? Is there any global way to always make the order dot1x and then mab?


  • 4.  RE: Auth priority vs auth order
    Best Answer

    EMPLOYEE
    Posted Mar 04, 2019 04:53 PM
    You should always define both. Generally you want dot1X to fire first and dot1X to take priority.
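    The distinction in the two answers above (order = who fires first, priority = whose result wins) can be seen in a small state model. This is an added example, not code from the thread or from any vendor: it assumes methods are tried in the configured order, that a higher-priority result replaces a lower-priority one already on the port, and that a lower-priority result never downgrades a port a higher-priority method has authorized. The method and role names are illustrative.

```python
# Added example: a minimal model of how "authentication order" and
# "authentication priority" interact on a port running dot1x and MAB.
# Assumption: order decides which method fires next after a failure;
# priority decides whether a new accept may replace the current one.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PortAuth:
    order: List[str]                       # e.g. ["dot1x", "mab"]: who fires first
    priority: List[str]                    # e.g. ["dot1x", "mab"]: whose result wins
    winner: Optional[str] = None           # method currently authorizing the port
    role: Optional[str] = None             # role/VLAN granted by the winner
    log: List[str] = field(default_factory=list)

    def rank(self, method: str) -> int:
        """Lower number = higher priority."""
        return self.priority.index(method)

    def next_method(self, failed: Optional[str] = None) -> Optional[str]:
        """Fallback: the method that fires after `failed` in the configured order."""
        if failed is None:
            return self.order[0]
        i = self.order.index(failed)
        return self.order[i + 1] if i + 1 < len(self.order) else None

    def result(self, method: str, success: bool, role: str = "") -> Optional[str]:
        """Apply one method's outcome, honouring priority. Returns the winner."""
        if not success:
            self.log.append(f"{method} failed -> fall back to {self.next_method(method)}")
            return self.winner
        if self.winner is None or self.rank(method) <= self.rank(self.winner):
            self.log.append(f"{method} accepted (role {role}) -> applied")
            self.winner, self.role = method, role
        else:
            self.log.append(f"{method} accepted but {self.winner} has priority -> ignored")
        return self.winner


def scenario_mab_first_then_dot1x() -> Optional[str]:
    """Race: MAB answers first with 'guest', then dot1x succeeds.
    dot1x is first in priority, so its result replaces the guest role."""
    p = PortAuth(order=["dot1x", "mab"], priority=["dot1x", "mab"])
    p.result("mab", True, role="guest")
    p.result("dot1x", True, role="employee")
    return p.role


def scenario_dot1x_then_late_mab() -> Optional[str]:
    """dot1x already authorized; a later MAB accept must not downgrade the port."""
    p = PortAuth(order=["dot1x", "mab"], priority=["dot1x", "mab"])
    p.result("dot1x", True, role="employee")
    p.result("mab", True, role="guest")
    return p.role


def scenario_fallback() -> Optional[str]:
    """Sequential order: dot1x gets no supplicant, so MAB is the next method."""
    p = PortAuth(order=["dot1x", "mab"], priority=["dot1x", "mab"])
    p.result("dot1x", False)
    return p.next_method("dot1x")
```

    The second scenario is the one that matters for a guest-role design: without a priority that favours dot1x, a MAB accept arriving after a successful 802.1X exchange could move the port to the weaker role.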


  • 5.  RE: Auth priority vs auth order

    Posted Mar 04, 2019 05:18 PM
    Ok thanks Tim as always


  • 6.  RE: Auth priority vs auth order

    Posted Mar 02, 2020 05:26 AM

    Were you able to successfully implement this?

    I am trying to achieve that dot1x takes place first, followed by mac auth, because we enforce a mac default role to place the clients into a guest role. Due to parallel authentication (2930F switch) mac auth takes place first (maybe only 500 ms earlier than dot1x enforcement) almost every time. During this time clients are already getting an IP address from the guest network and the DHCP server reserves an IP address for a client that doesn't need one.

    To solve this issue I configured "aaa port-access auth-order authenticator mac-based". Because of the default dot1x supplicant-timeout I set the timeout to 3 secs in the hope that mac auth takes place if there is no dot1x after 3 secs. However, it takes about 90 secs until mac auth is performed (starting from "… m8021xCtrl:Port 3: connection detected.").

    Debug Logs:

    0000:00:23:29.58 1X   m8021xCtrl:Port 3: connection detected.
    0000:00:23:29.58 1X   m8021xCtrl:Port 3: sent ReqId #1 to 0180c2-000003.
    0000:00:23:29.64 1X   m8021xCtrl:Port 3: added new client 9457a5-be3040.
    0000:00:23:58.60 1X   m8021xCtrl:Port 3: sent ReqId #1 to 9457a5-be3040.
    0000:00:23:58.60 1X   m8021xCtrl:Port 3:No. of EAP Id request sent: 1 to client:9457a5-be3040.
    0000:00:24:28.60 1X   m8021xCtrl:Port 3: sent ReqId #1 to 9457a5-be3040.
    0000:00:24:28.60 1X   m8021xCtrl:Port 3:No. of EAP Id request sent: 2 to client:9457a5-be3040.
    0000:00:24:58.60 1X   m8021xCtrl:Port 3: There is no EAP response from client:9457a5-be3040
    0000:00:24:58.60 AUOR  m8021xCtrl:Auth Order: Port 3:Added auth order client: 9457a5-be3040.
    0000:00:24:58.60 AUOR  m8021xCtrl:Auth Order: Port 3: Client status updated for client: 9457a5-be3040, auth-method: 1 , auth-state: 1 .
    0000:00:24:58.60 1X   m8021xCtrl:Port 3:Auth order: Mac authentication will be triggered client: 9457a5-be3040 as there is no EAP response.
    0000:00:24:58.60 AUOR  m8021xCtrl:Port 3:Mac authentication is triggered for client: 9457a5-be3040
    0000:00:24:58.60 1X   m8021xCtrl:Port 3: Deleted Client 9457a5-be3040User (null) from Client-List
    0000:00:24:58.60 MAC  mWebAuth:Port: 3 MAC: 9457a5-be3040 new client detected on vid: 1.
    0000:00:24:58.60 MAC  mWebAuth:Port: 3 MAC: 9457a5-be3040 RADIUS CHAP authentication started, session: 8.
    0000:00:24:58.64 MAC  mWebAuth:Port: 3 MAC: 9457a5-be3040 RADIUS Attributes, vid: 64.
    0000:00:24:58.64 MAC  mWebAuth:Port: 3 MAC: 9457a5-be3040 [8] client accepted with role 'guest'.
    0000:00:24:58.64 MAC  mWebAuth:Port: 3 MAC: 9457a5-be3040 client successfully placed into vid: 64.
    0000:00:24:58.64 AUOR  mWebAuth:Auth Order: Port 3: Client status updated for client: 9457a5-be3040, auth-method: 2 , auth-state: 2 .
    0000:00:25:00.60 1X   m8021xCtrl:Port 3: sent ReqId #1 to 0180c2-000003.

    Port config:

    interface 3
       name "NAC"
       qos trust dscp
       rate-limit bcast in percent 2
       rate-limit mcast in percent 2
       untagged vlan 2000
       aaa port-access authenticator
       aaa port-access authenticator supplicant-timeout 3
       aaa port-access authenticator client-limit 16
       aaa port-access mac-based
       aaa port-access mac-based addr-limit 16
       aaa port-access controlled-direction in
       aaa port-access auth-order authenticator mac-based
       spanning-tree admin-edge-port
       spanning-tree bpdu-protection
       exit

    Tested with:

    WC.16.10.0005
    WC.16.09.0004

    I configured "aaa port-access authenticator max-eap-retries 1"; this saves 30 sec. This shows me that "aaa port-access authenticator supplicant-timeout 3" does not take effect.

    Otherwise I have to implement a "WAITFOR" in the SQL query for querying the ClearPass Guest Device Repository to achieve a mac auth delay.

    Are there any other options?



  • 7.  RE: Auth priority vs auth order

    Posted Apr 10, 2020 09:46 AM

    Hi!

    For instance you can reduce the tx-period (default 30 sec.):

    aaa port-access authenticator 2/I20 tx-period 10

    With this example you can reduce the time between the first 802.1x try and receiving the mac auth role to 25 to 30 seconds (real time, from plugging in the cable).



  • 8.  RE: Auth priority vs auth order

    Posted Apr 14, 2020 03:33 AM

    After a few lab tests I may say the following interface config is needed to speed up the dot1x process in order to perform mac-authentication:

    aaa port-access authenticator <INTERFACE> tx-period 1
    aaa port-access authenticator <INTERFACE> max-eap-retries 1
    aaa port-access <INTERFACE> auth-order authenticator mac-based
    aaa port-access <INTERFACE> auth-priority authenticator mac-based

    With this configuration mac-authentication is performed after 4-5 seconds, which is acceptable. We haven't gained any experience in an operative environment with it so far (only lab), but we'll see how the config is going to affect dot1x clients soon.
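    The debug excerpt in post 6 and the tuning in posts 7 and 8 can be checked against each other with a small script. This is an added example, not code from the thread or from HPE Aruba: it parses the timestamps of the quoted debug lines (assumed to be days:hh:mm:ss.hundredths, as the excerpt suggests), measures how long the port spent in the dot1x phase before MAC authentication was triggered, and reads the retransmission interval off the two EAP Request-Identity frames sent to the client. The `estimate_fallback` formula is an assumption inferred from the timings in this thread (one tx-period before each request to the client, one more before "no EAP response"), not a documented switch behaviour; use it to sanity-check a lab result, not as a spec.

```python
# Added example (not from the thread): parse the ArubaOS-Switch debug excerpt
# quoted in post 6, measure the dot1x -> MAC-auth fallback delay, and estimate
# the delay for the tx-period / max-eap-retries values discussed above.
import re
from typing import Dict, List, Tuple

# Sample input: the relevant lines of the excerpt above, re-joined onto one
# line each (the forum wrapped the long ones).
SAMPLE_LOG = """\
0000:00:23:29.58 1X   m8021xCtrl:Port 3: connection detected.
0000:00:23:29.58 1X   m8021xCtrl:Port 3: sent ReqId #1 to 0180c2-000003.
0000:00:23:29.64 1X   m8021xCtrl:Port 3: added new client 9457a5-be3040.
0000:00:23:58.60 1X   m8021xCtrl:Port 3: sent ReqId #1 to 9457a5-be3040.
0000:00:24:28.60 1X   m8021xCtrl:Port 3: sent ReqId #1 to 9457a5-be3040.
0000:00:24:58.60 1X   m8021xCtrl:Port 3: There is no EAP response from client:9457a5-be3040
0000:00:24:58.60 AUOR  m8021xCtrl:Port 3:Mac authentication is triggered for client: 9457a5-be3040
0000:00:24:58.64 MAC  mWebAuth:Port: 3 MAC: 9457a5-be3040 [8] client accepted with role 'guest'.
"""

# Assumed timestamp layout: dddd:hh:mm:ss.cc  facility  message
TS_RE = re.compile(r"^(\d{4}):(\d{2}):(\d{2}):(\d{2})\.(\d{2})\s+(\S+)\s+(.*)$")


def parse(log: str) -> List[Tuple[float, str, str]]:
    """Return (seconds_since_boot, facility, message) for each parsable line."""
    events = []
    for line in log.splitlines():
        m = TS_RE.match(line.strip())
        if not m:
            continue                       # skip wrapped fragments or noise
        d, h, mi, s, cs, fac, msg = m.groups()
        t = ((int(d) * 24 + int(h)) * 60 + int(mi)) * 60 + int(s) + int(cs) / 100
        events.append((t, fac, msg))
    return events


def first_time(events: List[Tuple[float, str, str]], needle: str) -> float:
    """Timestamp of the first message containing `needle` (StopIteration if absent)."""
    return next(t for t, _, msg in events if needle in msg)


def fallback_delay(log: str, client_mac: str) -> Dict[str, float]:
    """Measure, from the log, how the dot1x phase ran before MAC auth was tried."""
    ev = parse(log)
    t_link = first_time(ev, "connection detected")
    # Request-Identity frames addressed to this client (not the multicast PAE address)
    reqs = [t for t, _, msg in ev
            if "sent ReqId" in msg and msg.endswith(client_mac + ".")]
    t_mab = first_time(ev, "Mac authentication is triggered")
    t_ok = first_time(ev, "client accepted")
    return {
        "eap_requests_to_client": len(reqs),
        "tx_period_observed": round(reqs[1] - reqs[0], 2) if len(reqs) > 1 else 0.0,
        "link_to_mab": round(t_mab - t_link, 2),
        "link_to_accept": round(t_ok - t_link, 2),
    }


def estimate_fallback(tx_period: float, max_eap_retries: int) -> float:
    """Assumed model (inferred from this thread, not vendor documentation):
    fallback ~= (max_eap_retries + 1) * tx_period seconds."""
    return (max_eap_retries + 1) * tx_period


if __name__ == "__main__":
    print(fallback_delay(SAMPLE_LOG, "9457a5-be3040"))
    for tx, retries in ((30, 2), (30, 1), (10, 2), (1, 1)):
        print(f"tx-period {tx:>2}s, max-eap-retries {retries}: "
              f"~{estimate_fallback(tx, retries):.0f}s before MAC auth")
```

    On the quoted excerpt the script reports two Request-Identity frames 30 seconds apart and about 89 seconds from link-up to MAC authentication, i.e. the retransmission timer (tx-period), not the supplicant-timeout, is what paces the fallback. The same formula gives roughly 60 s for max-eap-retries 1, 30 s for tx-period 10, and 2 s for the post-8 values, which matches the 30 s saving, the 25-30 s and the 4-5 s (plus RADIUS round trips) reported in the thread.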



  • 9.  RE: Auth priority vs auth order

    Posted Apr 14, 2020 04:54 AM

    Yes, I would also test this short tx-period with all your 802.1x clients.
    If they miss the 802.1x period, they may fall back to mac auth...