10-23-2018 04:01 PM
I'm hoping some members here can help clarify a few questions I have surrounding ClearPass and workgroup switches.
We currently have ClearPass up and running with wired 802.1X enabled for AD clients and MAB fallback for guest or unknown clients. This works fine when clients are connecting directly to the NAD (in this case a Catalyst 4500). The issue we're having is that any clients connecting behind a workgroup/desktop switch are showing up as unauthenticated on the Catalyst switch. I've heard of 802.1X failing for some clients on workgroup switches, but I assumed they would at least work with MAB. To be sure, I've configured the port for multi-auth and the Catalyst is using up-to-date firmware.
Relevant switchport config on the Catalyst 4500:
interface GigabitEthernet6/33
 description 802.1x Enabled Port
 switchport access vlan 232
 switchport mode access
 switchport voice vlan 224
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x timeout supp-timeout 15
 dot1x max-reauth-req 1
end
However when I run a show auth sessions on the switch I see that a number of clients are showing as unauthenticated:
Interface  MAC Address     Method  Domain  Status  Fg  Session ID
----------------------------------------------------------------------
Gi6/33     54e1.ad7a.c8a3  mab     DATA    Unauth      0A020020000001B7AD728D00
Gi6/33     10bd.1801.d4c4  mab     VOICE   Auth        0A0200200000017F88CEFE38
Gi6/33     54e1.ad7a.c864  mab     DATA    Unauth      0A020020000001C4B1F87994
Gi6/33     94c6.9179.2f23  dot1x   DATA    Auth        0A0200200000017E88CEDE68
This is despite passing MAB on ClearPass and CPPM sending Access-Accept to the 4500:
Login Status: ACCEPT
Enforcement Profiles: VLAN232 - Guests
System Posture Status: UNKNOWN (100)
Audit Posture Status: UNKNOWN (100)
RADIUS Response
Radius:IETF:Tunnel-Medium-Type 6
Radius:IETF:Tunnel-Private-Group-Id 232
Radius:IETF:Tunnel-Type 13
The questions I have are as follows:
- Is it possible to get 802.1X working with a workgroup switch in between the client and the NAD? Or would this only work with MAB? If neither, then is this expected behavior?
  - I thought I've seen ClearPass work successfully with workgroup switches in previous deployments, but I can't recall a specific instance.
- If yes, then is this an issue with the Catalyst switch or the Catalyst config?
  - If so, how can I resolve it?
- If no, then is this an issue with the make/model of workgroup switch in the environment?
  - If so, can anyone make a recommendation on a model that is known to work with this setup?
Thanks in advance for the community support!
Re: ClearPass - Cisco and Unauth on Workgroup Switches
10-23-2018 04:39 PM
This is looking more and more like a Catalyst switching issue not honoring multi-authentication, I think. CPPM sends access-accept but the catalyst shows an auth-failure:
4507-IDF#show logging | inc c8a3
Oct 22 20:01:30.380: %DOT1X-5-FAIL: Authentication failed for client (54e1.ad7a.c8a3) on Interface Gi6/33 AuditSessionID 0A020020000001B7AD728D00
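The triage step the two posts above do by hand (read `show authentication sessions`, then grep the log for the failing MAC) can be scripted so that every Unauth session on a port is paired with its `%DOT1X-5-FAIL` event by AuditSessionID. The following Python is an added example and is not code from this thread or from Cisco or Aruba; the session table and the first syslog line are copied from the posts above, the second syslog line is constructed so that the correlation also shows a failure with no surviving session.

```python
import re
from collections import Counter

# "show authentication sessions" output as posted in this thread.
SHOW_AUTH_SESSIONS = """\
Interface  MAC Address     Method  Domain  Status  Fg  Session ID
----------------------------------------------------------------------
Gi6/33     54e1.ad7a.c8a3  mab     DATA    Unauth      0A020020000001B7AD728D00
Gi6/33     10bd.1801.d4c4  mab     VOICE   Auth        0A0200200000017F88CEFE38
Gi6/33     54e1.ad7a.c864  mab     DATA    Unauth      0A020020000001C4B1F87994
Gi6/33     94c6.9179.2f23  dot1x   DATA    Auth        0A0200200000017E88CEDE68
"""

# Syslog: first line is the one quoted in the thread; the second is a
# constructed line (hypothetical MAC/port/session) with no matching session.
SYSLOG = """\
Oct 22 20:01:30.380: %DOT1X-5-FAIL: Authentication failed for client (54e1.ad7a.c8a3) on Interface Gi6/33 AuditSessionID 0A020020000001B7AD728D00
Oct 22 20:02:11.004: %DOT1X-5-FAIL: Authentication failed for client (00de.adbe.ef01) on Interface Gi6/40 AuditSessionID 0A020020000001C9FFFFFFFF
"""

MAC_RE = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}")
FAIL_RE = re.compile(
    r"%DOT1X-5-FAIL: Authentication failed for client \((?P<mac>[0-9a-f.]+)\) "
    r"on Interface (?P<iface>\S+) AuditSessionID (?P<session_id>[0-9A-F]+)"
)


def parse_auth_sessions(text):
    """Parse the session table into dicts. Header/separator lines are skipped;
    the Fg column is optional, so the session ID is always the last field."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not MAC_RE.fullmatch(parts[1]):
            continue
        iface, mac, method, domain, status = parts[:5]
        fg = parts[5] if len(parts) == 7 else ""
        sessions.append({"iface": iface, "mac": mac, "method": method,
                         "domain": domain, "status": status, "fg": fg,
                         "session_id": parts[-1]})
    return sessions


def parse_dot1x_failures(text):
    """Extract MAC, interface and AuditSessionID from %DOT1X-5-FAIL lines."""
    return [m.groupdict() for line in text.splitlines() if (m := FAIL_RE.search(line))]


def correlate(sessions, failures):
    """Attach the matching %DOT1X-5-FAIL event (by AuditSessionID) to every
    session that is not in Auth state; fail_event is None when the log has
    no record for that session."""
    by_id = {f["session_id"]: f for f in failures}
    return [{**s, "fail_event": by_id.get(s["session_id"])}
            for s in sessions if s["status"] != "Auth"]


def unauth_summary(sessions):
    """Count non-Auth sessions per (interface, domain), which makes a single
    port behind a workgroup switch stand out."""
    return Counter((s["iface"], s["domain"])
                   for s in sessions if s["status"] != "Auth")


if __name__ == "__main__":
    sess = parse_auth_sessions(SHOW_AUTH_SESSIONS)
    for row in correlate(sess, parse_dot1x_failures(SYSLOG)):
        ev = row["fail_event"]
        print(f'{row["iface"]} {row["mac"]} {row["domain"]} {row["status"]} '
              f'-> {"FAIL logged" if ev else "no log event"}')
    print(dict(unauth_summary(sess)))
```

Feeding the script the live output of both commands (or an exported syslog) gives a per-port list of sessions that ClearPass accepted but the switch still reports as failed, which is the mismatch the thread is chasing.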
10-24-2018 12:31 AM - edited 10-24-2018 12:33 AM
I'm not sure if it's a faux pas to answer your own question, but here goes... Short Answer: I posted in the wrong forum. This is 100% a bug with the Cisco Catalyst switch.
To anyone who stumbled onto this and wanted more detailed answers, I provide the following:
- 802.1X will generally work just fine with generic workgroup unmanaged switches. This is due to EAPOL flooding. Most unmanaged switches will flood the EAPOL packets to all ports, allowing for a successful authentication session between the supplicant and the NAD. On some smart switches, this needs to be explicitly enabled. Others, however, may drop the EAPOL packets as they receive them. YMMV.
- The above config is fine. Definitely a bug.
- I just tested this with a Netgear GS108T, with EAPOL Flooding enabled. I've read elsewhere that cheap D-Link switches also play nicely with 802.1X in multi-auth mode. I've ordered a D-Link TL-SG1005D for testing and will report back with my findings.
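The EAPOL flooding point above comes down to one destination address. EAPOL frames use EtherType 0x888E and are sent to the PAE group address 01:80:C2:00:00:03, which sits in the 802.1D reserved bridge-group range (01:80:C2:00:00:00 through 0F) that a standards-conformant bridge must not forward; a workgroup switch only passes them on if it ignores that rule or has an explicit flood/pass-through option like the GS108T setting mentioned above. The following Python is an added example, not code from this thread or from any switch vendor: it builds and parses constructed Ethernet frames and models a bridge's forwarding decision with a single `eapol_flooding` flag (an assumption standing in for the vendor's own setting).

```python
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")      # 01:80:C2:00:00:03
RESERVED_PREFIX = bytes.fromhex("0180c20000")       # 01:80:C2:00:00:00 .. 0F
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}


def mac_str(mac):
    return ":".join(f"{b:02x}" for b in mac)


def build_frame(dst, src, ethertype, payload):
    """Ethernet II frame: 6-byte dst, 6-byte src, 2-byte EtherType, payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def build_eapol_start(src):
    """EAPOL-Start as a supplicant sends it: version 1, type 1, body length 0,
    addressed to the PAE group address."""
    return build_frame(PAE_GROUP_ADDR, src, ETHERTYPE_EAPOL, struct.pack("!BBH", 1, 1, 0))


def parse_frame(frame):
    """Decode the Ethernet header and, for EAPOL, the 4-byte EAPOL header."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": mac_str(dst), "src": mac_str(src), "ethertype": ethertype, "eapol": None}
    if ethertype == ETHERTYPE_EAPOL and len(frame) >= 18:
        version, ptype, length = struct.unpack("!BBH", frame[14:18])
        info["eapol"] = {"version": version,
                         "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"),
                         "length": length}
    return info


def is_reserved_group(dst):
    """True for 01:80:C2:00:00:00 .. 01:80:C2:00:00:0F (802.1D reserved)."""
    return dst[:5] == RESERVED_PREFIX and dst[5] <= 0x0F


def bridge_forwards(frame, eapol_flooding=False):
    """Forwarding decision of a switch sitting between supplicant and NAD.
    Ordinary unicast/multicast is forwarded; frames to the reserved group
    range are filtered unless the switch floods EAPOL (the 'EAPOL flooding'
    behaviour or setting the thread relies on)."""
    dst = frame[:6]
    if not is_reserved_group(dst):
        return True
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return eapol_flooding and ethertype == ETHERTYPE_EAPOL


if __name__ == "__main__":
    supplicant = bytes.fromhex("54e1ad7ac8a3")      # MAC from the thread
    start = build_eapol_start(supplicant)
    print(parse_frame(start))
    for flood in (False, True):
        print(f"eapol_flooding={flood}: forwarded={bridge_forwards(start, flood)}")
```

With `eapol_flooding=False` the EAPOL-Start never reaches the NAD, so dot1x times out on the Catalyst and the port falls through to MAB for that MAC; with it enabled the supplicant and the NAD see each other's EAPOL and the multi-auth session can complete.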