Hello,
I'm hoping some members here can help clarify a few questions I have surrounding ClearPass and workgroup switches.
We currently have ClearPass up and running with wired 802.1X enabled for AD clients and MAB fallback for guest or unknown clients. This works fine when clients are connecting directly to the NAD (in this case a Catalyst 4500). The issue we're having is that any clients connecting behind a workgroup/desktop switch are showing up as unauthenticated on the Catalyst switch. I've heard of 802.1X failing for some clients on workgroup switches, but I assumed they would at least work with MAB. To be sure, I've configured the port for multi-auth, and the Catalyst is using up-to-date firmware.
Relevant switchport config on the Catalyst 4500:
interface GigabitEthernet6/33
description 802.1x Enabled Port
switchport access vlan 232
switchport mode access
switchport voice vlan 224
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x timeout supp-timeout 15
dot1x max-reauth-req 1
end
However, when I run a show authentication sessions on the switch I see that a number of clients are showing as unauthenticated:
Interface  MAC Address     Method  Domain  Status  Fg  Session ID
-----------------------------------------------------------------------
Gi6/33     54e1.ad7a.c8a3  mab     DATA    Unauth      0A020020000001B7AD728D00
Gi6/33     10bd.1801.d4c4  mab     VOICE   Auth        0A0200200000017F88CEFE38
Gi6/33     54e1.ad7a.c864  mab     DATA    Unauth      0A020020000001C4B1F87994
Gi6/33     94c6.9179.2f23  dot1x   DATA    Auth        0A0200200000017E88CEDE68
This is despite passing MAB on ClearPass and CPPM sending Access-Accept to the 4500:
Login Status: ACCEPT
Enforcement Profiles: VLAN232 - Guests
System Posture Status: UNKNOWN (100)
Audit Posture Status: UNKNOWN (100)
RADIUS Response
Radius:IETF:Tunnel-Medium-Type 6
Radius:IETF:Tunnel-Private-Group-Id 232
Radius:IETF:Tunnel-Type 13
The questions I have are as follows:
- Is it possible to get 802.1X working with a workgroup switch in between the client and the NAD? Or would this only work with MAB? If neither, then is this expected behavior? - I thought I'd seen ClearPass work successfully with workgroup switches in previous deployments, but I can't recall a specific instance.
- If yes, then is this an issue with the Catalyst switch or the Catalyst config? - If so, how can I resolve it?
- If no, then is this an issue with the make/model of workgroup switch in the environment? - If so, can anyone make a recommendation on a model that is known to work with this setup?
Thanks in advance for the community support!
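As an added example (not part of the original post), a small Python script that parses the show authentication sessions output quoted above and the RADIUS attributes CPPM returned, so the two can be checked against each other before opening a TAC case: it lists DATA-domain hosts the switch still holds in Unauth, and confirms the Access-Accept carries the RFC 3580 dynamic-VLAN triple (Tunnel-Type 13, Tunnel-Medium-Type 6, Tunnel-Private-Group-Id) matching the port's configured VLAN. The sample inputs are constructed from the post; the function names are my own.

```python
import re

# Constructed sample input: the 'show authentication sessions' output quoted in the post.
SHOW_AUTH_SESSIONS = """\
Interface MAC Address Method Domain Status Fg Session ID
----------------------------------------------------------------------
Gi6/33 54e1.ad7a.c8a3 mab DATA Unauth 0A020020000001B7AD728D00
Gi6/33 10bd.1801.d4c4 mab VOICE Auth 0A0200200000017F88CEFE38
Gi6/33 54e1.ad7a.c864 mab DATA Unauth 0A020020000001C4B1F87994
Gi6/33 94c6.9179.2f23 dot1x DATA Auth 0A0200200000017E88CEDE68
"""

# Constructed sample input: the RADIUS attributes CPPM returned in the Access-Accept.
RADIUS_RESPONSE = {
    "Radius:IETF:Tunnel-Medium-Type": "6",
    "Radius:IETF:Tunnel-Private-Group-Id": "232",
    "Radius:IETF:Tunnel-Type": "13",
}

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


def parse_sessions(text):
    """Return one dict per session line; the Fg column may be empty, so split on whitespace."""
    sessions = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not MAC_RE.match(fields[1]):
            continue  # header, separator or blank line
        sessions.append({
            "interface": fields[0], "mac": fields[1], "method": fields[2],
            "domain": fields[3], "status": fields[4], "session_id": fields[-1],
        })
    return sessions


def unauthenticated_data_sessions(text):
    """DATA-domain hosts the switch still treats as Unauth, as (interface, mac, method)."""
    return [(s["interface"], s["mac"], s["method"])
            for s in parse_sessions(text)
            if s["domain"] == "DATA" and s["status"] == "Unauth"]


def vlan_assignment_consistent(attrs, port_access_vlan):
    """RFC 3580 dynamic VLAN: Tunnel-Type 13 (VLAN), Tunnel-Medium-Type 6 (IEEE-802) and a
    Tunnel-Private-Group-Id; here it must also equal the VLAN configured on the port."""
    return (attrs.get("Radius:IETF:Tunnel-Type") == "13"
            and attrs.get("Radius:IETF:Tunnel-Medium-Type") == "6"
            and attrs.get("Radius:IETF:Tunnel-Private-Group-Id") == str(port_access_vlan))


if __name__ == "__main__":
    for iface, mac, method in unauthenticated_data_sessions(SHOW_AUTH_SESSIONS):
        print(f"{iface}: {mac} via {method} is Unauth")
    print("VLAN attributes consistent with port:", vlan_assignment_consistent(RADIUS_RESPONSE, 232))
```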