Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass - Cisco and Unauth on Workgroup Switches

  • 1.  ClearPass - Cisco and Unauth on Workgroup Switches

    Posted Oct 23, 2018 07:02 PM

    Hello,

    I'm hoping some members here can help clarify a few questions I have surrounding ClearPass and workgroup switches.

    We currently have ClearPass up and running with wired 802.1X enabled for AD clients and MAB fallback for guest or unknown clients. This works fine when clients are connecting directly to the NAD (in this case a Catalyst 4500). The issue we're having is that any clients connecting behind a workgroup/desktop switch are showing up as unauthenticated on the Catalyst switch. I've heard of 802.1X failing for some clients on workgroup switches, but I assumed they would at least work with MAB. To be sure, I've configured the port for multi-auth and the Catalyst is using up-to-date firmware.

    Relevant switchport config on the Catalyst 4500:

    interface GigabitEthernet6/33
     description 802.1x Enabled Port
     switchport access vlan 232
     switchport mode access
     switchport voice vlan 224
     authentication host-mode multi-auth
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication timer reauthenticate server
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     dot1x timeout supp-timeout 15
     dot1x max-reauth-req 1
    end

    However, when I run a show auth sessions on the switch I see that a number of clients are showing as unauthenticated:

    Interface    MAC Address    Method  Domain  Status Fg Session ID
    ----------------------------------------------------------------------
    Gi6/33       54e1.ad7a.c8a3 mab     DATA    Unauth    0A020020000001B7AD728D00
    Gi6/33       10bd.1801.d4c4 mab     VOICE   Auth      0A0200200000017F88CEFE38
    Gi6/33       54e1.ad7a.c864 mab     DATA    Unauth    0A020020000001C4B1F87994
    Gi6/33       94c6.9179.2f23 dot1x   DATA    Auth      0A0200200000017E88CEDE68

    This is despite passing MAB on ClearPass and CPPM sending Access-Accept to the 4500:

    Login Status: ACCEPT
    
    Enforcement Profiles: VLAN232 - Guests
    System Posture Status: UNKNOWN (100)
    Audit Posture Status: UNKNOWN (100)

    RADIUS Response
    Radius:IETF:Tunnel-Medium-Type	6
    Radius:IETF:Tunnel-Private-Group-Id	232
    Radius:IETF:Tunnel-Type	13

    The questions I have are as follows:

    1. Is it possible to get 802.1X working with a workgroup switch in between the client and NAD? Or would this only work with MAB? If neither, then is this expected behavior? - I thought I've seen ClearPass work successfully with workgroup switches in previous deployments, but I can't recall a specific instance.
    2. If yes then is this an issue with the Catalyst switch or the Catalyst config? - If so, how can I resolve.
    3. If no, then is this an issue with the make/model of workgroup switch in the environment? - If so, can anyone make a recommendation on a model that is known to work with this setup?

    Thanks in advance for the community support!
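As an added diagnostic example (not part of the original post and not a Cisco or Aruba tool), the following Python parses a `show authentication sessions` table and `%DOT1X-5-FAIL` syslog lines in the form shown above, counts the DATA-domain hosts seen on each port (more than one means a downstream switch is present, so the port needs multi-auth) and lists every Unauth session together with whether the switch logged a local authentication failure for that audit session ID, which is the thing to compare against the CPPM Access Tracker verdict. The sample input is constructed from the values in this post; the column layout assumed is the one shown here, and the Fg column is treated as optional.

```python
import re
from collections import defaultdict

# Constructed sample input, copied from the values in the post above.
SHOW_AUTH_SESSIONS = """\
Interface    MAC Address    Method  Domain  Status Fg Session ID
----------------------------------------------------------------------
Gi6/33       54e1.ad7a.c8a3 mab     DATA    Unauth    0A020020000001B7AD728D00
Gi6/33       10bd.1801.d4c4 mab     VOICE   Auth      0A0200200000017F88CEFE38
Gi6/33       54e1.ad7a.c864 mab     DATA    Unauth    0A020020000001C4B1F87994
Gi6/33       94c6.9179.2f23 dot1x   DATA    Auth      0A0200200000017E88CEDE68
"""

SYSLOG = """\
Oct 22 20:01:30.380: %DOT1X-5-FAIL: Authentication failed for client (54e1.ad7a.c8a3) on Interface Gi6/33 AuditSessionID 0A020020000001B7AD728D00
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"

# One data row of the session table. The Fg (flags) column is empty in the
# sample, so it is optional here; the audit session ID is 24 hex digits.
SESSION_RE = re.compile(
    rf"^(?P<intf>\S+)\s+(?P<mac>{MAC})\s+(?P<method>\S+)\s+(?P<domain>\S+)\s+"
    rf"(?P<status>\S+)\s+(?:(?P<fg>\S+)\s+)?(?P<session>[0-9A-F]{{24}})$",
    re.IGNORECASE,
)

# The switch's own verdict: a local failure is logged per audit session ID.
FAIL_RE = re.compile(
    rf"%DOT1X-5-FAIL: Authentication failed for client \((?P<mac>{MAC})\) "
    rf"on Interface (?P<intf>\S+) AuditSessionID (?P<session>[0-9A-F]{{24}})",
    re.IGNORECASE,
)


def parse_sessions(text):
    """Return one dict per data row of 'show authentication sessions'."""
    rows = (SESSION_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in rows if m]


def parse_dot1x_failures(text):
    """Map AuditSessionID -> supplicant MAC for every %DOT1X-5-FAIL line."""
    return {m["session"].upper(): m["mac"].lower() for m in FAIL_RE.finditer(text)}


def data_hosts_per_port(sessions):
    """Distinct DATA-domain MACs per interface (>1 implies a switch behind the port)."""
    seen = defaultdict(set)
    for s in sessions:
        if s["domain"].upper() == "DATA":
            seen[s["intf"]].add(s["mac"].lower())
    return {intf: len(macs) for intf, macs in seen.items()}


def find_unauth(sessions, failures):
    """(intf, mac, method, switch_logged_fail) for each session still Unauth."""
    return [
        (s["intf"], s["mac"].lower(), s["method"].lower(), s["session"].upper() in failures)
        for s in sessions
        if s["status"].lower() == "unauth"
    ]


def report(show_text, syslog_text):
    """Human-readable findings, one per line."""
    sessions = parse_sessions(show_text)
    failures = parse_dot1x_failures(syslog_text)
    lines = []
    for intf, n in sorted(data_hosts_per_port(sessions).items()):
        if n > 1:
            lines.append(f"{intf}: {n} DATA hosts -> downstream switch, multi-auth required")
    for intf, mac, method, failed in find_unauth(sessions, failures):
        why = "switch logged %DOT1X-5-FAIL for this session" if failed else "no local failure logged"
        lines.append(f"{intf} {mac} ({method}) Unauth: {why}; compare with the CPPM Access Tracker entry")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SHOW_AUTH_SESSIONS, SYSLOG)))
```

A session that CPPM accepted but the switch still reports as Unauth, with a matching local FAIL line, points at the NAD rather than the policy server; feeding the script the full `show logging` output lets you see which of the Unauth MACs the switch failed itself and which simply never completed.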



  • 2.  RE: ClearPass - Cisco and Unauth on Workgroup Switches

    Posted Oct 23, 2018 07:40 PM

    This is looking more and more like a Catalyst switching issue not honoring multi-authentication, I think. CPPM sends Access-Accept but the Catalyst shows an auth failure:

    4507-IDF#show logging | inc c8a3
    Oct 22 20:01:30.380: %DOT1X-5-FAIL: Authentication failed for client (54e1.ad7a.c8a3) on Interface Gi6/33 AuditSessionID 0A020020000001B7AD728D00




  • 3.  RE: ClearPass - Cisco and Unauth on Workgroup Switches
    Best Answer

    Posted Oct 24, 2018 03:32 AM

    I'm not sure if it's a faux pas to answer your own question, but here goes. Short answer: I posted in the wrong forum. This is 100% a bug with the Cisco Catalyst switch.

    To anyone who stumbled onto this and wanted more detailed answers, I provide the following:

    1. 802.1X will generally work just fine with generic unmanaged workgroup switches. This is due to EAPOL flooding. Most unmanaged switches will flood the EAPOL packets to all ports, allowing for a successful authentication session between the supplicant and the NAD. On some smart switches, this needs to be explicitly enabled. Others, however, may drop the EAPOL packets as they receive them. YMMV.
    2. The above config is fine. Definitely a bug.
    3. I just tested this with a Netgear GS108T, with EAPOL Flooding enabled. I've read elsewhere that cheap D-Link switches also play nicely with 802.1X in multi-auth mode. I've ordered a D-Link TL-SG1005D for testing and will report back with my findings.
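To make the EAPOL flooding point in item 1 concrete, here is an added Python example (not from the post above and not vendor code) that builds an EAPOL-Start frame as a supplicant would send it, parses the Ethernet header including an optional 802.1Q tag, and models three kinds of transit switch between the supplicant and the NAD: an unmanaged switch that floods frames it has no better place for, a conforming 802.1D bridge that by default does not forward frames addressed to the reserved 01-80-C2-00-00-0x group range (which includes the 802.1X PAE address 01-80-C2-00-00-03), and the same bridge with EAPOL flooding/passthrough enabled. The supplicant MAC and the profile names are constructed for the example; the reserved-range handling is the standard bridge rule, not a description of any particular product.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
ETHERTYPE_VLAN = 0x8100
# 802.1X PAE group address. Bridges treat 01-80-C2-00-00-00..0F as reserved
# link-local addresses and, by default, do not forward frames sent to them;
# that is exactly why a supplicant's EAPOL-Start can die in a transit switch.
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")
RESERVED_PREFIX = bytes.fromhex("0180c20000")
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

# Constructed locally administered supplicant MAC for the example.
SUPPLICANT_MAC = bytes.fromhex("020000000001")


def build_frame(dst, src, ethertype, payload, vlan=None):
    """Ethernet II frame, optionally carrying one 802.1Q tag before the EtherType."""
    hdr = struct.pack("!6s6s", dst, src)
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def build_eapol_start(src, vlan=None):
    """EAPOL v2 Start (type 1, empty body) from src to the PAE group address."""
    return build_frame(PAE_GROUP_ADDR, src, ETHERTYPE_EAPOL, struct.pack("!BBH", 2, 1, 0), vlan)


def parse_ethernet(frame):
    """Return (dst, src, vlan_or_None, ethertype, payload); pops one 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    payload, vlan = frame[14:], None
    if ethertype == ETHERTYPE_VLAN:
        if len(payload) < 4:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", payload[:4])
        vlan, payload = tci & 0x0FFF, payload[4:]
    return dst, src, vlan, ethertype, payload


def eapol_type(frame):
    """Name of the EAPOL packet type, or None if the frame is not EAPOL."""
    _, _, _, ethertype, payload = parse_ethernet(frame)
    if ethertype != ETHERTYPE_EAPOL or len(payload) < 4:
        return None
    _version, ptype, _length = struct.unpack("!BBH", payload[:4])
    return EAPOL_TYPES.get(ptype, f"unknown({ptype})")


def is_reserved_group(dst):
    """True for 01-80-C2-00-00-00 .. 01-80-C2-00-00-0F."""
    return dst[:5] == RESERVED_PREFIX and dst[5] <= 0x0F


def transit_forwards(frame, profile):
    """Would a switch sitting between supplicant and NAD pass this frame on?

    Profiles are constructed names for this example:
      "unmanaged"                - floods everything it cannot place, reserved
                                   group addresses included (dot1x works)
      "bridge_default"           - conforming 802.1D bridge: reserved group
                                   frames are consumed, never forwarded
      "bridge_eapol_passthrough" - same bridge with EAPOL flooding enabled:
                                   only EAPOL escapes the reserved-range rule
    """
    dst, _, _, ethertype, _ = parse_ethernet(frame)
    if not is_reserved_group(dst):
        return True  # ordinary unicast/broadcast/multicast is forwarded by all three
    if profile == "unmanaged":
        return True
    if profile == "bridge_default":
        return False
    if profile == "bridge_eapol_passthrough":
        return ethertype == ETHERTYPE_EAPOL
    raise ValueError(f"unknown profile {profile!r}")


if __name__ == "__main__":
    frame = build_eapol_start(SUPPLICANT_MAC)
    print(eapol_type(frame), "from", SUPPLICANT_MAC.hex(":"))
    for profile in ("unmanaged", "bridge_default", "bridge_eapol_passthrough"):
        print(f"{profile:26s} forwards EAPOL-Start to NAD: {transit_forwards(frame, profile)}")
```

The practical check on a managed switch in the path is therefore whether it forwards frames addressed to 01-80-C2-00-00-03 towards the NAD; vendors name that knob differently, and the post above mentions enabling "EAPOL Flooding" on a Netgear GS108T. MAB is unaffected by any of this, since it keys on the source MAC of ordinary traffic rather than on EAPOL.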


  • 4.  RE: ClearPass - Cisco and Unauth on Workgroup Switches

    Posted Oct 24, 2018 09:03 PM

    Update: The D-Link TL-SG1005D works great with dot1x!