Hi all,
Apologies if this would be better aimed at Cisco, but I'm wondering if anyone has any experience of using CPPM to provide RADIUS authentication for Intel AMT cards via MAB auth.
We have a specific scenario where we have devices on our network that present both the normal data NIC and the AMT NIC at the same time. On initial authentication this appears fine and both show Authz Success on our switch; after a period of time the AMT NIC then goes to status Authz Failed.
Config from our switch and CPPM is included below. If it's worth noting, we only send one Enforcement Profile back regardless of whether it's the Data NIC or the AMT NIC at the moment, and the Data NIC may be 802.1X or MAB authenticated depending on the build on the device.
Switch Port Config
!
interface FastEthernet0/12
 description VLAN 2 - Auth High Security Mode
 switchport access vlan 2
 switchport mode access
 ip device tracking maximum 4
 no logging event link-status
 authentication control-direction in
 authentication event server dead action authorize vlan 2
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer restart 0
 authentication timer reauthenticate server
 authentication timer inactivity 3600
 authentication violation restrict
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout quiet-period 30
 dot1x timeout tx-period 5
 spanning-tree portfast
end
sh auth sess int fa0/12
            Interface:  FastEthernet0/12
          MAC Address:  0023.2438.c288
           IP Address:  10.201.181.12
            User-Name:  host/4990POS0002.BC.JSPLC.NET
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  in
        Authorized By:  Authentication Server
           Vlan Group:  N/A
         Per-User ACL:  permit ip any any
      Session timeout:  43200s (server), Remaining: 18790s
       Timeout action:  Reauthenticate
         Idle timeout:  3600s (local), Remaining: 761s
    Common Session ID:  0ABDB5060000E2FDAFFFFB26
      Acct Session ID:  0x000104AD
               Handle:  0xF6000464

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run
----------------------------------------
            Interface:  FastEthernet0/12
          MAC Address:  0023.2438.c289
           IP Address:  10.201.181.12
            User-Name:  00232438c289
               Status:  Authz Failed
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  in
      Session timeout:  N/A
         Idle timeout:  3600s (local), Remaining: 3083s
    Common Session ID:  0ABDB5060000E2FCAFFF8B69
      Acct Session ID:  0x0001046C
               Handle:  0x38000463

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
CPPM Enforcement Profile
Enforcement Profiles - PROFILE-WIRED-STORE-SKINNY-POS
Summary
Profile:
  Name:              PROFILE-WIRED-STORE-SKINNY-POS
  Description:       Skinny Store POS
  Type:              RADIUS
  Action:            Accept
  Device Group List: -
Attributes:
     Type           Name                 Value
  1. Radius:IETF    Session-Timeout      = 86400
  2. Radius:IETF    Termination-Action   = RADIUS-Request (1)
  3. Radius:Cisco   Cisco-AVPair         = ip:inacl#1=permit ip any any
Thanks,
Matt.
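As an added example that is not part of Matt's post: a small Python parser for the Cisco IOS `show authentication sessions interface` output shown above. It splits the output into per-MAC session blocks, reads the `Key: value` fields and the runnable-methods table, and flags any session where a method reached `Authc Success` while the overall status is not `Authz Success`, which is exactly the state of the second (MAB, AMT NIC) session on fa0/12 above. The embedded sample text is a constructed abridgement of the post's output; the function and class names are my own and standard library only.

```python
# Added example (not code from the post): parse Cisco IOS 'show authentication
# sessions interface' output and flag sessions that authenticated but are not
# authorized.  Python 3.8+, standard library only.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, abridged from the output in the post: a data NIC (dot1x)
# and an AMT NIC (MAB) on the same port, same IP, adjacent MAC addresses.
SAMPLE_OUTPUT = """\
            Interface:  FastEthernet0/12
          MAC Address:  0023.2438.c288
           IP Address:  10.201.181.12
            User-Name:  host/4990POS0002.BC.JSPLC.NET
               Status:  Authz Success
        Authorized By:  Authentication Server
      Session timeout:  43200s (server), Remaining: 18790s
Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run
----------------------------------------
            Interface:  FastEthernet0/12
          MAC Address:  0023.2438.c289
           IP Address:  10.201.181.12
            User-Name:  00232438c289
               Status:  Authz Failed
      Session timeout:  N/A
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
"""


@dataclass
class AuthSession:
    interface: str
    mac: str
    user_name: str
    status: str
    authorized_by: Optional[str]     # missing when the switch never authorized it
    session_timeout: Optional[str]   # raw text, e.g. "43200s (server), ..." or "N/A"
    methods: Dict[str, str] = field(default_factory=dict)  # method -> state


def parse_sessions(text: str) -> List[AuthSession]:
    """Split the output on the dashed separator and parse each session block."""
    sessions: List[AuthSession] = []
    for block in re.split(r"^\s*-{10,}\s*$", text, flags=re.MULTILINE):
        fields: Dict[str, str] = {}
        methods: Dict[str, str] = {}
        in_methods = False
        for raw in block.splitlines():
            line = raw.strip()
            if not line:
                continue
            if line.startswith("Runnable methods list"):
                in_methods = True
                continue
            if in_methods:
                # "dot1x    Authc Success" -> method name, then its state text
                parts = line.split(None, 1)
                if len(parts) == 2 and parts[0] != "Method":
                    methods[parts[0]] = parts[1].strip()
                continue
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "MAC Address" not in fields:
            continue  # blank block or a leading command echo
        sessions.append(AuthSession(
            interface=fields.get("Interface", ""),
            mac=fields["MAC Address"],
            user_name=fields.get("User-Name", ""),
            status=fields.get("Status", ""),
            authorized_by=fields.get("Authorized By"),
            session_timeout=fields.get("Session timeout"),
            methods=methods,
        ))
    return sessions


def authc_ok_but_not_authorized(sessions: List[AuthSession]) -> List[AuthSession]:
    """Sessions where a method reached 'Authc Success' but the session status is
    not 'Authz Success': the server accepted the credential, yet the switch did
    not end up with an authorized session (the AMT NIC's state in the post)."""
    return [s for s in sessions
            if "Authc Success" in s.methods.values() and s.status != "Authz Success"]


if __name__ == "__main__":
    for s in authc_ok_but_not_authorized(parse_sessions(SAMPLE_OUTPUT)):
        method = next(m for m, st in s.methods.items() if st == "Authc Success")
        print(f"{s.interface} {s.mac} ({s.user_name}): {method} authenticated, "
              f"status {s.status!r}, session timeout {s.session_timeout!r}")
```

Run it against a saved copy of the switch output (replace `SAMPLE_OUTPUT` with the file contents) on a multi-auth port and it prints only the sessions whose method result and session status disagree, together with their `Session timeout`; comparing that field with the `Session-Timeout` value in the enforcement profile is a quick way to see whether the switch actually took the server's attributes for a given MAC.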