Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Native supplicant to use MAB

  • 1.  Native supplicant to use MAB

    Posted Mar 07, 2019 03:06 PM

    Hello,

    I have Windows 10 machines with the dot1x native supplicant enabled.

    I am using EAP-TLS on CPPM.

    My switch has dot1x and then MAB as the order and priority.

    Suppose one of my machines, having the native dot1x supplicant but an expired certificate, tries to connect; RADIUS will send a reject message.

    But can my machine go for MAB?

    In which case does my machine go for MAB?

    Is it possible for RADIUS to send an instruction to use MAB as dot1x is failing?



  • 2.  RE: Native supplicant to use MAB

    EMPLOYEE
    Posted Mar 07, 2019 03:11 PM
    MAC auth is between a NAS and AAA server. The client/supplicant is not involved.

    The NAS decides when MAC auth should be used.


  • 3.  RE: Native supplicant to use MAB

    Posted Mar 07, 2019 03:14 PM

    Thanks Tim,

    In my case, having Windows machines with the native supplicant, how can I instruct my NAS to use MAB for a faulty machine with an expired certificate? Who will instruct the NAS? And how does the client machine behave in this case?



  • 4.  RE: Native supplicant to use MAB

    EMPLOYEE
    Posted Mar 07, 2019 03:17 PM
    You'll have to find out if your NAS supports MAC auth on a rejected 802.1X authentication.

    Note, this only applies to wired networks.


  • 5.  RE: Native supplicant to use MAB

    Posted Mar 07, 2019 03:21 PM

    Yes, I am talking about wired only.

    My NAS is a Cisco and HPE mix.

    And what config is needed on the switch? Any special command?

    And does CPPM have no role in deciding this or sending an instruction to use MAB?



  • 6.  RE: Native supplicant to use MAB

    EMPLOYEE
    Posted Mar 07, 2019 03:23 PM
    It should just work with a standard config.


  • 7.  RE: Native supplicant to use MAB

    Posted Mar 07, 2019 03:38 PM

    OK, that's great. I am having some confusion: if the dot1x supplicant is enabled on my laptop, it will never go to MAB, because if dot1x fails and the switch port is configured to retry 3 times, the counter will reset after 3 and it will again start with dot1x and never go to MAB.

    Below is my switch port config (Cisco):

    interface FastEthernet2/2
     description 802.1X Enabled: PC
     switchport access vlan 301
     switchport mode access
     switchport voice vlan 455
     authentication event server dead action reinitialize vlan 301
     authentication event server dead action authorize voice
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate 36000
     mab
     no snmp trap link-status
     dot1x pae authenticator
     dot1x timeout tx-period 5
     storm-control broadcast level 1.00
    !



  • 8.  RE: Native supplicant to use MAB

    EMPLOYEE
    Posted Mar 07, 2019 03:43 PM
    Actually, according to Cisco:

    "MAB cannot be used as a next method for IEEE 802.1X authentication failures"

    You can only use an auth fail VLAN.


  • 9.  RE: Native supplicant to use MAB

    Posted Mar 07, 2019 03:47 PM

    OK, the requirement is not to have an auth-fail VLAN.

    So technically it is not doable?

    I understand Cisco's recommendation, but as part of a POC we have to showcase this as a use case to our customer.

    They have limited external users, so they don't want to enable guest access or a guest VLAN,

    and as a quick solution they want to allow MAB for external users.

    That's why we (and our customer) want to have MAB after dot1x failure.

    So is it doable on Cisco and HPE?



  • 10.  RE: Native supplicant to use MAB

    EMPLOYEE
    Posted Mar 07, 2019 03:50 PM
    You have HPE switches or Cisco switches?

    As mentioned, Cisco doesn't support this so there's not much that can be done on our end.


  • 11.  RE: Native supplicant to use MAB

    Posted Mar 07, 2019 03:52 PM

    OK, thanks a lot.

    We have both Cisco and HPE switches.



  • 12.  RE: Native supplicant to use MAB

    MVP EXPERT
    Posted Mar 07, 2019 05:12 PM

    On your Windows client you can allow unauthenticated access in the 802.1X settings. When 802.1X fails, Windows allows access and its MAC address will be sent to the NAS. In fact there is first an 802.1X request; after this fails, Windows sends a MAC request. Both authentications can be placed in different VLANs.

    [attached screenshot: Capture.JPG]



  • 13.  RE: Native supplicant to use MAB

    EMPLOYEE
    Posted Mar 07, 2019 05:14 PM
    This simply allows access in the fallback VLAN. Supplicants have no control over MAC auth.


  • 14.  RE: Native supplicant to use MAB

    Posted Mar 07, 2019 06:45 PM

    Thanks.

    I was wondering what the command below on a Cisco switch will do:

    authentication event fail action next-method



  • 15.  RE: Native supplicant to use MAB

    Posted Mar 08, 2019 08:33 AM
    Thanks Marcel. I have only one VLAN on the port. So does making the changes in the LAN card settings make the supplicant go for MAC authentication bypass if dot1x fails?


  • 16.  RE: Native supplicant to use MAB

    Posted Mar 08, 2019 09:46 AM
    I checked with Cisco and they said to enable the same settings on the supplicant as mentioned by Marcel, plus the command below is needed on the switch:

    authentication event fail action next-method

    After that, if dot1x fails, the supplicant will switch to MAB.

    I don't know of any corresponding command in HPE.

    Anyone have any idea?

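As an added example (not code from this thread, from Cisco or from HPE), the check below parses an IOS-style running-config excerpt and reports, per access port, which of the lines this thread converged on for "802.1X first, MAB on failure" are missing. The required-line set is an assumption drawn from the posts above (port-control auto, dot1x authenticator, mab, and the fail action next-method command); the sample config is the FastEthernet2/2 port posted earlier plus a constructed second port that has the extra command, so the script runs offline.

```python
import re

# Constructed sample: the interface posted in this thread (Fa2/2) plus a
# constructed port (Fa2/3) that adds the fail-action command from post 16.
SAMPLE_CONFIG = """\
interface FastEthernet2/2
 description 802.1X Enabled: PC
 switchport access vlan 301
 switchport mode access
 switchport voice vlan 455
 authentication host-mode multi-auth
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 36000
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
!
interface FastEthernet2/3
 switchport access vlan 301
 switchport mode access
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication port-control auto
 mab
 dot1x pae authenticator
!
"""

# Lines a port needs for the behaviour discussed in the thread (assumption
# based on the posts, not a vendor-published checklist).
REQUIRED = {
    "dot1x pae authenticator": "802.1X authenticator not enabled",
    "authentication port-control auto": "port-control is not 'auto'",
    "mab": "MAB not enabled on the port",
    "authentication event fail action next-method":
        "no fallback to the next method on 802.1X failure",
}


def parse_interfaces(config):
    """Split running-config text into {interface_name: [stripped config lines]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!":
            current = None          # end of the interface block
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces


def audit_interface(lines):
    """Return a list of findings; an empty list means the port meets the requirements."""
    findings = []
    present = set(lines)
    for cmd, why in REQUIRED.items():
        if cmd not in present:
            findings.append(f"missing '{cmd}': {why}")
    # If an explicit order is configured, dot1x must be tried before mab.
    for line in lines:
        m = re.match(r"authentication order (.+)", line)
        if m and m.group(1).split()[0] != "dot1x":
            findings.append(f"'{line}': dot1x is not the first method")
    return findings


def audit_config(config):
    """Audit every interface in the config text; returns {interface: [findings]}."""
    return {name: audit_interface(lines)
            for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else findings)
```

Run against the sample, Fa2/2 is reported with exactly one finding (the missing next-method line) and Fa2/3 passes; feed it `show running-config` output to check every edge port the same way.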

  • 17.  RE: Native supplicant to use MAB

    EMPLOYEE
    Posted Mar 08, 2019 09:52 AM
    I don't know of a way to do that on HPE Comware. You may want to ask in the switching forum.


  • 18.  RE: Native supplicant to use MAB

    MVP EXPERT
    Posted Mar 08, 2019 01:00 PM

    My HPE 5130 (Comware 7) looks like this.

    dot1x authentication-method eap
    dot1x quiet-period
    dot1x retry 1
    dot1x timer quiet-period 10
    dot1x timer tx-period 10
    #
    port-security enable
    #
    interface GigabitEthernet1/0/2
     description "default edge interface"
     port access vlan 2
     broadcast-suppression 40
     multicast-suppression 60
     stp edged-port
     poe enable
     undo dot1x handshake
     dot1x mandatory-domain yourdomain.com
     undo dot1x multicast-trigger
     port-security port-mode userlogin-secure-or-mac-ext
     loopback-detection enable vlan 2
     loopback-detection action shutdown
    #
    radius scheme cppm
     primary authentication "cppmpublisher-ip"
     primary accounting "cppmpublisher-ip"
     secondary authentication "cppmsubcriper-ip"
     secondary accounting "cppmsubcriper-ip"
     accounting-on enable
     key authentication cipher "key"
     key accounting cipher "key"
     user-name-format without-domain
    #
    radius scheme system
     user-name-format without-domain
    #
    domain yourdomain.com
     authentication lan-access radius-scheme cppm local
     authorization lan-access radius-scheme cppm
     accounting lan-access radius-scheme cppm
     authentication default radius-scheme cppm local
     authorization default radius-scheme cppm local
     accounting default radius-scheme cppm local


  • 19.  RE: Native supplicant to use MAB

    MVP EXPERT
    Posted Mar 08, 2019 01:03 PM

    But it's best to use a different VLAN when MAC auth takes place, else your 802.1X authentication doesn't make a lot of sense anymore.

    802.1X > corporate VLAN

    MAC auth > quarantine VLAN (with restrictions)

    If MAC auth ends up in the same VLAN as your 802.1X, it isn't really safe.


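The point above (MAB landing in the 802.1X VLAN defeats the purpose of 802.1X) is something the AAA side can watch for. As an added example, not code from this thread or from ClearPass, the script below walks a constructed authentication-log export and reports endpoints whose EAP-TLS attempt was rejected and that were then admitted by MAC auth shortly afterwards, marking the ones that ended up in the corporate VLAN. The record layout (timestamp, MAC, method, result, assigned VLAN), the 60-second window and VLAN 301 as the corporate VLAN are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample records; the comma-separated layout is an assumption
# made for this example, not an actual ClearPass export format.
SAMPLE_LOG = """\
2019-03-07 15:01:02,00-11-22-33-44-55,EAP-TLS,REJECT,-
2019-03-07 15:01:09,00-11-22-33-44-55,MAC-AUTH,ACCEPT,301
2019-03-07 15:02:10,00-11-22-33-44-66,EAP-TLS,ACCEPT,301
2019-03-07 15:03:00,00-11-22-33-44-77,EAP-TLS,REJECT,-
2019-03-07 15:03:07,00-11-22-33-44-77,MAC-AUTH,ACCEPT,999
2019-03-07 15:04:00,00-11-22-33-44-88,MAC-AUTH,ACCEPT,999
"""

CORPORATE_VLAN = "301"          # the 802.1X VLAN from the posted port config (assumption)
WINDOW = timedelta(seconds=60)  # MAB accept this soon after a reject counts as fallback


def parse_log(text):
    """Parse the sample layout into (timestamp, mac, method, result, vlan) tuples."""
    records = []
    for line in text.splitlines():
        ts, mac, method, result, vlan = line.split(",")
        records.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        mac, method, result, vlan))
    return records


def find_fallbacks(records, corporate_vlan=CORPORATE_VLAN, window=WINDOW):
    """Return [(mac, vlan, in_corporate_vlan)] for endpoints that failed
    802.1X and were then admitted via MAC auth within the window."""
    last_reject = {}   # mac -> timestamp of the most recent 802.1X reject
    findings = []
    for ts, mac, method, result, vlan in sorted(records):
        if method == "EAP-TLS" and result == "REJECT":
            last_reject[mac] = ts
        elif method == "MAC-AUTH" and result == "ACCEPT" and mac in last_reject:
            if ts - last_reject[mac] <= window:
                findings.append((mac, vlan, vlan == corporate_vlan))
            del last_reject[mac]
    return findings


def risky_fallbacks(records):
    """Only the fallbacks that landed in the corporate VLAN (the unsafe case above)."""
    return [f for f in find_fallbacks(records) if f[2]]


if __name__ == "__main__":
    for mac, vlan, risky in find_fallbacks(parse_log(SAMPLE_LOG)):
        print(mac, "-> VLAN", vlan, "(same VLAN as 802.1X!)" if risky else "(quarantine)")
```

On the sample data two endpoints fell back to MAC auth; only the first one is flagged, because it received the corporate VLAN rather than a restricted one. The endpoint that only ever did MAC auth is not a fallback and is not reported.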

  • 20.  RE: Native supplicant to use MAB

    Posted Mar 11, 2019 07:57 AM

    Comware switches can be configured with parallel processing for MAC auth and dot1x; you can add a delay timer if you would like. See a copy of the documentation here:

     

    About parallel processing of MAC authentication and 802.1X authentication

    This feature enables a port that processes MAC authentication after 802.1X authentication is finished to process MAC authentication in parallel with 802.1X authentication.

    Make sure the port meets the following requirements:

    • The port is configured with both 802.1X authentication and MAC authentication and performs MAC-based access control for 802.1X authentication.

    • The port is enabled with the 802.1X unicast trigger.

    When the port receives a packet from an unknown MAC address, it sends a unicast EAP-Request/Identity packet to the MAC address. After that, the port immediately processes MAC authentication without waiting for the 802.1X authentication result.

    After MAC authentication succeeds, the port is assigned to the MAC authentication authorization VLAN.

    • If 802.1X authentication fails, the MAC authentication result takes effect.

    • If 802.1X authentication succeeds, the device handles the port and the MAC address based on the 802.1X authentication result.

    The process sequence of 802.1X authentication and MAC authentication is configurable in other ways. For example, for the port to perform MAC authentication before it is assigned to the 802.1X guest VLAN, enable new MAC-triggered 802.1X guest VLAN assignment delay. For information about new MAC-triggered 802.1X guest VLAN assignment delay, see "Configuring 802.1X."

    Restrictions and guidelines

    To configure both 802.1X authentication and MAC authentication on the port, use one of the following methods:

    • Enable the 802.1X and MAC authentication features separately on the port.

    • Enable port security on the port. The port security mode must be userlogin-secure-or-mac or userlogin-secure-or-mac-ext.

      For information about port security mode configuration, see "Configuring port security."

    For the parallel processing feature to work correctly, do not enable MAC authentication delay on the port. This operation will delay MAC authentication after 802.1X authentication is triggered.

    Procedure
    1. Enter system view.

      system-view

    2. Enter interface view.

      interface interface-type interface-number

    3. Enable parallel processing of MAC authentication and 802.1X authentication on the port.

      mac-authentication parallel-with-dot1x

      By default, this feature is disabled.