The Mobility Access Switch introduces a new role called the "preauth" role. This role is assigned to a client until it derives its final role after passing through all the configured authentication methods. Because the client holds the preauth role in the meantime, the policies defined on an intermediate role (one that the client would otherwise be placed in before the last authentication method completes) are not applied to the client's traffic. This prevents a client from obtaining an IP address through DHCP in the VLAN of an intermediate role, which may differ from the VLAN derived with the final role.
By default, this feature is disabled; you enable the preauth role on the Mobility Access Switch from the CLI. The preauth role is a system role and cannot be deleted. By default it contains no ACL, so it denies all L2/L3 traffic from the client except control packets; this includes DHCP, so the client cannot obtain an address until the final role is derived. You can configure ACLs in the role to allow specific traffic.
Limitations:
Because a client cannot send DHCP traffic while it is in the preauth role, the DHCP discovery time for a device connected to the network increases with the authentication time. The authentication time may increase for any of the following reasons:
- Large number of servers in a server group.
- User delay in providing 802.1X credentials.
- Large retransmit and timeout values configured for the servers.
Recommendations:
To reduce the DHCP discovery time for devices that do not support 802.1X authentication (these devices wait out the 802.1X exchange before the switch moves on to the next configured method), it is recommended to adjust the following values in the aaa authentication dot1x profile:
- Set the reauth-max value to 1.
- Set the timer idrequest_period value to 10 seconds for preboot execution environment (PXE) clients and to 20 seconds or lower for non-PXE clients.
These values are starting points; set them in the dot1x profile according to your network settings.
Configuring Pre-authentication Role:
You can enable the preauth role on the Mobility Access Switch in the AAA profile from the CLI:
(host) (config) # aaa profile <profile-name>
(host) (AAA Profile "<profile-name>") # preauth
Sample Configuration:
(host) (config) # aaa profile Profile1
(host) (AAA Profile "Profile1") # preauth
Verifying Pre-authentication Role Configuration:
You can verify the preauth role configuration with the show aaa profile command, from either the AAA profile submode or enable mode; the Preauth parameter in the output shows Enabled:
(host) (AAA Profile "Profile1") #show aaa profile Profile1
(host) #show aaa profile Profile1
AAA Profile "Profile1"
-------------------
Parameter Value
--------- -----
Initial role logon
MAC Authentication Profile N/A
MAC Authentication Default Role guest
MAC Authentication Server Group default
802.1X Authentication Profile N/A
802.1X Authentication Default Role guest
802.1X Authentication Server Group N/A
Download Role from ClearPass Enabled
L2 Authentication Fail Through Enabled
RADIUS Accounting Server Group N/A
RADIUS Interim Accounting Disabled
XML API server N/A
AAA unreachable role N/A
RFC 3576 server N/A
User derivation rules N/A
SIP authentication role N/A
Preauth Enabled
Enforce DHCP Disabled
Authentication Failure Blacklist Time 3600 sec
Viewing Pre-authentication Role Assignment
Use the show station-table command to view the role assigned to each client. The Role column shows preauth until a client has completed all the configured authentication methods and derived its final role; after that, the Role column shows the final role. In the sample output below, the client on interface 0/0/8 is still in preauth.
(host) #show station-table
Station Entry
-------------
MAC                Name          Role     Age(d:h:m)  Auth  Interface  Profile
---                ----          ----     ----------  ----  ---------  -------
00:60:6e:00:f1:7d  00606e00f17d  preauth  00:00:00    No    0/0/8      Profile1
Station Entries: 1
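The two show commands above are the operator's only view of whether preauth is enabled and which clients are still held in it. As an added example (not part of this page and not ArubaOS code), the following Python script parses the output of show aaa profile and show station-table as they appear above, reports AAA profiles in which Preauth is not Enabled, and flags stations that have sat in the preauth role longer than a threshold. A station that stays in preauth is a client whose authentication has stalled (for instance a non-802.1X device waiting out the dot1x timers discussed under Limitations) and which therefore cannot obtain a DHCP lease. The sample output embedded in the script is constructed from the page's examples, with a second profile and two extra stations added; the 2-minute threshold and the function names are assumptions.

```python
"""Audit Mobility Access Switch preauth state from 'show aaa profile' and
'show station-table' output (added example; not ArubaOS code)."""
import re
from datetime import timedelta

# Constructed sample output modelled on the page's examples, not captured from a
# real switch. Column spacing follows the switch's aligned output: parameter
# names contain single spaces, and two or more spaces separate them from values.
AAA_PROFILE_OUTPUT = """\
AAA Profile "Profile1"
----------------------
Parameter                              Value
---------                              -----
Initial role                           logon
MAC Authentication Default Role        guest
802.1X Authentication Default Role     guest
Preauth                                Enabled
Enforce DHCP                           Disabled
Authentication Failure Blacklist Time  3600 sec

AAA Profile "Profile2"
----------------------
Parameter                              Value
---------                              -----
Initial role                           logon
Preauth                                Disabled
Enforce DHCP                           Disabled
"""

STATION_TABLE_OUTPUT = """\
Station Entry
-------------
MAC                Name          Role      Age(d:h:m)  Auth  Interface  Profile
---                ----          ----      ----------  ----  ---------  -------
00:60:6e:00:f1:7d  00606e00f17d  preauth   00:00:00    No    0/0/8      Profile1
00:60:6e:00:f1:7e  00606e00f17e  preauth   00:00:05    No    0/0/9      Profile1
00:60:6e:00:f1:7f  00606e00f17f  employee  00:01:12    Yes   0/0/10     Profile1
Station Entries: 3
"""

PROFILE_HEADER = re.compile(r'^AAA Profile "(?P<name>[^"]+)"')
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)
STATION_FIELDS = ("mac", "name", "role", "age", "auth", "interface", "profile")


def parse_aaa_profiles(text):
    """Return {profile name: {parameter: value}} from 'show aaa profile' output."""
    profiles, current = {}, None
    for line in text.splitlines():
        m = PROFILE_HEADER.match(line)
        if m:
            current = profiles.setdefault(m.group("name"), {})
            continue
        # Skip blank lines and the dashed underline rows.
        if current is None or set(line.replace(" ", "")) <= {"-"}:
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) == 2 and parts[0] != "Parameter":
            current[parts[0]] = parts[1]
    return profiles


def preauth_disabled(profiles):
    """Names of profiles whose Preauth parameter is anything other than Enabled."""
    return [name for name, params in profiles.items()
            if params.get("Preauth") != "Enabled"]


def parse_age(age):
    """Convert the Age(d:h:m) column to a timedelta."""
    days, hours, minutes = (int(x) for x in age.split(":"))
    return timedelta(days=days, hours=hours, minutes=minutes)


def parse_station_table(text):
    """Return one dict per station row of 'show station-table' output."""
    stations = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have exactly seven whitespace-separated columns and start with a MAC.
        if len(fields) == len(STATION_FIELDS) and MAC_RE.match(fields[0]):
            stations.append(dict(zip(STATION_FIELDS, fields)))
    return stations


def stuck_in_preauth(stations, max_age=timedelta(minutes=2)):
    """Stations that have held the preauth role longer than max_age.

    A fresh entry in preauth is normal; one that stays there cannot obtain a
    DHCP lease and usually means authentication has stalled. The 2-minute
    default is an assumption; tune it to your dot1x timer settings."""
    return [s for s in stations
            if s["role"] == "preauth" and parse_age(s["age"]) > max_age]


if __name__ == "__main__":
    for name in preauth_disabled(parse_aaa_profiles(AAA_PROFILE_OUTPUT)):
        print(f"AAA profile {name}: Preauth is not enabled")
    for s in stuck_in_preauth(parse_station_table(STATION_TABLE_OUTPUT)):
        print(f"{s['mac']} on {s['interface']} ({s['profile']}) "
              f"in preauth for {s['age']} (d:h:m)")
```

Run against live output by replacing the two constants with the text captured from the switch; the parsers rely only on the column layout shown above.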