topic Re: ACS Failed Authentication - Confusing in Network Access Control

ACS Failed Authentication - Confusing

robert.riggle — Mon, 11 Mar 2019 02:24:13 GMT

I am having some confustion currently while looking into devices that fail authentication through the ACS. When looking at the reporting tool for the ACS I see a device (Dell laptop) show up on the same switch port with around 900 failed authentication attempts per day. I follow that up with a check on the MAC address table for that switch. I see devices connected (through a hub), but not the one that is failing. On the switch port there is the hub, 2 Dell laptops (but not the one getting logged in the ACS) and a VTC unit.

To add to the confusion, only the VTC unit shows a IP on the ARP table of the firewall. Not sure where to go from here.

ACS Failed Authentication - Confusing

Tarik Admani — Thu, 09 Aug 2012 14:37:17 GMT

Robert,

Can you post the port configuration? If you are running newer code you may be running authentication host mode single. Try running the command "authentication host mode multi-auth"

Here is some reference material when it comes to the different host modes:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/50sg/configuration/guide/dot1x.html#wp1240475

Thanks,

Tarik Admani
*Please rate helpful posts*

ACS Failed Authentication - Confusing

robert.riggle — Thu, 09 Aug 2012 14:41:27 GMT

Port configuration:

interface GigabitEthernet1/0/12

switchport access vlan 2

switchport mode access

authentication control-direction in

authentication host-mode multi-auth

authentication port-control auto

mab

Will look at the refrence material also, thanks.

ACS Failed Authentication - Confusing

Tarik Admani — Thu, 09 Aug 2012 14:48:16 GMT

Robert,

What is the failure reason? also are you using dynamic vlan assignment?

can you post the "show authentication sessions interface gig 1/0/12"

thanks,

Tarik Admani
*Please rate helpful posts*

Re: ACS Failed Authentication - Confusing

robert.riggle — Thu, 09 Aug 2012 15:08:16 GMT

Output attached with MAC table for that port (no paste option?).

5 sessions on the interface, only 4 MACs show on the address table. Does the failed MAB session not get shown on the table?

We do use dynamic vlan assignment.

Re: ACS Failed Authentication - Confusing

Tarik Admani — Thu, 09 Aug 2012 15:34:37 GMT

Robert,

Are you on vlan 2 or vlan 200? Are you using dynamic vlan assignment?

Thanks,

Tarik Admani
*Please rate helpful posts*

Re: ACS Failed Authentication - Confusing

robert.riggle — Thu, 09 Aug 2012 15:39:29 GMT

The ports are set up in vlan 2, on passing authenticaiton they get moved over to vlan 200.

ACS Failed Authentication - Confusing

Tarik Admani — Thu, 09 Aug 2012 21:03:31 GMT

Robert,

What version of code and model of switch are you running?

Thanks,

Tarik Admani
*Please rate helpful posts*

ACS Failed Authentication - Confusing

robert.riggle — Fri, 10 Aug 2012 11:04:34 GMT

It's a 2960S switch running 12.2(55)SE5.

ACS Failed Authentication - Confusing

Tarik Admani — Sat, 11 Aug 2012 06:05:23 GMT

Robert,

I missed your question before, the answer is yes when authentication fails the client is not entered on the mac address table since that will allow traffic to be forwarded. Dot1x (mab) is a l2 authentication framework which doesnt allow the mac address to be learned till we see the access-accept from the radius server.

So if the client authentication is expected to fail then everything is ok as far as your deployment goes and the behavior of the switch.

Tarik Admani
*Please rate helpful posts*

ACS Failed Authentication - Confusing

robert.riggle — Mon, 13 Aug 2012 14:53:56 GMT

Thats what I needed to know, thanks. Its disapointing though...