topic 802.1x Weird behavior in Network Access Control

802.1x Weird behavior

phatrachit — Mon, 11 Mar 2019 00:57:10 GMT

I got problem with testing 802.1x MDA. The AUTH-MGR notified me with weird error messages.

*Mar 1 06:41:05.610: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to up

*Mar 1 06:41:17.470: %AUTHMGR-5-START: Starting 'mab' for client (a8b1.d4fb.4dc9) on Interface Gi1/0/13 AuditSessionID 0A6464C80000000D016F2E87

*Mar 1 06:41:17.470: AAA/AUTHEN/8021X (0000001E): Pick method list 'default'

*Mar 1 06:41:17.758: %MAB-5-SUCCESS: Authentication successful for client (a8b1.d4fb.4dc9) on Interface Gi1/0/13 AuditSessionID 0A6464C80000000D016F2E87

*Mar 1 06:41:17.763: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (a8b1.d4fb.4dc9) on Interface Gi1/0/13 AuditSessionID 0A6464C80000000D016F2E87

*Mar 1 06:41:17.763: %AUTHMGR-5-FAIL: Authorization failed for client (a8b1.d4fb.4dc9) on Interface Gi1/0/13 AuditSessionID 0A6464C80000000D016F2E87*

*Mar 1 06:42:18.402: %MAB-5-SUCCESS: Authentication successful for client (a8b1.d4fb.4dc9) on Interface Gi1/0/13 AuditSessionID 0A6464C80000000D016F2E87

*Mar 1 06:42:18.408: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (a8b1.d4fb.4dc9) on Interface Gi1/0/13 AuditSessionID 0A6464C80000000D016F2E87

SW-DOT1X#sh authentication int g

*Mar 1 06:42:18.408: %AUTHMGR-5-FAIL: Authorization failed for client (a8b1.d4fb.4dc9) on Interface Gi1/0/13 AuditSessionID 0A6464C80000000D016F2E871/0/13

Client list:

Interface MAC Address Method Domain Status Session ID

Gi1/0/13 a8b1.d4fb.4dc9 mab DATA Authz Failed 0A6464C80000000D016F2E87

Available methods list:

Handle Priority Name

3 0 dot1x

2 1 mab

Runnable methods list:

Handle Priority Name

2 0 mab

3 1 dot1x

SW-DOT1X#sh authentication session int g1/0/13

Interface: GigabitEthernet1/0/13

MAC Address: a8b1.d4fb.4dc9

IP Address: Unknown

User-Name: a8b1d4fb4dc9

Status: Authz Failed

Domain: DATA

Oper host mode: multi-domain

Oper control dir: both

Session timeout: N/A

Idle timeout: N/A

Common Session ID: 0A6464C80000000D016F2E87

Acct Session ID: 0x0000001D

Handle: 0xBC00000D

Runnable methods list:

Method State

mab Authc Success

dot1x Not run

===================================================================================

interface GigabitEthernet1/0/13

switchport access vlan 50

switchport mode access

switchport voice vlan 60

authentication host-mode multi-domain

authentication order mab dot1x

authentication port-control auto

mab

dot1x pae authenticator

spanning-tree portfast

end

On ACS

Configure RADIUS IETF attributes already

- 64/65/81 and cisco-av-pair

Re: 802.1x Weird behavior

greg.fuller — Tue, 29 Mar 2011 19:44:04 GMT

Does VLAN 50 exist on the switch in question? It looks like your MAB authentication is successful so you should be good so long as vlan60 exists on the switch. We return a VLAN name/number from RADIUS with authentication requests (MAB and non-MAB authentication requests) to allow for dynamic VLAN switching based upon the user credentials or MAC (replaces our old VMPS based solution). If the VLAN name/number doesn't exist on the switch we get the Authorization Failure ("Authz Failed" status).

Also if your running in MBA mode you'll need to make sure you return the something like the following if the device is an IP phone:

cisco-avpair = "device-traffic-class=voice"
Tunnel-Type=1:VLAN
Tunnel-Medium-Type=1:Ether_802
Tunnel-Private-Group-ID=1:VOICE-LAN

If your not doing IP phone dot1x authentication, then you don't need to be running in MDA mode. Get rid of that and just configure the port for multi-host or single host mode.

--greg

Re: 802.1x Weird behavior

phatrachit — Thu, 31 Mar 2011 19:55:01 GMT

Thank you for reply, Greg

I change some configuration on the switch and IP Phone can authenticated with MAB and get the authorized on that port but when i showed the command "show dot1x int g1/0/13" the status on that port is UNAUTHORIZED.

========================================================================================

sh authen sess int g1/0/13

Interface: GigabitEthernet1/0/13

MAC Address: d0d0.fd70.e70b

IP Address: Unknown

User-Name: d0d0fd70e70b

Status: Authz Success

Domain: VOICE

Oper host mode: multi-domain

Oper control dir: both

Authorized By: Authentication Server

Vlan Policy: 130

Session timeout: N/A

Idle timeout: N/A

Common Session ID: 0A080E4C0000009C43BE8EC5

Acct Session ID: 0x000004DD

Handle: 0xC100009C

Runnable methods list:

Method State

mab Authc Success

dot1x Not run

sh dot1x int f0/13 detail

Dot1x Info for FastEthernet0/13

-----------------------------------

PAE = AUTHENTICATOR

PortControl = AUTO

ControlDirection = Both

HostMode = MULTI_DOMAIN

QuietPeriod = 60

ServerTimeout = 0

SuppTimeout = 30

ReAuthMax = 2

MaxReq = 2

TxPeriod = 30

Dot1x Authenticator Client List Empty

Port Status = UNAUTHORIZED

========================================================================================

interface GigabitEthernet1/0/13

switchport access vlan 50

switchport mode access

switchport voice vlan 60

authentication host-mode multi-domain

authentication order mab dot1x

authentication port-control auto

mab

dot1x pae authenticator

spanning-tree portfast

aaa authentication dot1x default group radius

aaa authorization network default group radius

radius-server host X.X.X.X auth-port 1812 acct-port 1813 key cisco

radius-server vsa send authentication

========================================================================================

For your last paragraph

If your not doing IP phone dot1x authentication, then you don't need to be running in MDA mode. Get rid of that and just configure the port for multi-host or single host mode.

What do you mean? i don't understand why you said i don't have to running in MDA mode. Because when i removed the MDA mode and do not configure cisco-av-pair attribute on ACS the switch will send an error like this

%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface interface GigabitEthernet1/0/13, new MAC address (0080.647f.c590) is seen.
%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface interface GigabitEthernet1/0/13, new MAC address (0080.647f.c590) is seen.
%PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/13, putting Gi1/0/13 in err-disable state

Re: 802.1x Weird behavior

greg.fuller — Thu, 31 Mar 2011 20:30:51 GMT

Didn't see that you were using an IP phone for testing with before. So you have your radius server set to send for something like the following when the it does a MAB authentication (from your config the port will try to login with MAB first before dot1x):

Username=d0d0.fd70.e70b

     cisco-avpair = "device-traffic-class=voice"
     Tunnel-Type=1:VLAN
     Tunnel-Medium-Type=1:Ether_802
     Tunnel-Private-Group-ID=1:130

What switch model and IOS version are you using? We were experiencing a port-security error that would err-disable the port like you have listed. We got a bug filed for it and it was resolved for us in 12.2(55)SE on the 3750v2-48PS.

Have you looked at this guide at all:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html

That guide came out basically right after I figured all of this out without a single source document like the above. It give very good details of how to go through and configure all of this.

We authenticate our 7942G/7962G/7975G phones via the built-in MIC with EAP-TLS, and our clients behind the phones with EAP-PEAPv0. We are using OSC Radiator for our radius server instead of ACS.

This is what we use for our basic dot1x port configs via a macro:

testswitch-03#sh parser macro name DOT1X-VOIP
Macro name : DOT1X-VOIP
Macro type : customizable
switchport mode access
switchport access vlan 257
switchport voice vlan 258
cdp enable
cdp tlv server-location
cdp tlv app
speed auto
duplex auto
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree bpdufilter enable
authentication event fail retry 3 action authorize vlan 257
authentication event no-response action authorize vlan 257
authentication host-mode multi-domain
authentication order dot1x mab
authentication port-control auto
authentication violation restrict
dot1x pae authenticator
dot1x timeout quiet-period 3
dot1x timeout tx-period 10
dot1x timeout supp-timeout 15
switchport port-security
switchport port-security maximum 3
switchport port-security maximum 2 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security violation restrict
storm-control broadcast level 10.00
storm-control multicast level 50.00
storm-control action trap
auto qos voip cisco-phone

--greg