https://community.cisco.com/t5/network-access-control/web-authentication-and-mda/m-p/840393#M5530 <HTML><HEAD></HEAD><BODY><P>Web-Auth and MDA are not supported together.</P></BODY></HTML> Fri, 28 Sep 2007 18:10:39 GMT jafrazie 2007-09-28T18:10:39Z https://community.cisco.com/t5/network-access-control/web-authentication-and-mda/m-p/840392#M5526 <P>Scenario: Cat3560 using 802.1x Multidomain Authentication (MDA) on the access ports. Which means Nortel Phones authenticating into the voice domain and cascaded PCs authenticating into the data domain on the same access port. MAC Authentication Bypass (MAB) takes care about 802.1x unaware hosts. RADIUS server is a MS IAS machine.</P><P></P><P>So far everything works perfectly. Now the customer wants to use Web Authentication as an additional fallback method.</P><P></P><P>Problem: The dot1x process doesn't get that far to offer Web Authentication in our setup, it seems to get stuck in MAB.</P><P></P><P>After a lot of testing I nailed the problem down to MDA. As soon as I change 'dot1x host-mode multi-domain' to 'dot1x host-mode single-host', Web Authentication starts to work.</P><P></P><P>Question: Does anybody know about restrictions regarding Web Auth and MDA?</P><P></P><P>Tested IOSes are 12.2(37)SE and 12.2(40)SE.</P><P></P><P>Below you'll see the outputs of 'sh dot1x int fa0/1 det', which represent the final port states:</P><P></P><P>Using MDA:</P><P></P><P>Dot1x Authenticator Client List</P><P>-------------------------------</P><P>Domain = UNKNOWN</P><P>Supplicant = 0018.8bae.c4ab</P><P> Auth SM State = AUTHENTICATING (FALLBACK)</P><P> Auth BEND SM State = IDLE</P><P>Port Status = UNAUTHORIZED</P><P>ReAuthPeriod = 0</P><P>ReAuthAction = Terminate</P><P>TimeToNextReauth = 0</P><P>Authentication Method = MAB</P><P></P><P></P><P>Using Single-Host:</P><P></P><P>Dot1x Authenticator Client List</P><P>-------------------------------</P><P>Domain = DATA</P><P>Supplicant = 0018.8bae.c4ab</P><P> Auth SM State = AUTHENTICATED</P><P> Auth BEND SM State = IDLE</P><P>Port Status = AUTHORIZED</P><P>ReAuthPeriod = 0</P><P>ReAuthAction = Terminate</P><P>TimeToNextReauth = 0</P><P>Authentication Method = WebAuth</P><P>Authorized By = Authentication Server</P><P>Vlan Policy = N/A</P><P></P><P></P><P>Thanks for any help.</P><P>Toni</P> Fri, 21 Feb 2020 18:19:12 GMT https://community.cisco.com/t5/network-access-control/web-authentication-and-mda/m-p/840392#M5526 tgrundbacher 2020-02-21T18:19:12Z https://community.cisco.com/t5/network-access-control/web-authentication-and-mda/m-p/840393#M5530 <HTML><HEAD></HEAD><BODY><P>Web-Auth and MDA are not supported together.</P></BODY></HTML> Fri, 28 Sep 2007 18:10:39 GMT https://community.cisco.com/t5/network-access-control/web-authentication-and-mda/m-p/840393#M5530 jafrazie 2007-09-28T18:10:39Z https://community.cisco.com/t5/network-access-control/web-authentication-and-mda/m-p/840394#M5533 <HTML><HEAD></HEAD><BODY><P>Hi jafrazie</P><P></P><P>Thanks for your reply. Since you work with Cisco I assume this is an official statement.</P><P></P><P>Regarding the incompatibility of the two features: It would be nice if a) this restriction would be mentioned in the documentation somewhere and b) that IOS would deny the fallback command if MDA is already in use.</P><P></P><P>Toni</P></BODY></HTML> Mon, 01 Oct 2007 05:50:18 GMT https://community.cisco.com/t5/network-access-control/web-authentication-and-mda/m-p/840394#M5533 tgrundbacher 2007-10-01T05:50:18Z https://community.cisco.com/t5/network-access-control/web-authentication-and-mda/m-p/840395#M5536 <HTML><HEAD></HEAD><BODY><P>Hi All, what is the alternative? I'm having the same setup with only one ACS and the customer is asking for a fallback method</P></BODY></HTML> Thu, 18 Dec 2008 09:50:48 GMT https://community.cisco.com/t5/network-access-control/web-authentication-and-mda/m-p/840395#M5536 k.abillama 2008-12-18T09:50:48Z