topic Hi Neno,After several TAC in Network Access Control

FlexConnect Access Point - Wired 802.1X or MAB Authentication

mojocoops — Mon, 11 Mar 2019 05:07:57 GMT

Hi all,

We are piloting wired 802.1X but have hit a snag - FlexConnect AP switchport configuration requires the port be configured as trunk, with the native VLAN for management and access VLAN(s) for client data.

I know 802.1X cannot be configured on trunk port, but how can we configure MAB on trunk ports such as these?

Otherwise, is there another way we can authenticate these FlexConnect APs on a switch using ISE?

Thanks in advance.

Regards,

Stephen.

Hi Stephen. You are correct,

nspasov — Thu, 23 Oct 2014 18:41:25 GMT

Hi Stephen. You are correct, 802.1x should not be configured on a trunk port. Moreover, you would run into an issue with clients if you are running local switching mode. Here is the flow:

1. AP, authenticates via MAB and profiling

2. Client authenticates via PEAP/EAP-TLS, etc

3. Now the client's traffic is locally switched, thus, the client mac address is showing on the same port where the AP is connected. The NAD (Switch) sees this new mac address and it is expecting it to perform 802.1x or MAB based authentication. The supplicant, however, does not know that and as far it is concerned it was already authenticated.

So I have ran into this issue in my deployments and you have the following options (listed in preference order):

1. Eliminate FlexConnect 🙂

2. Utilize AutoSmartPorts where:

- If an AP is connected, then 802.1x configuration is removed, port-security is enabled and locked to a single MAC address and trunk configuration is enabled

- If the AP is removed, then port is configured as standard access port, port-security is removed and 802.1x is configured

More info on auto smart ports:

http://www.cisco.com/c/en/us/td/docs/switches/lan/auto_smartports/15-0_1_se/configuration/guide/asp_cg.html

3. You can configure the port in a "multi-host" mode where after the first device is authenticated all subsequent devices are allowed on the network.

Hope this helps!

Thank you for rating helpful posts!

Thanks Neno!Number 1 isn't an

mojocoops — Thu, 23 Oct 2014 23:57:05 GMT

Thanks Neno!

Number 1 isn't an option for our remote branches (where we need 802.1X and port security the most when APs are exposed).

I'll have a read about smart ports.

Are you able to provide a configuration example for multi-host mode with MAB that will work with a trunk port?

Also

Cheers,

Stephen.

Hi Stephan. The 802.1x

nspasov — Fri, 24 Oct 2014 00:39:28 GMT

Hi Stephan. The 802.1x configuration on the trunk port is exactly the same as it is on an access port. I was able to get it work and did not have any issues. When I asked Cisco "Exactly what part of 802.1x is not supported on a trunk" I was not given a straight answer 🙂 Now, I never deployed it because the customer did not like the multi-host mode so I don't know what the long term consequences are. Thus, take that option/solution with a grain of salt. Otherwise the command is

authentication host-mode multi-host

If solution #1 is not an option then I would highly recommend that you use the auto-smart ports. They are pretty powerful and you can do a lot of different things with the default and custom built macros. They can also be a little tricky so make sure you test it in your lab first. The first time I did it all of my trunk ports got auto-configured and let's just say that a lot of things stopped working 🙂

Thank you for rating helpful posts!

Hi Neno,After several TAC

mojocoops — Thu, 23 Jul 2015 05:44:08 GMT

Hi Neno,

After several TAC cases to try and get smart ports working, it turns out smart port macros aren't supported for FlexConnect/HREAP access points; only local mode access points.

So the only options are to change away from FlexConnect, tag the native VLAN (only supported on 3750s and not 2960s), or implement management VLAN access lists (which is best practise anyway).

No other way to secure access point ports unfortunately.

Regards,

Stephen.

Stephen, I have used ise

jan.nielsen — Thu, 23 Jul 2015 15:01:55 GMT

Stephen,

I have used ise triggered smart port mcros in the past, to change a port to a trunk, when certain devices are attached, for example an AP, based on it's mac address, and that works fine, auto smart ports don't need to "support" anything really, as they are just running config commands on a port, based on what ise tells it to do.

Is this not the scenario you are using ?

Hi Jan,Tried using macros

mojocoops — Thu, 23 Jul 2015 23:02:56 GMT

Hi Jan,

Tried using macros based on MAC addresses but they still weren't triggering, TAC suspected a bug with IOS version 12.2(55)SE5. They suggested upgrade to IOS 15 however then we run into bug CSCta05071 relating to CoA for wired 802.1X.

What IOS version were you successfully running this on?

Cheers,

Stephen.

I believe after much

jan.nielsen — Thu, 23 Jul 2015 23:07:04 GMT

I believe after much instability and bugs found in 12.2(55)SE5 or 6 i think was out at the time, we ended up with 12.2(58)SE2 as the most stable, and where it worked. As i remember one thing to disable is the.auto processing of macros, or it will start to trigger on the built in macros instead of just the ones you give it from ISE.

Thanks Jan.Yes I made that

mojocoops — Thu, 23 Jul 2015 23:28:49 GMT

Thanks Jan.

Yes I made that mistake once on my lab setup, and it reconfigured the trunk uplink to the router and so I lost connectivity to it - had to fix via console 🙂

Hi Neno. Tried to implement

Mats Nilson — Tue, 22 Sep 2015 08:38:41 GMT

Hi Neno.

Tried to implement MAB authentication on a trunk port but I didn't get it to work properly. How did you set it up? Did you configure native vlan or did you leave it on default?

We are running a POC where we need MAB with FlexConnect AP's

Here's the portconfig:

Switch#sh run | begin interface GigabittEthernet1/0/18
interface FastEthernet1/0/18
description SA-DEFAULT_1.1
switchport trunk encapsulation dot1q
switchport trunk native vlan 123 !* Have tried with default setting also
switchport mode trunk
switchport protected
switchport block unicast
ip arp inspection limit rate 20
no logging event link-status
no logging event power-inline-status
load-interval 30
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication host-mode multi-host ! No success with this entry and Trunk
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
ipv6 traffic-filter IPV6 in
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 2
dot1x timeout supp-timeout 20
storm-control broadcast level pps 1k
storm-control multicast level pps 2k
storm-control action trap
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard loop
service-policy input XXXXXX
ip verify source
ip dhcp snooping limit rate 20
!

Thanks in advance

What version of code are you

nspasov — Tue, 22 Sep 2015 15:11:17 GMT

What version of code are you running? I did forget to mention that you need to be on the 15.x train.

Hi Neno.

Mats Nilson — Thu, 24 Mar 2016 11:24:43 GMT

Hi Neno.

I'm running on 15.0(2)SE9 with IP base on a Cat 3750E

After upgrade to above release we actually got the smartport macros to be triggered by ISE. However this state is not secure and it looks like ISE is expecting a second auth that never happens since it regards the port as multiple device port. Do you have any idea to solve this?

sh authentication interface g1/0/44

Client list:
Interface MAC Address     Method   Domain   Status         Session ID
Gi1/0/44   1c6a.7a58.6308 mab      DATA     Authz Success 0A3EE006000008A19F6303A7

Available methods list:
Handle Priority Name
    3        0      dot1x
    4        1      mab
Runnable methods list:
Handle Priority Name
    3        0      dot1x
    4        1      mab

as111.slu2#sh authentication sess interface g1/0/44
            Interface: GigabitEthernet1/0/44
          MAC Address: 1c6a.7a58.6308
           IP Address: Unknown
            User-Name: 1C-6A-7A-58-63-08
               Status: Authz Success
               Domain: DATA
      Security Policy: Should Secure
      Security Status: Unsecure
       Oper host mode: single-host
     Oper control dir: in
        Authorized By: Authentication Server
          Vlan Policy: N/A
              ACS ACL: xACSACLx-IP-dACL-MI-CAPWAP-55fa71f9
      Session timeout: N/A
         Idle timeout: N/A
    Common Session ID: 0A3EE006000008A19F6303A7
      Acct Session ID: 0x000013D7
               Handle: 0xB30008A2

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success

Re: Hi Neno.

Vivek Ganapathi — Wed, 13 Dec 2017 07:20:46 GMT

Hi Mats,

Just wondering if were successful in sorting out this issue? I'm running into a similar issue with our FlexConnect APs. We ran into two different sets of issues with our Multi-Host setup.

1) At few of our branches, we noticed that the first MAC learnt is a workstations MAC which is connected through the AP. Technically, AP must be the first MAC seen by switch. Don't know whats causing this.

2) The dACL we issued via ISE is restrictive and only allows certain ports. This seems to be breaking the connectivity of the workstations connected to the SSID. So, I'm suspecting if I have a missing port in my dACL or the dACL is applied to the entire session instead of applying it to the first MAC seen by the switch. By the same ACL we are issuing for our LWAPP APs & they seem to be working absolutely fine. Below is the dACL I have -

remark Allow Control and Provisioning of Wireless Access Points (CAPWAP) protocols.

permit udp any any range 5246 5248

permit udp any range 5246 5248 any

remark Allow Lightweight Access Point Protocol (LWAPP)

permit udp any any range 12222 12224

permit udp any range 12222 12224 any

remark Allow remote access (telnet and SSH)

permit tcp any range 22 23 any

remark Allow DHCP

permit udp any any eq 67

permit udp any any eq 68

remark Allow DNS

permit udp any any eq 53

remark Allow RDLP

permit udp any any eq 6352

remark Allow NSI Protocol

permit udp any any eq 37540

permit udp any any eq 37550

remark Allow TFTP

permit udp any any eq 69

remark Allow FTP

permit tcp any any eq 21

remark Allow Syslog

permit udp any any eq 514

permit icmp any any

deny ip any any

Do you reckon there could be few more ports for FlexConnects?

Regards

Vivek