3750 802.1x authentication shows successful, however, Security status still shows "Unsecure"

razor3105
Level 1

This is a 3750 switch running 12.2(55)SE9.

Below is the output I am referring to:
RJ3750#show authentication sessions session-id C0A80302000000040003BCF4
Interface: FastEthernet2/0/4
MAC Address: 00e0.db46.66f4
IP Address: Unknown
User-Name: 00e0db4666f4
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure  <<<< ----- Still shows unsecure
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
Session timeout: 3600s (local), Remaining: 3295s
Timeout action: Reauthenticate
Idle timeout: N/A
Common Session ID: C0A80302000000040003BCF4
Acct Session ID: 0x00000006
Handle: 0xC5000004

Runnable methods list:
Method State
dot1x Authc Success   <<<< --- While dot1x is Success
mab Not run

Here is the configuration at the port level:

interface FastEthernet2/0/4
switchport mode access
switchport nonegotiate
switchport voice vlan 10
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
mab
mls qos trust device cisco-phone
mls qos vlan-based
dot1x pae authenticator
storm-control broadcast level 15.00
storm-control multicast level 10.00
spanning-tree portfast
spanning-tree guard root
end
Is it normal to see the Security Status still showing as unsecure? I am doing 802.1x with EAP and MSCHAPv2 using Secured Password.

I have been struggling with this setup as I am trying to get my EAP-TLS to work using certificates installed and signed by the CA on the Windows DC, and the users are in an AD group in the same DC. However, for now I would like to at least get EAP-MSCHAPv2 working correctly, then move up to certificate security and encryption. Thanks.

Accepted Solution


Hi,

"Security Status" and "Security Policy" both relate to MACSec (host to switch encryption), which you are not running here. If you are merely running 802.1x then you can safely ignore those options.
Example here, you can see the same output you are querying except the Security Status is secured.
HTH


4 Replies

Hi, Thanks for the response.

So, to make sure I understand this correctly: if I am not doing anything with MAC Security (encryption between supplicant and switch), then there is no need to worry about those. I would need to make sure the supplicant I am using supports MACSec in order to be able to properly match the "Must-Secure" policy. Otherwise EAPOL packets will simply be transmitted between supplicant and switch unencrypted. It is just another layer or level of security for the session. Correct?

Correct, if you aren't using MACSec then you can safely ignore those options, 802.1x will work just fine.

I think only AnyConnect as a supplicant supports MACSec and then you'd have to configure ISE and the switch to use MACSec in order for it all to work.

HTH
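The distinction made in the replies above (an "Unsecure" status is benign under a "Should Secure" policy when MACsec is not deployed, but a finding under "Must Secure") is easy to turn into an audit check over `show authentication sessions` output. The following is an added example, not code from any post in this thread; the sample text is constructed from the session output quoted in the question, and the `macsec_deployed` flag and the "ok" / "expected-unsecure" / "policy-violation" labels are this example's own conventions, not IOS output.

```python
# Constructed sample, trimmed from the "show authentication sessions" output in the thread.
SAMPLE = """\
Interface: FastEthernet2/0/4
MAC Address: 00e0.db46.66f4
User-Name: 00e0db4666f4
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Authorized By: Authentication Server
Common Session ID: C0A80302000000040003BCF4

Runnable methods list:
Method State
dot1x Authc Success
mab Not run
"""

def parse_session(text):
    """Return (fields, methods): the 'Key: value' header and the method -> state table."""
    fields, methods = {}, {}
    in_methods = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Runnable methods list"):
            in_methods = True          # everything below is the per-method table
            continue
        if in_methods:
            if line.startswith("Method"):
                continue               # column header row
            name, state = line.split(None, 1)
            methods[name] = state
        elif ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields, methods

def audit_session(text, macsec_deployed=False):
    """Classify one session's MACsec state relative to its policy (labels are this example's own)."""
    fields, _methods = parse_session(text)
    if fields.get("Status") != "Authz Success":
        return "not-authorized"
    if fields.get("Security Status") == "Secured":
        return "ok"
    # "Unsecure" is a finding only if MACsec is mandatory, or the site expects it on this port.
    if fields.get("Security Policy") == "Must Secure" or macsec_deployed:
        return "policy-violation"
    return "expected-unsecure"         # 802.1X succeeded; MACsec simply isn't in use
```

Run `audit_session` over each session block from the switch and alert only on "policy-violation"; the thread's own session classifies as "expected-unsecure".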

Excellent! Thank you so much for your help.