Hi Jason,

My ACS is Release 4.1(1) Build 23 Patch 1.

I configured the AAA client to use RADIUS (Cisco IOS/PIX 6.0). I didn't check the "Enable Authenticated Port cisco-av-pair" in Interface Configuration -> RADIUS (Cisco IOS/PIX 6.x). Is it required?

Below is Release Notes for Cisco Secure ACS 4.1.4:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1.4/release/notes/Release_Notes_for_Cisco_Secure_ACS_4.1.html

Referring to Table 2 Resolved Caveats in ACS Windows and Solution Engine 4.1.4, yes it appears I'm running into the following bug:

CSCsh62641 MAC authentication causes internal errors.

Checking the Bug ID using Bug Toolkit, the workarounds are as follows:

1. Downgrade to ACS 4.0.

2. Add the MAC addresses to be authenticated to a NAP under the "Internal ACS DB" MAC Address table.

I guess if I upgrade my ACS to version 4.1.4, I don't need to configure NAP. The issue should be resolved. Kindly advise.

Thank you.

B.Rgds,

Lim TS

Hi Jason,

Please find attached the Readme for ACS 4.1.3.12.1 accumulative patch.

Important Notice:

====================

With respect to DDTS CSCsh62641,following will be the behavior after applying this patch,

*With the presence of Service-Type(6) = 10 and presence of NAP will invoke MAB

*With the presence of Service-Type(6) = 10 and non-existence of NAP will invoke MAC authentication

I don't understand what is Service-Type(6) = 10. What I'm configuring on my switchport is MAC Authentication Bypass (MAB), I suppose. Do I have to configure NAP to invoke MAB after the patch is applied, as stated in the above notice? And what's the difference between MAB and MAC authentication?

I plan to upgrade directly to version 4.1.4. What's your opinion?

Please advise.

Thank you.

B.Rgds,

Lim TS

Hi Jason,

Appreciate it if you can shed some light on my previous questions. Need help.

Thank you.

B.Rgds,

Lim TS

Apologies. Can you post them again in a single note?

Hi Jason,

Please find attached the Readme for ACS 4.1.3.12.1 accumulative patch.

Important Notice:

====================

With respect to DDTS CSCsh62641,following will be the behavior after applying this patch,

*With the presence of Service-Type(6) = 10 and presence of NAP will invoke MAB

*With the presence of Service-Type(6) = 10 and non-existence of NAP will invoke MAC authentication

I don't understand what is Service-Type(6) = 10. What I'm configuring on my switchport is MAC Authentication Bypass (MAB), I suppose. Do I have to configure NAP to invoke MAB after the patch is applied, as stated in the above notice? And what's the difference between MAB and MAC authentication?

I plan to upgrade directly to version 4.1.4. What's your opinion?

Please advise.

Thank you.

B.Rgds,

Lim TS

There's really no difference b/t MAC-Authentication and MAB. The terms are synonymous. The nomenclature on the referenced ACS documentation is ambiguous.

You should upgrade to 4.1.4, yes. Actually, if you're upgrading, I'd really recommend 4.2.

Onto the details:

MAB triggers RADIUS when it authenticates. On Cisco switches, the Service-Type Attribute is always sent when a MAB request is transmitted by the switch for RADIUS. Service-Type is RADIUS Attribute[6]. FWIW, WLAN-Controllers do the same thing when they perform MAC-Authentication as well.

Also, if Service-Type = 10 this is "Call-Check". This gives the AAA server the option of looking at only RADIUS-Attribute [31], which is the Calling-Station-ID field. This is also the MAC address of the end station. Technically, the switch could be setting this attribute for any type of RADIUS traffic (but it's always set for MAB). This is typically termed MAC-Filtering. If you relate it back to dial-in days, this would be the ability to accept a phone-call simply b/c the called-from phone# was coming from the correct area code (for example), else you could deny it. It's essentially the same thing here .. just that the called-from phone# is actually a MAC address.

So essentially, it should be able to work either way. Either with the MAC address defined as an actual user account in your database, or in a stored list of MAC-addresses.

However, the confusion in terms here part of the hold-up. Here's what the documentation should really say:

*With the presence of Service-Type(6) = 10 and presence of NAP this will invoke MAC-Filtering; meaning it will only process Attribute[31] (Calling-Station-ID) and compare this value with that in a flat file stored in ACS. (aka MAC-Filtering).

*With the presence of Service-Type(6) = 10 and non-existence of NAP this will invoke MAC-Authentication; meaning the request is processed as a normal authentication level event, also meaning the MAC must be stored as a user account somewhere with the correct password (equal to the MAC address of course). (aka MAC-Authentication).

Let me know if this helps,

Hi Jason,

I appreciate your speedy response and good explanation.

In my case, I don't configure NAP. So it will invoke MAC-Authentication (MAB?), right?

For the sake of knowledge, can you kindly point me to a URL that shows how to store a list of MAC addresses in a flat file in ACS, i.e. MAC Filtering?

With reference to my earlier post, in the ACS I created a group for the IP phone and specify "device-traffic-class=voice" as the cisco-av-pair. Is this valid config for Nortel IP phone?

I'm comfortable to upgrade to version 4.1.4 at this moment. I'll let you know the result.

Thank you.

B.Rgds,

Lim TS

Correct, if you don't configure a NAP, then you'll need a user account in ACS created as the MAC-Address itself. Here's an example with wireless:

<http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008084f13b.shtml>

Except in your case, the format of the MAC would be all lower case with no punctuation, since it's coming from a wired switch.

If you're interested in how to input a list of MACs, look here:

<http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/configuration/guide/acs_config.pdf>

Page 6-21. NOTE: The prior ambiguity remains here. Just think "MAC-Filtering" where it says "MAB" here, and it should be better ;-).

For your previous question, that's also correct. You need to specify that VSA for Multi-Domain-authentication. See here for an example on that:

<http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA>

In this example, the phone is running 1X, but the "user account" setup for the phone is virtually the same .. it's just a username/password.

I can forward you a deployment guide for MAB in general too, so let me know if you'd like that .. avoiding doc reference overload on your for now ;-).

Hope this helps,

Hi Jason,

Thanks a lot for all the information.

I'm waiting for my customer to provide a server machine to install ACS version 4.1.4 for me to continue my testing.

Meanwhile, below is my switch port config:

!

interface FastEthernet0/48

description *** 802.1x Test Port ***

switchport access vlan 70

switchport mode access

switchport voice vlan 71

no snmp trap link-status

dot1x mac-auth-bypass

dot1x pae authenticator

dot1x port-control auto

dot1x host-mode multi-domain

dot1x violation-mode protect

dot1x timeout tx-period 15

dot1x max-reauth-req 1

dot1x guest-vlan 999

spanning-tree portfast

!

I enabled 802.1x authentication (XP native) on my laptop, connect it directly to the switch port, and successfully authenticated with the current ACS 4.1.1.

When I connected the Nortel-LG IP phone to the switch port and my laptop behind the IP phone, below is the result:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Switch#sh dot1x interface fa0/48 de

Dot1x Authenticator Client List

-------------------------------

Domain = UNKNOWN

Supplicant = 0040.5a17.c630

Auth SM State = AUTHENTICATING (FALLBACK)

Auth BEND SM State = IDLE

Port Status = UNAUTHORIZED

Authentication Method = MAB

Domain = UNKNOWN

Supplicant = 001e.3782.3378

Auth SM State = AUTHENTICATING (FALLBACK)

Auth BEND SM State = IDLE

Port Status = UNAUTHORIZED

Authentication Method = MAB

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The phone's MAC address is 0040.5a17.c630. My laptop's MAC address is 001e.3782.3378. Finally, the port went into UNAUTHORIZED state (see below). In the ACS Failed Attempts logs, both MAC addresses failed with Authen-Failure-Code = "Internal error".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Switch#sh dot1x interface fa0/48 de

Dot1x Authenticator Client List Empty

Domain = UNKNOWN

Port Status = UNAUTHORIZED

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I wonder why the switch did not detect my domain as DATA. Secondly, why the switch fellback to MAB while I had 802.1x supplicant enabled? I'm expecting it to authenticate my laptop using 802.1x (and not MAB) regardless of whether the IP phone pass or fail the authentication in the VOICE domain.

Please shed some light.

Thank you.

B.Rgds,

Lim TS

OK, so a few things:

1) If your device (PC or phone) ever did EAPOL, then it should not fallback to MAB. NEed to verify if the supplicant process needs to be re-started, or something.

2) Something's a-miss with the ACS config, or the bug is still present. You should not get "internal error" by simply doing MAC-Authentication.

3) The domain will actually not reflect "DATA" or "VOICE" until after authorization is done. For example, until the "device-traffic-class=voice" VSA comes back to the switch, the switch will default to treating it as a generic device anyway. The reason it's staying "UNKNOWN" for both of you here is #2 above. We just need to get MAC-Authentication working for you for that part.

Hope this helps,

Hi Jason,

I tried to configure NAP in my existing ACS (ver 4.1.1) to work around the bug ID CSCsh62641. My NAP config is as follows:

Name : Test_MAB_NAP

> Active --> Checked

> NAF --> (Any)

> Protocol types --> Allow any Protocol type

> Advanced Filtering --> [006]Service-Type = 10

Policies : Protocols

> Authentication Protocols --> Allow Agentless Request Processing (Checked)

Policies : Authentication

> Credential Validation Databases --> Selected Databases --> ACS Internal Database

User Setup

----------

User : 00405a17c630 (Nortel-LG IP phone's MAC address)

Password : 00405a17c630

Group : IP_Phone_Test_Group

Group Setup

-----------

IP_Phone_Test_Group

Checked [009\001] cisco-av-pair

device-traffic-class=voice

I got a Passed Authentication :-) However, the switch put the phone in the DATA domain (VLAN 70), instead of VOICE (VLAN 71). Please see below:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Switch#sh dot1x int f0/48 de

Dot1x Info for FastEthernet0/48

-----------------------------------

PAE = AUTHENTICATOR

PortControl = AUTO

ControlDirection = Both

HostMode = MULTI_DOMAIN

Violation Mode = PROTECT

ReAuthentication = Disabled

QuietPeriod = 60

ServerTimeout = 30

SuppTimeout = 30

ReAuthPeriod = 3600 (Locally configured)

ReAuthMax = 1

MaxReq = 2

TxPeriod = 15

RateLimitPeriod = 0

Mac-Auth-Bypass = Enabled

Inactivity Timeout = None

Guest-Vlan = 999

Dot1x Authenticator Client List

-------------------------------

Domain = DATA

Supplicant = 0040.5a17.c630

Auth SM State = AUTHENTICATED

Auth BEND SM State = IDLE

Port Status = AUTHORIZED

Authentication Method = MAB

Authorized By = Authentication Server

Vlan Policy = N/A

Switch#sh span int f0/48

Vlan Role Sts Cost Prio.Nbr Type

------------------- ---- --- --------- -------- --------------------------------

VLAN0070 Desg FWD 19 128.52 P2p Edge

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

How does RADIUS tell the switch how to differentiate a device by DATA or VOICE domain? I suspect the cisco-av-pair ("device-traffic-class=voice") is not right. Any idea?

Thank you.

B.Rgds,

Lim TS

This is progress .. very nice ;-).

I would verify the VSA is actually getting transmitted.

The reception of the VSA itself is what allows the domain to be "VOICE". Also make sure you have "aaa authorization network default groups radius" turned on (or whatever your server-group equivalent might be).

Hi Jason,

Thanks :-)

The ACS that I'm testing now is actually a production ACS used to authenticate wireless clients (through WLC). Do you see any issue with my NAP config? I have verified that the WLAN authentication does not match the NAP and thus is not affected.

How do you verify that the VSA is getting transmitted by RADIUS to the switch? Is there a debug command I can enable on the switch?

Oh, I don't have the "aaa authorization network default groups radius" command configured. I will try this command soon and hopefully it solves the issue. Once the Nortel phone is correctly authenticated (via MAB) in the VOICE domain, I'm gonna connect my laptop behind the phone and test if 802.1x authentication succeeds.

I foresee there's one more issue. I don't think the Nortel phone will signal to the switch if its connected PC is unplugged. An unauthorized user may connect to the phone and gain access to the network without authentication. Do you have a recommended solution to this?

Thank you.

B.Rgds,

Lim TS

A debug radius would show you the VSA inside of the RADIUS-Access-Accept packet (or wire sniff .. either way).

If you're getting "passed authentications" on ACS and they match that NAP, then I'd assume it's a-OK.

The "aaa authorization network default group radius" command (or lack thereof) is your smoking gun.

RADIUS attributes received in IOS are NOT automatically implemented if 802.1X is enabled. In essence, anything you need RADIUS to do beyond enabling the port, you certainly need this command for. Alot of times, when you get "802.1X works, but VLAN-Assignment doesn't", this is typically the culprit as well.

As for your Nortel phones, not sure ;-). If you're using 802.1X on clients that plug into phones, we rely on phones to send an EAPOL-Logoff frame to the switch when someone unplugs from the phone. Most Cisco phones do this today. Also, if the PC was authenticated via MAB, a local inactivity timer can be used on the switch. I'm just ignorant on the capabilities of a Nortel phone is all.

Hope this helps,