Solved: 802.1x authentication host-mode on switch

rajulpar · ‎08-01-2019

Hi Everyone,

I have a question since I am deploying 802.1x port based security feature on CAT 29600 and following is the existing config with port-security enabled on the interface. Can I configure multi-auth for host mode on the interface ? As I have doubt it may not work as expected due to MAC aging and port-security violence.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_010000.html#ID872

"In general, Cisco does not recommend enabling port security when IEEE 802.1x is enabled. Since IEEE 802.1x enforces a single MAC address per port (or per VLAN when MDA is configured for IP telephony), port security is redundant and in some cases may interfere with expected IEEE 802.1x operations."

!
interface GigabitEthernet1/0/2
switchport mode access
switchport voice vlan XXX
switchport port-security maximum 6
switchport port-security maximum 4 vlan access
switchport port-security maximum 2 vlan voice
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust dscp
auto qos trust dscp
spanning-tree portfast

What is the best way to configure authentication host-mode for the port which has security enabled ?

Damien Miller · ‎08-01-2019

It's generally not recommended to run port security and dot1x at the same time, you get some odd behavior when you do this.

From an old guide

You can enable port security on an 802.1X port in either single- or multiple-host mode. (To do so, you must configure port security with the switchport port-security interface configuration command.) When you enable port security and 802.1X on a port, 802.1X authenticates the port, and port security manages the number of MAC addresses allowed on that port, including that of the client. Hence, you can use an 802.1X port with port security enabled to limit the number or group of clients that can access the network.

For information on selecting multi-host mode, see the "Resetting the 802.1X Configuration to the Default Values" section.

These examples describe the interaction between 802.1X and port security on a switch:

•When a client is authenticated, and the port security table is not full, the client's MAC address is added to the port security list of secure hosts. The port then proceeds to come up normally.

When a client is authenticated and manually configured for port security, it is guaranteed an entry in the secure host table (unless port security static aging has been enabled).

A security violation occurs if an additional host is learned on the port. The action taken depends on which feature (802.1X or port security) detects the security violation:

–If 802.1X detects the violation, the action is to err-disable the port.

–If port security detects the violation, the action is to shutdown or restrict the port (the action is configurable).

The following describes when port security and 802.1X security violations occur:

–In single host mode, after the port is authorized, any MAC address received other than the client's causes a 802.1X security violation.

–In single host mode, if installation of an 802.1X client's MAC address fails because port security has already reached its limit (due to a configured secure MAC addresses), a port security violation is triggered.

–In multi host mode, once the port is authorized, any additional MAC addresses that cannot be installed because the port security has reached its limit triggers a port security violation.

•When an 802.1X client logs off, the port transitions back to an unauthenticated state, and all dynamic entries in the secure host table are cleared, including the entry for the client. Normal authentication then ensues.

•If you administratively shut down the port, the port becomes unauthenticated, and all dynamic entries are removed from the secure host table.

•Only 802.1X can remove the client's MAC address from the port security table. Note that in multi host mode, with the exception of the client's MAC address, all MAC addresses that are learned by port security can be deleted using port security CLIs.

•Whenever port security ages out a 802.1X client's MAC address, 802.1X attempts to reauthenticate the client. Only if the reauthentication succeeds is the client's MAC address be retained in the port security table.

•All of the 802.1X client's MAC addresses are tagged with (dot1x) when you display the port security table by using CLI.

View solution in original post

Damien Miller · ‎08-01-2019

It's generally not recommended to run port security and dot1x at the same time, you get some odd behavior when you do this.

From an old guide

You can enable port security on an 802.1X port in either single- or multiple-host mode. (To do so, you must configure port security with the switchport port-security interface configuration command.) When you enable port security and 802.1X on a port, 802.1X authenticates the port, and port security manages the number of MAC addresses allowed on that port, including that of the client. Hence, you can use an 802.1X port with port security enabled to limit the number or group of clients that can access the network.

For information on selecting multi-host mode, see the "Resetting the 802.1X Configuration to the Default Values" section.

These examples describe the interaction between 802.1X and port security on a switch:

•When a client is authenticated, and the port security table is not full, the client's MAC address is added to the port security list of secure hosts. The port then proceeds to come up normally.

When a client is authenticated and manually configured for port security, it is guaranteed an entry in the secure host table (unless port security static aging has been enabled).

A security violation occurs if an additional host is learned on the port. The action taken depends on which feature (802.1X or port security) detects the security violation:

–If 802.1X detects the violation, the action is to err-disable the port.

–If port security detects the violation, the action is to shutdown or restrict the port (the action is configurable).

The following describes when port security and 802.1X security violations occur:

–In single host mode, after the port is authorized, any MAC address received other than the client's causes a 802.1X security violation.

–In single host mode, if installation of an 802.1X client's MAC address fails because port security has already reached its limit (due to a configured secure MAC addresses), a port security violation is triggered.

–In multi host mode, once the port is authorized, any additional MAC addresses that cannot be installed because the port security has reached its limit triggers a port security violation.

•When an 802.1X client logs off, the port transitions back to an unauthenticated state, and all dynamic entries in the secure host table are cleared, including the entry for the client. Normal authentication then ensues.

•If you administratively shut down the port, the port becomes unauthenticated, and all dynamic entries are removed from the secure host table.

•Only 802.1X can remove the client's MAC address from the port security table. Note that in multi host mode, with the exception of the client's MAC address, all MAC addresses that are learned by port security can be deleted using port security CLIs.

•Whenever port security ages out a 802.1X client's MAC address, 802.1X attempts to reauthenticate the client. Only if the reauthentication succeeds is the client's MAC address be retained in the port security table.

•All of the 802.1X client's MAC addresses are tagged with (dot1x) when you display the port security table by using CLI.

paul · ‎08-02-2019

As Damien said, don't do this. Having tried this at a customer (against my will) and seeing the odd issues, I wouldn't recommend doing this. We ended up ripping all the port security off.

Nidhi · ‎08-02-2019

As Damien and Paul says, this is not recommended. from our Prescriptive deployment guide- ise-secure-wired-access-prescriptive-deployment-guide

Note: Even though the port-security interface command enforces MAC address limit, it is not compatible with the authentication/dot1x configurations on the switch port. In general, we recommend that you do not enable port security when IEEE 802.1x is enabled.

rajulpar · ‎08-05-2019

Thanks a lot everyone.!