802.1x Mab Authentication with Radius and win7

krlosqb01
Level 1

Good afternoon! 

I have a question about 802.1x. I set up a lab in which I configured mab authentication with 802.1x, but I have a weird behavior from my network controller. On the switch (4948e) I can see that the user is being authenticated and authorized and I can see these outputs from my switch:

Apr 21 15:13:30.263: %AUTHMGR-5-START: Starting 'mab' for client (a01d.48ac.b7f5) on Interface Gi1/11 AuditSessionID C0A8DF9C0000002E002F3DAC
*Apr 21 15:13:30.267: %MAB-5-SUCCESS: Authentication successful for client (a01d.48ac.b7f5) on Interface Gi1/11 AuditSessionID C0A8DF9C0000002E002F3DAC
*Apr 21 15:13:30.267: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (a01d.48ac.b7f5) on Interface Gi1/11 AuditSessionID C0A8DF9C0000002E002F3DAC
*Apr 21 15:13:31.299: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (a01d.48ac.b7f5) on Interface Gi1/11 AuditSessionID C0A8DF9C0000002E002F3DAC

If I type "show authentication session", this is the corresponding output.

Switch#show authentication sessions

Interface  MAC Address     Method  Domain  Status         Session ID
Gi1/11     a01d.48ac.b7f5  mab     DATA    Authz Success  C0A8DF9C0000002E002F3DAC

The thing is that when I check my network controller, it says "authentication error". This is what I have done so far:

1. I have restarted my PC, same behavior.

2. I have disabled and enabled my network controller, same behavior.

3. I have reloaded the switch and re-configured it. Same behavior.

4. I tested the configuration with another PC. Same behavior.

5. I changed the configuration to "user authentication" using dot1x pae authenticator and it worked.

This is the configuration that I have on my switch:

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa session-id common

!

dot1x system-auth-control

!

Switch#show run int gigabitEthernet 1/11
Building configuration...

Current configuration : 128 bytes
!
interface GigabitEthernet1/11

description Cx-to-Host
switchport access vlan 223
switchport mode access
authentication port-control auto
mab
end

This is the first time that I am setting up an 802.1x configuration. Am I doing something wrong?

I really hope that I am not the only one with this kind of behavior!

Thank you very much for any help that you can provide me!


6 Replies

Peter Koltl
Level 7

dot1x pae authenticator is necessary.

What kind of 'network controller' are you using?

So is it working or not? Paste the error log here.

Thanks for your response Peter, 

My network controller is a "Realtek PCIe GBE Family Controller".

No Mr. Peter, it is not working because it is not being authenticated with the MAC address of the network controller.

I configured "dot1x pae authenticator" and this is the corresponding output:

*Mar 1 00:09:14.344: %AUTHMGR-5-START: Starting 'dot1x' for client (e411.5b2d.852a) on Interface Fa0/11
*Mar 1 00:09:15.929: %DOT1X-5-FAIL: Authentication failed for client (e411.5b2d.852a) on Interface Fa0/11
*Mar 1 00:09:15.929: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (e411.5b2d.852a) on Interface Fa0/11
*Mar 1 00:09:15.929: %AUTHMGR-5-FAIL: Authorization failed for client (e411.5b2d.852a) on Interface Fa0/11
*Mar 1 00:09:16.122: %LINK-3-UPDOWN: Interface FastEthernet0/11, changed state to up
*Mar 1 00:11:48.745: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/11
*Mar 1 00:11:48.745: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/11
*Mar 1 00:11:48.745: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/11.

The problem is that the switch is not sending the MAC address as the user. Instead, it is sending the domain name of the PC, here is the output:

**edit

*Mar 1 00:12:38.036: RADIUS: User-Name [1] 14 "host/Sena-HP"
*Mar 1 00:12:38.036: RADIUS: Service-Type [6] 6 Framed [2]
*Mar 1 00:12:38.036: RADIUS: Framed-MTU [12] 6 1500
*Mar 1 00:12:38.036: RADIUS: Called-Station-Id [30] 19 "3C-CE-73-A7-1F-8B"
*Mar 1 00:12:38.036: RADIUS: Calling-Station-Id [31] 19 "E4-11-5B-2D-85-2A"
*Mar 1 00:12:38.036: RADIUS: EAP-Message [79] 45

How do I tell the switch to send the MAC address instead of the domain of the PC? 

Peter Koltl
Level 7

You may use the official term 'network controller' for your NIC/network card/network adapter but nobody may understand it. (-:

show authentication session int Gi1/11 command will show the port 802.1x state. After dot1x failure it should fail over to mab. See this guide around Fig 41

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Phased_Deploy/Phased_Dep_Guide.html

You may tune it with 

authentication order

and 

authentication priority

commands.

Thank you for your answer Mr. Peter, and for your advice!

I changed the configuration on the switch and this is the output that I am getting: 

(I also changed the Switch from 4948e to 2960 because I was getting the same result which I am going to show you now)

This is the output on the 2960 

*Mar 1 00:12:55.107: %AUTHMGR-5-START: Starting 'mab' for client (e411.5b2d.852a) on Interface Fa0/11
*Mar 1 00:12:55.115: %MAB-5-SUCCESS: Authentication successful for client (e411.5b2d.852a) on Interface Fa0/11
*Mar 1 00:12:55.115: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (e411.5b2d.852a) on Interface Fa0/11
*Mar 1 00:12:56.155: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (e411.5b2d.852a) on Interface Fa0/11
*Mar 1 00:12:56.592: %LINK-3-UPDOWN: Interface FastEthernet0/11, changed state to up
*Mar 1 00:12:57.598: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/11, changed state to up

As you can see, I am being authenticated and authorized, but when I check "show authentication session interface Fas0/11" this is what I'm seeing.

Sw02_Lab_2960#show authentication sessions interface fastEthernet 0/11
Interface: FastEthernet0/11
MAC Address: e411.5b2d.852a
IP Address: Unknown
User-Name: e4115b2d852a
Status: Authz Success
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A8DF9C00000007000BD1BB
Acct Session ID: 0x00000009
Handle: 0x61000007

Runnable methods list:
Method State
mab Authc Success
dot1x Not run

I am not getting any IP address, no matter how many times I clear the session. Sometimes it gives me an IP with the same configuration, and sometimes it doesn't.

This is the current configuration of the port:

Sw02_Lab_2960#show run int fastEthernet 0/11
Building configuration...

Current configuration : 217 bytes
!
interface FastEthernet0/11
switchport access vlan 223
switchport mode access
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
mab
dot1x pae authenticator
end

I also tried the same configuration without "dot1x pae authenticator" and this is the corresponding output:

*Mar 1 00:20:29.325: %AUTHMGR-5-START: Starting 'mab' for client (e411.5b2d.852a) on Interface Fa0/11
*Mar 1 00:20:29.342: %MAB-5-SUCCESS: Authentication successful for client (e411.5b2d.852a) on Interface Fa0/11
*Mar 1 00:20:29.342: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (e411.5b2d.852a) on Interface Fa0/11
*Mar 1 00:20:30.373: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (e411.5b2d.852a) on Interface Fa0/11
*Mar 1 00:20:30.852: %LINK-3-UPDOWN: Interface FastEthernet0/11, changed state to up
*Mar 1 00:20:31.858: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/11, changed state to up

Sw02_Lab_2960#show authentication sessions interface fastEthernet 0/11
Interface: FastEthernet0/11
MAC Address: e411.5b2d.852a
IP Address: Unknown
User-Name: e4115b2d852a
Status: Authz Success
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A8DF9C000000080012C02F
Acct Session ID: 0x0000000A
Handle: 0x91000008

Runnable methods list:
Method State
mab Authc Success

Same results. 

Is it normal that the switch does not provide any IP address when it is being authenticated with MAB? Also, if I am being authenticated with MAB, should I use "mab eap" in order to have full connectivity?

Another problem is that my NIC is not being authenticated (honestly I don't know why) even if I am being authenticated and authorized by the RADIUS server. See the attachment.
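Added example, not part of the thread: a small Python checker that parses the "show authentication sessions interface" output quoted in the posts above and flags the states discussed here (port not authorized, dot1x never run so the port rests on the MAC alone, IP Address Unknown, User-Name being a dot1x machine account rather than a MAB MAC). The sample outputs are constructed from the values in the thread.

```python
# Constructed samples modelled on the "show authentication sessions interface"
# output in the thread: a MAB-authorized port and an unresponsive one.
AUTHORIZED = """\
MAC Address: e411.5b2d.852a
IP Address: Unknown
User-Name: e4115b2d852a
Status: Authz Success
Runnable methods list:
mab Authc Success
dot1x Not run
"""
UNAUTHORIZED = """\
MAC Address: 5cb9.01b8.bb78
IP Address: Unknown
User-Name: UNRESPONSIVE
Status: Authz Failed
Runnable methods list:
mab Failed over
"""

def parse_session(text):
    # Split the show output into key/value fields and a {method: state} map.
    fields, methods, in_methods = {}, {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("Method State"):
            continue
        if line.startswith("Runnable methods list"):
            in_methods = True
        elif in_methods:
            method, state = line.split(None, 1)
            methods[method] = state
        elif ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields, methods

def check_session(fields, methods):
    # Findings a port-auth reviewer would want to see for this session.
    findings = []
    user = fields.get("User-Name", "").lower()
    if fields.get("Status") != "Authz Success":
        findings.append("port not authorized: " + fields.get("Status", "?"))
    if user.startswith("host/"):
        findings.append("User-Name is a machine account: identity came from dot1x, not MAB")
    if methods.get("dot1x", "Not run") == "Not run" and "Success" in fields.get("Status", ""):
        findings.append("authorized on MAC identity alone; dot1x never ran")
    if fields.get("IP Address", "Unknown") == "Unknown":
        findings.append("IP Address Unknown: no ip device tracking (harmless for plain MAB)")
    return findings
```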

Peter Koltl
Level 7

Status: Authz Success

It means the port is open. Is this permanent? Keep looking at the show output for some minutes to see if it tries dot1x too. Can you ping from the PC?

As long as 802.1X authentication is enabled in the PC NIC properties you should expect dot1x method to run on the switch and possibly reply to the PC with auth fail. Authentication checkbox in the PC is not necessary for MAB. 

What kind of RADIUS server do you use and does it have 802.1X policy in addition to MAB policy?

IP Address:Unknown

it means the switch did not recognize the host's IP address, probably due to lack of 

ip device tracking

command. But it is not necessary for plain MAB or dot1x.

Thanks a lot Mr. Peter!!!!!!!! 

I just tested the configuration that you said and it worked (by unchecking the checkbox in the PC).

When the checkbox in the PC was enabled, I was getting authenticated (on the switch) but I was getting "authentication error" on the NIC and I was not able to ping. I also tried with ip device tracking as well and it didn't work.

The final configuration on the Switch is this one: 

Sw02_Lab_2960#show run int fastEthernet 0/11
Building configuration...

Current configuration : 149 bytes
!
interface FastEthernet0/11
switchport access vlan 223
switchport mode access
authentication port-control auto
mab
spanning-tree portfast
end

This is the output when unauthorized (Do not have connectivity)

Sw02_Lab_2960#show authentication sessions interface fastEthernet 0/11
Interface: FastEthernet0/11
MAC Address: 5cb9.01b8.bb78
IP Address: Unknown
User-Name: UNRESPONSIVE
Status: Authz Failed
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A8DF9C000000070014F190
Acct Session ID: 0x0000000A
Handle: 0xC9000007

Runnable methods list:
Method State
mab Failed over

This is the output when authorized (I have connectivity )

Sw02_Lab_2960#show authentication sessions interface fastEthernet 0/11
Interface: FastEthernet0/11
MAC Address: a01d.48ac.b7f5
IP Address: Unknown
User-Name: a01d48acb7f5
Status: Authz Success
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A8DF9C000000080017D20F
Acct Session ID: 0x0000000B
Handle: 0x04000008

Runnable methods list:
Method State
mab Authc Success

I have a question. I read that if the switch handles 802.1x but the PC does not, the port will be unauthorized. Why is it necessary to uncheck the checkbox in the PC? I thought that it was needed in order to enable the 802.1x protocol. How do they talk to each other? Are they using the TLS packets from the PC?