Ask the Expert: 802.1X Configuring and Troubleshooting with Javier Henderson

ciscomoderator
Community Manager

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to configure and troubleshoot 802.1X. 

Ask questions from Monday, March 30th, 2015 to Friday, April 10th, 2015

Javier Henderson has been a customer support engineer with the Security Team, specializing in AAA technologies, since 2004. In addition to supporting Cisco customers, he has delivered training to other teams on various AAA products. Javier attended Buenos Aires University and holds CCNA and Checkpoint certifications. 

Find other Ask the Expert events at https://supportforums.cisco.com/expert-corner/events.

**Ratings Encourage Participation!**
Please be sure to rate the Answers to Questions

4 Replies

kevin.williams
Level 1

We have Win7 native 802.1x supplicants doing smart card login and network authentication (SSO).

Since we can't use machine certificates with user smart cards, we are using MAB to authenticate machines without users logged in.

The issue is:

When the user logs in with a smart card, Windows displays a warning that the network is not connected, and continues the login process. Once the user is logged into Windows, the network connection is working.

On ISE, MAB is working for the PC when the user is not logged in. When the user is logged in, sometimes PEAP (EAP-TLS) shows authenticated, and sometimes not, in which case it falls back to MAB. The authentication logs show Event "5440 Endpoint abandoned EAP session and started new".

Question: why is dot1x not working each time the user logs in, and what is causing the warning message that the network is not connected?


Kevin,

Are you able to post the switch port configuration, plus the console output after enabling "debug dot1x all"?

Keep in mind that the debug output will contain data you might consider sensitive; troubleshooting this might be best done via a TAC case. We can post a summary here after the problem has been solved.

 

Javier Henderson

Cisco Systems

Diogo Buhler
Level 1

Hi Javier,

I have a client that needs some security features in their infrastructure, especially regarding user access to devices and to the network.

The key things are:

The client wants to restrict some VPN users to being able to connect to all servers, and others to just being allowed to access servers "x" and "y", and others "y" and "z", etc. (this via VPN).

But internally, some users should be able to access the devices "x" and "y" but not "z".

Another thing is that the users who are allowed access via VPN must use specific computers (mac).

One other important thing is accounting: it is important that every change to devices, and each connection to a device, is logged and can be seen by the network administrator.

I was thinking of using ACS 5.6 to do this; is it enough, or do I need something else? For the VPN we will use an ASA with site-to-site VPN and client-site, because we need to maintain VPNs with some branch offices but limit the access of users in those VPNs to only specific servers.

Looking forward to getting an answer, and thanks.

Regards,

Diogo Bühler

Hi Diogo,

Your question is not exactly related to 802.1x, but rather more general AAA topics.

That said:

1) Command accounting is a feature of ACS, and requires the use of TACACS+.

2) The kind of granular control you mention above can be achieved with ACS 5 through the use of authorization policies. One exception is your requirement to limit certain functions to users of Mac computers; that would require posture assessment, which is a feature of the ISE product.

 

Javier Henderson

Cisco Systems