06-15-2010 05:30 AM - edited 03-10-2019 05:11 PM
Hi,
Does anybody know if I still need an ACL, even if I don't want to filter anything with the open authentication?
I've configured it on a port, and after the failed authentication the computer still accesses everything although it's marked as 'auth failed':
IOS : 12.2(53)SE2
C3560-NAC-043#sh authentication sessions
Interface MAC Address Method Domain Status Session ID
Fa0/1 001a.e80c.1e70 mab VOICE Authz Success AC10FA2B0000005010BD2E9C
Fa0/1 001e.ec16.0ea0 N/A DATA Authz Failed AC10FA2B0000005110BD35D2
Global config:
aaa new-model
!
!
aaa group server radius HBM_NAC_Radius
server 172.16.250.123 auth-port 1812 acct-port 1813
!
aaa group server radius HBM_Login_Radius
server 172.16.249.239 auth-port 1812 acct-port 1813
server 172.18.20.215 auth-port 1812 acct-port 1813
!
aaa authentication login default group HBM_Login_Radius local
aaa authentication dot1x default group HBM_NAC_Radius
aaa authorization exec default group HBM_Login_Radius local
aaa authorization network default group HBM_NAC_Radius
aaa accounting dot1x default start-stop group HBM_NAC_Radius
Port config:
interface FastEthernet0/1
switchport access vlan 190
switchport mode access
switchport voice vlan 290
priority-queue out
authentication event server dead action reinitialize vlan 190
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication open
authentication timer reauthenticate 10
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
spanning-tree portfast
service-policy input QoS-Marker
Thanks and regards
Rishi
06-15-2010 06:01 AM
Hi
If you want a user who failed the dot1x authentication to access only the limited services you define, then you can configure
dot1x auth-fail vlan GUEST under the FastEthernet interface, and to limit the services you can configure a VLAN ACL for the guest VLAN, or else leave it open and don't
assign any IP address for the guest VLAN.
http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml
Regards
Chetan Kumar
02-21-2011 12:41 AM
We have the same problem: multi-auth + open authentication is permitting unauthenticated users to access the network. Does anybody have the solution?
Do I need any downloadable ACLs when using open authentication?
Guest VLAN doesn't work with multi-auth.
02-21-2011 03:44 AM
Hello Rishi,
Open auth allows traffic to flow through the port even if the user is not authenticated.
To limit this, you have 2 possible scenarios:
1)
-add a 'pre auth' ACL on the switchport (just create an ACL and apply it on the port using ip access-group xxx in)
-use dynamic ACLs on your ACS (or other RADIUS) so that these ACLs override the pre-auth one upon successful authentication
2)
-configure a default vlan (switchport access vlan) that is filtered on the gateway
-use dynamic vlan so that users will get an unrestricted VLAN upon successful authentication
Hope this helps.
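A worked version of scenario 1 above, added here as an illustration; it is not taken from Bastien's post, from Rishi's switch or from Cisco documentation. Fa0/1, VLAN 190 and the RADIUS server 172.16.250.123 come from the configuration posted earlier in the thread; the ACL name PRE-AUTH, the DNS and remediation server addresses and the cisco-av-pair value are assumptions for the example.

```cisco
! Added example (not from the thread): pre-auth ACL for an 'authentication open'
! port, plus the switch-side settings a RADIUS-pushed dynamic ACL needs.
! Assumed values: ACL name PRE-AUTH, DNS server 172.16.249.11, remediation
! web server 172.16.249.20. Fa0/1 and RADIUS 172.16.250.123 are from the post.
!
! 1) Before authentication: allow only what an unauthenticated host needs.
ip access-list extended PRE-AUTH
 remark -- DHCP so the host gets an address (also needed for dACL substitution)
 permit udp any eq bootpc any eq bootps
 remark -- DNS and a remediation/landing web server
 permit udp any host 172.16.249.11 eq domain
 permit tcp any host 172.16.249.20 eq www
 remark -- everything else is dropped until RADIUS replaces this ACL
 deny   ip any any
!
! 2) Switch-side prerequisites for a dynamic (downloadable) ACL: the switch
!    must learn the client IP so 'any' in the per-user ACL is rewritten to
!    that host, and it must send/accept Cisco VSAs from the RADIUS server.
ip device tracking
radius-server vsa send authentication
!
! 3) Apply the pre-auth ACL inbound on the open port from the original post.
interface FastEthernet0/1
 ip access-group PRE-AUTH in
!
! 4) On the RADIUS server (ACS or similar), return a per-user ACL in the
!    Access-Accept as a cisco-av-pair. The switch installs it for that MAC
!    only, so with multi-auth the hosts that failed stay under PRE-AUTH:
!      cisco-av-pair = "ip:inacl#1=permit ip any any"
!
! 5) Checks once a host is connected:
!    show authentication sessions interface FastEthernet0/1
!      -> an 'Authz Success' entry should list the downloaded ACL;
!         an 'Authz Failed' entry has none and is still filtered by PRE-AUTH.
!    show ip access-lists interface FastEthernet0/1 in
!      -> shows the ACL actually in effect, including per-host entries.
```

The point of the deny at the end of PRE-AUTH is that, on an open port, the ACL is the only thing standing between an 'Authz Failed' host and the rest of VLAN 190; a pre-auth ACL that ends in permit ip any any reproduces the behaviour Rishi describes. Keep DHCP permitted, since without an IP address the switch cannot substitute the host into the dynamic ACL after a successful authentication.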
03-07-2011 05:31 AM
Hello Bastien,
Thanks, however I had opened a case for that and Cisco told me that the main purpose of open auth is to smoothly migrate to dot1x and monitor the results first. Your solutions then help limit the access in a second phase of the migration, I would say. The last phase would be to remove open auth.
Regards
Rishi
03-20-2012 12:56 PM
Does open authentication work with Dynamically Assigned VLANs?
If it does, this could solve the PXE vs 802.1x battle.
I've tried open authentication with a filtered default VLAN with no luck.