04-08-2021 03:51 PM
hello,
We do have an issue when setting up machines with NAC enabled. The issue is that MAB is not used, or sometimes too late. We figured out a main issue here and I'm wondering if it could be solved or at least the situation improved.
The normal situation would be: the port comes up, the switch sends out an EAP Request Identity. If the client does not support 802.1x it does not answer... and after some retries (depending on the config) MAB is used, and then everything is fine.
Unfortunately, in our scenario the setup procedure of the client includes enabling 802.1x although no certificate is present on the PC. So this happens: the switch sends a Request Identity; the client answers with an EAPOL-Start. The switch sends another Request Identity... but the client is not answering anymore. I assume this is because the PC does not have a certificate installed. This leads to an EAP Failure and MAB is NOT used. Obviously, after 10 minutes the client starts the communication again with an EAPOL-Start. It fails again in the same way, but now MAB is used and therefore DHCP works afterwards.
This is the config:
authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 36000
authentication timer restart 3600
authentication violation restrict
The question now is whether the situation could be improved. Below you can find a trace. After 13:58 it immediately works.
I came across this command:
authentication event fail retry 1 action next-method (default value is 2)
Could this command help? Can anybody explain exactly what it is doing in this setup, because I could only find a reference to the auth-fail VLAN... but we don't use the auth-fail VLAN.
It does not fit 100% because the default value is 2 and in the trace we just see one retry. Therefore I am wondering if anybody has a view on that.
br + thx
17 13:48:36 05.03.2021 12.4450362 [380E4D 1A8E06 [38-0E-4D-1A-8E-06]] [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]] EAP EAP:Request, Type = Identity {EAP:7, NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}
20 13:48:36 05.03.2021 12.4763534 [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]] [0180C2 000003 [01-80-C2-00-00-03]] EAPOL EAPOL:EAPOL-Start , Length = 0 {NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}
21 13:48:36 05.03.2021 12.4763597 [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]] [0180C2 000003 [01-80-C2-00-00-03]] EAPOL EAPOL:EAPOL-Start , Length = 0 {NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}
22 13:48:36 05.03.2021 12.4793444 [380E4D 1A8E06 [38-0E-4D-1A-8E-06]] [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]] EAP EAP:Request, Type = Identity {EAP:7, NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}
31 13:48:37 05.03.2021 13.4982831 [380E4D 1A8E06 [38-0E-4D-1A-8E-06]] [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]] EAP EAP:Request, Type = Identity {EAP:7, NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}
43 13:48:38 05.03.2021 14.5236074 [380E4D 1A8E06 [38-0E-4D-1A-8E-06]] [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]] EAP EAP:Failure {EAP:7, NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}
1292 13:58:36 05.03.2021 612.5270118 [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]] [0180C2 000003 [01-80-C2-00-00-03]] EAPOL EAPOL:EAPOL-Start , Length = 0 {NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}
1293 13:58:36 05.03.2021 612.5270187 [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]] [0180C2 000003 [01-80-C2-00-00-03]] EAPOL EAPOL:EAPOL-Start , Length = 0 {NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}
1294 13:58:36 05.03.2021 612.5283563 [380E4D 1A8E06 [38-0E-4D-1A-8E-06]] [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]] EAP EAP:Request, Type = Identity {EAP:7, NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}
1307 13:58:37 05.03.2021 613.5504326 [380E4D 1A8E06 [38-0E-4D-1A-8E-06]] [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]] EAP EAP:Request, Type = Identity {EAP:7, NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}
1313 13:58:38 05.03.2021 614.5751854 [380E4D 1A8E06 [38-0E-4D-1A-8E-06]] [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]] EAP EAP:Failure {EAP:7, NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}
2006 14:00:10 05.03.2021 706.5602343 [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]] [0180C2 000003 [01-80-C2-00-00-03]] EAPOL EAPOL:EAPOL-Start , Length = 0 {NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}
2007 14:00:10 05.03.2021 706.5602436 [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]] [0180C2 000003 [01-80-C2-00-00-03]] EAPOL EAPOL:EAPOL-Start , Length = 0 {NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}
2009 14:00:19 05.03.2021 715.8079018 [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]] [0180C2 000003 [01-80-C2-00-00-03]] EAPOL EAPOL:EAPOL-Start , Length = 0 {NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}
2010 14:00:19 05.03.2021 715.8079081 [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]] [0180C2 000003 [01-80-C2-00-00-03]] EAPOL EAPOL:EAPOL-Start , Length = 0 {NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}
2024 14:00:20 05.03.2021 716.6948776 [380E4D 1A8E06 [38-0E-4D-1A-8E-06]] [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]] EAP EAP:Request, Type = Identity {EAP:7, NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}
2040 14:00:21 05.03.2021 717.7183757 [380E4D 1A8E06 [38-0E-4D-1A-8E-06]] [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]] EAP EAP:Request, Type = Identity {EAP:7, NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}
2063 14:00:22 05.03.2021 718.7421940 [380E4D 1A8E06 [38-0E-4D-1A-8E-06]] [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]] EAP EAP:Failure {EAP:7, NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}
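As an added example (not from the post, and not Cisco code), a small parser for capture lines in the layout above that splits the trace into 802.1X attempts and reports, per attempt, how many Request Identity frames the switch sent, whether the supplicant went silent after its own EAPOL-Start, and how long it took until the next attempt. The sample lines are constructed to match the capture's format; the supplicant MAC is the one from the trace, and the field names are assumptions of this example.

```python
import re

# Constructed sample in the layout of the Netmon-style capture above (frame, time, date, elapsed s, [src], [dst], proto, description).
SAMPLE_TRACE = """\
17 13:48:36 05.03.2021 12.4450362 [380E4D 1A8E06 [38-0E-4D-1A-8E-06]] [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]] EAP EAP:Request, Type = Identity {EAP:7}
20 13:48:36 05.03.2021 12.4763534 [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]] [0180C2 000003 [01-80-C2-00-00-03]] EAPOL EAPOL:EAPOL-Start , Length = 0
22 13:48:36 05.03.2021 12.4793444 [380E4D 1A8E06 [38-0E-4D-1A-8E-06]] [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]] EAP EAP:Request, Type = Identity {EAP:7}
31 13:48:37 05.03.2021 13.4982831 [380E4D 1A8E06 [38-0E-4D-1A-8E-06]] [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]] EAP EAP:Request, Type = Identity {EAP:7}
43 13:48:38 05.03.2021 14.5236074 [380E4D 1A8E06 [38-0E-4D-1A-8E-06]] [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]] EAP EAP:Failure {EAP:7}
1292 13:58:36 05.03.2021 612.5270118 [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]] [0180C2 000003 [01-80-C2-00-00-03]] EAPOL EAPOL:EAPOL-Start , Length = 0
1294 13:58:36 05.03.2021 612.5283563 [380E4D 1A8E06 [38-0E-4D-1A-8E-06]] [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]] EAP EAP:Request, Type = Identity {EAP:7}
1313 13:58:38 05.03.2021 614.5751854 [380E4D 1A8E06 [38-0E-4D-1A-8E-06]] [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]] EAP EAP:Failure {EAP:7}
"""

LINE_RE = re.compile(r"^\d+\s+\S+\s+\S+\s+(?P<elapsed>[\d.]+)\s+"
                     r"\[\S+ \S+ \[(?P<src>[0-9A-F-]+)\]\]\s+\[\S+ \S+ \[[0-9A-F-]+\]\]\s+"
                     r"\S+\s+(?P<desc>.*)$")

def analyse(trace, supplicant_mac):
    """Split the capture into 802.1X attempts; an EAP Failure closes one."""
    attempts, cur = [], None
    for line in trace.splitlines():
        if not (m := LINE_RE.match(line)):
            continue
        t, desc, from_supp = float(m["elapsed"]), m["desc"], m["src"] == supplicant_mac
        if cur is None or cur["failure_t"] is not None:  # first frame after a Failure opens a new attempt
            cur = {"first_t": t, "eapol_start": False, "id_requests": 0, "responses": 0, "failure_t": None}
            attempts.append(cur)
        if from_supp and "EAPOL-Start" in desc:
            cur["eapol_start"] = True      # supplicant announced itself
        elif "EAP:Request" in desc and "Identity" in desc:
            cur["id_requests"] += 1        # switch asked for an identity
        elif from_supp and "EAP:Response" in desc:
            cur["responses"] += 1          # supplicant actually answered
        elif "EAP:Failure" in desc:
            cur["failure_t"] = t
    return attempts

def findings(attempts):
    """Per attempt: did the supplicant go silent after EAPOL-Start, and how long until it retried?"""
    out = []
    for i, a in enumerate(attempts):
        if a["failure_t"] is None:
            continue
        nxt = attempts[i + 1]["first_t"] if i + 1 < len(attempts) else None
        out.append({"attempt": i + 1, "id_requests": a["id_requests"],
                    "silent_after_start": a["eapol_start"] and a["responses"] == 0,
                    "secs_to_failure": round(a["failure_t"] - a["first_t"], 1),
                    "secs_until_retry": None if nxt is None else round(nxt - a["failure_t"])})
    return out
```

Run on the sample with the supplicant MAC "E8-6A-64-8F-EA-F3", it shows both attempts ending in EAP Failure about two seconds after the first frame, the supplicant silent after its EAPOL-Start, and a gap of roughly 598 seconds before the retry, which matches the ten-minute gap described above.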
04-08-2021 08:18 PM
Hi
For my information, what switches are you using?
I'm asking because the 802.1x and MAB fallback situation is much improved with the IBNS 2.0 configuration.
Here is a link to all compatible switches: https://www.cisco.com/c/en/us/products/ios-nx-os-software/identity-based-networking-services/index.html
The goal is that concurrent authentication methods are sent at the same time for the same session, and based on the priority you configure, it will take the one you put the highest priority on.