02-09-2010 11:40 PM - edited 03-10-2019 04:56 PM
I am building a test setup with open authentication and I am trying to get the theory right.
First the scenario for which we are going to use dot1x with open authentication:
We want to deploy dot1x throughout our network, which includes a number of users who log on to a domain.
With open authentication I want to allow AD/DNS/DHCP before dot1x authentication and then use dot1x (PEAP ms-chapv2) to authenticate the user before allowing normal traffic to proceed.
Correct me if I'm wrong, but from what I gathered from several documents it should work like the following:
1) The switchport to which the user connects is set up for "authentication open" and has a PRE-AUTH ACL inbound configured on it which contains all the holes it needs for AD/DNS/DHCP
2) The User then authenticates through his logon
3) The user identity is used to authenticate the switchport as well, and an ACL is downloaded from our MS-IAS which allows normal traffic
Is the above theory correct, or am I missing a crucial bit?
The problem I currently have is that the ACL is never downloaded from our MS-IAS. We are running 4506's with 12.2(50)SG2.
The policy I tested returns the following attributes:
Cisco-AV-Pair: ip:inacl#1=permit ip any any
port config used is:
switchport access vlan xxx
switchport mode access
authentication open
dot1x pae authenticator
authentication port-control auto
ip access-group <acl-name> in
global config contains:
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server vsa send authentication
and of course I have defined my radius servers in my config
Anyone have any ideas or pointers where to look?
02-22-2010 03:37 AM
Found a problem in my setup: downloadable ACLs are only supported by Cisco ACS.
But as of IOS 12.2(52)SG, filter-id and per-user ACLs are available, which basically do the exact same thing but support 3rd-party AAA servers like MS-IAS.
06-15-2010 05:26 AM
Hi,
Do you know if you always need an ACL, even if you don't want to filter anything with the open authentication?
I've configured it on a port, and after the failed authentication, the computer still accesses everything although it's marked as 'auth failed':
C3560-NAC-043#sh authentication sessions
Interface MAC Address Method Domain Status Session ID
Fa0/1 001a.e80c.1e70 mab VOICE Authz Success AC10FA2B0000005010BD2E9C
Fa0/1 001e.ec16.0ea0 N/A DATA Authz Failed AC10FA2B0000005110BD35D2
Global config:
aaa new-model
!
!
aaa group server radius HBM_NAC_Radius
 server 172.16.250.123 auth-port 1812 acct-port 1813
!
aaa group server radius HBM_Login_Radius
 server 172.16.249.239 auth-port 1812 acct-port 1813
 server 172.18.20.215 auth-port 1812 acct-port 1813
!
aaa authentication login default group HBM_Login_Radius local
aaa authentication dot1x default group HBM_NAC_Radius
aaa authorization exec default group HBM_Login_Radius local
aaa authorization network default group HBM_NAC_Radius
aaa accounting dot1x default start-stop group HBM_NAC_Radius
port config:
interface FastEthernet0/1
 switchport access vlan 190
 switchport mode access
 switchport voice vlan 290
 priority-queue out
 authentication event server dead action reinitialize vlan 190
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication port-control auto
 authentication periodic
 authentication open
 authentication timer reauthenticate 10
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 spanning-tree portfast
 service-policy input QoS-Marker
Thanks and regards
Rishi
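The two posts above describe the same mechanism from both ends: the pre-auth ACL that the first post says must carry the AD/DNS/DHCP "holes", and the port in the last post that is marked Authz Failed yet still reaches everything. With "authentication open" the port forwards regardless of authentication state; the inbound port ACL is the only thing that restricts an unauthenticated or failed host, and that port has no "ip access-group ... in" applied. The following is an added example (not configuration from either poster) showing a pre-auth ACL with the holes a domain logon needs, plus the named ACL a Filter-Id reply can reference after a successful PEAP logon. The ACL names, the interface, the VLAN and the domain controller address 10.0.0.10 are assumed placeholders.

```ios
! Pre-authentication ACL (assumed name PRE-AUTH): the only traffic a host
! may send before dot1x succeeds. 10.0.0.10 is an assumed DC / DNS address.
ip access-list extended PRE-AUTH
 remark DHCP: client (bootpc/68) to server (bootps/67)
 permit udp any eq bootpc any eq bootps
 remark DNS to the domain controller
 permit udp any host 10.0.0.10 eq domain
 permit tcp any host 10.0.0.10 eq domain
 remark AD logon: Kerberos, LDAP, SMB, RPC endpoint mapper, NTP
 permit udp any host 10.0.0.10 eq 88
 permit tcp any host 10.0.0.10 eq 88
 permit tcp any host 10.0.0.10 eq 389
 permit udp any host 10.0.0.10 eq 389
 permit tcp any host 10.0.0.10 eq 445
 permit tcp any host 10.0.0.10 eq 135
 permit udp any host 10.0.0.10 eq ntp
 remark the DC's dynamic RPC port range must be added per your domain's settings
 remark everything else is dropped until authentication succeeds
 deny ip any any
!
! Per-user ACL (assumed name AUTHZ-FULL) applied after a successful logon when
! the RADIUS server returns Filter-Id = "AUTHZ-FULL.in" (12.2(52)SG and later,
! per the second post). It must exist locally on the switch.
ip access-list extended AUTHZ-FULL
 permit ip any any
!
! The port: open mode forwards everything, so without "ip access-group PRE-AUTH in"
! a failed or unauthenticated host has full access, which is what Rishi observed.
interface GigabitEthernet1/1
 switchport access vlan 100
 switchport mode access
 ip access-group PRE-AUTH in
 authentication open
 authentication port-control auto
 dot1x pae authenticator
```

After applying it, "show authentication sessions interface GigabitEthernet1/1" should still show the host, but an Authz Failed or pending host is now limited to the PRE-AUTH permits instead of the whole network.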