dot1x with authentication open

drienties
Level 1

I am building a test setup with open authentication and I am trying to get the theory right.

First the scenario for which we are going to use dot1x with open authentication:

We want to deploy dot1x throughout our network, which includes a number of users which logon to a domain.

With open authentication I want to allow AD/DNS/DHCP before dot1x authentication and then use dot1x (PEAP ms-chapv2) to authenticate the user before allowing normal traffic to proceed.

Correct me if I'm wrong, but from what I gathered from several documents it should work like the following:

1) The switchport to which the user connects is set up for "authentication open" and has a PRE-AUTH ACL inbound configured on it which contains all the holes it needs for AD/DNS/DHCP.

2) The user then authenticates through his logon.

3) The user identity is used to authenticate the switchport as well, and an ACL is downloaded from our MS-IAS which allows for normal traffic.

Is the above theory correct, or am I missing a crucial bit?

The problem I currently have is that the ACL is never downloaded from our MS-IAS. We are running 4506's with 12.2(50)SG2.

The policy I tested returns the following attributes:

Cisco-AV-Pair: ip:inacl#1=permit ip any any

Port config used is:

switchport access vlan xxx
switchport mode access
authentication open
dot1x pae authenticator
authentication port-control auto
ip access-group <acl-name> in

Global config contains:

aaa new-model

aaa authentication dot1x default group radius

aaa authorization network default group radius

radius-server vsa send authentication

And of course I have defined my RADIUS servers in my config.

Anyone have any ideas or pointers where to look?

2 Replies

drienties
Level 1

Found a problem in my setup: downloadable ACLs are only supported by Cisco ACS.

But as of IOS 12.2(52)SG, filter-id and per-user ACLs are available, which basically do the exact same thing but support third-party AAA servers like MS-IAS.

Hi,

Do you know if you always need an ACL, even if you don't want to filter anything with the open authentication?

I've configured it on a port, and after the failed authentication the computer can still access everything, although it's marked as 'Authz Failed':

C3560-NAC-043#sh authentication sessions
Interface  MAC Address     Method   Domain   Status         Session ID
Fa0/1      001a.e80c.1e70  mab      VOICE    Authz Success  AC10FA2B0000005010BD2E9C
Fa0/1      001e.ec16.0ea0  N/A      DATA     Authz Failed   AC10FA2B0000005110BD35D2

Global config:

aaa new-model
!
!
aaa group server radius HBM_NAC_Radius
server 172.16.250.123 auth-port 1812 acct-port 1813
!
aaa group server radius HBM_Login_Radius
server 172.16.249.239 auth-port 1812 acct-port 1813
server 172.18.20.215 auth-port 1812 acct-port 1813
!
aaa authentication login default group HBM_Login_Radius local
aaa authentication dot1x default group HBM_NAC_Radius
aaa authorization exec default group HBM_Login_Radius local
aaa authorization network default group HBM_NAC_Radius
aaa accounting dot1x default start-stop group HBM_NAC_Radius

Port config:

interface FastEthernet0/1
switchport access vlan 190
switchport mode access
switchport voice vlan 290
priority-queue out
authentication event server dead action reinitialize vlan 190
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication open
authentication timer reauthenticate 10
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
spanning-tree portfast
service-policy input QoS-Marker

Thanks and regards

Rishi
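The two questions in this thread (the original post's step 1, where an open-mode port must carry an inbound pre-auth ACL, and Rishi's question about whether open mode without any ACL restricts a failed host at all) come down to the same audit: which ports have `authentication open` without an inbound `ip access-group`, and which `Authz Failed` sessions sit on such ports. The script below is an added example, not code from the thread or from Cisco; it parses a running-config excerpt and `show authentication sessions` output in the layout posted above. The config, MAC addresses and session IDs are constructed sample data modelled on the posts, and the interface names `Fa0/2` and `Fa0/3` and the ACL name `PRE-AUTH` are assumptions for the example.

```python
import re
from typing import Dict, List

# Constructed running-config excerpt (modelled on the port configs posted in this thread).
# Fa0/1: open mode, no pre-auth ACL.  Fa0/2: open mode with a pre-auth ACL.  Fa0/3: closed mode.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 190
 switchport mode access
 authentication host-mode multi-auth
 authentication port-control auto
 authentication open
 mab
 dot1x pae authenticator
!
interface FastEthernet0/2
 switchport access vlan 190
 switchport mode access
 authentication port-control auto
 authentication open
 ip access-group PRE-AUTH in
 dot1x pae authenticator
!
interface FastEthernet0/3
 switchport access vlan 190
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
"""

# Constructed "show authentication sessions" output in the same column layout as the post above.
SAMPLE_SESSIONS = """\
Interface  MAC Address     Method   Domain   Status         Session ID
Fa0/1      001a.e80c.1e70  mab      VOICE    Authz Success  AC10FA2B0000005010BD2E9C
Fa0/1      001e.ec16.0ea0  N/A      DATA     Authz Failed   AC10FA2B0000005110BD35D2
Fa0/2      0011.2233.4455  dot1x    DATA     Authz Failed   AC10FA2B0000005210BD4000
"""

SESSION_RE = re.compile(
    r"^(?P<intf>\S+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<method>\S+)\s+(?P<domain>\S+)\s+(?P<status>.+?)\s+(?P<sid>[0-9A-F]+)$"
)


def short_name(full: str) -> str:
    """'FastEthernet0/1' -> 'Fa0/1', 'GigabitEthernet1/0/24' -> 'Gi1/0/24' (matches show output)."""
    m = re.match(r"([A-Za-z]{2})[A-Za-z]*(.*)", full)
    return m.group(1) + m.group(2)


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [stripped config lines]} for every interface block."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "!" or not line:
            current = None  # end of the interface block
        elif current is not None:
            blocks[current].append(line)
    return blocks


def parse_sessions(output: str) -> List[Dict[str, str]]:
    """Parse the tabular 'show authentication sessions' output, skipping the header."""
    rows = []
    for line in output.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def audit(config: str, sessions: str) -> List[Dict[str, str]]:
    """Flag open-mode ports without a pre-auth ACL and failed sessions that they leave unrestricted."""
    findings: List[Dict[str, str]] = []
    ports: Dict[str, tuple] = {}
    for name, lines in parse_interfaces(config).items():
        is_open = "authentication open" in lines
        acl = next((l.split()[2] for l in lines
                    if l.startswith("ip access-group ") and l.endswith(" in")), None)
        ports[short_name(name)] = (is_open, acl)
        if is_open and acl is None:
            # In open mode the port forwards regardless of auth state; only the ACL limits traffic.
            findings.append({"interface": short_name(name), "issue": "open-no-acl"})
    for s in parse_sessions(sessions):
        if s["status"] != "Authz Failed":
            continue
        is_open, acl = ports.get(s["intf"], (False, None))
        if is_open and acl is None:
            findings.append({"interface": s["intf"], "issue": "failed-session-unrestricted",
                             "mac": s["mac"], "domain": s["domain"]})
        elif is_open:
            findings.append({"interface": s["intf"], "issue": "failed-session-restricted",
                             "mac": s["mac"], "domain": s["domain"], "acl": acl})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG, SAMPLE_SESSIONS):
        print(f)
```

Run against real output by replacing the two sample strings with `show running-config` and `show authentication sessions` captures. A port reported as `open-no-acl` behaves exactly as Rishi describes: the host shows `Authz Failed` yet keeps full access, because open mode only changes what happens to unauthenticated traffic when an ACL (pre-auth or downloaded) is there to filter it.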
