Flexconnect AP with MAB validation

RoadRunner4k (Level 1)

Hi

We are working on a new deployment where we use access points in FlexConnect mode and not local mode, as we do on the rest of our branches.

Normally we use MAB validation of each AP, and we wish to continue to use MAB validation of our access points, but I'm in doubt whether this is possible in FlexConnect mode?

Access points get IPs in VLAN 100 and our clients are switched in VLAN 200. How would the configuration look to support this?

Of course we have to use access-session host-mode multi-host as we get more MAC addresses on the port.

 

interface XX
description Flexconnect AP
switchport trunk native vlan 100
switchport trunk allowed vlan 100,200
switchport mode trunk
spanning-tree portfast trunk
mab
dot1x timeout tx-period 2
dot1x max-reauth-req 3
source template FLEX_WiredDot1xClosedAuth

 

template FLEX_WiredDot1xClosedAuth
dot1x pae authenticator
switchport trunk native vlan 100
switchport mode trunk
mab
access-session host-mode multi-domain
access-session closed
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber PMAP_DefaultWiredDot1xClosedAuth_1X_MAB


9 Replies

Use multi-host.

That being said most customers in my experience don't perform 802.1X/MAB authentication on trunk ports.

andrewswanson (Level 7)

I have a similar policy in place for some local APs that are used for MDNS snooping.
The template below is configured as "switchport mode access" - when ISE authenticates the MDNS AP, it authorizes with RADIUS attribute "cisco-av-pair = device-traffic-class=switch" which converts the interface into a trunk after the AP has been authorized.


template WIRELESS-MDNS
spanning-tree portfast trunk
spanning-tree bpduguard enable
switchport access vlan <AP_VLAN>
switchport trunk native vlan <AP_VLAN>
switchport trunk allowed vlan <AP_VLAN>,<MDNS_VLAN>
switchport mode access
source template MAB_INTERFACE_TEMPLATE


hth
Andy

@andrewswanson - what does the command "show derived interface xyz" look like after the WAP has been authorized? I thought I tried this in the past with multi-host, and it was non-deterministic. The trick is to ensure that the port is authorized while there are no wireless clients associated to it, otherwise you will get their MAC addresses and that will fail authorization.

I agree with @ahollifield - NAC on trunk ports is generally to be avoided.  But keen to hear what your experience is.

One big caveat with multi-host that caught me out recently is devices that use NIC Teaming. E.g. a VMware ESXi host with two interfaces, but in NIC Teaming mode. Both links active, but MAC address of the vmKernel only on one. Multi-host works great when you boot up the ESXi, the vmKernel frames authorize the port, and then the VMs piggy-back on that.  But if you were to reload the switch that the active interface is on, then NIC Teaming on the Host detects this, and switches to link #2. Guess what happens next?  Can you guarantee that the first Ethernet frame will be from the vmKernel MAC? No.  Oooops. Chances are that the VMs will send their frames first, and boom!  Interface is not authorized (ISE rejected it). The answer is then to add all the MACs of all the VMs and use multi-auth instead. But what a pain.

 

Hi Arne

See below for output from switch - these APs are in local mode - usually only require to be connected to an access port. Some are used for MDNS snooping so we need to have the interface configured as a trunk:


output from 3650 stack running 16.09.08

show run

interface GigabitEthernet4/0/6
ipv6 traffic-filter DENYV6 in
snmp trap mac-notification change added
snmp trap mac-notification change removed
source template WIRELESS-MDNS
ip verify source

Where:

template WIRELESS-MDNS
spanning-tree portfast trunk
spanning-tree bpduguard enable
switchport access vlan <AP_VLAN>
switchport trunk native vlan <AP_VLAN>
switchport trunk allowed vlan <AP_VLAN>,<MDNS_VLAN>
switchport mode access
source template MAB_POLICY


show derived after successful authorization:

interface GigabitEthernet4/0/6
switchport access vlan <AP_VLAN>
switchport trunk native vlan <AP_VLAN>
switchport trunk allowed vlan <AP_VLAN>,<MDNS_VLAN>
switchport mode trunk
ipv6 traffic-filter DENYV6 in
access-session control-direction in
access-session port-control auto
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
spanning-tree portfast trunk
spanning-tree bpduguard enable
service-policy type control subscriber MAB_POLICY
ip verify source

 

Right'o. So you're still doing multi-auth (which is the hidden/default access-session host-mode) - I assume the clients connect to a PSK SSID (I don't see any 802.1X on the switch)?  But still, your RADIUS server has to perform MAB for all the clients - do you just authorize them, or how do you manage a potentially large (and unknown) number of wireless clients in the RADIUS server? 

No, all wireless traffic is centrally switched to WLC which authenticates wireless clients with ISE.

The only authentication the switch does is to authenticate/authorize the AP.

That's very different from what the original post was about - I just thought this may be a way of doing something similar with Flexconnect by authenticating/authorizing the AP on an access port and turning it into a trunk.

RoadRunner4k (Level 1)

My idea is to have a normal access port with MAB validation on from the start (and then on ISE have an endpoint database with the APs in Flex mode). Once ISE sees these access points it should return this cisco-av-pair = interface-template-name=AP-FLEX:

template AP-FLEX
switchport trunk native vlan <AP_VLAN>
switchport trunk allowed vlan <AP_VLAN>,<DATA_VLAN>
switchport mode trunk
spanning-tree portfast trunk

I guess that should work?

@RoadRunner4k  - my concern is that unless you also add the command

access-session host-mode multi-host

to your template, you will be left in multi-auth mode, which means that every MAC learned on the interface (via the wireless SSID) will be subject to NAC on the switch interface. That is not tenable. You want only the WAP to authorize the interface, and then all MAC addresses that come afterwards (client endpoints) will not be subjected to NAC on the switch.

You can perform client endpoint MAB in ISE, if the SSID is enabled with 802.1X or MAC Filtering. Then the WAP/WLC sends the RADIUS request to ISE. 
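The two approaches in this thread (andrewswanson's device-traffic-class=switch converting an access port into a trunk after authorization, and RoadRunner4k's interface-template-name=AP-FLEX applying a template) both end up with an authenticated trunk, and the accepted answer's point is that the host-mode the port lands in decides whether every wireless client MAC behind the AP gets MAB'd on the switch. The script below is an added example, not from the thread or from Cisco: it parses IOS-style template blocks and the cisco-av-pairs a RADIUS server might return, works out the resulting switchport mode and host-mode, and flags a trunk that is still in multi-auth (the default, as the thread states) or in multi-domain. The sample templates, template names and VLAN numbers are constructed for the example.

```python
"""Audit IBNS 2.0 interface templates for the authenticated-trunk AP case.

Added example. Template names, VLANs and av-pairs below are constructed;
the multi-auth default is the one the thread describes.
"""
import re

# Host-mode in effect when a template configures none (per the thread).
DEFAULT_HOST_MODE = "multi-auth"

# Constructed sample config: a MAB base template, the AP-FLEX template as
# proposed in the thread (no host-mode), and a variant that adds multi-host.
SAMPLE_CONFIG = """
template MAB_BASE
 switchport mode access
 mab
 access-session port-control auto
 service-policy type control subscriber MAB_POLICY
template AP-FLEX
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100,200
 switchport mode trunk
 spanning-tree portfast trunk
template AP-FLEX-MULTIHOST
 source template AP-FLEX
 access-session host-mode multi-host
"""


def parse_templates(config_text):
    """Return {name: [commands]} for every 'template <name>' block."""
    templates, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^template\s+(\S+)$", line)
        if m:
            current = m.group(1)
            templates[current] = []
        elif current is not None:
            templates[current].append(line)
    return templates


def resolve_commands(name, templates, seen=None):
    """Flatten a template, following nested 'source template X' lines."""
    if seen is None:
        seen = set()
    if name in seen:  # guard against a reference loop
        return []
    seen.add(name)
    resolved = []
    for cmd in templates.get(name, []):
        m = re.match(r"^source template\s+(\S+)$", cmd)
        if m:
            resolved.extend(resolve_commands(m.group(1), templates, seen))
        else:
            resolved.append(cmd)
    return resolved


def parse_av_pairs(av_pairs):
    """Turn ['interface-template-name=AP-FLEX', ...] into a dict."""
    out = {}
    for pair in av_pairs:
        key, _, value = pair.partition("=")
        out[key.strip()] = value.strip()
    return out


def effective_port_state(base_template, templates, av_pairs=()):
    """Switchport mode and host-mode once the RADIUS authorization is applied.

    interface-template-name=X layers template X on top of the base template;
    device-traffic-class=switch turns the port into a trunk. Later commands win.
    """
    pairs = parse_av_pairs(av_pairs)
    commands = resolve_commands(base_template, templates)
    extra = pairs.get("interface-template-name")
    if extra:
        commands = commands + resolve_commands(extra, templates)

    mode, host_mode = "access", DEFAULT_HOST_MODE
    for cmd in commands:
        m = re.match(r"^switchport mode (access|trunk)$", cmd)
        if m:
            mode = m.group(1)
        m = re.match(r"^access-session host-mode (\S+)$", cmd)
        if m:
            host_mode = m.group(1)
    if pairs.get("device-traffic-class") == "switch":
        mode = "trunk"
    return {"switchport_mode": mode, "host_mode": host_mode}


def audit(base_template, templates, av_pairs=()):
    """Return findings; an empty list means the resulting port state is sane."""
    state = effective_port_state(base_template, templates, av_pairs)
    findings = []
    if state["switchport_mode"] == "trunk":
        if state["host_mode"] == "multi-auth":
            findings.append("trunk authorized in multi-auth: every client MAC "
                            "learned behind the AP is subject to MAB on the port")
        elif state["host_mode"] == "multi-domain":
            findings.append("multi-domain allows one data and one voice MAC; "
                            "wireless clients bridged by the AP will violate it")
    name = parse_av_pairs(av_pairs).get("interface-template-name")
    if name and name not in templates:
        findings.append(f"RADIUS references template {name!r} "
                        "that is not configured on the switch")
    return findings


if __name__ == "__main__":
    T = parse_templates(SAMPLE_CONFIG)
    for pairs in ([], ["interface-template-name=AP-FLEX"],
                  ["interface-template-name=AP-FLEX-MULTIHOST"],
                  ["device-traffic-class=switch"]):
        print(pairs, effective_port_state("MAB_BASE", T, pairs), audit("MAB_BASE", T, pairs))
```

Run against the constructed templates, only the AP-FLEX-MULTIHOST variant comes back clean; the thread's proposed AP-FLEX template and the device-traffic-class=switch path both produce a trunk that stays in multi-auth. The same functions can be pointed at the output of show running-config and the av-pairs from an ISE authorization profile before a template goes to production.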

RoadRunner4k (Level 1)

Thank you so much. I will try this in our lab before adding it to production.