rejected mac addresses are not placed in guest vlan

CSchaatsbergen
Level 1

Hi all,

I am kind of new to switches and learned a lot by reading the documentation sites. My job is to enable AAA authentication on our Cisco switches; we have a 3750 stack, a couple of 3560s and some 3550s. I am testing on one of the 3560s, a WS-C3560G-48PS running 12.2(53)SE1-IP-BASE. Next week I am going to upgrade the firmware to 12.2(55), but with this version everything should already be working.

Basically the only thing I am requested to do at this moment is configuring MAC-Auth Bypass. If the MAC address is accepted, RADIUS returns the VLAN the device should be placed in, mostly VLAN 4.

If the RADIUS server (FreeRADIUS v2.1.10) sends a reject (see below), the port is not switched to the guest VLAN, as I would have expected.

Dec 21 16:23:18 10.1.1.207 37471: 2204776: .Dec 21 16:20:30.935 CET: %AUTHMGR-5-START: Starting 'mab' for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B
Dec 21 16:23:19 10.1.1.207 37472: 2204808: .Dec 21 16:20:31.950 CET: %MAB-5-FAIL: Authentication failed for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B
Dec 21 16:23:19 10.1.1.207 37473: 2204830: .Dec 21 16:20:31.950 CET: %AUTHMGR-5-FAIL: Authorization failed for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B

Can anyone tell me where I am going wrong?

Thanks,

Chris

Relevant parts of the running-config:
aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting dot1x default start-stop group radius
aaa accounting network default start-stop group radius
!
aaa session-id common

!
dot1x system-auth-control
!
interface GigabitEthernet0/29
description 235A
switchport mode access
switchport voice vlan 2
load-interval 30
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
authentication event fail action authorize vlan 7
authentication event server dead action authorize vlan 4
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication port-control auto
mab
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AutoQoS-Police-CiscoPhone
!
interface Vlan1
ip address 10.1.1.207 255.255.255.0
!
interface Vlan2
ip address 10.1.10.207 255.255.255.0
!
ip default-gateway 10.1.1.201
ip classless
!
ip sla enable reaction-alerts
radius-server host 10.1.1.24 auth-port 1812 acct-port 1813
radius-server timeout 10
radius-server key 7 # Wouldn't you want to know
radius-server vsa send accounting
radius-server vsa send authentication
!
end

VLAN information:

VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------------------
1    default                          active    Gi0/6, Gi0/8, Gi0/14, Gi0/15
                                                Gi0/18, Gi0/21, Gi0/29, Gi0/30
                                                Gi0/34, Gi0/36, Gi0/37, Gi0/49
                                                Gi0/50, Gi0/51
2    Voice                            active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                                Gi0/5, Gi0/6, Gi0/7, Gi0/8
                                                Gi0/9, Gi0/10, Gi0/11, Gi0/12
                                                Gi0/13, Gi0/14, Gi0/15, Gi0/16
                                                Gi0/17, Gi0/18, Gi0/19, Gi0/20
                                                Gi0/21, Gi0/22, Gi0/23, Gi0/24
                                                Gi0/25, Gi0/26, Gi0/27, Gi0/28
                                                Gi0/29, Gi0/30, Gi0/31, Gi0/32
                                                Gi0/33, Gi0/34, Gi0/35, Gi0/36
                                                Gi0/37, Gi0/38, Gi0/39, Gi0/40
                                                Gi0/42, Gi0/43, Gi0/44, Gi0/45
                                                Gi0/46, Gi0/47, Gi0/49
3    Video                            active
4    DHCP                             active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                                Gi0/5, Gi0/7, Gi0/9, Gi0/10
                                                Gi0/11, Gi0/12, Gi0/13, Gi0/16
                                                Gi0/17, Gi0/19, Gi0/20, Gi0/22
                                                Gi0/23, Gi0/24, Gi0/25, Gi0/26
                                                Gi0/27, Gi0/28, Gi0/31, Gi0/32
                                                Gi0/33, Gi0/35, Gi0/38, Gi0/39
                                                Gi0/40, Gi0/41, Gi0/42, Gi0/43
                                                Gi0/44, Gi0/45, Gi0/46, Gi0/48
5    Transfer                         active
6    ESX-Test                         active
7    GUEST-VLAN                       active
999  Native                           active
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
2    enet  100002     1500  -      -      -        -    -        0      0
3    enet  100003     1500  -      -      -        -    -        0      0
4    enet  100004     1500  -      -      -        -    -        0      0
5    enet  100005     1500  -      -      -        -    -        0      0
6    enet  100006     1500  -      -      -        -    -        0      0
7    enet  100007     1500  -      -      -        -    -        0      0
999  enet  100999     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 trcrf 101003     4472  1005   3276   -        -    srb      0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trbrf 101005     4472  -      -      15       ibm  -        0      0


VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
1003 7       7       off

Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
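As an added example (not code from the post, and not Cisco's), the following Python correlator groups the switch's authentication-manager syslog messages by AuditSessionID and derives one outcome per session. The sample input embeds the three lines from the post followed by constructed lines for a successful MAB session on another port; the wording of the %MAB-5-SUCCESS and %AUTHMGR-5-SUCCESS messages is assumed from the IOS message format and is not taken from this page. Correlating on the session ID is what makes the verdict reliable: %MAB-5-FAIL only says the method failed, %AUTHMGR-5-FAIL says the auth manager gave up on the whole session, and in the post's three lines no VLAN-assignment message follows.

```python
"""Correlate Cisco IOS MAB / auth-manager syslog events per AuditSessionID."""
import re
from collections import defaultdict

# One pattern for the %AUTHMGR / %MAB / %DOT1X messages seen in the post. The relay
# prefix (syslog timestamp, switch IP, sequence numbers, switch timestamp) varies,
# so the pattern keys on the %FACILITY-SEVERITY-MNEMONIC token and the trailing
# "client (mac) on Interface X AuditSessionID Y" fields.
AUTH_EVENT = re.compile(
    r"%(?P<facility>AUTHMGR|MAB|DOT1X)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): "
    r"(?P<text>.*?)client \((?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4})\) "
    r"on Interface (?P<iface>\S+) AuditSessionID (?P<session>[0-9A-Fa-f]+)"
)
# The START message names the method being attempted, e.g. "Starting 'mab' for client".
START_METHOD = re.compile(r"Starting '(?P<method>\w+)'")

# Constructed sample: the three lines from the post (chronological order), then a
# constructed successful MAB session on Gi0/12 (SUCCESS wording is an assumption),
# then an unrelated line to show that non-authentication messages are ignored.
SAMPLE_LOG = """\
Dec 21 16:23:18 10.1.1.207 37471: 2204776: .Dec 21 16:20:30.935 CET: %AUTHMGR-5-START: Starting 'mab' for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B
Dec 21 16:23:19 10.1.1.207 37472: 2204808: .Dec 21 16:20:31.950 CET: %MAB-5-FAIL: Authentication failed for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B
Dec 21 16:23:19 10.1.1.207 37473: 2204830: .Dec 21 16:20:31.950 CET: %AUTHMGR-5-FAIL: Authorization failed for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B
Dec 21 16:25:02 10.1.1.207 37480: 2204900: .Dec 21 16:22:14.100 CET: %AUTHMGR-5-START: Starting 'mab' for client (0011.2233.4455) on Interface Gi0/12 AuditSessionID 0A0101CF0000086DF8330000
Dec 21 16:25:03 10.1.1.207 37481: 2204910: .Dec 21 16:22:15.200 CET: %MAB-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi0/12 AuditSessionID 0A0101CF0000086DF8330000
Dec 21 16:25:03 10.1.1.207 37482: 2204920: .Dec 21 16:22:15.210 CET: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0011.2233.4455) on Interface Gi0/12 AuditSessionID 0A0101CF0000086DF8330000
Dec 21 16:25:04 10.1.1.207 37483: 2204930: .Dec 21 16:22:16.000 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/12, changed state to up
"""


def classify(events):
    """Derive one outcome from a session's event list; the auth manager's verdict wins."""
    if "AUTHMGR-SUCCESS" in events:
        return "authorized"
    if "AUTHMGR-FAIL" in events:
        return "rejected"        # RADIUS Access-Reject, as in the post
    if any(e.endswith("-FAIL") for e in events):
        return "method-failed"   # the method failed but the auth manager has no verdict yet
    return "pending"


def parse_sessions(log_text):
    """Group authentication events by AuditSessionID; returns {session_id: summary}."""
    sessions = defaultdict(lambda: {"mac": None, "iface": None, "method": None, "events": []})
    for line in log_text.splitlines():
        m = AUTH_EVENT.search(line)
        if not m:
            continue                      # not an authentication event; skip it
        s = sessions[m["session"]]
        s["mac"], s["iface"] = m["mac"].lower(), m["iface"]
        s["events"].append(f"{m['facility']}-{m['mnemonic']}")
        if m["mnemonic"] == "START":
            started = START_METHOD.search(m["text"])
            if started:
                s["method"] = started["method"]
    for s in sessions.values():
        s["outcome"] = classify(s["events"])
    return dict(sessions)


def rejected_sessions(sessions):
    """(interface, mac) for every session the switch rejected: the rows worth alerting on."""
    return [(s["iface"], s["mac"]) for s in sessions.values() if s["outcome"] == "rejected"]


def report(sessions):
    """One human-readable row per session."""
    return [
        f"{s['iface']:<8}{s['mac']}  method={s['method']}  outcome={s['outcome']}  "
        f"events={','.join(s['events'])}"
        for s in sessions.values()
    ]


if __name__ == "__main__":
    for row in report(parse_sessions(SAMPLE_LOG)):
        print(row)
```

Running the block prints one row per session. The rejected list is the part a NAC operator would wire to alerting: a device that the RADIUS server rejected but that the switch did not move to the guest VLAN stays on the port's configured access VLAN (VLAN 1 for Gi0/29 in the show vlan output above), which is exactly the condition the post describes and the one worth catching.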

16 Replies

Well, I am afraid I just found the answer.....

802.1x Authentication with MAC Authentication Bypass

You can configure the switch to authorize clients based on the client MAC address (see Figure 9-2) by using the MAC authentication bypass feature. For example, you can enable this feature on 802.1x ports connected to devices such as printers.

If 802.1x authentication times out while waiting for an EAPOL response from the client, the switch tries to authorize the client by using MAC authentication bypass.

When the MAC authentication bypass feature is enabled on an 802.1x port, the switch uses the MAC address as the client identity. The authentication server has a database of client MAC addresses that are allowed network access. After detecting a client on an 802.1x port, the switch waits for an Ethernet packet from the client. The switch sends the authentication server a RADIUS-access/request frame with a username and password based on the MAC address. If authorization succeeds, the switch grants the client access to the network. If authorization fails, the switch assigns the port to the guest VLAN if one is configured.

If an EAPOL packet is detected on the interface during the lifetime of the link, the switch determines that the device connected to that interface is an 802.1x-capable supplicant and uses 802.1x authentication (not MAC authentication bypass) to authorize the interface. EAPOL history is cleared if the interface link status goes down.

If the switch already authorized a port by using MAC authentication bypass and detects an 802.1x supplicant, the switch does not unauthorize the client connected to the port. When re-authentication occurs, the switch uses 802.1x authentication as the preferred re-authentication process if the previous session ended because the Termination-Action RADIUS attribute value is DEFAULT.

Clients that were authorized with MAC authentication bypass can be re-authenticated. The re-authentication process is the same as that for clients that were authenticated with 802.1x. During re-authentication, the port remains in the previously assigned VLAN. If re-authentication is successful, the switch keeps the port in the same VLAN. If re-authentication fails, the switch assigns the port to the guest VLAN, if one is configured.

If re-authentication is based on the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS attribute (Attribute[29]) and if the Termination-Action RADIUS attribute (Attribute[29]) action is Initialize (the attribute value is DEFAULT), the MAC authentication bypass session ends, and connectivity is lost during re-authentication. If MAC authentication bypass is enabled and the 802.1x authentication times out, the switch uses the MAC authentication bypass feature to initiate re-authorization. For more information about these AV pairs, see RFC 3580, "802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines."

MAC authentication bypass interacts with these features:

802.1x authentication—You can enable MAC authentication bypass only if 802.1x authentication is enabled on the port.

Guest VLAN—If a client has an invalid MAC address identity, the switch assigns the client to a guest VLAN if one is configured.

Restricted VLAN—This feature is not supported when the client connected to an 802.1x port is authenticated with MAC authentication bypass.

Port security—See the "802.1x Authentication with Port Security" section.

Voice VLAN—See the "802.1x Authentication with Voice VLAN Ports" section.

VLAN Membership Policy Server (VMPS)—802.1x and VMPS are mutually exclusive.

Private VLAN—You can assign a client to a private VLAN.

Network admission control (NAC) Layer 2 IP validation—This feature takes effect after an 802.1x port is authenticated with MAC authentication bypass, including hosts in the exception list.

For more configuration information, see the "Authentication Manager" section.

So I guess I will need to work with the Guest VLAN after all...

Sorry all, no idea why I missed that line before.

Ah no, Nicolas already explained that Guest VLAN is no option here either.

/me ponders: do I have to work with dynamic VLAN assignment now? Assign a port to the restricted VLAN through the RADIUS server? Such a pity.