12-21-2010 08:15 AM - edited 03-10-2019 05:39 PM
Hi all,
I am kind of new to switches and learned a lot by reading the documentation sites. My job is to enable aaa authentication on our Cisco switches, we have a 3750stack, a couple of 3560s and some 3550s. I am testing on one of the 3560s, a WS-C3560G-48PS running 12.2(53)SE1-IP-BASE. Next week I am going to upgrade firmware to 12.2(55) but with this version everything should already be working.
Basically the only thing I am requested to do at this moment is configuring Mac-Auth Bypass. If the Mac address is accepted, Radius returns the VLAN the device should be placed in, mostly VLAN 4.
If the radius server (freeradius v 2.1.10) sends a reject (see below), the port is not switched to the guest vlan, as I would have expected.
Dec 21 16:23:19 10.1.1.207 37473: 2204830: .Dec 21 16:20:31.950 CET: %AUTHMGR-5-FAIL: Authorization failed for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B
Dec 21 16:23:19 10.1.1.207 37472: 2204808: .Dec 21 16:20:31.950 CET: %MAB-5-FAIL: Authentication failed for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B
Dec 21 16:23:18 10.1.1.207 37471: 2204776: .Dec 21 16:20:30.935 CET: %AUTHMGR-5-START: Starting 'mab' for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B
Can anyone tell me where I am going wrong?
Thanks,
Chris
Relevant parts of the running-config:
aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting dot1x default start-stop group radius
aaa accounting network default start-stop group radius
!
aaa session-id common
!
dot1x system-auth-control
!
interface GigabitEthernet0/29
description 235A
switchport mode access
switchport voice vlan 2
load-interval 30
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
authentication event fail action authorize vlan 7
authentication event server dead action authorize vlan 4
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication port-control auto
mab
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AutoQoS-Police-CiscoPhone
!
interface Vlan1
ip address 10.1.1.207 255.255.255.0
!
interface Vlan2
ip address 10.1.10.207 255.255.255.0
!
ip default-gateway 10.1.1.201
ip classless
!
ip sla enable reaction-alerts
radius-server host 10.1.1.24 auth-port 1812 acct-port 1813
radius-server timeout 10
radius-server key 7 # Wouldn't you want to know
radius-server vsa send accounting
radius-server vsa send authentication
!
end
VLAN information:
VLAN Name Status Ports
---- -------------------------------- --------- ------------------------------
1 default active Gi0/6, Gi0/8, Gi0/14, Gi0/15
Gi0/18, Gi0/21, Gi0/29, Gi0/30
Gi0/34, Gi0/36, Gi0/37, Gi0/49
Gi0/50, Gi0/51
2 Voice active Gi0/1, Gi0/2, Gi0/3, Gi0/4
Gi0/5, Gi0/6, Gi0/7, Gi0/8
Gi0/9, Gi0/10, Gi0/11, Gi0/12
Gi0/13, Gi0/14, Gi0/15, Gi0/16
Gi0/17, Gi0/18, Gi0/19, Gi0/20
Gi0/21, Gi0/22, Gi0/23, Gi0/24
Gi0/25, Gi0/26, Gi0/27, Gi0/28
Gi0/29, Gi0/30, Gi0/31, Gi0/32
Gi0/33, Gi0/34, Gi0/35, Gi0/36
Gi0/37, Gi0/38, Gi0/39, Gi0/40
Gi0/42, Gi0/43, Gi0/44, Gi0/45
Gi0/46, Gi0/47, Gi0/49
3 Video active
4 DHCP active Gi0/1, Gi0/2, Gi0/3, Gi0/4
Gi0/5, Gi0/7, Gi0/9, Gi0/10
Gi0/11, Gi0/12, Gi0/13, Gi0/16
Gi0/17, Gi0/19, Gi0/20, Gi0/22
Gi0/23, Gi0/24, Gi0/25, Gi0/26
Gi0/27, Gi0/28, Gi0/31, Gi0/32
Gi0/33, Gi0/35, Gi0/38, Gi0/39
Gi0/40, Gi0/41, Gi0/42, Gi0/43
Gi0/44, Gi0/45, Gi0/46, Gi0/48
5 Transfer active
6 ESX-Test active
7 GUEST-VLAN active
999 Native active
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
2 enet 100002 1500 - - - - - 0 0
3 enet 100003 1500 - - - - - 0 0
4 enet 100004 1500 - - - - - 0 0
5 enet 100005 1500 - - - - - 0 0
6 enet 100006 1500 - - - - - 0 0
7 enet 100007 1500 - - - - - 0 0
999 enet 100999 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 trcrf 101003 4472 1005 3276 - - srb 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trbrf 101005 4472 - - 15 ibm - 0 0
VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
1003 7 7 off
Remote SPAN VLANs
------------------------------------------------------------------------------
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
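A small parser for the %AUTHMGR / %MAB syslog lines quoted in the question, grouping them per AuditSessionID so a MAB session that ended in a reject stands out. This is an added example, not Cisco code; the two success lines for the phone are constructed in the same format as the poster's lines.

```python
"""Summarize Catalyst %AUTHMGR / %MAB syslog lines per authentication session.

Added example for this thread, not Cisco code. SAMPLE_LINES reuses the three
lines quoted in the question and adds two constructed success lines for the
phone (0026.9943.9e20) in the same format, so the script runs offline.
"""
import re

SAMPLE_LINES = [
    # The poster's lines (newest first, as the log viewer showed them)
    "Dec 21 16:23:19 10.1.1.207 37473: 2204830: .Dec 21 16:20:31.950 CET: %AUTHMGR-5-FAIL: "
    "Authorization failed for client (f0de.f119.9870) on Interface Gi0/29 "
    "AuditSessionID 0A0101CF0000086CF832980B",
    "Dec 21 16:23:19 10.1.1.207 37472: 2204808: .Dec 21 16:20:31.950 CET: %MAB-5-FAIL: "
    "Authentication failed for client (f0de.f119.9870) on Interface Gi0/29 "
    "AuditSessionID 0A0101CF0000086CF832980B",
    "Dec 21 16:23:18 10.1.1.207 37471: 2204776: .Dec 21 16:20:30.935 CET: %AUTHMGR-5-START: "
    "Starting 'mab' for client (f0de.f119.9870) on Interface Gi0/29 "
    "AuditSessionID 0A0101CF0000086CF832980B",
    # Constructed: the phone succeeding MAB on the same port
    "Dec 21 16:25:02 10.1.1.207 37480: 2204910: .Dec 21 16:22:14.100 CET: %AUTHMGR-5-SUCCESS: "
    "Authorization succeeded for client (0026.9943.9e20) on Interface Gi0/29 "
    "AuditSessionID 0A0101CF00000A1415A27A39",
    "Dec 21 16:25:02 10.1.1.207 37479: 2204900: .Dec 21 16:22:14.090 CET: %MAB-5-SUCCESS: "
    "Authentication successful for client (0026.9943.9e20) on Interface Gi0/29 "
    "AuditSessionID 0A0101CF00000A1415A27A39",
]

# "%AUTHMGR-5-FAIL: Authorization failed for client (mac) on Interface Gi0/29 AuditSessionID ..."
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): "
    r"(?P<text>[^(]*)\((?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\) "
    r"on Interface (?P<intf>\S+) AuditSessionID (?P<session>[0-9A-F]+)"
)
# Switch-side sequence number just before the switch timestamp: "2204830: .Dec 21 16:20:31.950"
SEQ_RE = re.compile(r"(?P<seq>\d+): [.*]?[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d")


def parse_line(line):
    """Return the fields of one %AUTHMGR/%MAB message, or None for any other line."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["text"] = rec["text"].strip()
    s = SEQ_RE.search(line)
    rec["seq"] = int(s.group("seq")) if s else None
    return rec


def summarize(lines):
    """Group messages by AuditSessionID in switch sequence order (the viewer
    listed them newest first) and record how each session ended."""
    recs = [r for r in map(parse_line, lines) if r]
    recs.sort(key=lambda r: (r["seq"] is None, r["seq"] or 0))
    sessions = {}
    for r in recs:
        s = sessions.setdefault(r["session"], {"mac": r["mac"], "intf": r["intf"],
                                               "events": [], "outcome": "PENDING"})
        s["events"].append(f"{r['facility']}-{r['mnemonic']}")
        if r["facility"] == "AUTHMGR" and r["mnemonic"] in ("FAIL", "SUCCESS"):
            s["outcome"] = r["mnemonic"]
    return sessions


def failed_sessions(sessions):
    """(mac, interface) pairs whose authorization ended in FAIL: the ones to
    alert on, and in this thread the ones that should have landed in VLAN 7."""
    return [(s["mac"], s["intf"]) for s in sessions.values() if s["outcome"] == "FAIL"]


if __name__ == "__main__":
    for sid, s in summarize(SAMPLE_LINES).items():
        print(sid, s["intf"], s["mac"], s["outcome"], " -> ".join(s["events"]))
    print("failed:", failed_sessions(summarize(SAMPLE_LINES)))
```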
12-22-2010 03:51 AM
Hi,
Just to use the correct names, what you want is an auth-fail vlan (which you configured correctly). Guest vlan is for PCs that don't have dot1x capabilities (not answering to dot1x packets) but for mac bypass, this "no-response" event will never happen.
So now that we have that explained, your config looks quite ok actually. I'd go with debugs and check what is wrong.
debug radius
debug epm all
debug authentication feature mab all
debug authentication feature mda all
Nicolas
===
Don't forget to rate answers that you find useful
12-22-2010 05:57 AM
Hi,
You should connect via console or telnet (if telnet, please do "term mon") and the switch should start logging the debugs on the screen.
Save these logs and share them with us, so we can take a look and point out what/where is failing.
Please make sure you enable the debugs before plugging the machine into the switchport so that the debugs show everything from the beginning until the access reject is received by the switch.
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
12-22-2010 04:05 AM
Hi Nicolas,
Thanks, will start debugging. Can you give me a pointer where I can find the output?
Thanks,
Chris
12-22-2010 07:44 AM
Hi,
Actually being able to see the debug information already clarifies a lot. Apparently a lot of debugging was already running on the switch, so at first I got loads and loads of debugging info. Since nobody I contacted was checking it I turned all debugging off and then started with this request.
Attached two files
radius_olsw207_port_gi29.txt is the (debug) output from the FreeRadius server on the authentication request
olsw207.log is the telnet information with debug output from the Catalyst 3560 switch
Perhaps my continuous testing with the same laptop is causing (part of) the problems:
2322835: Dec 22 15:23:47.397: AUTH-FEAT-MDA-EVENT (Gi0/29) Black Listed Mac Address f0de.f10e.97d6 on vlan 1
(how can I remove the Black-Listing?)
Also I noticed that an access-reject message on another port was processed right away by the switch, whereas here the switch initially ignores the access-reject message. So maybe the brand/type/configuration of the laptop is causing (part of) the problems as well. After about 15 minutes my telnet connection was terminated and the switch had not rejected yet but that is probably because of the blacklisting. Will try again tomorrow once I get the blacklisting gone.
Hopefully you can still make something out of it.
Thanks for the help!
12-23-2010 12:56 AM
Hi,
When a new mac is seen on the port, the address is put on the black list in the data and voice domain until
authentication is successful.
One thing that is missing in your port config is the "switchport access vlan x" command.
Also, please note that when using auth-fail vlan, the switch will not differentiate a phone/pc if they both fail authentication.
Meaning, that if the phone fails auth, it is placed in the data-domain auth-fail vlan, as well as if a PC fails auth.
And in addition, remember that MDA only allows 1 mac address per domain (DATA and VOICE), which means that if the phone fails authentication and is placed on the auth-fail vlan, the PC will not be able to go to the DATA domain.
I could explain the restricted vlan feature but it is better to point you to the doc where it is detailed:
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
12-23-2010 01:23 AM
Hi Tiago,
Thanks for your explanation.
I deliberately did not add the switchport access vlan, since printers go to VLAN 1 (default) and PCs/notebooks go to VLAN 4. The radius server notifies the port on authentication success which VLAN should be chosen, based on the mac-address.
Currently my port is the only one configured for MDA, all other ports use Cisco Discovery Protocol Bypass. I am trying to see if MDA works because in this document it is suggested MDA is more secure. It is up to my colleague who does telephones to keep the mac-address list of the phones up to date.
I did not know yet a rejected phone would be placed in the restricted vlan as well and would block a PC, though actually it is logical. Will let my colleagues know so they know what to expect.
All in all a nice amount of information, unfortunately my 'security clearance' does not allow me to read the document you linked, pity as I think it could be good reading for what I am trying to achieve.
But still, Radius pretty much right away sends a reject message, which is received by the switch and then 'tossed aside'? Can anyone give me any idea why the switch does not place this client in the restricted VLAN?
12-23-2010 05:05 AM
Hi,
the thing is that you MUST configure the "switchport access vlan x" command on a dot1x enabled port.
Regarding the document, here is a link you can access:
If after entering the "switchport access vlan x" command, it still does not work as you expect, please recollect the debugs:
deb dot1x all
deb epm all
deb auth all
deb auth feature all
From when you plug the cable into the switch until the Access-reject is received and processed.
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
12-23-2010 06:49 AM
I added switchport access vlan 4 (our data VLAN) to the port.
With the old debugging still on I turned on the PC and watched. This time the access rejects were immediately processed by the switch, so I was hopeful. It tried 3 authorization requests then I noticed some message about having no more authentication methods. But alas, the port did not get assigned to the restricted VLAN.
So I ended the old debugging and gave the commands requested (that gives a lot of debugging information, although not very readable for me), disabled and enabled the port (just to be sure) and turned on the PC again.
First reject was not processed, another authorization request was sent about 5 minutes later, also reject not processed. Then, another 5 minutes or so later it really started. About 12 times, once every minute there was a MAB request, the rejects properly processed. But still the port did not get assigned to the restricted VLAN. And then it became quiet again.
I do not know when you consider the request properly handled (I would say Authorized or attached to the restricted VLAN), so there is about half an hour of debugging info in the attached file.
About halfway I also asked the running-config of the port as I wanted to make sure I had not made any mistakes, but that looked normal.
Holiday seasons start for me now, I will be back Monday morning.
Thanks for all the help so far!
12-23-2010 08:09 AM
Hi,
It looks like you have a PC behind a phone on that port correct?
I focused on the interface Gi0/29 which is the one you refer to on this post.
What device would you like to be MAB authenticated?
I see that the phone is succeeding MAB, however the RADIUS server is not returning the authorization attribute: "device-traffic-class=voice".
Please take a look into:
You will find:
"To authorize a voice device, the AAA server must be configured to send a Cisco Attribute-Value (AV) pair attribute with a value of device-traffic-class=voice. Without this value, the switch treats the voice device as a data device."
Also:
"The guest VLAN and restricted VLAN features only apply to the data devices on an MDA-enabled port. The switch treats a voice device that fails authorization as a data device. "
And keep in mind that in MDA only one device is allowed per domain, so if the phone does not go to the VOICE domain, it will stay on the DATA domain and no other device will be allowed to the DATA domain.
I would make sure that the RADIUS server is returning the Cisco Attribute-Value (AV) pair attribute with a value of device-traffic-class=voice. (this is why I asked the debug radius).
And you can set up the switch to move the device to the restricted vlan (auth-fail vlan) immediately after 1 failed authentication:
"authentication event fail retry 1"
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
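The rules Tiago quotes (a voice device needs the Cisco AV pair device-traffic-class=voice or it is treated as a data device, one MAC per MDA domain, restricted VLAN only for the data domain) as a small model of the poster's port, using the VLAN numbers and MAC addresses from this thread. This is an added example, not Cisco or FreeRADIUS code; the attribute dicts stand in for RADIUS Access-Accept contents and the "security violation" wording is the model's own.

```python
"""Model of where a MAB client lands on the MDA port discussed in this thread.

Added example, not Cisco or FreeRADIUS code. VLAN numbers are the poster's
(voice 2, access 4, auth-fail 7); the attribute dicts are a stand-in for the
RADIUS Access-Accept a server would return.
"""

VOICE_VLAN = 2      # switchport voice vlan 2
ACCESS_VLAN = 4     # switchport access vlan 4
AUTH_FAIL_VLAN = 7  # authentication event fail action authorize vlan 7


def phone_accept():
    """Access-Accept for an IP phone: carries the Cisco AV pair (constructed)."""
    return {"Cisco-AVPair": ["device-traffic-class=voice"]}


def data_accept(vlan):
    """Access-Accept carrying a dynamic VLAN for a data device (constructed)."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": str(vlan)}


class MdaPort:
    def __init__(self, fail_retry=1):
        # 'authentication event fail retry N' (Tiago suggests 1): rejects seen
        # before the data device is moved to the auth-fail VLAN
        self.fail_retry = fail_retry
        self.domains = {}   # "DATA"/"VOICE" -> {"mac", "vlan", "status"}
        self.rejects = {}   # mac -> consecutive Access-Reject count

    def radius_result(self, mac, attrs):
        """Apply one RADIUS reply for mac. attrs is None for Access-Reject,
        otherwise the Access-Accept attributes. Returns (domain, vlan, status)."""
        if attrs is None:
            self.rejects[mac] = self.rejects.get(mac, 0) + 1
            if self.rejects[mac] < self.fail_retry:
                return ("DATA", None, "Authz Failed (retrying)")
            # A rejected device, phone or not, is treated as a data device
            return self._place("DATA", mac, AUTH_FAIL_VLAN, "Authz Failed (restricted)")
        self.rejects.pop(mac, None)
        if "device-traffic-class=voice" in attrs.get("Cisco-AVPair", []):
            return self._place("VOICE", mac, VOICE_VLAN, "Authz Success")
        # No AV pair: data domain, on the RADIUS VLAN if one was sent
        vlan = ACCESS_VLAN
        if attrs.get("Tunnel-Type") == "VLAN" and attrs.get("Tunnel-Medium-Type") == "IEEE-802":
            vlan = int(attrs["Tunnel-Private-Group-Id"])
        return self._place("DATA", mac, vlan, "Authz Success")

    def _place(self, domain, mac, vlan, status):
        occupant = self.domains.get(domain)
        if occupant and occupant["mac"] != mac:
            # MDA allows exactly one MAC per domain: a second one is refused
            return (domain, None, f"Security violation: {domain} held by {occupant['mac']}")
        self.domains[domain] = {"mac": mac, "vlan": vlan, "status": status}
        return (domain, vlan, status)


if __name__ == "__main__":
    port = MdaPort()
    print(port.radius_result("0026.9943.9e20", None))             # phone rejected -> DATA, VLAN 7
    print(port.radius_result("f0de.f10e.97d6", data_accept(4)))   # PC locked out of DATA
```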
12-27-2010 02:12 AM
Hi Tiago,
Sorry for taking so much of your time. I am a bit stubborn and would like to understand why it is not working. Let me please emphasise that I did do a lot of reading in Cisco and Radius documentation and that by now I also understand most of what I have read so far. I have already been trying to get everything working for about four months now, I am a n00b with Cisco configuration but not a complete n00b. I may do things differently, but I can assure you most of what I did is currently working correctly (after plenty of trial and error). I have made mistakes and I will make mistakes, that is why I am constantly testing. That is why I ask here for others to look at what I have done, to find the mistakes I made which I have not found myself.
I started testing this when I discovered that all PCs that were not authorized were not added to the restricted VLAN, on neither of our switches and with every possible configuration. All other ports are in single mode, many PCs connect through a Cisco IP Phone but not all. Also notebooks directly connected to the port on a switch are not placed in restricted VLAN mode after failed authorization.
Yes, you are absolutely correct, I am connecting the PC to the network through a Cisco 7961 IP phone.
I configured the Radius server to actually return a cisco av-pair device-traffic-class=voice as was described in the link I provided earlier, and I thought it was working correctly as my phone is connected to the voice vlan properly. When I had that return code incorrect before on the radius server, my ip phone just tried to get an ip-address or configuration and failed after a while. It could be the Cisco Discovery Protocol Bypass which is still configured on the port as well, though that did not help before when I had the device-traffic-class configured wrong on the Radius server.
...
OK, I just disabled Cisco Discovery Protocol Bypass and my phone is still connecting properly to the voice VLAN. No idea where/how I can find the messages returned by the radius server (debug radius only shows the packet sent to the Radius server, not what is received) and how they are interpreted by the Cisco switch but this convinces me the cisco av-pair is received properly by the switch or my phone simply would not have worked.
I would like to have first my phone and then my (test) notebook mab authorized. Phone is working properly for a while already. I can see in the Radius logs that it returns the device-traffic-class=voice Cisco av pair and since my phone is working again since I got that right I assume it works. And after just checking the switch vlan assignment I can see the port is only active on the voice vlan.
OK, some more testing to find out what is right and what is wrong.
I added the mac address of the notebook to an authorized list of the Radius server and the notebook now connects properly to the network.
current configuration:
OLSW207#show running-config int gi0/29
Building configuration...
Current configuration : 564 bytes
!
interface GigabitEthernet0/29
description 235A
switchport access vlan 4
switchport mode access
switchport voice vlan 2
load-interval 30
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
authentication event fail action authorize vlan 7
authentication event server dead action authorize vlan 4
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication port-control auto
mab
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AutoQoS-Police-CiscoPhone
end
OLSW207#show authentication interface gi0/29
Client list:
Interface MAC Address Method Domain Status Session ID
Gi0/29 0026.9943.9e20 mab VOICE Authz Success 0A0101CF00000A1415A27A39
Gi0/29 f0de.f10e.97d6 mab DATA Authz Success 0A0101CF00000A1715CA6E22
Available methods list:
Handle Priority Name
2 1 mab
Runnable methods list:
Handle Priority Name
2 1 mab
OLSW207#
Both the phone and the notebook are now authorized on the port and working correctly. So can we please agree that the current configuration on itself is working properly and focus on why the notebook is not added to the restricted VLAN when I take the mac address out of the authorized list again?
Again sorry for taking so much of your time and thank you for your willingness to help.
12-23-2010 11:13 AM
Chris,
On the interface that you are testing with I do not see the command "dot1x pae authenticator" try adding that command and test. I do see that authentication port control auto is there and should suffice for port authentication, but I just want to rule this out of the equation.
Thanks,
Tarik Admani
12-26-2010 11:34 PM
Hi Tarik,
dot1x pae authenticator would enable dot1x authentication and currently that is not requested, hence I left it out. As far as I found in the documentation, it is not needed anymore for mab and my current configuration suggests so as it is working (mostly). On our switches with older firmware, dot1x pae authenticator is still required (as far as I know).
Thanks for the help,
Chris
12-27-2010 12:11 AM
After reading through the command reference guide for your hardware and version of IOS I found that the "authentication event fail vlan
For authentication-fail events:
•If the supplicant fails authentication, the port is moved to a restricted VLAN, and an EAP success message is sent to the supplicant because it is not notified of the actual authentication failure.
–If the EAP success message is not sent, the supplicant tries to authenticate every 60 seconds (the default) by sending an EAP-start message.
–Some hosts (for example, devices running Windows XP) cannot implement DHCP until they receive an EAP success message.
The restricted VLAN is supported only in single host mode (the default port mode). When a port is placed in a restricted VLAN, the supplicant's MAC address is added to the MAC address table. Any other MAC address on the port is treated as a security violation.
•You cannot configure internal VLANs for Layer 3 ports as a restricted VLAN. You cannot specify the same VLAN as a restricted VLAN and as a voice VLAN.
Enable re-authentication with restricted VLANs. If re-authentication is disabled, the ports in the restricted VLANs do not receive re-authentication requests.
To start the re-authentication process, the restricted VLAN must receive a link-down event or an Extensible Authentication Protocol (EAP) logoff event from the port. If a host is connected through a hub:
–The port might not receive a link-down event when the host is disconnected.
–The port might not detect new hosts until the next re-authentication attempt occurs.
When you reconfigure a restricted VLAN as a different type of VLAN, ports in the restricted VLAN are also moved and stay in their currently authorized state.
I would try the following to see if this works well with your deployment:
authentication event no-response
Here is some reading regarding this command:
For no-response events:
•If you enable a guest VLAN on an IEEE 802.1x port, the switch assigns clients to a guest VLAN when it does not receive a response to its Extensible Authentication Protocol over LAN (EAPOL) request/identity frame or when EAPOL packets are not sent by the client.
•The switch maintains the EAPOL packet history. If another EAPOL packet is detected on the port during the lifetime of the link, the guest VLAN feature is disabled. If the port is already in the guest VLAN state, the port returns to the unauthorized state, and authentication restarts. The EAPOL history is cleared.
•If the switch port is moved to the guest VLAN (multi-host mode), multiple non-IEEE 802.1x-capable clients are allowed access. If an IEEE 802.1x-capable client joins the same port on which the guest VLAN is configured, the port is put in the unauthorized state in the RADIUS-configured or user-configured access VLAN, and authentication restarts.
You can configure any active VLAN except a Remote Switched Port Analyzer (RSPAN) VLAN, a primary private VLAN, or a voice VLAN as an IEEE 802.1x guest VLAN. The guest VLAN feature is supported only on access ports. It is not supported on internal VLANs (routed ports) or trunk ports.
•When MAC authentication bypass is enabled on an IEEE 802.1x port, the switch can authorize clients based on the client MAC address if IEEE 802.1x authentication times out while waiting for an EAPOL message exchange. After detecting a client on an IEEE 802.1x port, the switch waits for an Ethernet packet from the client. The switch sends the authentication server a RADIUS-access/request frame with a username and password based on the MAC address.
–If authorization succeeds, the switch grants the client access to the network.
–If authorization fails, the switch assigns the port to the guest VLAN if one is specified.
For more information, see the "Using IEEE 802.1x Authentication with MAC Authentication Bypass" section in the "Configuring IEEE 802.1x Port-Based Authentication" chapter of the software configuration guide.
Take a look at the command reference and try testing your port with these changes and let us know how everything turns out, this guide addresses both scenarios that I just mentioned:
12-27-2010 04:18 AM
Hmmmm, I think I read somewhere that it should actually work.
Restricted VLANs are supported only on 802.1x ports in single-host mode and on Layer 2 ports.
I do not know what Layer a port is on. But this could be the problem indeed. Will check if I can find where I read that it should work.