Wired MacOS clients on NAC'd ports don't send EAPoL-Start frames?

james.brunner
Level 1

Hi all,

We have a global NAC setup, using ISE 3.1 and Cisco 9200/9300 switches, with physical ports configured with a priority of dot1x/mab, but with an order of mab/dot1x. This is due to a set of security audit requirements for granular mab ACLs kicking in immediately when the port goes live and before dot1x starts.

This works fine for Windows dot1x configured machines using the built-in supplicant, as a Wireshark capture shows they send an EAPoL-Start packet to 'supplicant-initiate' the EAP process.

However, for MacOS, using the out-of-the-box supplicant, they seem to not send EAPoL-Start at all, so the port remains in mab. A Wireshark capture confirms they do nothing. If we change the port order to dot1x/mab then the switch initiates the EAP process and it works fine. But, as mentioned, we need mab/dot1x.

Our desktop team use JamF to push the profiles to Mac devices but there's no option in the profiles to force the use of an EAPoL-Start... Our ethernet profile is already set for "AutoJoin" but that's not it.

I've tested with a Dell D6000 USB-C Dock (which is our office hot-desk configuration) as well as a cheap Anker USB-C Ethernet dongle.

Has anyone else come across this? Is there a hidden MacOS configuration setting to change this operation? (Tried googling but no luck).

I wish there was a way to tell the switch to authenticate with mab but, rather than stopping, to carry on sending EAP-Request/Identity packets on the off-chance the connected device suddenly supports dot1x.

Thanks!

JB.

PS. When we originally deployed this 5+ years ago, we were running High Sierra on older hardware with inbuilt Ethernet and it seemed to work fine, dropping right into dot1x on start. Now we're running Monterey and Ventura on new MacBook Pros, no dice - even a fresh install of Catalina has no joy - so maybe it just stopped working when we changed hardware platform!

1 Accepted Solution

Accepted Solutions

Arne Bier
VIP

Hi @james.brunner - have you tried running IBNS 2.0, which allows MAB and 802.1X to operate concurrently? No need to set either one of them to start first - the switch will process whatever the endpoint throws at it.

It used to be documented nicely in the Wired Prescriptive Guide but I can't seem to find it there - but it's a valid option and works quite well if needed.

Example below to show that dot1x and mab are accepted - and the priority simply tells the state machine to give dot1x a higher priority to "trump" any mab attempts - or if the endpoint is mab authenticated, then the supplicant can send an EAPOL frame later and this would be considered higher priority.

policy-map type control subscriber PORT-AUTH-POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20

Perhaps this parallel method has fallen out of favour because you might see 50% failed auth attempts in your Live Logs - it's understandable, because your 802.1X endpoints won't pass the MAB, and vice-versa. But the endpoints will be auth'd regardless.

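A fuller IBNS 2.0 configuration, added here as an example and not taken from Arne's post or from Cisco's guide: it applies the concurrent policy-map to an access port and adds the agent-found event, which is what catches a supplicant (such as the Macs above) that only starts talking EAPoL after a MAB session is already up. The interface name and the host-mode setting are assumptions; the policy-map and event syntax is standard IOS-XE IBNS 2.0.

```cisco
! Switch the box to the new-style (IBNS 2.0) access-session syntax
authentication display new-style

! Run dot1x and mab at the same time as soon as the session starts.
! dot1x gets the higher priority (lower number wins), so a later
! dot1x result overrides an earlier mab result on the same session.
policy-map type control subscriber PORT-AUTH-POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 ! An endpoint that never sent EAPoL-Start but answers EAP later
 ! is detected as "agent-found": drop the mab result and authenticate
 ! with dot1x, which then carries the higher priority.
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10

! Apply the policy to the NAC'd access port (interface name assumed)
interface GigabitEthernet1/0/1
 switchport mode access
 access-session host-mode multi-auth
 access-session port-control auto
 dot1x pae authenticator
 mab
 service-policy type control subscriber PORT-AUTH-POLICY
```

Expect one failed mab record in the ISE Live Logs for each dot1x endpoint (and vice-versa), as Arne notes; `show access-session interface GigabitEthernet1/0/1 details` shows which method finally won the session.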

2 Replies

james.brunner
Level 1

Thanks Arne! That's exactly what I was after - can't believe that this isn't advertised more in the ISE/NAC documentation. I'm going to head over to the lab and test.

Thanks again! JB.