
Wired secured access- PEAP only not working

Hi Experts,

I am testing one use case of PEAP-only, my setup is like below:

VM machine--->trunk port--->Switch---->ISE

Although I know the port should be an access port for EAPOL traffic to reach the RADIUS server through the switch,

here on the trunk port it is taking all the authentication commands, but connectivity between the switch and the VM breaks after the authentication commands are pushed. I am able to successfully test the AD user from the switch with the command: test aaa group radius <username> <password> new-code. That means if I send a RADIUS packet from the switch with the AD username, it is successfully authenticated and gets the policy set (authorization) as well; it shows in the live logs on ISE too.

 

So my question is: if the port between the switch and the VM machine is a trunk, will this scenario work or not, or should it be an access port only? If it is true that it will not work, please give a reference link (web link) so I can prove further that it will not work on a trunk port.

If there is a chance that it will work, please let me know what I am missing.

Commands on the switch port towards the VM machine:

interface GigabitEthernet2/0/24
description # Connected to VM# ESXi 250.18
switchport mode trunk
authentication event fail action next-method
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
end

Status on the switch:

switch #sh authentication sessions int gi2/0/24
Interface MAC Address Method Domain Status Fg Session ID
--------------------------------------------------------------------------------------------
Gi2/0/24 000c.29da.bda6 dot1x UNKNOWN Unauth C3FBD30A000005775B7DAB1A
Gi2/0/24 0050.565d.d52a dot1x UNKNOWN Unauth C3FBD30A000005785B7DBE52

 

Thanks

Garry

Accepted Solution

Greg Gibbs (Cisco Employee)

Support for 802.1x on Trunk Ports is dependent on the hardware/software platform, so you might have to check the Feature Navigator for your platform. See the following post:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-3se/3850/sec-user-8021x-xe-3se-3850-book/config-ieee-802x-pba.html#GUID-942BC62F-43C5-489A-AD7F-B724C81E0DC0

 

Even if supported, there are other limitations (dynamic VLAN assignment, etc) when using 802.1x on a Trunk Port, so using an access port is recommended. If using the IBNS 2.0 framework on the switch, I believe it will prevent you from configuring 802.1x on a Trunk Port unless it is for the NEAT use case.


5 Replies

Mike.Cifelli (VIP Alumni)
A few things to note and try :)
If you are attempting to dot1x auth more than one VM you should implement: #authentication host-mode multi-auth. While in this mode, multiple devices are allowed to independently authenticate through the same port. Something else to consider is enabling #authentication mac-move permit if you allow the VMs to migrate between hosts. Otherwise you will have issues. Add #dot1x pae authenticator to the interface configs. This command enables dot1x on the interface.

Note that some people will say enabling dot1x for VMs may not be necessary since the servers they live on may be locked in your data center, and those ports are not user facing ports. However, this definitely IMO comes down to your requirements. Good luck & HTH!
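As an added illustration, not code from the thread or from Cisco, here is a small Python lint that encodes the advice given so far: it parses an IOS interface stanza and the "show authentication sessions" table pasted in the question, and flags 802.1X enabled on a trunk port (Greg's point), a multi-domain host mode on a port where more than one data MAC is seen, a missing "dot1x pae authenticator" line (Mike's points), and sessions stuck in Unauth. The sample config and session rows are copied from the post, not captured live; the finding codes, the short-name mapping and the treatment of the optional "Fg" column are my own assumptions about the output format.

```python
import re

# Constructed sample input, copied from the thread's interface config and
# "show authentication sessions" output (not captured live for this example).
SAMPLE_CONFIG = """\
interface GigabitEthernet2/0/24
 description # Connected to VM# ESXi 250.18
 switchport mode trunk
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
end
"""

SAMPLE_SESSIONS = """\
Interface MAC Address Method Domain Status Fg Session ID
--------------------------------------------------------------------------------------------
Gi2/0/24 000c.29da.bda6 dot1x UNKNOWN Unauth C3FBD30A000005775B7DAB1A
Gi2/0/24 0050.565d.d52a dot1x UNKNOWN Unauth C3FBD30A000005785B7DBE52
"""

# Long-to-short interface prefixes as IOS prints them in show output (assumed mapping).
SHORT_PREFIX = {"GigabitEthernet": "Gi", "TenGigabitEthernet": "Te", "FastEthernet": "Fa"}

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


def short_name(interface):
    """GigabitEthernet2/0/24 -> Gi2/0/24; already-short names pass through."""
    for long, short in SHORT_PREFIX.items():
        if interface.startswith(long):
            return short + interface[len(long):]
    return interface


def parse_interface_config(text):
    """Split running-config text into {short interface name: [config lines]}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = short_name(line.split(None, 1)[1])
            stanzas[current] = []
        elif line in ("end", "!"):
            current = None
        elif current is not None and line:
            stanzas[current].append(line)
    return stanzas


def parse_sessions(text):
    """Parse 'show authentication sessions' data rows into dicts keyed by column."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        # Data rows have an interface in column 1 and a dotted MAC in column 2.
        if len(cols) < 6 or not MAC_RE.match(cols[1]):
            continue
        iface, mac, method, domain, status = cols[:5]
        # The 'Fg' flag column is blank on most rows, so take the session ID from the end.
        rows.append({"interface": iface, "mac": mac, "method": method,
                     "domain": domain, "status": status, "session_id": cols[-1]})
    return rows


def lint_port(name, cfg_lines, sessions):
    """Return (code, message) findings for one port, following the thread's advice."""
    cfg = set(cfg_lines)
    findings = []
    # Classic and IBNS 2.0 (access-session) spellings of "enable port authentication".
    dot1x_on = ("authentication port-control auto" in cfg
                or "access-session port-control auto" in cfg)
    if not dot1x_on:
        return findings
    if "switchport mode trunk" in cfg:
        findings.append(("TRUNK_DOT1X",
            f"{name}: 802.1X enabled on a trunk port; support is platform-dependent and "
            "intended for NEAT/AP use, use 'switchport mode access' for a host port"))
    port_sessions = [s for s in sessions if s["interface"] == name]
    data_macs = {s["mac"] for s in port_sessions if s["domain"] != "VOICE"}
    if "authentication host-mode multi-domain" in cfg and len(data_macs) > 1:
        findings.append(("HOST_MODE",
            f"{name}: {len(data_macs)} data MACs seen but host-mode is multi-domain "
            "(one data + one voice); use 'authentication host-mode multi-auth' for several VMs"))
    if not any(l.startswith("dot1x pae authenticator") for l in cfg):
        findings.append(("NO_PAE", f"{name}: 'dot1x pae authenticator' is not configured"))
    unauth = [s["mac"] for s in port_sessions if s["status"] == "Unauth"]
    if unauth:
        findings.append(("UNAUTH", f"{name}: sessions stuck in Unauth: {', '.join(unauth)}"))
    return findings


def lint(config_text, sessions_text):
    """Run lint_port over every interface stanza and return all findings in order."""
    sessions = parse_sessions(sessions_text)
    report = []
    for name, lines in parse_interface_config(config_text).items():
        report.extend(lint_port(name, lines, sessions))
    return report


if __name__ == "__main__":
    for code, msg in lint(SAMPLE_CONFIG, SAMPLE_SESSIONS):
        print(f"[{code}] {msg}")
```

On the thread's own port the lint reports all four findings; changing the port to "switchport mode access" clears the first one, which is the check that matters for the question asked here.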

Thanks Mike for your suggestion.

Configuring multi-host or multi-domain is another story, depending on how many endpoints and what type of endpoints (voice and data) we want to use. Moreover, configuring #dot1x pae authenticator is for the NEAT topology, where my switch will act as a supplicant and will support video endpoints etc.

My question is simple: can we use dot1x on a trunk port or not? There is a limitation for me in configuring an access port on the VM side; in that case the VM will not work and I have to make it a trunk only.

 

Thanks

Garry


Thanks Greg,

My hardware is a C9300-24T, so it means dot1x will not work on a trunk port for me, as per the link you have shared.

 

The IEEE 802.1X Support for Trunk Ports feature is used to configure Ethernet interfaces as trunk ports.

 

In Cisco IOS XE Release 3.2SE, this feature was supported on the following platforms:
Catalyst 3850 Series Switches
Cisco 5760 Wireless LAN Controller
In Cisco IOS XE Release 3.3SE, this feature was supported on the following platforms:
Catalyst 3650 Series Switches
Cisco Catalyst 3850 Series Switches.

 

Thanks

Garry

Greg is correct; the feature "802.1X on Trunk Ports" is there to support NEAT and FlexConnect APs. Cisco Live session BRKCRS-2600 has some info. If you have further questions on this feature, please post them to the Switching community.

The same applies to Catalyst 9K switches.
