802.1x Machine Authentication

phil1024
Level 1

Hi,

 

I hope someone can help with this issue,

 

I have set up 802.1x to use machine authentication and each time I try to get this to work, it uses the MAC address of the device as the host name. Obviously this is not in AD, as the computer name is domain joined and not the MAC address. How do I get around this so that the MAC address is used?

 

The cisco device is a 2960G

The NPS server is Server 2016

 

The configuration is as follows:

 

aaa new-model
!
!
aaa group server radius dot1x-auth
server name dot1x-auth1
!
aaa authentication banner ^CC
-----------------------------------------------------------------------
Warning, You have accessed a secure device
Unauthorised access to or misuse of this device is prohibited and constitutes
an offence under the ^C
aaa authentication fail-message ^CCCCC
********************************************************************************
The attempted authentication failed, please try again. If this error persists,
please contact the administrator of this system.
Disconnect NOW if you have not been expressly authorised to use this system.
By logging onto this system, you accept that your activity may be subject to
monitoring for compliance purposes and may be recorded.
********************************************************************************
^C
aaa authentication login default local
aaa authentication dot1x default group dot1x-auth
aaa authorization console
aaa authorization config-commands
aaa authorization network default group dot1x-auth
aaa accounting dot1x default start-stop group dot1x-auth
aaa accounting system default start-stop group dot1x-auth
!
!
!
!
!
aaa server radius dynamic-author
client xxxxxxxxxxx server-key 7 052D561D72195A3B4A164446190F0C6B
!
aaa session-id common
!
dot1x system-auth-control
!
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 4096
!
vlan internal allocation policy ascending
lldp run
!
!
!
!
!
!
interface GigabitEthernet0/1
description 802.1x Wired Auth
switchport access vlan 16
switchport mode access
switchport voice vlan 26
ip access-group ACL-DEFAULT in
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
mls qos trust cos
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 30
dot1x timeout server-timeout 45
dot1x timeout tx-period 10
dot1x timeout supp-timeout 20
dot1x timeout ratelimit-period 10
dot1x max-reauth-req 1
auto qos trust cos
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
!
ip access-list extended ACL-DEFAULT
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit udp any any eq tftp
permit ip any any
!
!
radius server dot1x-auth1
address ipv4 xxxxxxxxxxxx auth-port 1812 acct-port 1813
timeout 2
retransmit 1
key 7 15345B1E577F3F167B20667601041E42
!

 

The logs on the NPS server show:

<Event><Timestamp data_type="4">03/18/2019 00:31:23.256</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">3c5282363704</User-Name><Service-Type data_type="0">10</Service-Type><Framed-MTU data_type="0">1500</Framed-MTU><Called-Station-Id data_type="1">00-23-AC-70-5A-01</Called-Station-Id><Calling-Station-Id data_type="1">3C-52-82-36-37-04</Calling-Station-Id><NAS-Port-Type data_type="0">15</NAS-Port-Type><NAS-Port data_type="0">50001</NAS-Port><NAS-Port-Id data_type="1">GigabitEthernet0/1</NAS-Port-Id><NAS-IP-Address data_type="3">192.168.0.254</NAS-IP-Address><Client-IP-Address data_type="3">192.168.0.254</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">Switch</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Secure Wired (Ethernet) Connections</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">xxxxx\3c5282363704</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">xxxx\3c5282363704</Fully-Qualifed-User-Name><Authentication-Type data_type="0">1</Authentication-Type><Class data_type="1">311 1 192.168.0.47 03/17/2019 21:16:12 69</Class><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">03/18/2019 00:31:23.256</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 192.168.0.47 03/17/2019 21:16:12 69</Class><Authentication-Type data_type="0">1</Authentication-Type><Fully-Qualifed-User-Name data_type="1">xxxxx\3c5282363704</Fully-Qualifed-User-Name><SAM-Account-Name data_type="1">xxxxx\3c5282363704</SAM-Account-Name><Provider-Type data_type="0">1</Provider-Type><Proxy-Policy-Name data_type="1">Secure Wired (Ethernet) Connections</Proxy-Policy-Name><Client-IP-Address data_type="3">192.168.0.254</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">Switch</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>

 

Any reason why it's using the MAC address as the name rather than the computer name?

 

Cheers

 

Phil

7 Replies

Mike.Cifelli
VIP Alumni
Based on your scenario it seems that you are failing dot1x and falling back to mab. Hence why you see the mac address as the hostname. Does your computer have a certificate to use for authentication? Are you using the Windows native supplicant or anyconnect?
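The quickest way to confirm the fallback Mike describes is to read the NPS IAS-format log rather than guess from the switch. The script below is an added example, not code from the thread: it parses one XML Event per line, joins the Access-Request to its Access-Reject through the Class attribute, and labels the session MAB when Service-Type is Call-Check (10) or the User-Name is just the Calling-Station-Id MAC, which is exactly what the two events above show (Authentication-Type 1 is PAP, and Reason-Code 16 is NPS's credentials-mismatch code, consistent with a MAC that has no AD account). The sample log is constructed from those events with the domain prefix removed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the two NPS events quoted above, trimmed to the
# attributes the check needs: the Access-Request and its matching Access-Reject.
SAMPLE_LOG = """\
<Event><User-Name data_type="1">3c5282363704</User-Name><Service-Type data_type="0">10</Service-Type><Calling-Station-Id data_type="1">3C-52-82-36-37-04</Calling-Station-Id><NAS-Port-Id data_type="1">GigabitEthernet0/1</NAS-Port-Id><Authentication-Type data_type="0">1</Authentication-Type><Class data_type="1">311 1 192.168.0.47 03/17/2019 21:16:12 69</Class><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Class data_type="1">311 1 192.168.0.47 03/17/2019 21:16:12 69</Class><Authentication-Type data_type="0">1</Authentication-Type><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
"""

PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject"}
AUTH_TYPES = {"1": "PAP", "5": "EAP"}  # IAS Authentication-Type codes seen in the thread
CALL_CHECK = "10"                      # RADIUS Service-Type the switch sends for MAB


def parse_events(text):
    """Parse IAS-format NPS logging (one XML <Event> per line) into attribute dicts."""
    return [{c.tag: (c.text or "") for c in ET.fromstring(line)}
            for line in text.splitlines() if line.strip()]


def is_mab(req):
    """MAB requests carry Service-Type Call-Check and the client MAC as the user name."""
    mac = re.sub(r"[^0-9a-f]", "", req.get("Calling-Station-Id", "").lower())
    user = re.sub(r"[-:.]", "", req.get("User-Name", "").lower())
    return req.get("Service-Type") == CALL_CHECK or (len(mac) == 12 and user == mac)


def classify_sessions(text):
    """Join each Access-Request to its result via the Class attribute and label it."""
    by_class = {}
    for ev in parse_events(text):
        by_class.setdefault(ev.get("Class"), []).append(ev)
    sessions = []
    for evs in by_class.values():
        req = next((e for e in evs if e.get("Packet-Type") == "1"), None)
        res = next((e for e in evs if e.get("Packet-Type") in ("2", "3")), None)
        if req is None:
            continue
        sessions.append({
            "port": req.get("NAS-Port-Id"),
            "user": req.get("User-Name"),
            "method": "MAB" if is_mab(req) else "dot1x",
            "auth_type": AUTH_TYPES.get(req.get("Authentication-Type"), "other"),
            "outcome": PACKET_TYPES[res["Packet-Type"]] if res else "no result yet",
            "reason_code": int(res["Reason-Code"]) if res else None,
        })
    return sessions
```

A healthy machine authentication shows up instead as Authentication-Type 5 (EAP) with a host/ style User-Name, so anything this returns as MAB/PAP on a port that should be doing dot1x is the supplicant never completing EAP.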

Hi Mike,

 

I use the native supplicant on the windows 10 environment.  Yeah the device has a cert, as shown:

[image: Capture.PNG]

 

yet I am still getting the issue.  The CA is also the NPS server.

Hi,

 

I have removed mab from the switch but I'm still getting the below:

 

#sh authentication sessions int g0/1
Interface: GigabitEthernet0/1
MAC Address: Unknown
IP Address: Unknown
Status: Running
Domain: UNKNOWN
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A800FE00000011000FDF19
Acct Session ID: 0x00000014
Handle: 0xF6000012

Runnable methods list:
Method State
dot1x Running

NRS-Access-Cab-1-sw1#
Mar 18 17:33:54: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Gi0/1 AuditSessionID C0A800FE00000011000FDF19
Mar 18 17:33:54: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Gi0/1 AuditSessionID C0A800FE00000011000FDF19
Mar 18 17:33:54: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Gi0/1 AuditSessionID C0A800FE00000011000FDF19
Mar 18 17:33:54: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Gi0/1 AuditSessionID C0A800FE00000011000FDF19
Mar 18 17:33:54: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (Unknown MAC) on Interface Gi0/1 AuditSessionID C0A800FE00000011000FDF19
Mar 18 17:33:54: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Gi0/1 AuditSessionID C0A800FE00000011000FDF19
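The switch log above already says where the problem is: the dot1x result is 'no-response', meaning the port sent EAP-Request/Identity and the client never answered, which is different from a 'fail' result where the supplicant replied and RADIUS rejected it. The following is an added example, not code from the thread or from Cisco, that groups %AUTHMGR results by AuditSessionID and turns each method result into the next thing to check; the sample lines are the ones quoted above with the terminal line-wrap artefacts removed, and the hint wording is my own.

```python
import re

# Constructed sample: the %AUTHMGR lines quoted above, with the terminal
# line-wrap artefacts removed; one session in which dot1x never got an EAP reply.
SWITCH_LOG = """\
Mar 18 17:33:54: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Gi0/1 AuditSessionID C0A800FE00000011000FDF19
Mar 18 17:33:54: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Gi0/1 AuditSessionID C0A800FE00000011000FDF19
Mar 18 17:33:54: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Gi0/1 AuditSessionID C0A800FE00000011000FDF19
"""

RESULT_RE = re.compile(
    r"%AUTHMGR-7-RESULT: Authentication result '(?P<result>[^']+)' from '(?P<method>[^']+)'"
    r".*?on Interface (?P<port>\S+) AuditSessionID (?P<sid>[0-9A-F]+)")
EXHAUSTED_RE = re.compile(r"%AUTHMGR-7-NOMOREMETHODS:.*AuditSessionID (?P<sid>[0-9A-F]+)")

# What each per-method result points at (hypothetical wording, my own triage notes).
HINTS = {
    ("dot1x", "no-response"): "supplicant never answered EAP: check the client's Wired AutoConfig service and 802.1X settings",
    ("dot1x", "fail"): "supplicant answered but RADIUS rejected it: check the NPS policy and the client certificate",
    ("dot1x", "success"): "dot1x succeeded",
    ("mab", "success"): "authenticated by MAC only: expect the MAC as the user name on NPS",
}


def diagnose(text):
    """Group %AUTHMGR results by AuditSessionID and explain the outcome per session."""
    sessions = {}
    for line in text.splitlines():
        m = RESULT_RE.search(line)
        if m:
            s = sessions.setdefault(m["sid"], {"port": m["port"], "results": [], "exhausted": False})
            s["results"].append((m["method"], m["result"]))
        m = EXHAUSTED_RE.search(line)
        if m:
            sessions.setdefault(m["sid"], {"port": None, "results": [], "exhausted": False})["exhausted"] = True
    for s in sessions.values():
        s["hints"] = [HINTS.get(r, f"{r[0]} returned {r[1]}") for r in s["results"]]
        if s["exhausted"]:
            s["hints"].append("no method left to try: port stays unauthorized")
    return sessions
```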

Is Wired Auto Config service running on the client? If so, please share the configs of your native supplicant.

Hi,

 

Yeah the wired autoconfig service is set to automatic and started.

 

The details from the NIC are as follows:

 

[images: Capture2.PNG, Capture3.PNG, Capture4.PNG, Capture5.PNG]

 

I hope this is what you mean.

 

The RADIUS server is set up as follows:

 

[images: Capture6.PNG, Capture7.PNG, Capture8.PNG, Capture9.PNG]

Thanks for sharing. Please flip the 802.1x settings to computer auth only under specify authentication mode and restart the authentication process. Please share the outcome. Thanks