With Javier Henderson
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to configure and troubleshoot 802.1X.
802.1X is the IEEE standard for port-based network access control. It lets a switch or wireless controller permit or deny network connectivity, assign a VLAN, and apply traffic policy to a port based on the identity of the user or machine attached to it. During this event, Javier Henderson will answer your questions regarding 802.1X configuration and troubleshooting.
Javier Henderson has been a customer support engineer with the Security Team, specializing in AAA technologies, since 2004. In addition to supporting Cisco customers, he has delivered training to other teams on various AAA products. Javier attended Buenos Aires University and holds CCNA and Checkpoint certifications.
Remember to use the rating system to let Javier know if you have received an adequate response.
Javier might not be able to answer every question due to the volume expected during this event. Remember that you can continue the conversation in the Security community, sub-community AAA, Identity and NAC discussion forum, shortly after the event. This event lasts through September 26th, 2014. Visit this forum often to view responses to your questions and the questions of other community members.
Suppose that I have Windows and OS X/iOS hosts on a network. Suppose that I will implement ISE in that network and the client does not want to use certificates. I understand that I should use EAP-GTC on my Apple devices and MSCHAPv2 on my Windows devices. Is this right? Will I find any kind of incompatibility with this configuration? Is there any difference if the client uses Open Directory or Active Directory for their Apple devices?
Hello Javier, I was wondering what the best way is to address ISE server outages for clients using "low-impact" mode with "pre-auth" ACLs. Right now, if the ISE servers become unavailable we can use "authentication event server dead action authorize vlan", but since the ISE/RADIUS servers are unavailable, a dACL is not returned, so the switch doesn't remove the pre-auth ACL.
In the past I have used an EEM script, but that requires IP Services on most access layer switches. It would be nice if there were a feature such as a "critical-auth-acl", similar to "authentication event server dead action authorize vlan".
I hope I understood your need correctly: the feature you're looking for is critical auth VLAN. Please refer to the following document, and let me know if it covers what you want:
I am in the beginning phases of rolling out 802.1X at corporate HQ. Closet switches are 3560X and I'm running ACS 5.5.
I have dot1x working with Cisco 7961 phones and ACS internal accounts. PCs are working with the MS supplicant doing machine auth against an Active Directory computer group.
I currently have all printers doing MAB (successfully), but I want to do dot1x for printers that support it. I'm starting with an HP LaserJet 4700. The printer supposedly supports either PEAP or EAP-TLS. I'd like to do PEAP and authenticate against ACS internal accounts. Is that possible, or does that only work with AD authentication? I'd like to avoid EAP-TLS if possible.
Early testing failed with an error message saying the EAP-MD5 protocol was not enabled for the service (but it is).
You can use ACS internal users for your printers using PEAP or EAP-TLS.
If ACS reports that EAP-MD5 isn't enabled for the service, check the settings of the RADIUS access service and make sure the corresponding box is checked. If you have multiple RADIUS access services (by default ACS has just one, called Default Network Access), you can find out which service handled the attempt by looking at the details of the authentication in the reports.
I see that EAP-MD5 is checked, but click on the arrow to the left of EAP-MD5 to expand it, see what's checked (or unchecked) there, and correct as needed.
The only check box in the EAP-MD5 dropdown is "Detect EAP-MD5 as Host Lookup" which is not checked. I will check that box and test again during my maintenance window tonight.
Sounds good; if it still doesn't work, consider opening a case with us so we can help you during the maintenance window.
We are in the planning stages of finalizing our 802.1X rollout project, in which the last piece of gear to be added is printers, which will be placed in MAB. Our network printers are made up of a few different vendors. We are running Cisco ACS 5.5 and 3750X switches.
We will be moving our printers off our data VLAN, which is shared with our computers, onto a separate printer VLAN. We are exploring whether we can hardcode or dynamically force the printer to move to the new printer VLAN, based on some configuration performed in ACS. We will roll out new switchport configurations with the 802.1X MAB settings and the new printer VLAN. We want to make sure our printers stay on the printer VLAN and stay connected to our network.
I created a printer profile under the following:
Select Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles
And on the Common Tasks page,
under VLAN, I configured the VLAN number for the printer VLAN. How does this work? In the process of completing the MAB lookup, does this hardcode the printer to the VLAN we assigned here after it passes MAB, regardless of the VLAN the printer's switchport is configured for? Or does this only work in conjunction with configuring a downloadable ACL for the printer, which can then be selected under the Common Tasks page, ACLs?
Our Internal Identity Groups are already configured for the printers, and I assigned the new printer profile to them. We have multiple containers for our printers based on the locations they are at, and have also configured the compound condition element for this to work, just like it did for our phone rollout.
Are there any Cisco best practices for rolling out 802.1X MAB for printers? Most of the information I come across is specific to phones.
The ports used for the printers can either be configured statically on the printer VLAN, or you can have the VLAN assigned to the port as each printer authenticates, via RADIUS A/V pairs returned in the Access-Accept.
Which method would you prefer?
We've never attempted the RADIUS A/V pairs for printers and are curious how effective it will be compared to just configuring the printer VLAN number on the ports the printers are attached to.
In the case of printers, and other devices that stay in the same place for the long term, configuring the VLAN statically on the ports is the quickest way to get the configuration going.
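For the dynamic alternative discussed above, the RADIUS server returns three Tunnel attributes (RFC 2868, as profiled for 802.1X by RFC 3580) in the Access-Accept: Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6) and Tunnel-Private-Group-ID = the VLAN number or name. The switch honors the triplet only when all three carry the same tag. The following is an added example, not code from the original thread or from ACS/ISE: it encodes that triplet on the wire and decodes it the way a switch would before assigning the VLAN, including the RFC 2868 rule that a Tunnel-Private-Group-ID whose first octet is greater than 0x1F has no tag byte. The VLAN values "200" and "PRINTERS" are constructed sample input.

```python
"""Encode and decode the RADIUS Tunnel attributes used for dynamic VLAN
assignment (RFC 2868 / RFC 3580). Added example; assumes nothing about any
particular RADIUS server product."""
import struct

# Attribute types (RFC 2868) and the values a switch expects (RFC 3580).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
TUNNEL_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)


def encode_avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS AVP: Type (1 octet), Length (1 octet, includes header), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("AVP value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_attributes(vlan: str, tag: int = 1) -> bytes:
    """Build the Access-Accept AVP triplet that assigns `vlan` (number or
    name; Cisco IOS accepts either) with a common tag 0x00..0x1F."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    tag_byte = bytes([tag])
    return (
        encode_avp(TUNNEL_TYPE, tag_byte + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + encode_avp(TUNNEL_MEDIUM_TYPE, tag_byte + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + encode_avp(TUNNEL_PRIVATE_GROUP_ID, tag_byte + vlan.encode("ascii"))
    )


def parse_avps(attrs: bytes):
    """Yield (type, value) pairs from a run of AVPs, rejecting truncation."""
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated AVP header")
        attr_type, length = attrs[pos], attrs[pos + 1]
        if length < 3 or pos + length > len(attrs):
            raise ValueError("bad AVP length")
        yield attr_type, attrs[pos + 2 : pos + length]
        pos += length


def split_tag(attr_type: int, value: bytes):
    """Separate the tag from the payload per RFC 2868 section 3."""
    if attr_type == TUNNEL_PRIVATE_GROUP_ID:
        # A leading octet above 0x1F is part of the string, not a tag.
        if value[0] <= 0x1F:
            return value[0], value[1:]
        return 0, value
    if len(value) != 4:
        raise ValueError("tagged integer attribute must be 4 octets")
    return value[0], int.from_bytes(value[1:], "big")


def assigned_vlan(attrs: bytes):
    """Return the VLAN a switch would apply, or None if no tag group carries
    a complete and consistent VLAN/IEEE-802/group-id triplet."""
    groups = {}
    for attr_type, value in parse_avps(attrs):
        if attr_type in TUNNEL_ATTRS:
            tag, payload = split_tag(attr_type, value)
            groups.setdefault(tag, {})[attr_type] = payload
    for members in groups.values():
        if (members.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and members.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in members):
            return members[TUNNEL_PRIVATE_GROUP_ID].decode("ascii")
    return None


if __name__ == "__main__":
    wire = vlan_attributes("200")            # constructed sample
    print(wire.hex())                        # 40060100000d410601000006510601323030
    print(assigned_vlan(wire))               # 200
```

For the switch to act on the triplet at all, it must be configured to accept authorization from RADIUS (on IOS, `aaa authorization network default group radius`); without that, the attributes are accepted and silently ignored and the port stays on its configured VLAN.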
I'm currently in a project doing EAP-TLS authentication and authorization of computer accounts against AD. For this we are using ISE 1.2.1.
I have three questions all concerning 802.1X and computer EAP-TLS authentication.
The first is that whenever I have a Windows computer authenticating and I choose to use the SAN Name = UPN (that is, machine$) in my certificate authentication profile, the AD authorization fails. I'm assuming that it tries to query for machine$ and doesn't find it. Because of this I'm forced to use the DNS name.
I would like to understand why this is. Shouldn't ISE be smart enough to strip the $ from a machine that is authenticating?
My second question: for computer authentication, is it mandatory that the presented RADIUS username is in the form host/machine? I have a few Mac OS X computers doing EAP-TLS computer authentication, and by default they do not present host/machine.
The third question: do you have, or can you point to, any best practices or design guide for Mac OS X EAP-TLS authentication with ISE?
Thanks a lot for your time!
I faced the same problem; most likely the problem is not in the username (host/, "$", all of that is OK). If you use certificates for authentication from your corporate CA server (in my case Microsoft), check: 1) the certificate profile on ISE, whether binary comparison is checked or not. If yes, then 2) are your machine certificates being published to AD? You specify that in the certificate template on the CA server.
For certificate binary comparison, ISE asks AD for the user/machine certificate. If AD does not have it, authentication will fail.