cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
725
Views
5
Helpful
2
Replies
Explorer

New ACS 5.3 deployment - question around MAB

Hello,

We are in the process if deploying ACS for several scenarios.  It will be taking over from Microsoft's built in NPS for wireless authentication as well as providing authentication for VPN users and ultimately wired 802.1x services as well.

With respect to the wired access - I've attended a number of sessions at Cisco Live over the past couple of years regarding 802.1x deployment and the initial "monitor mode" to prevent impact to users.  I'm currently configuring a very basic set of rules for the wired deployment and testing.  I've run into some issue with client's connecting behind VoIP phones.

I have a fairly basic set of Service Selection Rules matching on the NAS-Port-Type.  One for Ethernet and one for IEEE-802.11.  From there I have two Access Services configured.  The Wireless policy is working and does not appear to have any issues.  It is using Active Directory and authorizing against AD group memberships.  The Wired policy has two rules, the first matching Auth-method for Lookup and uses the Internal Hosts, the second for MSCHAPv2 which uses Active Directory.

The idea being when mab-auth fails for an 801.x capable client behind a Cisco phone, the next rule in place then authenticates against AD.  I have set the "continue" action for a failed host lookup but it doesn't appear to work:

Logged At:

August 30,2012 11:59:26.213 AM

RADIUS Status:

Authentication failed : 15039 Selected Authorization Profile is DenyAccess

NAS Failure:


Username:

00-15-C5-86-07-D4

MAC/IP Address:

00-15-C5-86-07-D4

Network Device:

Test Switch : 172.16.128.35 : FastEthernet0/14

Access Service:

Domain Wired

Identity Store:

Authorization Profiles:

DenyAccess

CTS Security Group:

Authentication Method:

Lookup

Then the second auth request is a success:

Logged At:

August 30,2012 11:59:26.873 AM

RADIUS Status:

Authentication  succeeded

NAS Failure:


Username:

host/Facemelter7.ssd.local

MAC/IP Address:

00-15-C5-86-07-D4

Network Device:

Test Switch : 172.16.128.35 : FastEthernet0/14

Access Service:

Domain Wired

Identity Store:

AD1

Authorization Profiles:

Permit Access

CTS Security Group:

Authentication Method:

PEAP(EAP-MSCHAPv2)

As you can see the failure and then success are about 5 tenths of a second apart so there's no impact really. 

But my question is this: Is this a good way to structure  the rules?  Every client behind a phone records an auth-failure and then  an auth-success in ACS, so it gives the appearance of a lot of  failures.  Is there a better way to do MAB?

Thanks!

Rob

Everyone's tags (4)
2 REPLIES 2
Advocate

New ACS 5.3 deployment - question around MAB

HI,

It seems as if your port settings are always using mab first then dot1x, what you can do to clean this up is to set dot1x first but with quick timers to that when the switch sents an eap-request, if an eap-response isnt sent with a few seconds it will then use mab (so that mab only clients do not timeout in the dhcp process).

What this does for your logging is that any dot1x capable client is authenticated without going through mab first which is generating this messages.

What hardware and version of code are you running and I can point you in the right direction, also please provide your current port configuration.

thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani
*Please rate helpful posts*
Explorer

Re: New ACS 5.3 deployment - question around MAB

Thanks Tarik,

I had considered using that method and tweaking the timers but this was a recommended alternative in some of the Cisco white papers.  I'll certainly try it out.

I am running 5.3.0.40.6 in VMware.  Current port config is as follows:

interface FastEthernet0/14

description 802.1X Test Port

switchport mode access

switchport block unicast

switchport voice vlan 100

srr-queue bandwidth share 10 10 60 20

priority-queue out

authentication event fail action next-method

authentication host-mode multi-auth

authentication order mab dot1x

authentication priority dot1x mab

authentication port-control auto

authentication violation restrict

mab

mls qos trust device cisco-phone

mls qos trust cos

dot1x pae authenticator

auto qos voip cisco-phone

spanning-tree portfast

spanning-tree bpduguard enable

service-policy input AutoQoS-Police-CiscoPhone

The switch is a 2960 with 12.2(50)SE1 Lan Base