How to provide access to multiple users connected to a Dumb switch? (multi-auth/multi-domain)

stoimen_hristov, Level 1

Good morning everybody,

I am writing because I have not been able to implement a desired outcome in our company network. The situation is as follows:

What I want to do is to be able to authenticate users (802.1x authentication) against our company RADIUS server and authorize them access by dynamic VLAN assignment in a multi-user environment on one and the same port of a Cisco 2960 Catalyst switch. So far, the authentication and authorization has been working completely smoothly (there are no problems with that itself). The concept involves the configuration of both DATA and VOICE VLANs, as there is also phone authentication implemented. In order to simulate this environment I introduce a dumb switch connected to my Cisco 2960 Catalyst.

What I have successfully managed to get to work so far is this:

1) On one switch port I have tried "authentication host-mode multi-domain" and it worked perfectly for a PC behind a telephone, or with one PC connected to the dumb switch + the telephone connected to another port of the dumb switch. Logically it is the same situation, as there is a separation into two domains, DATA and VOICE. Below is the output of show authentication sessions for this scenario.

Interface  MAC Address     Method   Domain   Status         Session ID
Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)

2) On the other hand, when I try the same scenario with "authentication host-mode multi-auth", the switch still separates the traffic into two domains and is able to authenticate all users, AS LONG AS they are in the same VLAN.

show authentication sessions:

Interface  MAC Address     Method   Domain   Status         Session ID
Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
Fa0/23     b888.e3eb.ebac  dot1x    DATA     Authz Success  C0A8FF69000000F8008C (user2)
Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)

However, I cannot succeed authentication of many users from DIFFERENT VLANs, neither in multi-auth nor in multi-domain modes.

What I want to get is an output like this:

Interface  MAC Address     Method   Domain   Status         Session ID
Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
Fa0/23     b888.e3eb.ebac  dot1x    DATA     Authz Success  C0A8FF69000000F8008C (user2)
Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)

I want the switch to authenticate the users any time they connect to it, and for them to have instant access to the network. (I say this because I tried scenario 1) with multi-domain mode and "authentication violation replace", and it worked, but two users never had access to the "Internet" simultaneously!!!)

The configuration of the interface connected to the dumb switch is as follows.

!
interface FastEthernet0/x
 description Connection to DUMBswitch
 switchport mode access
 switchport voice vlan XXX
 ! port-security and 802.1x each have their own violation action:
 ! "port-security violation protect" drops frames from excess MACs,
 ! "authentication violation replace" replaces the existing 802.1x session
 switchport port-security maximum 10
 switchport port-security
 switchport port-security violation protect
 authentication host-mode multi-auth
 authentication priority dot1x
 authentication port-control auto
 authentication timer reauthenticate 4000
 authentication violation replace
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!

The way I see it is explained in the following steps:

- PC1 connects to the Dumb switch. This causes the Cisco switch to authenticate user1. This creates an auth. session with its MAC address linked to a domain DATA.

- When PC2 connects to the Dumb switch, this causes the violation replace which replaces the recent authenticated MAC address with the MAC of PC2. I would like it once authenticated to appear in the authentication sessions with a link to a new DATA domain linked to the VLAN assigned from the RADIUS server.

Is this possible? I think (in theory) this is the only way to provide authenticated access to multiple users connecting through Dumb switch to the network.

Has anybody ever succeeded in such a configuration example? If yes, I would love to get some help in doing so.

Thank you

Stoimen Hristov
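The following is an added illustration, not code from the original post or from Cisco. It is a small Python model of the behaviour the post describes for the two host modes on an access port: multi-domain allows one DATA and one VOICE session, multi-auth allows several DATA sessions but only in a single data VLAN, and "authentication violation replace" swaps the existing session for the new MAC when the host-mode limit is hit. The MAC addresses and user names are the ones from the thread's show output; the VLAN numbers (10, 20, 100), the "protect" alternative and the log wording are assumptions for the example, not switch output.

```python
from dataclasses import dataclass, field
from typing import Optional

# MACs and user names from the thread's "show authentication sessions" output;
# the VLAN numbers are assumed for the example.
PHONE = ("0015.655c.b912", "VOICE", 100, "phone")
USER1 = ("0021.9b62.b79b", "DATA", 10, "user1")
USER2_SAME = ("b888.e3eb.ebac", "DATA", 10, "user2")    # RADIUS returns same VLAN as user1
USER2_OTHER = ("b888.e3eb.ebac", "DATA", 20, "user2")   # RADIUS returns a different VLAN


@dataclass
class Session:
    mac: str
    domain: str   # "DATA" or "VOICE"
    vlan: int     # VLAN assigned by the RADIUS server for this host
    user: str


@dataclass
class AccessPort:
    """Model of one 802.1x access port (rules as observed in the thread)."""
    name: str
    host_mode: str                # "multi-domain" or "multi-auth"
    violation: str = "replace"    # "replace" or "protect" (assumed alternative)
    sessions: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def _limit(self, domain: str) -> Optional[int]:
        # VOICE: one phone per port in both modes.
        # DATA: one host in multi-domain, unlimited (None) in multi-auth.
        if domain == "VOICE" or self.host_mode == "multi-domain":
            return 1
        return None

    def authorize(self, mac: str, domain: str, vlan: int, user: str) -> bool:
        """Return True if the host ends up with an authorized session."""
        same_domain = [s for s in self.sessions if s.domain == domain]

        # The access port carries a single data VLAN. In multi-auth a second
        # DATA host whose RADIUS VLAN differs from the VLAN already in use on
        # the port cannot be authorized (the case described in the post).
        if domain == "DATA" and self.host_mode == "multi-auth" and same_domain:
            port_vlan = same_domain[0].vlan
            if vlan != port_vlan:
                self.log.append(f"{mac} ({user}): Authz Failed, port already in "
                                f"VLAN {port_vlan}, RADIUS returned VLAN {vlan}")
                return False

        limit = self._limit(domain)
        if limit is not None and len(same_domain) >= limit:
            if self.violation != "replace":
                self.log.append(f"{mac} ({user}): violation, new host dropped")
                return False
            victim = same_domain[-1]          # most recent session in this domain
            self.sessions.remove(victim)
            self.log.append(f"{mac} ({user}): replaced {victim.mac} ({victim.user})")

        self.sessions.append(Session(mac, domain, vlan, user))
        self.log.append(f"{mac} ({user}): Authz Success, {domain}, VLAN {vlan}")
        return True

    def data_users(self) -> list:
        """Users currently holding a DATA session on the port, sorted."""
        return sorted(s.user for s in self.sessions if s.domain == "DATA")

    def show(self) -> str:
        """Render the sessions in the layout of 'show authentication sessions'."""
        rows = [f"{'Interface':<10} {'MAC Address':<15} {'Domain':<7} {'VLAN':<5} Status"]
        for s in self.sessions:
            rows.append(f"{self.name:<10} {s.mac:<15} {s.domain:<7} {s.vlan:<5} "
                        f"Authz Success ({s.user})")
        return "\n".join(rows)


def run(host_mode: str, violation: str, *hosts):
    """Authorize hosts in order on a fresh port; return (port, per-host results)."""
    port = AccessPort("Fa0/23", host_mode, violation)
    results = [port.authorize(*h) for h in hosts]
    return port, results


if __name__ == "__main__":
    scenarios = [
        ("multi-domain", "replace", (PHONE, USER1, USER2_OTHER)),  # scenario 1: one PC at a time
        ("multi-auth", "replace", (PHONE, USER1, USER2_SAME)),     # scenario 2: same VLAN works
        ("multi-auth", "replace", (PHONE, USER1, USER2_OTHER)),    # the failing case
    ]
    for mode, viol, hosts in scenarios:
        port, ok = run(mode, viol, *hosts)
        print(f"--- host-mode {mode}, authentication violation {viol}: {ok}")
        print(port.show())
        print("\n".join(port.log), end="\n\n")
```

Running it reproduces the three observations from the post: in multi-domain with "replace", user2 takes over the single DATA slot and user1 loses access; in multi-auth both users are authorized when RADIUS returns the same VLAN; and in multi-auth the second user is refused when RADIUS returns a different VLAN, because the port is already bound to the first user's data VLAN.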

5 Replies

stoimen_hristov, Level 1

Or can I add more DATA Domains in order to authenticate multiple users in different VLANs???

stoimen_hristov, Level 1

Any Cisco Advanced Engineer that might be able to help? 

Thank you

Xavier Lloyd, Level 1

Hi Stoimen,

I have done a setup similar to yours with the only exception being VLAN assignment. When I used dACLs only, it makes things somewhat easier as the VLAN no longer matters. Remember that the switchport is in access mode and will only allow a single VLAN across it (with the exception of the voice VLAN). I think that is the real cause of your problem.


From what I can see, you have 2 options available to you:

1) Use dACLs instead of VLAN assignment. This means that an access list will be downloaded from the radius server straight to the authenticated user's session. I have tested this and it works perfectly. Just Google Cisco IBNS quick reference guide and look for the section that deals with Low Impact mode.

2) Get rid of the dumb switches and use managed switches throughout your network. Dumb switches will always be a point of weakness in your network because they have no intelligence to do advanced security features like port security, 802.1x, DHCP snooping, etc.

Hopefully someone else will chime in with another option.

Xavier

Take a look at this thread, it might help:

https://supportforums.cisco.com/discussion/11054926/8021x-multi-domain-multiple-workstation

Hi Xavier,

Thanks for the reply!

I am aware of the fact that access mode does not tag the traffic. However, what I would like to achieve is to map each MAC address of any authenticated device to its proper assigned VLAN. This is what I am not aware of, though. Are there any techniques to do that? (Unfortunately, throwing out the switches is not a solution, as the budget does not allow it...)

NkiwaneMG, I've checked this thread already. The discussion there is helpful to understand the difference between the different host-modes. Sadly, none of them does the job needed in my case!?

That is why I wanted to find a workaround. I hope this topic will attract more pros, as the situation is a very common one, but apparently not many solutions exist.

There must be something more!

Thank you a lot guys.
