11-28-2014 12:22 AM - edited 03-07-2019 09:42 PM
Hi guys, We have configured 802.1x on our infrastructure and have used Intel AMT, which enables adding .1x profiles to the BIOS, which should enable authentication bypass and thus allow PXE boot on machines. We are using Cisco Catalyst 3000 series mostly, however in a testing lab I have tried configuring this without any luck! The switch configuration is rather basic, but RADIUS authentication is working both while in a fully operational Windows environment as well as in the BIOS, but still while PXE booting no DHCP information is acquired. Could you please guide us on what we are missing? I am not a network person, and am a newbie.
Switch configuration:
Current configuration : 2165 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 2950
!
aaa new-model
aaa authentication login default line none
aaa authentication dot1x default group radius
aaa authentication dot1x group group radius
aaa authorization network default group radius
!
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
dot1x system-auth-control
!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
switchport access vlan 50
switchport mode access
dot1x port-control auto
dot1x guest-vlan 30
spanning-tree portfast
!
interface FastEthernet0/3
switchport access vlan 50
switchport mode access
dot1x port-control auto
dot1x guest-vlan 30
spanning-tree portfast
!
interface FastEthernet0/4
switchport access vlan 30
switchport mode access
dot1x port-control auto
dot1x guest-vlan 30
spanning-tree portfast
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
switchport access vlan 50
switchport mode trunk
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan50
ip address 10.11.12.90 255.255.255.0
ip helper-address 10.11.12.3
no ip route-cache
!
ip default-gateway 10.11.12.1
ip http server
radius-server host 10.11.12.40 auth-port 1812 acct-port 1813 key 123
radius-server retransmit 3
!
line con 0
line vty 0 4
password keepOut
line vty 5 15
password keepOut
!
!
end
When the client is operating in Windows OS we are seeing:
2950#show dot1x interface fastEthernet 0/2
Supplicant MAC ecf4.bb63.1cd6
AuthSM State = AUTHENTICATED
BendSM State = IDLE
Posture = N/A
PortStatus = AUTHORIZED
MaxReq = 2
MaxAuthReq = 2
HostMode = Single
Port Control = Auto
ControlDirection = Both
QuietPeriod = 60 Seconds
Re-authentication = Disabled
ReAuthPeriod = 3600 Seconds
ServerTimeout = 30 Seconds
SuppTimeout = 30 Seconds
TxPeriod = 30 Seconds
Guest-Vlan = 30
While the client is PXE booting:
2950#show dot1x interface fastEthernet 0/2
Supplicant MAC ecf4.bb63.1cd6
AuthSM State = AUTHENTICATED
BendSM State = IDLE
Posture = N/A
PortStatus = AUTHORIZED
MaxReq = 2
MaxAuthReq = 2
HostMode = Single
Port Control = Auto
ControlDirection = Both
QuietPeriod = 60 Seconds
Re-authentication = Disabled
ReAuthPeriod = 3600 Seconds
ServerTimeout = 30 Seconds
SuppTimeout = 30 Seconds
TxPeriod = 30 Seconds
Guest-Vlan = 30
But nothing happens on the client side, it stays stuck waiting on the DHCP server. On the RADIUS server I can see the request being authorized and getting full access in response. The same behaviour is also being shown on the switch, but why are we not able to PXE boot? Is this some sort of a routing problem or is it something else? If I connect to a different port, but without dot1x, I am able to PXE boot, as the PXE server is also placed in the same VLAN.
Hope someone can guide me, thanking you all in advance.
Best regards,
Sean
11-28-2014 04:44 AM
Hi Sean,
you need to configure LOW IMPACT MODE. There is an ACL on the switchport, which allows Layer 2 traffic.
Example:
ip access-list extended ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domain
remark Ping
permit icmp any any
remark PXE / TFTP
permit udp any any eq tftp
permit ip any host 10.135.31.68
remark Drop all the rest
deny ip any any log
!
int gi0/1
ip access-group ACL-DEFAULT in
After authentication your RADIUS should send a dACL with permit ip any any
PORTCONFIG:
interface GigabitEthernet0/2
switchport access vlan 998
switchport mode access
switchport voice vlan 24
authentication event fail action next-method
authentication host-mode multi-auth
authentication order mab dot1x
authentication port-control auto
authentication timer restart 900
authentication timer inactivity server
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 1
dot1x max-req 3
dot1x max-reauth-req 1
no cdp enable
no cdp tlv server-location
no cdp tlv app
spanning-tree portfast
spanning-tree bpduguard enable
Regards Horst
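An added example, not code from Horst's post or from Cisco, that models the low impact mode he describes: it parses the pre-authentication ACL in IOS syntax and shows which flows a port passes before 802.1X authorization and after RADIUS pushes the dACL of permit ip any any. The port-name map, the sample client addresses and the packets are constructed for the example.

```python
from collections import namedtuple

PORTS = {"bootpc": 68, "bootps": 67, "domain": 53, "tftp": 69}  # IOS port names used in the ACL
Ace = namedtuple("Ace", "action proto src sport dst dport")      # a port of None means any port
Pkt = namedtuple("Pkt", "proto src sport dst dport")

def parse_acl(text):
    """Parse 'permit|deny <proto> <src> [eq port] <dst> [eq port] [log]' lines; remarks are skipped."""
    acl = []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] in ("remark", "ip"):  # skip remarks and the 'ip access-list' header line
            continue
        ends, i = [], 2
        for _ in range(2):                          # source endpoint, then destination endpoint
            addr, i = ("any", i + 1) if tok[i] == "any" else (tok[i + 1], i + 2)  # 'any' or 'host A.B.C.D'
            port = None
            if i < len(tok) and tok[i] == "eq":
                port, i = PORTS.get(tok[i + 1]) or int(tok[i + 1]), i + 2
            ends.append((addr, port))
        acl.append(Ace(tok[0], tok[1], *ends[0], *ends[1]))
    return acl

def matches(ace, pkt):
    """'ip' covers every protocol, 'any' every address, and a port of None every port."""
    return (ace.proto in ("ip", pkt.proto) and ace.src in ("any", pkt.src) and ace.dst in ("any", pkt.dst)
            and ace.sport in (None, pkt.sport) and ace.dport in (None, pkt.dport))

def permitted(acl, pkt):
    """The first matching ACE decides; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action == "permit"
    return False

# The pre-authentication ACL from the post (DHCP, DNS, TFTP and the final deny).
PRE_AUTH_ACL = parse_acl("""ip access-list extended ACL-DEFAULT
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit udp any any eq tftp
deny ip any any log""")
DACL = parse_acl("permit ip any any")  # the dACL RADIUS pushes after a successful authentication

def port_allows(authorized, pkt):
    """Low impact mode: ACL-DEFAULT filters the port until the dACL replaces it."""
    return permitted(DACL if authorized else PRE_AUTH_ACL, pkt)
# Constructed sample flows from a PXE client; the addresses are made up for the example.
DHCP_DISCOVER = Pkt("udp", "0.0.0.0", 68, "255.255.255.255", 67)
TFTP_BOOTFILE = Pkt("udp", "10.11.12.50", 2070, "10.11.12.3", 69)
HTTP_FETCH = Pkt("tcp", "10.11.12.50", 40001, "10.11.12.3", 80)
```

Before authorization only the DHCP and TFTP flows a PXE client needs get through; once the dACL is applied the same HTTP flow that was denied passes.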
11-28-2014 01:16 PM
Hi Horst, and thanks for the reply. I have tried adding the ACL, but can't seem to get it to work. I get an error which says
%Error:The field sets of all the ACEs in an ACL on Ethernet interface should match. Please refer to the Software Configuration Guide to understand one mask restriction for ACLs on Ethernet interface
This error message means that one or more of the ACEs in an ACL must have the same mask.
Change the ACEs to have the same mask as the other ACEs in the ACL.
I must also mention that I only have a 2950 at home, in the lab environment, but will have 3000 series available at the office. But anyways, it seems like the 2950 also has the option to add an ACL on port level. I had to omit some lines from the ACL as you provided above, as I was getting errors. So I ended up adding
ip access-list extended ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domain
remark PXE / TFTP
permit udp any any eq tftp
Now when I try to assign the ACL to a port I get the error mentioned above. I have tried to search around a bit, but can't seem to really understand what the error means. So what is the error actually referring to as masks? It's not the subnet mask, that I'm sure of :) Is it not that we are defining two conditions in the DHCP rule?
And thank you sooo much for the help and guidance till now. Have a great weekend.
Best regards,
Sean