Fail open port / user authentication

  • Question
  • Updated 2 weeks ago
  • Answered
Apologies in advance if this is an easy one...

Basically the question is: in EXOS, what would be the configuration to fail authentication open, whether MAC, PEAP, EAP-TLS, etc., if both RADIUS / NAC appliances become unavailable?

With NAC / RADIUS not available I would either need to fail open, or do something else that would still grant access to the network.

I appreciate that anything already authenticated onto the network would stay connected. I believe there is a timer that can be configured to set the re-authentication time or turn it off completely.

An option could possibly be to move to local switch authentication using MAC addresses, if all those are previously stored / configured on the switch?

Possibly use something like the following:

configure netlogin authentication failure vlan Default ports 1-22
configure netlogin authentication service-unavailable vlan Default ports 1-22

Although some ports, like phones, might have multiple VLANs, so not sure how that would work.

Possibly something else I haven't thought of or found?

Many thanks in advance

Martin Flammia

Posted 3 weeks ago

Brad Parker, Technical Support Engineer
Hi Martin,

I'm not sure if this is the question that you're asking, but what if you set the authentication to optional? That way if NAC/RADIUS are unavailable, users can still access the network. Is that an option?

configure netlogin port <port-number> authentication mode optional

Thanks
Brad

Martin Flammia
Hi Brad, thanks for posting back.

The reason I haven't used that command is because I believed it would allow devices onto the network in normal operation even if they didn't authenticate. The only time I've really used it is when using NAC in monitoring mode i.e. MAC auth optional.

So I'm thinking yes it would do the trick, but at the same time bypass the port authentication security in the process under normal operation - would that be right?

The following GTAC article says the following:

https://gtacknowledge.extremenetworks.com/articles/Q_A/If-port-has-been-configured-for-authOptional-...

  • With authentication optional mode, the traffic from the client will be allowed even when it is not authenticated. i.e. authentication is not mandatory.
  • If the client failed to authenticate due to some reason (either server unreachable or wrong password or some other reason), then switch will still add the MAC in fdb table and stop initiating the re-auth request to the radius server.
  • The next authentication will be triggered only when fdb ages out or “clear fdb” is executed.
  • If the client gets successfully authenticated with this mode, then it will continue to send the re-auth request after every policy session time-out.
  • But since this customer scenario deals with a failed client, session time-out does not apply.
  • After the aging time expires the failed entries will be deleted from netlogin; however, the FDB does not get cleared.
Many thanks,

Martin
Yacobucci, Ryan, Multi-Tier Technical Support Engineer
Hey Martin,

You are correct if the environment that you're running in is 802.1x only. 802.1x relies on a supplicant on the end system in order to complete authentication. If the supplicant doesn't exist the end system could connect to the switch port and gain access without performing any type of authentication. 

However, MAC authentication doesn't require any supplicant or configuration from the end system itself. As long as the end system sources a packet, MAC authentication WILL perform MAC authentication on that end system as long as the AAA infrastructure is operating normally. With X and MAC enabled there will be some level of authentication for every device unless AAA is not functional. 

We have customers that have MAC authentication provide a "Quarantine" role that restricts network access until 802.1x is completed. In this environment the client will connect, initially obtain a "Quarantine" role, and once 802.1x completes it can elevate the policy to one that provides the desired level of access.

In this situation if a guest plugs in to the same port without a supplicant they will sit in "Quarantine" as MAC authentication will still complete. 

If AAA functionality is compromised the device will default to the static configuration on the port. You can set a default policy on the port as well that will be used if authentication fails.

Thanks
-Ryan

Martin Flammia
Hi Ryan,

Thanks for taking the time to respond, very helpful.

So I'll go away and play with this. Basically I'll need to enable MAC auth as well as 802.1x on all my ports, and define a default policy based on what I want to do if AAA functionality fails.

Once done, I'll post back my netlogin configuration for reference.

Cheers.
Martin Flammia
Hi Ryan,

Just working on this now. So I have set the authentication order to MAC, 802.1x and Web. Additionally I configured a default role that confines the port to a specific VLAN, the Guest VLAN in this case. Only currently testing this on one port, 1:4.

Have disabled the NAC and testing if the end-system can still connect.

Looking at the logs, the device first tries MAC auth then 802.1x but fails both, and then can't connect to the network.

Here is the log:

10/08/2018 10:30:35.07 <Info:nl.ClientAuthFailure> Slot-1: Authentication failed for Network Login 802.1x user host/CAN3079.domain.org.uk Mac B8:6B:23:82:06:85 port 1:4

10/08/2018 10:30:35.06 <Info:nl.ClientAuthFailure> Slot-1: Authentication failed for Network Login MAC user B86B23820685 Mac B8:6B:23:82:06:85 port 1:4

The configuration for Netlogin and Policy is shown below:

enable netlogin dot1x mac
configure netlogin authentication protocol-order mac dot1x web-based
enable netlogin ports 1:4 dot1x
enable netlogin ports 1:1-48,2:1-48,3:1-48 mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 encrypted "#$blVDSCrXyf9R/WdJIgkGS7+UVGf8Fg=="

configure policy profile 5 name "Guest Access" pvid-status "enable" pvid 4095 cos-status "enable" cos 

configure policy rule admin-profile port 1:4 mask 16 port-string 1:4 admin-pid 5

This is the output from show netlogin:

Floor_18-EDGE-STK-02.1 # show netlogin port 1:4
Port                          : 1:4
Authentication                : 802.1x, mac-based
Port State                    : Enabled
Authentication Mode           : Required (Policy Enabled only)
Max Supported Users           : 1024 (Policy Enabled only)
Allowed Users                 : 128 (Policy Enabled only)
Current Users                 : 0 (Policy Enabled only)
------------------------------------------------
        802.1x Port Configuration
------------------------------------------------
Quiet Period                  : 60
Supplicant Response Timeout   : 30
Re-authentication             : On
Re-authentication period      : 3600
Max Re-authentications        : 3
RADIUS server timeout         : 30
------------------------------------------------
        MAC Mode Port Configuration
------------------------------------------------
Re-authentication period      : 3600
Re-authentication             : Off
Authentication Delay          : 0 seconds (Default)
------------------------------------------------
        Netlogin Clients
------------------------------------------------

MAC                IP address       Authenticated     Type    ReAuth-Timer   User
b8:6b:23:82:06:85  0.0.0.0          No                802.1x  0
-----------------------------------------------
(B) - Client entry Blackholed in FDB

So in this case, even though there is a default policy, the client will not connect. What is odd is the type says 802.1x. So I decided to disable the supplicant on the client, clear the netlogin session for port 1:4 and reconnect.

When the device connects the logs now just show it trying MAC auth, with no entry for 802.1x:

10/08/2018 10:48:39.15 <Info:nl.ClientAuthFailure> Slot-1: Authentication failed for Network Login MAC user B86B23820685 Mac B8:6B:23:82:06:85 port 1:4
10/08/2018 10:48:39.15 <Warn:AAA.RADIUS.noServerResp> Slot-1: Attempted the configured number of retries (3) to each of the 1 authentication servers without a server response for B8-6B-23-82-06-85(username 'B86B23820685') on port 1:4.

When you look at the session information it still says the type is 802.1x; either way I can't get the port to fall back to the default role:

------------------------------------------------
        Netlogin Clients
------------------------------------------------

MAC                IP address       Authenticated     Type    ReAuth-Timer   User
b8:6b:23:82:06:85  0.0.0.0          No                802.1x  0
-----------------------------------------------

Just wondering if you can see anything wrong, maybe share the configuration in the example you have provided.

Many thanks in advance
Yacobucci, Ryan, Multi-Tier Technical Support Engineer
Hey Martin,

I think you still have the port in authentication mode "required":

Authentication Mode           : Required (Policy Enabled only)

What happens if you use Brad's command:

configure netlogin port <port-number> authentication mode optional

Thanks
-Ryan
Martin Flammia
Ah, there lies my misconception.... thinking that optional mode related to 802.1x as well!

Set the auth to optional, and now it is working as expected.

Really appreciate your help, Ryan.

Thanks again 

Martin
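Once a port is running in optional mode, the switch will quietly admit clients into the default policy whenever RADIUS/NAC is unreachable, so an operator wants to notice when that is actually happening rather than when a client was simply rejected. The script below is an added example, not code from the thread or from Extreme Networks: it parses the two EXOS log events quoted above (`nl.ClientAuthFailure` and `AAA.RADIUS.noServerResp`), correlates them by MAC and port, and combines the result with the `Authentication Mode` line of `show netlogin port` to report whether the port failed closed (Required, as in Martin's first test) or open (Optional, the resolution). The 5-second correlation window, the mm/dd/yyyy reading of the timestamps, and the function names are all assumptions of the example; the sample log lines are the ones Martin posted.

```python
"""Added example (not from the thread): classify EXOS netlogin auth failures as
"server unreachable" vs "rejected" and say whether the port fails closed or open.
Assumptions: timestamps are mm/dd/yyyy; an nl.ClientAuthFailure logged within 5 s
of AAA.RADIUS.noServerResp for the same MAC and port is blamed on the outage."""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d+) "
    r"<(?P<sev>\w+):(?P<event>[\w.]+)> \S+: (?P<msg>.*)$")
AUTHFAIL_RE = re.compile(
    r"Network Login (?P<proto>\S+) user (?P<user>\S+) "
    r"Mac (?P<mac>[0-9A-Fa-f:]{17}) port (?P<port>\S+)")
NOSERVER_RE = re.compile(
    r"response for (?P<mac>[0-9A-Fa-f-]{17})\(username '(?P<user>[^']*)'\) "
    r"on port (?P<port>[^\s.]+)")
MODE_RE = re.compile(r"^Authentication Mode\s*:\s*(?P<mode>\w+)", re.M)
CLIENT_RE = re.compile(
    r"^(?P<mac>[0-9a-f:]{17})\s+(?P<ip>\S+)\s+(?P<auth>Yes|No)\s+(?P<type>\S+)", re.M)

# Log lines quoted from the thread (port 1:4, NAC switched off).
SAMPLE_LOG = [
    "10/08/2018 10:30:35.07 <Info:nl.ClientAuthFailure> Slot-1: Authentication failed for Network Login 802.1x user host/CAN3079.domain.org.uk Mac B8:6B:23:82:06:85 port 1:4",
    "10/08/2018 10:30:35.06 <Info:nl.ClientAuthFailure> Slot-1: Authentication failed for Network Login MAC user B86B23820685 Mac B8:6B:23:82:06:85 port 1:4",
    "10/08/2018 10:48:39.15 <Info:nl.ClientAuthFailure> Slot-1: Authentication failed for Network Login MAC user B86B23820685 Mac B8:6B:23:82:06:85 port 1:4",
    "10/08/2018 10:48:39.15 <Warn:AAA.RADIUS.noServerResp> Slot-1: Attempted the configured number of retries (3) to each of the 1 authentication servers without a server response for B8-6B-23-82-06-85(username 'B86B23820685') on port 1:4.",
]

# Trimmed 'show netlogin port 1:4' output from the thread.
SAMPLE_SHOW = """\
Port                          : 1:4
Authentication Mode           : Required (Policy Enabled only)
MAC                IP address       Authenticated     Type    ReAuth-Timer   User
b8:6b:23:82:06:85  0.0.0.0          No                802.1x  0
"""


def norm_mac(mac):
    """AAA messages write the MAC as B8-6B-..., netlogin ones as B8:6B:...; unify."""
    return mac.replace("-", ":").lower()


def parse_log(lines):
    """Return one dict per auth-failure or no-server-response event; skip the rest."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        detail = None
        if m["event"] == "nl.ClientAuthFailure":
            detail = AUTHFAIL_RE.search(m["msg"])
        elif m["event"] == "AAA.RADIUS.noServerResp":
            detail = NOSERVER_RE.search(m["msg"])
        if detail is None:
            continue
        ev = {"ts": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f"),
              "event": m["event"], **detail.groupdict()}
        ev["mac"] = norm_mac(ev["mac"])
        events.append(ev)
    return events


def classify_failures(events, window=timedelta(seconds=5)):
    """Tag each nl.ClientAuthFailure as 'aaa_unreachable' or 'rejected'."""
    outages = [e for e in events if e["event"] == "AAA.RADIUS.noServerResp"]
    out = []
    for e in events:
        if e["event"] != "nl.ClientAuthFailure":
            continue
        unreachable = any(o["mac"] == e["mac"] and o["port"] == e["port"]
                          and abs(o["ts"] - e["ts"]) <= window for o in outages)
        out.append({**e, "cause": "aaa_unreachable" if unreachable else "rejected"})
    return out


def parse_show_netlogin(text):
    """Pull the authentication mode and client table out of 'show netlogin port'."""
    mode = MODE_RE.search(text)
    return {"mode": mode["mode"] if mode else None,
            "clients": [c.groupdict() for c in CLIENT_RE.finditer(text)]}


def fail_open_report(log_lines, show_text):
    """One line per client whose failure was caused by an unreachable AAA server.
    Required mode blocks the client (Martin's first test); Optional mode drops it
    into the port's default policy (the thread's resolution)."""
    mode = parse_show_netlogin(show_text)["mode"]
    outcome = {"Required": "blocked (port fails closed)",
               "Optional": "placed in port default policy (port fails open)"}
    report = []
    for f in classify_failures(parse_log(log_lines)):
        if f["cause"] == "aaa_unreachable":
            report.append(f"{f['port']} {f['mac']} ({f['proto']}): AAA unreachable -> "
                          f"{outcome.get(mode, 'unknown port mode')}")
    return report


if __name__ == "__main__":
    for line in fail_open_report(SAMPLE_LOG, SAMPLE_SHOW):
        print(line)
```

On the posted excerpt only the 10:48:39 MAC failure is attributed to the outage, because it is the only one with a matching `AAA.RADIUS.noServerResp` within the window; the two 10:30:35 failures come out as "rejected" even though NAC was already off, which is a reminder that the retry-exhaustion message is the only evidence the log gives. In production, feed every `AAA.RADIUS.noServerResp` to the SIEM as its own alert as well, since under optional mode that event is exactly the moment the edge starts admitting unauthenticated devices into the default policy.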