Question

MAC Auth Rejected but still allowing access to the network?

  • 29 March 2019
  • 7 replies
  • 496 views

Userlevel 5
Hi,

Currently have 802.1x and MAC authentication enabled on a port. The authentication method is set to optional, and the port also has a default role associated.

No VLANs have been configured on the port; all VLANs are assigned via Netlogin.

The reason I have both 802.1x and MAC on the same port is to allow authentication for both a PC and a phone on the same port.

The reason I have a default role and optional authentication set is so that if both of the NACs were to go offline then the default role would be applied to the port, which also has a VLAN associated to it; for phones I'm using CEP.

The issue I have is that I have a phone and a PC attached to a port. The phone authenticates successfully and the PC is rejected - this is what I want, as the PC isn't a known corporate device.

NAC and session data show the PC has been rejected and that no policy is being applied, so no VLAN should be dynamically assigned and the PC shouldn't be able to connect to the network. But it can, even though everything else says it shouldn't!?

See information below showing the PC has been rejected and not assigned any policy?

code:
Slot-1 Far-B20_23-L-GND.24 # show netlogin session ports 2:31
Multiple authentication session entries
---------------------------------------

Port            : 2:31        Station address  : 08:00:0f:3a:e8:f7
Auth status     : success     Last attempt     : Fri Mar 29 14:17:45 2019
Agent type      : mac         Session applied  : true
Server type     : radius      VLAN-Tunnel-Attr : None
Policy index    : 11          Policy name      : Mitel Phones (active)
Session timeout : 0           Session duration : 0:02:39
Idle timeout    : 300         Idle time        : 0:00:00
Auth-Override   : disabled    Termination time : Not Terminated


Port            : 2:31        Station address  : 8c:ec:4b:e2:9c:65
Auth status     : failed      Last attempt     : Fri Mar 29 14:20:06 2019
Agent type      : mac         Session applied  : false
Server type     : radius      VLAN-Tunnel-Attr : None
Policy index    : 0           Policy name      : No Policy applied
Session timeout : 0           Session duration : 0:00:00
Idle timeout    : 300         Idle time        : 0:00:00
Auth-Override   : disabled    Termination time : Not Terminated

Slot-1 Far-B20_23-L-GND.25 # show netlogin port 2:31
Port : 2:31
Authentication : 802.1x, mac-based
Port State : Enabled
Authentication Mode : Optional (Policy Enabled only)
Max Supported Users : 6144 (Policy Enabled only)
Allowed Users : 128 (Policy Enabled only)
Current Users : 1 (Policy Enabled only)
------------------------------------------------
802.1x Port Configuration
------------------------------------------------
Quiet Period : 60
Supplicant Response Timeout : 30
Re-authentication : On
Re-authentication period : 3600
Max Re-authentications : 3
RADIUS server timeout : 30
------------------------------------------------
MAC Mode Port Configuration
------------------------------------------------
Re-authentication period : 3600
Re-authentication : Off
Authentication Delay : 0 seconds (Default)
------------------------------------------------
Netlogin Clients
------------------------------------------------


MAC                IP address   Authenticated   Type     ReAuth-Timer   User
08:00:0f:3a:e8:f7  0.0.0.0      Yes, Radius     MAC      0              08000F3AE8F7
8c:ec:4b:e2:9c:65  0.0.0.0      No              802.1x   0
-----------------------------------------------
(B) - Client entry Blackholed in FDB


Here is the end-system showing a reject on the XMC / NAC and the policy defining the reject authentication request:

[XMC / NAC end-system and policy screenshots not reproduced]

Could it be that the authentication is showing failed rather than rejected? In netlogin session it shows MAC authenticated, and the other shows the method as 802.1x.

code:
03/29/2019 14:37:53.14  Slot-1: Authentication failed for Network Login MAC user 8CEC4BE29C65 Mac 8C:EC:4B:E2:9C:65 port 2:31


Here are the logs from the switch, clearly showing the reject being returned for that device by NAC:

code:
03/29/2019 14:58:06.98  Slot-1: Received an Accounting Start Response (packet length 20, destination UDP port 32769, id 132) from accounting server #1 for 08-00-0F-3A-E8-F7(userName '08000F3AE8F7') on port 2:31.
03/29/2019 14:58:06.96 Slot-1: Received an access accept (packet length 61, destination UDP port 32769, id 131) from authentication server #2 for 08-00-0F-3A-E8-F7(userName '08000F3AE8F7') on port 2:31.
03/29/2019 14:58:05.38 Slot-1: Authentication failed for Network Login MAC user 8CEC4BE29C65 Mac 8C:EC:4B:E2:9C:65 port 2:31
03/29/2019 14:58:05.38 Slot-1: Received an Authentication Access Reject (packet length 20, destination UDP port 32769, id 130) from authentication server #1 for 8C-EC-4B-E2-9C-65(userName '8CEC4BE29C65') on port 2:31.



Currently running XMC version 8.2.4.42
Switch X450G2 version 22.6.1.4

Many thanks in advance
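The check a practitioner would want at this point, added here as an example and not part of the original post or of any Extreme Networks tool: a small Python script that joins the three MAC spellings EXOS uses (8C-EC-4B-E2-9C-65 in the RADIUS log, 8c:ec:4b:e2:9c:65 in show netlogin session, 8CEC4BE29C65 as the userName) and reports every station that received an Access-Reject but still holds a client entry that is not blackholed. The sample input is the thread's own log lines and session/client rows plus one constructed, blackholed station; the assumption that a blackholed client row carries its "(B)" marker right after the MAC is taken from the legend line in the output and is not verified against the real column layout.

```python
"""Added example, not from the original post: join EXOS RADIUS log lines, show netlogin session
output and the Netlogin Clients table, and flag stations rejected by RADIUS that are not blackholed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

def norm_mac(s: str) -> str:
    """'8C-EC-4B-E2-9C-65', '8c:ec:4b:e2:9c:65' and '8CEC4BE29C65' all -> '8cec4be29c65'."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", s).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {s!r}")
    return digits

@dataclass
class Station:
    mac: str
    verdicts: List[str] = field(default_factory=list)  # "accept"/"reject" from the RADIUS log
    session_applied: bool = False                       # from show netlogin session
    in_client_table: bool = False                       # from the Netlogin Clients table
    blackholed: bool = False                            # "(B)" marker (placement is an ASSUMPTION)

# Accept/reject lines as printed in the thread; the Accounting Start line does not match.
LOG_RE = re.compile(
    r"Received an (?:Authentication )?(?P<verdict>[Aa]ccess [Aa]ccept|Access Reject)\b"
    r".*?\bfor (?P<mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})\(userName '[^']*'\)"
)
# One block per station in show netlogin session, each block terminated by a blank line.
SESSION_RE = re.compile(
    r"Station address\s*:\s*(?P<mac>\S+)(?P<body>.*?)(?=\n[ \t]*\n|\Z)", re.S
)
# Netlogin Clients rows. ASSUMPTION: a blackholed row carries "(B)" right after the MAC.
CLIENT_RE = re.compile(r"^\s*(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})(?P<bh>\s*\(B\))?")

def _station(stations: Dict[str, Station], raw_mac: str) -> Station:
    mac = norm_mac(raw_mac)
    return stations.setdefault(mac, Station(mac))

def parse_radius_log(text: str, stations: Dict[str, Station]) -> None:
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            verdict = "reject" if "reject" in m["verdict"].lower() else "accept"
            _station(stations, m["mac"]).verdicts.append(verdict)

def parse_sessions(text: str, stations: Dict[str, Station]) -> None:
    for m in SESSION_RE.finditer(text):
        applied = re.search(r"Session applied\s*:\s*(\w+)", m["body"])
        _station(stations, m["mac"]).session_applied = bool(applied) and applied[1].lower() == "true"

def parse_clients(text: str, stations: Dict[str, Station]) -> None:
    for line in text.splitlines():
        m = CLIENT_RE.match(line)
        if m:
            st = _station(stations, m["mac"])
            st.in_client_table, st.blackholed = True, m["bh"] is not None

def classify(st: Station) -> str:
    # A rejected station should be blackholed or absent; anything else needs a look.
    if "reject" not in st.verdicts:
        return "accepted" if "accept" in st.verdicts else "no-radius-verdict"
    if st.session_applied:
        return "rejected-but-session-applied"  # policy pushed despite the reject
    if st.blackholed:
        return "rejected-and-blackholed"       # the expected outcome
    if st.in_client_table:
        return "rejected-but-client-listed"    # the thread's case: confirm with show fdb
    return "rejected-no-entry"

def audit(log_text: str, session_text: str, clients_text: str) -> Dict[str, str]:
    stations: Dict[str, Station] = {}
    parse_radius_log(log_text, stations)
    parse_sessions(session_text, stations)
    parse_clients(clients_text, stations)
    return {mac: classify(st) for mac, st in sorted(stations.items())}

# Sample input: the thread's own log lines and session/client rows, plus one CONSTRUCTED
# blackholed station 00:04:96:aa:bb:cc (last line of the log and client samples).
SAMPLE_LOG = """\
03/29/2019 14:58:06.96 Slot-1: Received an access accept (packet length 61, destination UDP port 32769, id 131) from authentication server #2 for 08-00-0F-3A-E8-F7(userName '08000F3AE8F7') on port 2:31.
03/29/2019 14:58:05.38 Slot-1: Received an Authentication Access Reject (packet length 20, destination UDP port 32769, id 130) from authentication server #1 for 8C-EC-4B-E2-9C-65(userName '8CEC4BE29C65') on port 2:31.
03/29/2019 14:58:07.10 Slot-1: Received an Authentication Access Reject (packet length 20, destination UDP port 32769, id 133) from authentication server #1 for 00-04-96-AA-BB-CC(userName '000496AABBCC') on port 2:31.
"""
SAMPLE_SESSION = """\
Port : 2:31 Station address : 08:00:0f:3a:e8:f7
Auth status : success Last attempt : Fri Mar 29 14:17:45 2019
Agent type : mac Session applied : true

Port : 2:31 Station address : 8c:ec:4b:e2:9c:65
Auth status : failed Last attempt : Fri Mar 29 14:20:06 2019
Agent type : mac Session applied : false
"""
SAMPLE_CLIENTS = """\
MAC IP address Authenticated Type ReAuth-Timer User
08:00:0f:3a:e8:f7 0.0.0.0 Yes, Radius MAC 0 08000F3AE8F7
8c:ec:4b:e2:9c:65 0.0.0.0 No 802.1x 0
00:04:96:aa:bb:cc (B) 0.0.0.0 No MAC 0
"""

if __name__ == "__main__":
    for mac, verdict in audit(SAMPLE_LOG, SAMPLE_SESSION, SAMPLE_CLIENTS).items():
        print(f"{mac}  {verdict}")
```

A station classified rejected-but-client-listed is the symptom in this thread; confirm the data plane with show fdb for that MAC before concluding the port is really passing its traffic, and re-run the audit after moving the port to required or to a Deny policy to confirm the entry is gone or blackholed.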

7 replies

Userlevel 5
OK, so the issue went away when setting the authentication to required.

So this ends up contradicting what was answered in this post:

https://community.extremenetworks.com/extremeswitching-exos-223284/fail-open-port-user-authentication-7798069

Wondered if it's because the device is hanging off the back of a phone?

The problem this causes me is that if both NAC devices go offline, which the customer wants me to protect against, and the port is set to authentication required, the device will be locked out of the network?
Userlevel 5
So I managed to get around this by assigning a role that is set to Deny instead of a profile that's set to reject.

Still can't explain the behaviour, as I know for sure that in the past, even with the authentication set to optional, if a reject is sent by RADIUS it stops the device getting on the network.

Maybe it is because it's daisy-chained off a phone; that will be my next test.
Userlevel 7
I don't have an answer for you, Martin, but I wanted to mention that I've submitted a ticket to see about not parsing MAC addresses with emojis in code tags. 😎
Userlevel 5
> I don't have an answer for you, Martin, but I wanted to mention that I've submitted a ticket to see about not parsing MAC addresses with emojis in code tags. 😎
No problem, did wonder why that showed up. Thanks.
Userlevel 6
Do you have a move-fail-action configured for netlogin?
Userlevel 5
Hi Stephen,

I've managed this for the time being by changing the authentication to required, and instead of sending a reject I am assigning a 'Deny' policy. This seems to work.

The problem I need to solve later is configuring a method that allows devices to connect to the network should both the NACs fail. A very unlikely scenario, but the scare is that it is still a slight possibility nonetheless, and the worry is being completely locked out of the network.

Anyway, none of these commands seem to be available on the switch?

code:
enable netlogin authentication failure vlan ports 
configure netlogin authentication failure vlan
configure netlogin authentication service-unavailable vlan
enable netlogin authentication service-unavailable vlan ports
configure netlogin move-fail-action authenticate


Could be missing something from my NetLogin configuration, which was all added via XMC:

code:
enable netlogin dot1x mac 
enable netlogin ports 1:1-40,2:1-40,3:1-40,4:1-40 dot1x
enable netlogin ports 1:1-48,2:1-48,3:1-48,4:1-48 mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 encrypted "#$6f3bLrPkp2YVthcq0KVaUTd3tAiE5g=="


Switch X450G2 version 22.6.1.4

Thanks.
Userlevel 6
With your config, each authenticated device should be assigned VLANs based on their MAC address. The behavior you are seeing is wrong. I would recommend running a quick test on 22.5 patch 1-3 to see if you get different results.
