topic Re: 802.1x rejected then being approved via MAC auth in ExtremeCloud IQ- Site Engine Management Center

802.1x rejected then being approved via MAC auth

Anonymous — Thu, 24 Oct 2019 20:48:13 GMT

Hi All,

I’m sure this one is easy and is starring me in the face or missing something.

The screenshot below shows a 802.1x client being rejected as intended. The authentication is being proxied to an external RADIUS server.

What then seems to be happening is the end-system is getting on the network via MAC auth, and then hitting a rule as designed. But what is really meant to happen is the reject is meant to mean a reject when authenticating the first time around until the port state changes, thereby stopping access based on the failed 802.1x authentication.

Apologies I don’t have the exact versions of firmware to hand, but can get if required, but XMC running version 8.3 and EOS on the switches

The port is configured to do 802.1x / MAC / Web authentication.

My understanding here might not be completely right, but I’m expecting EAPOL traffic between the client and the switch, and on a RADIUS reject from the Authentication Server to the Authenticator (switch) the port should be denied access, and this looks like what seems to be happening from the screenshot and wireshark captures taken from NAC.

So I don’t understand if the supplicant is configured for 802.1x then only EAPOL traffic should be sent between it and the switch, how is able to pass traffic for the switch to be able to do MAC auth - does that mean this is a client issue, if so, being a Windows machine, what setting might correct it?

Many thanks in advance

Re: 802.1x rejected then being approved via MAC auth

Zdeněk_Pala — Fri, 25 Oct 2019 01:32:04 GMT

Hi Martin.

IMHO it is FAD for many platforms. E.g. on EXOS you have both MACauth and Dot1x running at the same time. On Cisco you have MAB following the Dot1x fails

The reason for this behavior:

imagine guest will connect to your network and the guest does have a supplicant configure for his network. Authentication will be rejected (your network does not have credentials for that guest). You still want to provide the guest with the captive portal.

If you want different behavior then you should configure the NAC to reject MAC authentication based on some criteria

I hope it helps.

Re: 802.1x rejected then being approved via MAC auth

Anonymous — Fri, 25 Oct 2019 04:43:01 GMT

Hi Zdenek,

Thanks for replying.

Wow, right, not obviously ever occurred to me, but makes sense.

In addition (as you allude too) we could turn off MAC auth on the port altogether, but think they use phones for that, unless we can get them to do some kind of 802.1x also?

I’ve used CEP authentication with phones before in EXOS, maybe use IDM to get data into NAC…..clutching at straws now…..

Be good to have an EXOS command that simply overrides the ‘Guest’ feature, with a reject staying as a reject until link state - maybe a feature request?

Now I know the reason its easier to think of ways to overcome it.

Much appreciated.

Cheers

Re: 802.1x rejected then being approved via MAC auth

Zdeněk_Pala — Fri, 25 Oct 2019 13:18:56 GMT

Hi,

if you do not want the “Guest” feature then you can:

configure NAC to answer for all phones (end-system group or OUI) with VoIP policy/vlan
combine the above OUI and device type (have in mind that the device type is detected after the first successful authentication )
configure NAC to answer for all other MAC auth requests to reject

It is very flexible = you can define what behavior you want and where...

Re: 802.1x rejected then being approved via MAC auth

Anonymous — Fri, 25 Oct 2019 16:01:59 GMT

Hi Zdenek,

Thanks for the info.

Think the customer was trying to be a little more blunt with the configuration, because they are using RADIUS proxy they wanted a reject from their RADIUS server to be a reject and stop there. As the reject is coming back at the authentication stage it doesn’t then pass to the NAC rule engine to do what you mentioned above.

Suggested a couple of things i.e.

Put in an authentication rule to allow local authentication and then pass directly onto the rule engine.
Have the External RADIUS server return an accept with a ‘Filter-ID’ that matches a deny rule.
Disable MAC auth on the port (believe this isn’t an option in their case)

Maybe there is a couple more ideas?

So I can hopefully contributing something helpful back too, what you describe is typically how I would configure things, a separate rule for each MAC auth device. With MAC auth being a weaker authentication I will apply an explicit ‘deny all’ and then just allow only what its trying to do.

I add whitelists in to bypass the deployed rules, just in case something doesn’t work because of a missed rule restriction. Also roll out piecemeal by just added switches to the ‘Production Switches’ as and when each area is moved. If they didn’t hit that they would just hit the catch all rule.

Once all migrated I either changed the catch all rule to deny traffic, or put them onto a guest network.

Would that be a similar’ish approach to what you would take?

Thanks

Re: 802.1x rejected then being approved via MAC auth

Zdeněk_Pala — Sun, 27 Oct 2019 02:44:40 GMT

HI Martin.

you are correct. if the upstream radius does reject then AccessControl Engine does pass reject to the radius client (switch/AP/VPN).

I would handle MAC authentications locally => you can fully control it by ExtremeControl configuration.

We can create workflow/script that will automatically reject MACauth if the dot1X reject is received by upstream radius server, but I am sure the customer will not like this solution as it may have consequences (guest access, the wrong password entered, expired certificate...). How would the customer want to recover from such a situation? like one reject will stop MAC-auth but when it will start again?

Re: 802.1x rejected then being approved via MAC auth

Ryan_Yacobucci — Mon, 28 Oct 2019 00:57:48 GMT

Hello Martin and Zdenek,

I want to say that we should have a setting on the EOS to get the desired behavior without rules engine creativity, but I can’t say that I’m 100% confident.

A couple things you may be able to try:

EoS defaults with “auth-optional”, meaning that if authentication is not successful it has no bearing on the port. Potentially “auth-required” may change the port behavior to not pass traffic if a reject is received.
Multi-auth mode set to “strict”.
I think that in this setting we will not attempt multiple types of authentication. If there is an 802.1x supplicant and we see EAP on the port we won’t attempt MAC auth. That way when EAP fails (Maybe add auth-required here) we’ll not attempt MAC authentication and not pass traffic.

Just throwing some ideas you can try to get the behavior you’d like, can’t say for sure if either of these will do the trick.

Thanks

-Ryan

Re: 802.1x rejected then being approved via MAC auth

Anonymous — Wed, 06 Nov 2019 17:44:36 GMT

Thanks Ryan, and Zdenek,

Will try and give these a go a report back if the suggestions helped.

Cheers,

Martin