
MAC Auth Rejected but still allowing access to the network?

Anonymous
Not applicable
Hi,

Currently have 802.1x and MAC authentication enabled on a port. The authentication method is set to optional, and the port also has a default role associated.

No VLANs have been configured on the port; all VLANs are assigned via Netlogin.

The reason I have both 802.1x and MAC on the same port is to allow authentication for both a PC and a phone on the same port.

The reason I have a default role and optional authentication set is so that if both of the NACs were to go offline then the default role would be applied to the port, which also has a VLAN associated with it; for phones I'm using CEP.

The issue I have is that I have a phone and PC attached to a port. The phone authenticates successfully and the PC is rejected. This is what I want, as the PC isn't a known corporate device.

NAC and session data show that the PC has been rejected and that no policy is being applied, so no VLAN should be dynamically assigned and the PC shouldn't be able to connect to the network. But it can, even though everything else says it shouldn't!?

See information below showing the PC has been rejected and not assigned any policy?

code:
Slot-1 Far-B20_23-L-GND.24 # show netlogin session ports 2:31
Multiple authentication session entries
---------------------------------------

Port : 2:31 Station address : 08:00:0f:3a:e8:f7
Auth status : success Last attempt : Fri Mar 29 14:17:45 2019
Agent type : mac Session applied : true
Server type : radius VLAN-Tunnel-Attr : None
Policy index : 11 Policy name : Mitel Phones (active)
Session timeout : 0 Session duration : 0:02:39
Idle timeout : 300 Idle time : 0:00:00
Auth-Override : disabled Termination time : Not Terminated


Port : 2:31 Station address : 8c:ec:4b:e2:9c:65
Auth status : failed Last attempt : Fri Mar 29 14:20:06 2019
Agent type : mac Session applied : false
Server type : radius VLAN-Tunnel-Attr : None
Policy index : 0 Policy name : No Policy applied
Session timeout : 0 Session duration : 0:00:00
Idle timeout : 300 Idle time : 0:00:00
Auth-Override : disabled Termination time : Not Terminated

Slot-1 Far-B20_23-L-GND.25 # show netlogin port 2:31
Port : 2:31
Authentication : 802.1x, mac-based
Port State : Enabled
Authentication Mode : Optional (Policy Enabled only)
Max Supported Users : 6144 (Policy Enabled only)
Allowed Users : 128 (Policy Enabled only)
Current Users : 1 (Policy Enabled only)
------------------------------------------------
802.1x Port Configuration
------------------------------------------------
Quiet Period : 60
Supplicant Response Timeout : 30
Re-authentication : On
Re-authentication period : 3600
Max Re-authentications : 3
RADIUS server timeout : 30
------------------------------------------------
MAC Mode Port Configuration
------------------------------------------------
Re-authentication period : 3600
Re-authentication : Off
Authentication Delay : 0 seconds (Default)
------------------------------------------------
Netlogin Clients
------------------------------------------------


MAC IP address Authenticated Type ReAuth-Timer User
08:00:0f:3a:e8:f7 0.0.0.0 Yes, Radius MAC 0 08000F3AE8F7
8c:ec:4b:e2:9c:65 0.0.0.0 No 802.1x 0
-----------------------------------------------
(B) - Client entry Blackholed in FDB


Here is the end-system showing a reject on the XMC / NAC and the policy defining the reject authentication request:







Could it be that the authentication is showing failed rather than rejected? In the netlogin session it shows MAC authenticated, and the other output shows the method as 802.1x.

code:
03/29/2019 14:37:53.14  Slot-1: Authentication failed for Network Login MAC user 8CEC4BE29C65 Mac 8C:EC:4B:E2:9C:65 port 2:31


Here are the logs from the switch clearly showing the reject being returned for that device by NAC:

code:
03/29/2019 14:58:06.98  Slot-1: Received an Accounting Start Response (packet length 20, destination UDP port 32769, id 132) from accounting server #1 for 08-00-0F-3A-E8-F7(userName '08000F3AE8F7') on port 2:31.
03/29/2019 14:58:06.96 Slot-1: Received an access accept (packet length 61, destination UDP port 32769, id 131) from authentication server #2 for 08-00-0F-3A-E8-F7(userName '08000F3AE8F7') on port 2:31.
03/29/2019 14:58:05.38 Slot-1: Authentication failed for Network Login MAC user 8CEC4BE29C65 Mac 8C:EC:4B:E2:9C:65 port 2:31
03/29/2019 14:58:05.38 Slot-1: Received an Authentication Access Reject (packet length 20, destination UDP port 32769, id 130) from authentication server #1 for 8C-EC-4B-E2-9C-65(userName '8CEC4BE29C65') on port 2:31.



Currently running XMC version 8.2.4.42
Switch X450G2 version 22.6.1.4

Many thanks in advance
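One check a defender can run against the situation described in this post, as an added example that is not from the thread or from Extreme's tooling: parse the switch's RADIUS log lines and the "show netlogin port" output, then flag any MAC that received an Access Reject on a port whose authentication mode is Optional, since on such a port a default role can still admit the rejected station. The sample log and port output below are constructed from the values quoted in the post; the function names are the example's own.

```python
"""Added example (not from the thread): correlate EXOS RADIUS log lines with
'show netlogin port' output to flag rejected stations on Optional-mode ports."""
import re

# Constructed sample in the format of the switch log quoted in the post.
SWITCH_LOG = """\
03/29/2019 14:58:06.96 Slot-1: Received an access accept (packet length 61, destination UDP port 32769, id 131) from authentication server #2 for 08-00-0F-3A-E8-F7(userName '08000F3AE8F7') on port 2:31.
03/29/2019 14:58:05.38 Slot-1: Authentication failed for Network Login MAC user 8CEC4BE29C65 Mac 8C:EC:4B:E2:9C:65 port 2:31
03/29/2019 14:58:05.38 Slot-1: Received an Authentication Access Reject (packet length 20, destination UDP port 32769, id 130) from authentication server #1 for 8C-EC-4B-E2-9C-65(userName '8CEC4BE29C65') on port 2:31.
"""

# Constructed sample in the format of 'show netlogin port 2:31'.
PORT_OUTPUT = """\
Port : 2:31
Authentication Mode : Optional (Policy Enabled only)
"""

RADIUS_RE = re.compile(
    r"Received an (?:Authentication )?(?P<verdict>access accept|access reject).*?"
    r"for (?P<mac>[0-9a-f]{2}(?:-[0-9a-f]{2}){5}).*?on port (?P<port>\d+:\d+)",
    re.IGNORECASE)

def parse_radius_verdicts(log_text):
    """Return {(port, mac): 'accept' | 'reject'}; MACs normalised to lowercase colon form."""
    verdicts = {}
    for line in log_text.splitlines():
        m = RADIUS_RE.search(line)
        if m:
            mac = m.group("mac").replace("-", ":").lower()
            verdict = "accept" if "accept" in m.group("verdict").lower() else "reject"
            verdicts[(m.group("port"), mac)] = verdict
    return verdicts

def parse_port_modes(text):
    """Return {port: mode word} ('Optional', 'Required') from 'show netlogin port'."""
    modes, port = {}, None
    for line in text.splitlines():
        key, _, val = (part.strip() for part in line.partition(":"))
        if key == "Port":
            port = val
        elif key == "Authentication Mode" and port:
            modes[port] = val.split()[0]
    return modes

def find_rejected_but_admissible(log_text, port_text):
    """Rejected MACs on Optional-mode ports, where a default role can still admit them."""
    modes = parse_port_modes(port_text)
    return sorted((port, mac) for (port, mac), v in parse_radius_verdicts(log_text).items()
                  if v == "reject" and modes.get(port, "").lower() == "optional")
```

Any pair returned by find_rejected_but_admissible is a station that NAC rejected yet the port's Optional mode will not block on its own; rerun it after switching the port to Required to confirm the list is empty.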

StephenW
Extreme Employee
With your config, each authenticated device should be assigned VLANs based on their MAC address. The behavior you are seeing is wrong. I would recommend running a quick test on 22.5 patch 1-3 to see if you get different results.

Anonymous
Not applicable
Hi Stephen,

I've managed this for the time being by changing the authentication to required, and instead of sending a reject I am assigning a 'Deny' policy. This seems to work.

The problem I need to solve later is configuring a method that allows devices to connect to the network should both of the NACs fail. A very unlikely scenario, but it is still a slight possibility nonetheless, and the worry is being completely locked out of the network.

Anyway, none of these commands seem to be available on the switch?

code:
enable netlogin authentication failure vlan ports 
configure netlogin authentication failure vlan
configure netlogin authentication service-unavailable vlan
enable netlogin authentication service-unavailable vlan ports
configure netlogin move-fail-action authenticate


I could be missing something from my NetLogin configuration, which was all added via XMC:

code:
enable netlogin dot1x mac 
enable netlogin ports 1:1-40,2:1-40,3:1-40,4:1-40 dot1x
enable netlogin ports 1:1-48,2:1-48,3:1-48,4:1-48 mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 encrypted "#$6f3bLrPkp2YVthcq0KVaUTd3tAiE5g=="


Switch X450G2 version 22.6.1.4

Thanks.

StephenW
Extreme Employee
Do you have a move-fail-action configured for netlogin?

Anonymous
Not applicable

No problem, did wonder why that showed up. Thanks.