MAC Auth Rejected but still allowing access to the network?

Anonymous
Not applicable
Hi,

Currently have 802.1x and MAC authentication enabled on a port. The authentication method is set to optional, and the port also has a default role associated.

No VLANs have been configured on the port, all VLANs are assigned via Netlogin.

The reason I have both 802.1x and MAC on the same port is to allow authentication for both a PC and a phone on the same port.

The reason I have a default role and optional authentication set is so that if both of the NACs were to go offline then the default role would be applied to the port that also has a VLAN associated to it, for phones I'm using CEP.

The issue I have is that I have a phone and PC attached to a port. The phone authenticates successfully and the PC is rejected - This is what I want as the PC isn't a known corporate device.

NAC and session data shows the PC has been rejected, and that no policy is being applied, and thereby no VLAN should be dynamically assigned and the PC shouldn't be able to connect to the network, but it can, but everything else says it shouldn't!?

See information below showing the PC has been rejected and not assigned any policy?

code:
Slot-1 Far-B20_23-L-GND.24 # show netlogin session ports 2:31
Multiple authentication session entries
---------------------------------------

Port : 2:31 Station address : 08:00:0f:3a:e8:f7
Auth status : success Last attempt : Fri Mar 29 14:17:45 2019
Agent type : mac Session applied : true
Server type : radius VLAN-Tunnel-Attr : None
Policy index : 11 Policy name : Mitel Phones (active)
Session timeout : 0 Session duration : 0:02:39
Idle timeout : 300 Idle time : 0:00:00
Auth-Override : disabled Termination time : Not Terminated


Port : 2:31 Station address : 8c:ec:4b:e2:9c:65
Auth status : failed Last attempt : Fri Mar 29 14:20:06 2019
Agent type : mac Session applied : false
Server type : radius VLAN-Tunnel-Attr : None
Policy index : 0 Policy name : No Policy applied
Session timeout : 0 Session duration : 0:00:00
Idle timeout : 300 Idle time : 0:00:00
Auth-Override : disabled Termination time : Not Terminated

Slot-1 Far-B20_23-L-GND.25 # show netlogin port 2:31
Port : 2:31
Authentication : 802.1x, mac-based
Port State : Enabled
Authentication Mode : Optional (Policy Enabled only)
Max Supported Users : 6144 (Policy Enabled only)
Allowed Users : 128 (Policy Enabled only)
Current Users : 1 (Policy Enabled only)
------------------------------------------------
802.1x Port Configuration
------------------------------------------------
Quiet Period : 60
Supplicant Response Timeout : 30
Re-authentication : On
Re-authentication period : 3600
Max Re-authentications : 3
RADIUS server timeout : 30
------------------------------------------------
MAC Mode Port Configuration
------------------------------------------------
Re-authentication period : 3600
Re-authentication : Off
Authentication Delay : 0 seconds (Default)
------------------------------------------------
Netlogin Clients
------------------------------------------------


MAC IP address Authenticated Type ReAuth-Timer User
08:00:0f:3a:e8:f7 0.0.0.0 Yes, Radius MAC 0 08000F3AE8F7
8c:ec:4b:e2:9c:65 0.0.0.0 No 802.1x 0
-----------------------------------------------
(B) - Client entry Blackholed in FDB


Here is the end-system showing a reject on the XMC / NAC and the policy defining the reject authentication request:







Could it be that the authentication is showing failed rather than rejected? In netlogin session it shows MAC authenticated and the other shows the method 802.1x?

code:
03/29/2019 14:37:53.14  Slot-1: Authentication failed for Network Login MAC user 8CEC4BE29C65 Mac 8C:EC:4B:E2:9C:65 port 2:31


Here are the logs from the switch clearly showing the reject being returned for that device by NAC:

code:
03/29/2019 14:58:06.98  Slot-1: Received an Accounting Start Response (packet length 20, destination UDP port 32769, id 132) from accounting server #1 for 08-00-0F-3A-E8-F7(userName '08000F3AE8F7') on port 2:31.
03/29/2019 14:58:06.96 Slot-1: Received an access accept (packet length 61, destination UDP port 32769, id 131) from authentication server #2 for 08-00-0F-3A-E8-F7(userName '08000F3AE8F7') on port 2:31.
03/29/2019 14:58:05.38 Slot-1: Authentication failed for Network Login MAC user 8CEC4BE29C65 Mac 8C:EC:4B:E2:9C:65 port 2:31
03/29/2019 14:58:05.38 Slot-1: Received an Authentication Access Reject (packet length 20, destination UDP port 32769, id 130) from authentication server #1 for 8C-EC-4B-E2-9C-65(userName '8CEC4BE29C65') on port 2:31.



Currently running XMC version 8.2.4.42
Switch X450G2 version 22.6.1.4

Many thanks in advance
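As an added example (not code from the thread, from Extreme or from XMC), a small Python check that correlates the switch's RADIUS Access-Reject log lines with the Netlogin Clients table and the port's authentication mode, flagging a rejected station that has no blackhole entry while the port sits in Optional mode. It assumes the (B) blackhole marker appears on the client's own row, as the table legend implies; the sample input is constructed from the output quoted above.

```python
import re
# Constructed sample input, trimmed from the thread's 'show netlogin port' output and switch log.
SHOW_PORT = """\
Authentication : 802.1x, mac-based
Authentication Mode : Optional (Policy Enabled only)
MAC IP address Authenticated Type ReAuth-Timer User
08:00:0f:3a:e8:f7 0.0.0.0 Yes, Radius MAC 0 08000F3AE8F7
8c:ec:4b:e2:9c:65 0.0.0.0 No 802.1x 0
(B) - Client entry Blackholed in FDB
"""
SWITCH_LOG = """\
03/29/2019 14:58:06.96 Slot-1: Received an access accept (packet length 61, destination UDP port 32769, id 131) from authentication server #2 for 08-00-0F-3A-E8-F7(userName '08000F3AE8F7') on port 2:31.
03/29/2019 14:58:05.38 Slot-1: Received an Authentication Access Reject (packet length 20, destination UDP port 32769, id 130) from authentication server #1 for 8C-EC-4B-E2-9C-65(userName '8CEC4BE29C65') on port 2:31.
"""
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")
REJECT_RE = re.compile(r"Access Reject .* for (?P<mac>[0-9A-Fa-f-]{17})\(userName '[^']*'\) on port (?P<port>\S+)\.")

def norm_mac(text):
    """First MAC address in text, lower-cased with ':' separators (None if absent)."""
    m = MAC_RE.search(text)
    return m.group(0).lower().replace("-", ":") if m else None

def rejected_macs(log):
    """Map station MAC -> port for every RADIUS Access-Reject the switch logged."""
    hits = (REJECT_RE.search(line) for line in log.splitlines())
    return {norm_mac(m.group("mac")): m.group("port") for m in hits if m}

def port_mode(show_port):
    """'Optional' or 'Required', taken from the 'Authentication Mode' line."""
    m = re.search(r"Authentication Mode\s*:\s*(\w+)", show_port)
    return m.group(1) if m else None

def client_rows(show_port):
    """Netlogin Clients rows keyed by MAC; assumes the (B) blackhole marker sits on the row."""
    rows = {}
    for line in show_port.splitlines():
        mac = norm_mac(line)
        if mac:  # only client rows start with a MAC; header and legend do not
            rows[mac] = {"authenticated": not re.search(r"\bNo\b", line), "blackholed": "(B)" in line}
    return rows

def audit(log, show_port, port):
    """Findings for one port: rejected-but-not-blackholed stations, plus Optional mode itself."""
    mode, clients, findings = port_mode(show_port), client_rows(show_port), []
    for mac, p in rejected_macs(log).items():
        row = clients.get(mac)
        if p == port and row and not row["authenticated"] and not row["blackholed"]:
            findings.append(f"{mac}: Access-Reject received but FDB entry not blackholed (mode={mode})")
    if mode == "Optional":
        findings.append(f"port {port}: mode Optional, so an unauthenticated station gets the default role")
    return findings
```

Run it against a real `show netlogin port` capture and the `show log` output for the same port; an empty list means every rejected station is blackholed and the port is in Required mode.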

Drew_C
Valued Contributor III
I don't have an answer for you, Martin, but I wanted to mention that I've submitted a ticket to see about not parsing MAC addresses with emojis in code tags. ?

Anonymous
Not applicable
So managed to get around this, by assigning a role that is set to Deny instead of a profile that's set to reject.

Still can't explain the behaviour, as I know for sure in the past even with the authentication set to optional if a reject is sent by RADIUS it stops the device getting on the network?

Maybe it is because it's daisy chained off a phone, will be my next test.

Anonymous
Not applicable
Ok, so the issue went when setting the authentication to required.

So this ends up contradicting what was answered in this post:

https://community.extremenetworks.com/extremeswitching-exos-223284/fail-open-port-user-authenticatio...

Wondered if it's because the device is hanging off the back of a phone?

The problem this causes me is if both NAC devices go offline, which the customer wants me to protect, if the port is set to authentication required the device will be locked out of the network?