Hi,
Currently have 802.1x and MAC authentication enabled on a port. The authentication method is set to optional, and the port also has a default role associated.
No VLAN's have been configured on the port, all VLANs are assigned via Netlogin.
The reason I have both 802.1x and MAC on the same port is to allow authentication for both a PC and a phone on the same port.
The reason I have a default role and optional authentication set is so that if both of the NAC's where to go offline then the default role would be applied to the port that also has a VLAN associated to it, for phones I'm using CEP.
The issue I have is that I have a phone and PC attached to a port. The phone is authenticates successfully and the PC is rejected - This is what I want as the PC isn't a known corporate device.
NAC and session data shows the PC has been rejected, and that no policy is being applied, and thereby no VLAN should be dynamically assigned and the PC shouldn't be able to connect to the network, but it can, but everything else says it shouldn't!?
See information below showing the PC has been rejected and not assigned any policy?
Here is the end-system showing a reject on the XMC / NAC and the policy defining the reject authentication request:
Could it be that the authentication is showing failed rather than rejected. In netlogin session it shows MAC authenticated and the other shows the method 802.1x?
Here is the logs from the switch clearly showing the reject being returned for that device by NAC:
Currently running XMC version 8.2.4.42
Switch X450G2 version 22.6.1.4
Many thanks in advance
Currently have 802.1x and MAC authentication enabled on a port. The authentication method is set to optional, and the port also has a default role associated.
No VLAN's have been configured on the port, all VLANs are assigned via Netlogin.
The reason I have both 802.1x and MAC on the same port is to allow authentication for both a PC and a phone on the same port.
The reason I have a default role and optional authentication set is so that if both of the NAC's where to go offline then the default role would be applied to the port that also has a VLAN associated to it, for phones I'm using CEP.
The issue I have is that I have a phone and PC attached to a port. The phone is authenticates successfully and the PC is rejected - This is what I want as the PC isn't a known corporate device.
NAC and session data shows the PC has been rejected, and that no policy is being applied, and thereby no VLAN should be dynamically assigned and the PC shouldn't be able to connect to the network, but it can, but everything else says it shouldn't!?
See information below showing the PC has been rejected and not assigned any policy?
code:
Slot-1 Far-B20_23-L-GND.24 # show netlogin session ports 2:31
Multiple authentication session entries
---------------------------------------
Port : 2:31 Station address : 08:00:0f:3a:e8:f7
Auth status : success Last attempt : Fri Mar 29 14:17:45 2019
Agent type : mac Session applied : true
Server type : radius VLAN-Tunnel-Attr : None
Policy index : 11 Policy name : Mitel Phones (active)
Session timeout : 0 Session duration : 0:02:39
Idle timeout : 300 Idle time : 0:00:00
Auth-Override : disabled Termination time : Not Terminated
Port : 2:31 Station address : 8c:ec:4b:e2:9c:65
Auth status : failed Last attempt : Fri Mar 29 14:20:06 2019
Agent type : mac Session applied : false
Server type : radius VLAN-Tunnel-Attr : None
Policy index : 0 Policy name : No Policy applied
Session timeout : 0 Session duration : 0:00:00
Idle timeout : 300 Idle time : 0:00:00
Auth-Override : disabled Termination time : Not Terminated
Slot-1 Far-B20_23-L-GND.25 # show netlogin port 2:31
Port : 2:31
Authentication : 802.1x, mac-based
Port State : Enabled
Authentication Mode : Optional (Policy Enabled only)
Max Supported Users : 6144 (Policy Enabled only)
Allowed Users : 128 (Policy Enabled only)
Current Users : 1 (Policy Enabled only)
------------------------------------------------
802.1x Port Configuration
------------------------------------------------
Quiet Period : 60
Supplicant Response Timeout : 30
Re-authentication : On
Re-authentication period : 3600
Max Re-authentications : 3
RADIUS server timeout : 30
------------------------------------------------
MAC Mode Port Configuration
------------------------------------------------
Re-authentication period : 3600
Re-authentication : Off
Authentication Delay : 0 seconds (Default)
------------------------------------------------
Netlogin Clients
------------------------------------------------
MAC IP address Authenticated Type ReAuth-Timer User
08:00:0f:3a:e8:f7 0.0.0.0 Yes, Radius MAC 0 08000F3AE8F7
8c:ec:4b:e2:9c:65 0.0.0.0 No 802.1x 0
-----------------------------------------------
(B) - Client entry Blackholed in FDB
Here is the end-system showing a reject on the XMC / NAC and the policy defining the reject authentication request:
Could it be that the authentication is showing failed rather than rejected. In netlogin session it shows MAC authenticated and the other shows the method 802.1x?
code:
03/29/2019 14:37:53.14 Slot-1: Authentication failed for Network Login MAC user 8CEC4BE29C65 Mac 8C:EC:4B:E2:9C:65 port 2:31
Here is the logs from the switch clearly showing the reject being returned for that device by NAC:
code:
03/29/2019 14:58:06.98 Slot-1: Received an Accounting Start Response (packet length 20, destination UDP port 32769, id 132) from accounting server #1 for 08-00-0F-3A-E8-F7(userName '08000F3AE8F7') on port 2:31.
03/29/2019 14:58:06.96 Slot-1: Received an access accept (packet length 61, destination UDP port 32769, id 131) from authentication server #2 for 08-00-0F-3A-E8-F7(userName '08000F3AE8F7') on port 2:31.
03/29/2019 14:58:05.38 Slot-1: Authentication failed for Network Login MAC user 8CEC4BE29C65 Mac 8C:EC:4B:E2:9C:65 port 2:31
03/29/2019 14:58:05.38 Slot-1: Received an Authentication Access Reject (packet length 20, destination UDP port 32769, id 130) from authentication server #1 for 8C-EC-4B-E2-9C-65(userName '8CEC4BE29C65') on port 2:31.
Currently running XMC version 8.2.4.42
Switch X450G2 version 22.6.1.4
Many thanks in advance
