802.1x Issues between B5 and NAC

John_Kaftan
New Contributor III
First of all, is anyone using wired 802.1x authentication successfully with NAC? My goal is to have 802.1x be my first auth choice and MAC auth second, and then use AD to push 802.1x settings to machines that are members of the domain. All other machines would likely authenticate via MAC auth. I have it set for user or computer authentication in the supplicant, so when the computer first connects it authenticates as a computer and then flips to user auth when the user logs in. Then I can assign policy based on who the user is rather than based on the computer with MAC auth.

I have this all working... sort of. The problem I have is that periodically the computer flips into MAC auth after the user is logged in and has their profile. This is seemingly random. So the user is going along with their special profile and suddenly they get "Computer", which is what they get with MAC auth, and then they cannot get to whatever they need and they call me.

When I take a packet capture and trigger a reauth from NAC, I see that the switch and NAC are exchanging up to 11 Access-Request/Access-Challenge pairs per client before NAC finally issues an Accept with the Filter-ID. So far I only have one capture during the moment when a client flips from 802.1x auth to MAC auth. I see no associated RADIUS packet between NAC and the switch when that happens. So I cannot see how this is happening unless the switch is just changing that without talking to NAC. That should never happen.

At this point I'm pretty discouraged with 802.1x. I am thinking I am adding too much complexity to the process of a basic connection. If I roll this out over the whole campus there are any number of things that can bite me: the supplicant, the switch, NAC. Any time I upgrade anything I will be super nervous.

So is anybody else using 802.1x on wired as the primary way your users connect, and if so, are you able to get it stable? Also, does anyone have any idea what is going on with my network?

John

John_Kaftan
New Contributor III
Thanks Ryan:

I will try your multiauth command. I double checked, and in Policy Manager authentication is not enabled on the uplink port. It is set to Inactive\Default Mode under the Port Mode tab. Is there anywhere else I can check to make sure EAP is not enabled on the uplink port?

I do not have RADIUS accounting enabled for this switch. I will enable that. I do have it set for 802.1x for computer auth and then 802.1x for user auth. It works perfectly until the 802.1x session drops.

I do have a reauth timer set for 36000 secs, or 10 hours. I have tried disabling that, but it has not helped.

Ryan_Yacobucci
Extreme Employee
Hello John,

Typically we see environments that are doing .1x for both host and user authentication. When the user logs out, the PC switches to .1x host authentication, and when he logs in we see a user authentication with the username of whoever signed in.

The main issue that I think is happening is that a user .1x authenticated session is being dropped, and MAC authentication is then the only option and takes over.

This can be proved by doing a "show multiauth session port x.x.x" when you see the .1x session drop in NAC and the MAC authentication takes over. If both sessions still exist, then per precedence the port should show the .1x session still intact. If the output of the command shows the MAC authenticated session and not the .1x, then the .1x user authenticated session has been disconnected.

If this is the case, then we need to determine why the session has been disconnected. Is there any re-authentication timer on the switch that would disconnect the session?

Also, can you verify that RADIUS accounting is enabled on the switch and is pointing to NAC? There might be valuable information in the accounting packets to determine why the session is being dropped.

I have seen issues in the past with .1x user authenticated sessions being disconnected due to enabling EAPOL on uplink ports. I did not see an instance of this in the traces provided, but it's still a good idea to check, as the main issue is that something is causing the existing .1x session to become disconnected.

Thanks
-Ryan
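The check Ryan describes above (compare the multiauth session table before and after the drop; with both sessions present, 802.1x wins by precedence, and a port that now shows only the MAC session has lost its .1x session) can be scripted against periodic snapshots of the table. The following is an added example, not code from the thread or from Extreme; it models each session as a dict with `port`, `mac`, `method` and `user` fields, and the two snapshots are constructed sample data, not real `show multiauth session port` output, whose exact text format is not reproduced here.

```python
"""Added example (not from the original thread): apply 802.1x-over-MAC
session precedence to two constructed snapshots of a switch's multiauth
session table and report ports where the 802.1x session has disappeared.

Assumption (not from the page): each session is a dict with the keys
port, mac, method ('dot1x' or 'mac') and user. The real CLI output
format of `show multiauth session port` is not modelled here.
"""

# Lower value wins, matching the precedence described in the thread:
# an 802.1x session takes priority over a MAC authentication session.
PRECEDENCE = {"dot1x": 0, "mac": 1}


def effective_sessions(sessions):
    """Return {port: winning session} after applying method precedence."""
    best = {}
    for s in sessions:
        port = s["port"]
        current = best.get(port)
        if current is None or PRECEDENCE[s["method"]] < PRECEDENCE[current["method"]]:
            best[port] = s
    return best


def has_method(sessions, port, method):
    """True if any session on `port` uses `method`."""
    return any(s["port"] == port and s["method"] == method for s in sessions)


def dropped_dot1x(previous, current):
    """Ports that had an 802.1x session in `previous` but have none in `current`."""
    prev_ports = {s["port"] for s in previous if s["method"] == "dot1x"}
    return sorted(p for p in prev_ports if not has_method(current, p, "dot1x"))


def fallback_report(previous, current):
    """For each port that lost 802.1x, report which method is now effective
    ('mac' means MAC auth took over; 'none' means no session remains)."""
    effective = effective_sessions(current)
    report = {}
    for port in dropped_dot1x(previous, current):
        now = effective.get(port)
        report[port] = now["method"] if now else "none"
    return report


# Constructed snapshots (sample data, not captured from a real switch).
# Port ge.1.5: user is 802.1x authenticated and a MAC session also exists.
# Port ge.1.6: host-only 802.1x session.
BEFORE = [
    {"port": "ge.1.5", "mac": "00:11:22:33:44:55", "method": "dot1x", "user": "jdoe"},
    {"port": "ge.1.5", "mac": "00:11:22:33:44:55", "method": "mac", "user": "001122334455"},
    {"port": "ge.1.6", "mac": "00:11:22:33:44:66", "method": "dot1x", "user": "host/LAB-PC02"},
]

# After the event the thread describes: the 802.1x session on ge.1.5 is gone,
# so only the MAC session remains and wins by default.
AFTER = [
    {"port": "ge.1.5", "mac": "00:11:22:33:44:55", "method": "mac", "user": "001122334455"},
    {"port": "ge.1.6", "mac": "00:11:22:33:44:66", "method": "dot1x", "user": "host/LAB-PC02"},
]

if __name__ == "__main__":
    for port, sess in sorted(effective_sessions(BEFORE).items()):
        print(f"before {port}: {sess['method']} as {sess['user']}")
    for port, sess in sorted(effective_sessions(AFTER).items()):
        print(f"after  {port}: {sess['method']} as {sess['user']}")
    print("802.1x dropped on:", fallback_report(BEFORE, AFTER))
```

In practice the `BEFORE` and `AFTER` lists would be filled from parsed CLI output taken on a schedule; a port appearing in `fallback_report` with value `mac` is exactly the symptom in the thread (the user suddenly getting the "Computer" role), and the timestamp of that snapshot gives a window to correlate with RADIUS accounting, if it is enabled.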

John_Kaftan
New Contributor III
Ok, I see what you are saying. I set the computer to do User Authentication + Single Sign-On. When the computer comes up it is MAC auth, but it is on the network enough to talk to AD, so when the user walks up to it and logs in it can authenticate. With SSO enabled, auth flips to 802.1x using the user's credentials and they can get the profile we assign them.

So with your method I am switching from MAC auth to 802.1x when people log in and log out. What I was doing was switching from computer 802.1x auth to user 802.1x auth. I still think what I was doing was fine, and once the user was authenticated with 802.1x they should have stayed authenticated. I am ok with it either way. Can you think of a reason why there would be a difference between our two methods? I have set a machine up this way and will leave it logged in to see if it stays logged in as the user.

Thanks for the reply Jason.

John

John_Kaftan
New Contributor III
Jason, that is the order of precedence that I have now. I am confused by "That way any PC registered will be MacAuth". My PCs come up as 802.1x auth as host/pc name until my users log in. Are you saying I should change my auth type in my supplicant from computer or user to just user?

Thanks for the reply.
