This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Technical Discussions
- Security
- 802.1x Issues between B5 and NAC
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
802.1x Issues between B5 and NAC
802.1x Issues between B5 and NAC
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
03-25-2014 02:11 PM
First of all is anyone using wired 802.1x Authentication successfully with NAC? My goal is to have 802.1x be my first auth choice and Mac auth second and then use AD to push 802.1x settings to machines that are members of the domain. All other machines would likely authenticate via Mac auth. I have it set for user or computer authentication in the supplicant so when the computer first connects it authenticates as a computer and then flips to user auth when the user logs in. Then I can assign policy based on who the user is rather than based on the computer with Mac auth.
I have this all working......sort of. The problem I have is that periodically the computer flips into Mac auth after the user is logged in and has their profile. This is seemingly random. So the user is going along with their special profile and suddenly they get "Computer", which is what they get with Mac auth, and then they cannot get to whatever they need and they call me.
When I take a packet capture and trigger a reauth from NAC I see that the switch and NAC are exchanging up to 11 Access-Requests\Challenges pair per client before NAC finally issues an Accept with the filterID. So far I only have one capture during the moment when a client flips from 802.1x auth to Mac auth. I see no associated RADIUS packet between NAC and the switch when that happens. So I cannot see how this is happening unless the switch is just changing that without talking to NAC. That should never happen.
At this point I'm pretty discouraged with 802.1x. I am thinking I am adding too much complexity to the process of a basic connection. If I roll this out over the whole campus there is any number of things that can bite me, the supplicant, the switch, NAC any time I upgrade anything I will be super nervous.
So is anybody else using 802.1x on wired as the primary way your users connect and if so are you able to get it stable? Also does anyone have any idea what is going on with my network?
John
I have this all working......sort of. The problem I have is that periodically the computer flips into Mac auth after the user is logged in and has their profile. This is seemingly random. So the user is going along with their special profile and suddenly they get "Computer", which is what they get with Mac auth, and then they cannot get to whatever they need and they call me.
When I take a packet capture and trigger a reauth from NAC I see that the switch and NAC are exchanging up to 11 Access-Requests\Challenges pair per client before NAC finally issues an Accept with the filterID. So far I only have one capture during the moment when a client flips from 802.1x auth to Mac auth. I see no associated RADIUS packet between NAC and the switch when that happens. So I cannot see how this is happening unless the switch is just changing that without talking to NAC. That should never happen.
At this point I'm pretty discouraged with 802.1x. I am thinking I am adding too much complexity to the process of a basic connection. If I roll this out over the whole campus there is any number of things that can bite me, the supplicant, the switch, NAC any time I upgrade anything I will be super nervous.
So is anybody else using 802.1x on wired as the primary way your users connect and if so are you able to get it stable? Also does anyone have any idea what is going on with my network?
John
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
03-26-2014 02:44 PM
Thanks Ryan:
I will try your multiauth command. I double checked and in Policy manager authentication is not enabled on the uplink port. It is set to Inactive\Default Mode under the Port Mode tab. Is there anywhere else I can check to make sure eap is not enabled on the uplink port?
I do not have RADIUS accounting enabled for this switch. I will enable that. I do have it set for 802.1x for computer auth and then 802.1x for user auth. It works perfectly until the 802.1x session drops.
I do have a Reauth timer set for 36000 secs or 10 hours. I have tried disabling that but it has not helped.
I will try your multiauth command. I double checked and in Policy manager authentication is not enabled on the uplink port. It is set to Inactive\Default Mode under the Port Mode tab. Is there anywhere else I can check to make sure eap is not enabled on the uplink port?
I do not have RADIUS accounting enabled for this switch. I will enable that. I do have it set for 802.1x for computer auth and then 802.1x for user auth. It works perfectly until the 802.1x session drops.
I do have a Reauth timer set for 36000 secs or 10 hours. I have tried disabling that but it has not helped.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
03-26-2014 02:06 PM
Hello John,
Typically we see environments that are doing .1x for both host and user authentication. When the user logs out, the PC switches to .1x host authentication, and when he logs in we see a user authentication with the username of whomever signed in.
The main issue that I think is happening is a user .1x authenticated session is being dropped and MAC authentication is then the only option and takes over.
This can be proved by doing a "show multiauth session port x.x.x" when you see the .1x session drop in NAC and the MAC authentication takes over. If both sessions still exist then per precedence the port should show the .1x session still intact. If the output of the command shows the MAC authenticated session and not the .1x then the .1x user authenticated session has been disconnected.
If this is the case then we need to determine why the session has been disconnected. Is there any re-authentication timer on the switch that would disconnect the session?
Also, can you verify that RADIUS accounting is enabled on the switch and is pointing to NAC? There might be valuable information in the accounting packets to determine why the session is being dropped.
I have seen issues in the past with .1x user authenticated sessions being disconnected due to enabling eapol on uplink ports. I did not see in instance of this in the traces provided, but it's still a good idea to check as the main issue is that something is causing the existing .1x session to become disconnected.
Thanks
-Ryan
Typically we see environments that are doing .1x for both host and user authentication. When the user logs out, the PC switches to .1x host authentication, and when he logs in we see a user authentication with the username of whomever signed in.
The main issue that I think is happening is a user .1x authenticated session is being dropped and MAC authentication is then the only option and takes over.
This can be proved by doing a "show multiauth session port x.x.x" when you see the .1x session drop in NAC and the MAC authentication takes over. If both sessions still exist then per precedence the port should show the .1x session still intact. If the output of the command shows the MAC authenticated session and not the .1x then the .1x user authenticated session has been disconnected.
If this is the case then we need to determine why the session has been disconnected. Is there any re-authentication timer on the switch that would disconnect the session?
Also, can you verify that RADIUS accounting is enabled on the switch and is pointing to NAC? There might be valuable information in the accounting packets to determine why the session is being dropped.
I have seen issues in the past with .1x user authenticated sessions being disconnected due to enabling eapol on uplink ports. I did not see in instance of this in the traces provided, but it's still a good idea to check as the main issue is that something is causing the existing .1x session to become disconnected.
Thanks
-Ryan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
03-25-2014 09:35 PM
Ok I see what you are saying. I set the computer to do User Authentication + Single Sign on. When the computer comes up it is MacAuth but it is on the network enough to talk to AD so when the user walks up to it and logs in it can authenticate. With SSO enabled Auth flips to 802.1x using the user's credentials and they can get the profile we assign them.
So with your method I am switching from MacAuth to 802.1x when people log in and log out. What I was doing was switching from computer 802.1x auth to User 802.1x auth. I still think what I was doing was fine and once the user was authenticated with 802.1x they should have stayed authenticated. I am ok with it either way. Can you think of a reason why there would be a difference between our two methods? I have set a machine up this way and will leave it logged in to see if it stays logged in as the user.
Thanks for the reply Jason.
John
So with your method I am switching from MacAuth to 802.1x when people log in and log out. What I was doing was switching from computer 802.1x auth to User 802.1x auth. I still think what I was doing was fine and once the user was authenticated with 802.1x they should have stayed authenticated. I am ok with it either way. Can you think of a reason why there would be a difference between our two methods? I have set a machine up this way and will leave it logged in to see if it stays logged in as the user.
Thanks for the reply Jason.
John
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
03-25-2014 08:53 PM
Jason that is the order of precedence that I have now. I am confused by "That way any PC registered will be MacAuth". My PCs come up as 802.1x auth as host/pc name until my users log in. Are you saying I should change my auth type in my supplicant form computer or user to just user?
Thanks for the reply.
Thanks for the reply.
