Web Authentication and MDA

Unanswered Question
Sep 28th, 2007

Scenario: Cat3560 using 802.1x Multidomain Authentication (MDA) on the access ports. This means Nortel phones authenticate into the voice domain and cascaded PCs authenticate into the data domain on the same access port. MAC Authentication Bypass (MAB) takes care of 802.1x-unaware hosts. The RADIUS server is an MS IAS machine.

So far everything works perfectly. Now the customer wants to use Web Authentication as an additional fallback method.

Problem: The dot1x process doesn't get far enough to offer Web Authentication in our setup; it seems to get stuck in MAB.

After a lot of testing I nailed the problem down to MDA. As soon as I change 'dot1x host-mode multi-domain' to 'dot1x host-mode single-host', Web Authentication starts to work.

Question: Does anybody know about restrictions regarding Web Auth and MDA?

Tested IOSes are 12.2(37)SE and 12.2(40)SE.

Below you'll see the outputs of 'sh dot1x int fa0/1 det', which represent the final port states:

Using MDA:

Dot1x Authenticator Client List
-------------------------------
Domain                = UNKNOWN
Supplicant            = 0018.8bae.c4ab
Auth SM State         = AUTHENTICATING (FALLBACK)
Auth BEND SM State    = IDLE
Port Status           = UNAUTHORIZED
ReAuthPeriod          = 0
ReAuthAction          = Terminate
TimeToNextReauth      = 0
Authentication Method = MAB

Using Single-Host:

Dot1x Authenticator Client List
-------------------------------
Domain                = DATA
Supplicant            = 0018.8bae.c4ab
Auth SM State         = AUTHENTICATED
Auth BEND SM State    = IDLE
Port Status           = AUTHORIZED
ReAuthPeriod          = 0
ReAuthAction          = Terminate
TimeToNextReauth      = 0
Authentication Method = WebAuth
Authorized By         = Authentication Server
Vlan Policy           = N/A

Thanks for any help.

Toni
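As an added example, not part of the post and not a Cisco tool: a small Python script that parses the client list of 'sh dot1x int fa0/1 det' and flags supplicants that sit in the fallback state without ever reaching AUTHORIZED, which is exactly the MDA symptom shown above (the port never moves past MAB to WebAuth). The two sample outputs are the post's own excerpts, re-typed inline so the script runs offline; the assumption that every client entry begins with its 'Domain' line is mine, as is the classification logic.

```python
import re

# Constructed sample input: the two 'sh dot1x int fa0/1 det' excerpts from the
# post above, keyed by the host mode that was configured when they were taken.
SAMPLES = {
    "multi-domain": """\
Dot1x Authenticator Client List
-------------------------------
Domain                = UNKNOWN
Supplicant            = 0018.8bae.c4ab
Auth SM State         = AUTHENTICATING (FALLBACK)
Auth BEND SM State    = IDLE
Port Status           = UNAUTHORIZED
ReAuthPeriod          = 0
ReAuthAction          = Terminate
TimeToNextReauth      = 0
Authentication Method = MAB
""",
    "single-host": """\
Dot1x Authenticator Client List
-------------------------------
Domain                = DATA
Supplicant            = 0018.8bae.c4ab
Auth SM State         = AUTHENTICATED
Auth BEND SM State    = IDLE
Port Status           = AUTHORIZED
ReAuthPeriod          = 0
ReAuthAction          = Terminate
TimeToNextReauth      = 0
Authentication Method = WebAuth
Authorized By         = Authentication Server
Vlan Policy           = N/A
""",
}

# Matches one 'Key = Value' line; title and dashed separator lines do not match.
KEY_VALUE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*=\s*(.*?)\s*$")


def parse_client_list(text):
    """Split the client list into one dict per supplicant entry.

    Assumption (mine, not documented by the page): every entry begins with
    its 'Domain' line, as both excerpts do. Non key/value lines are skipped.
    """
    entries = []
    for line in text.splitlines():
        match = KEY_VALUE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2)
        if key == "Domain":
            entries.append({})
        if entries:
            entries[-1][key] = value
    return entries


def classify(entry):
    """Reduce one client entry to a verdict a monitoring job can act on."""
    status = entry.get("Port Status", "")
    sm_state = entry.get("Auth SM State", "")
    if status == "AUTHORIZED":
        return "authorized"
    if "FALLBACK" in sm_state:
        # Entered the fallback chain but never reached an authorized state;
        # this is the MDA symptom in the post (method stays MAB, port unauthorized).
        return "stuck-in-fallback"
    return "unauthorized"


def audit(outputs):
    """Return {label: [(supplicant, domain, method, verdict), ...]} per output."""
    report = {}
    for label, text in outputs.items():
        report[label] = [
            (e.get("Supplicant"), e.get("Domain"),
             e.get("Authentication Method"), classify(e))
            for e in parse_client_list(text)
        ]
    return report


def stuck_supplicants(outputs):
    """Flat list of (label, supplicant) pairs whose fallback never completed."""
    return [
        (label, sup)
        for label, rows in audit(outputs).items()
        for sup, _domain, _method, verdict in rows
        if verdict == "stuck-in-fallback"
    ]


if __name__ == "__main__":
    for label, rows in audit(SAMPLES).items():
        print(f"host-mode {label}:")
        for sup, domain, method, verdict in rows:
            print(f"  {sup}  domain={domain:<8} method={method:<8} -> {verdict}")
```

Run against the two samples, the multi-domain port is reported as stuck-in-fallback for 0018.8bae.c4ab while the single-host port is reported as authorized via WebAuth; feeding the same parser the output of several ports lets you see at a glance which ones never left MAB.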

tgrundbacher Sun, 09/30/2007 - 22:50

Hi jafrazie

Thanks for your reply. Since you work with Cisco I assume this is an official statement.

Regarding the incompatibility of the two features: it would be nice if a) this restriction were mentioned in the documentation somewhere and b) IOS denied the fallback command if MDA is already in use.

Toni

k.abillama Thu, 12/18/2008 - 01:50

Hi all, what is the alternative? I have the same setup with only one ACS, and the customer is asking for a fallback method.
