09-28-2007 12:03 AM - edited 02-21-2020 10:19 AM
Scenario: Cat3560 using 802.1x Multidomain Authentication (MDA) on the access ports. This means Nortel Phones authenticating into the voice domain and cascaded PCs authenticating into the data domain on the same access port. MAC Authentication Bypass (MAB) takes care of 802.1x-unaware hosts. RADIUS server is a MS IAS machine.
So far everything works perfectly. Now the customer wants to use Web Authentication as an additional fallback method.
Problem: The dot1x process doesn't get far enough to offer Web Authentication in our setup; it seems to get stuck in MAB.
After a lot of testing I nailed the problem down to MDA. As soon as I change 'dot1x host-mode multi-domain' to 'dot1x host-mode single-host', Web Authentication starts to work.
Question: Does anybody know about restrictions regarding Web Auth and MDA?
Tested IOSes are 12.2(37)SE and 12.2(40)SE.
Below you'll see the outputs of 'sh dot1x int fa0/1 det', which represent the final port states:
Using MDA:
Dot1x Authenticator Client List
-------------------------------
Domain = UNKNOWN
Supplicant = 0018.8bae.c4ab
Auth SM State = AUTHENTICATING (FALLBACK)
Auth BEND SM State = IDLE
Port Status = UNAUTHORIZED
ReAuthPeriod = 0
ReAuthAction = Terminate
TimeToNextReauth = 0
Authentication Method = MAB
Using Single-Host:
Dot1x Authenticator Client List
-------------------------------
Domain = DATA
Supplicant = 0018.8bae.c4ab
Auth SM State = AUTHENTICATED
Auth BEND SM State = IDLE
Port Status = AUTHORIZED
ReAuthPeriod = 0
ReAuthAction = Terminate
TimeToNextReauth = 0
Authentication Method = WebAuth
Authorized By = Authentication Server
Vlan Policy = N/A
Thanks for any help.
Toni
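As an added example (not part of the original post), a small Python checker that parses the two 'sh dot1x int fa0/1 det' client blocks quoted above and flags the MDA port that is stuck in MAB fallback, which is the symptom described here; the sample strings are copied from the post.

```python
import re

# Client blocks as quoted in the post: the MDA port stuck in fallback (left) and
# the single-host port that completed WebAuth (right).
MDA_OUTPUT = """Dot1x Authenticator Client List
-------------------------------
Domain = UNKNOWN
Supplicant = 0018.8bae.c4ab
Auth SM State = AUTHENTICATING (FALLBACK)
Auth BEND SM State = IDLE
Port Status = UNAUTHORIZED
ReAuthPeriod = 0
ReAuthAction = Terminate
TimeToNextReauth = 0
Authentication Method = MAB
"""
SINGLE_HOST_OUTPUT = """Dot1x Authenticator Client List
-------------------------------
Domain = DATA
Supplicant = 0018.8bae.c4ab
Auth SM State = AUTHENTICATED
Auth BEND SM State = IDLE
Port Status = AUTHORIZED
ReAuthPeriod = 0
ReAuthAction = Terminate
TimeToNextReauth = 0
Authentication Method = WebAuth
Authorized By = Authentication Server
Vlan Policy = N/A
"""

def parse_client_list(text):
    """Turn the 'key = value' lines of one client block into a dict; header and rule lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][\w ]*?)\s*=\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def classify(fields):
    """STUCK_IN_FALLBACK: MAB fallback entered but the port never authorized (the MDA symptom)."""
    state = fields.get("Auth SM State", "")
    status = fields.get("Port Status", "")
    method = fields.get("Authentication Method", "")
    if status == "UNAUTHORIZED" and "FALLBACK" in state and method == "MAB":
        return "STUCK_IN_FALLBACK"
    if status == "AUTHORIZED":
        return f"AUTHORIZED/{method}"
    return "UNAUTHORIZED"
```

Running classify over periodically collected output is a cheap way to spot access ports that never leave the fallback state on switches with this feature combination.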
09-28-2007 11:10 AM
Web-Auth and MDA are not supported together.
09-30-2007 10:50 PM
Hi jafrazie,
Thanks for your reply. Since you work with Cisco I assume this is an official statement.
Regarding the incompatibility of the two features: it would be nice if a) this restriction were mentioned in the documentation somewhere and b) IOS would deny the fallback command if MDA is already in use.
Toni
12-18-2008 01:50 AM
Hi All, what is the alternative? I have the same setup with only one ACS, and the customer is asking for a fallback method.