Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
645
Views
0
Helpful
3
Replies

Web Authentication and MDA

tgrundbacher
Level 1
Level 1

‎09-28-2007 12:03 AM - edited ‎02-21-2020 10:19 AM

Scenario: Cat3560 using 802.1x Multidomain Authentication (MDA) on the access ports. Which means Nortel Phones authenticating into the voice domain and cascaded PCs authenticating into the data domain on the same access port. MAC Authentication Bypass (MAB) takes care about 802.1x unaware hosts. RADIUS server is a MS IAS machine.

So far everything works perfectly. Now the customer wants to use Web Authentication as an additional fallback method.

Problem: The dot1x process doesn't get that far to offer Web Authentication in our setup, it seems to get stuck in MAB.

After a lot of testing I nailed the problem down to MDA. As soon as I change 'dot1x host-mode multi-domain' to 'dot1x host-mode single-host', Web Authentication starts to work.

Question: Does anybody know about restrictions regarding Web Auth and MDA?

Tested IOSes are 12.2(37)SE and 12.2(40)SE.

Below you'll see the outputs of 'sh dot1x int fa0/1 det', which represent the final port states:

Using MDA:

Dot1x Authenticator Client List

-------------------------------

Domain = UNKNOWN

Supplicant = 0018.8bae.c4ab

Auth SM State = AUTHENTICATING (FALLBACK)

Auth BEND SM State = IDLE

Port Status = UNAUTHORIZED

ReAuthPeriod = 0

ReAuthAction = Terminate

TimeToNextReauth = 0

Authentication Method = MAB

Using Single-Host:

Dot1x Authenticator Client List

-------------------------------

Domain = DATA

Supplicant = 0018.8bae.c4ab

Auth SM State = AUTHENTICATED

Auth BEND SM State = IDLE

Port Status = AUTHORIZED

ReAuthPeriod = 0

ReAuthAction = Terminate

TimeToNextReauth = 0

Authentication Method = WebAuth

Authorized By = Authentication Server

Vlan Policy = N/A

Thanks for any help.

Toni

Labels:
0 Helpful
3 Replies 3

jafrazie
Cisco Employee
Cisco Employee

‎09-28-2007 11:10 AM

Web-Auth and MDA are not supported together.

0 Helpful

tgrundbacher
Level 1
Level 1
In response to jafrazie

‎09-30-2007 10:50 PM

Hi jafrazie

Thanks for your reply. Since you work with Cisco I assume this is an official statement.

Regarding the incompatibility of the two features: It would be nice if a) this restriction would be mentioned in the documentation somewhere and b) that IOS would deny the fallback command if MDA is already in use.

Toni

0 Helpful

k.abillama
Level 1
Level 1
In response to tgrundbacher

‎12-18-2008 01:50 AM

Hi All, what is the alternative? I'm having the same setup with only one ACS and the customer is asking for a fallback method

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents