dot1x mac-auth-bypass CAN'T disable EAPOL

opers13 · ‎02-10-2009

I'm trying to configure MAC Auth against ACS. All documentation I found says it works..however EAPOL must be disabled so the switch can consider it as agentless host, and initiates the MAC authentication bypass process.

However, I can't seem to be able to disable EAPOL on WinXP..therefore can't get MAC bypass to work.

dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet1/0/34

EAPOL pak dump Tx

EAPOL Version: 0x2 type: 0x0 length: 0x0004

EAP code: 0x3 id: 0x1 length: 0x0004

dot1x-packet:dot1x_auth_txCannedSuccess: EAPOL packet sent out for the default authenticator

jafrazie · ‎02-10-2009

Check out the authentication tab of the local area connection properties window of the NIC on your machine. You can disable 1X there.

HTH,

opers13 · ‎02-11-2009

I'm using a different PC and it doesn't even have the Auth tab...

I also disabled Wireless Zero Configuration service...and nothing..the PC still sending EAPOL packets and it doesn't even talk to ACS at all...

SH DOTIX DEBUG:

14:05:21: dot1x-registry:dot1x_switch_port_linkcomingup invoked on interface Fa1/0/34

14:05:21: dot1x-ev:dot1x_mgr_if_state_change: FastEthernet1/0/34 has changed to UP

14:05:21: dot1x_auth Fa1: initial state auth_initialize has enter

14:05:21: dot1x-sm:Fa1/0/34:0000.0000.0000:auth_initialize_enter called

14:05:21: dot1x_auth Fa1: during state auth_initialize, got event 1(cfg_force_auth)

14:05:21: @@@ dot1x_auth Fa1: auth_initialize -> auth_force_auth

14:05:21: dot1x-sm:Fa1/0/34:0000.0000.0000:auth_force_auth_enter called

14:05:21: dot1x-ev:Couldn't find a supplicant with mac 0000.0000.0000

14:05:21: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x3 id: 0x1 length: 0x0004 type: 0x0 data:

14:05:21: dot1x-ev:FastEthernet1/0/34:Sending EAPOL packet to group PAE address

14:05:21: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet1/0/34.

14:05:21: dot1x-registry:registry:dot1x_ether_macaddr called

14:05:21: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet1/0/34

14:05:21: EAPOL pak dump Tx

14:05:21: EAPOL Version: 0x2 type: 0x0 length: 0x0004

14:05:21: EAP code: 0x3 id: 0x1 length: 0x0004

14:05:21: dot1x-packet:dot1x_auth_txCannedSuccess: EAPOL packet sent out for the default authenticator

14:05:21: dot1x_auth_bend Fa1: initial state auth_bend_initialize has enter

14:05:21: dot1x-sm:Fa1/0/34:0000.0000.0000:auth_bend_initialize_enter called

14:05:21: dot1x_auth_bend Fa1: initial state auth_bend_initialize has idle

14:05:21: dot1x_auth_bend Fa1: during state auth_bend_initialize, got event 16383(idle)

14:05:21: @@@ dot1x_auth_bend Fa1: auth_bend_initialize -> auth_bend_idle

14:05:21: dot1x-sm:Fa1/0/34:0000.0000.0000:auth_bend_idle_enter called

14:05:21: dot1x-ev:Created a client entry for the supplicant 0000.0000.0000

14:05:21: dot1x-ev:Created a default authenticator instance on FastEthernet1/0/34

14:05:21: dot1x-registry:** dot1x_switch_vp_statechange:

14:05:21: dot1x-ev:vlan 1 vp is added on the interface FastEthernet1/0/34

14:05:21: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa1/0/34

14:05:23: %LINK-3-UPDOWN: Interface FastEthernet1/0/34, changed state to up

14:05:24: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/34, changed state to up

CONFIG-

aaa new-model

aaa authentication dot1x dot1x group radius

dot1x system-auth-control

!

interface FastEthernet1/0/34

switchport mode access

dot1x mac-auth-bypass

dot1x pae authenticator

dot1x timeout quiet-period 15

dot1x timeout tx-period 3

dot1x reauthentication

spanning-tree portfast

radius-server host 10.10.10.20 auth-port 1645 acct-port 1646

radius-server source-ports 1645-1646

radius-server key cisco

jafrazie · ‎02-11-2009

I see no evidence of 1X on the PC from the debug. Actually, you're enabled for 1X, but also in a force-authorized mode. You'll need to add "dot1x port-control auto" for it to work correctly, and deny access until you authenticate.

HTH,

mi204978 · ‎02-16-2009

Which service pack do you have installed?

Have you checked the following registry keys?

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]

"AuthMode"

"SupplicantMode"

AuthMode has the following values:

0 - Computer authentication mode. If computer authentication is successful, no user authentication is attempted. If the user logon is successful before computer authentication, user authentication is performed. This is the default setting for Windows XP (prior to Service Pack 1).

1 - Computer authentication with re-authentication. If computer authentication is successful, a subsequent user logon results in a re-authentication with user credentials. The user logon has to complete in 60 seconds or the existing network connectivity is terminated. The user credentials are used for subsequent authentication or re-authentication. Computer authentication is not attempted again until the user logs off the computer. This is the default setting for Windows XP Service Pack 1 (SP1) and Windows Server 2003.

2 - Computer authentication only. When a user logs on, it has no effect on the connection. Only computer authentication is performed. The exception to this behavior is when a user successfully logs on, and then roams between wireless APs. In that case, user authentication is performed. For changes to this setting to take effect, restart the Wireless Zero Configuration service for Windows XP or Windows Server 2003.

SupplicantMode has the following values:

1 - Do not transmit. Specifies that EAPOL-Start messages are not sent.

2 - Transmit. Determines when to send EAPOL-Start messages and, if needed, sends an EAPOL-Start message.

3 - Transmit per 802.1x. Sends an EAPOL-Start message upon association to initiate the 802.1X authentication process.

Alex Pfeil · ‎04-22-2009

For anyone reading the above config, I just wanted to say that this is a good example.

thanks,

alex pfeil