dot1x with authentication open

Unanswered Question
Feb 9th, 2010

I am building a test setup with open authentication and I am trying to get the theory right.

First, the scenario for which we are going to use dot1x with open authentication:

We want to deploy dot1x throughout our network, which includes a number of users who log on to a domain.

With open authentication I want to allow AD/DNS/DHCP before dot1x authentication and then use dot1x (PEAP MS-CHAPv2) to authenticate the user before allowing normal traffic to proceed.

Correct me if I'm wrong, but from what I gathered from several documents it should work like the following:

1) The switchport to which the user connects is set up for "authentication open" and has a PRE-AUTH ACL configured inbound on it which contains all the holes it needs for AD/DNS/DHCP.

2) The user then authenticates through his logon.

3) The user identity is used to authenticate the switchport as well, and an ACL is downloaded from our MS-IAS which allows normal traffic.

Is the above theory correct, or am I missing a crucial bit?

The problem I currently have is that the ACL is never downloaded from our MS-IAS. We are running 4506s with 12.2(50)SG2.

The policy I tested returns the following attributes:

Cisco-AV-Pair: ip:inacl#1=permit ip any any

Port config used is:

switchport access vlan xxx
switchport mode access
authentication open
dot1x pae authenticator
authentication port-control auto
ip access-group <acl-name> in

Global config contains:

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server vsa send authentication

And of course I have defined my RADIUS servers in my config.

Anyone have any ideas or pointers where to look?
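The RADIUS reply quoted in the post carries the per-user ACL as Cisco-AV-Pair values of the form `ip:inacl#<seq>=<ace>`. The following parser is an added example (not code from the thread or from Cisco) that turns such a reply into an ordered ACL and checks whether it actually grants the post-logon "normal traffic" the post is after. The sample replies are constructed for the example; the only attribute taken from the post is `ip:inacl#1=permit ip any any`.

```python
import re
from dataclasses import dataclass, field

# Matches the Cisco-AV-Pair form shown in the post (ip:inacl#<seq>=<ace>)
# and its outbound counterpart (ip:outacl#<seq>=<ace>).
AVPAIR_ACL = re.compile(r"^ip:(inacl|outacl)#(\d+)=(.+)$")


@dataclass
class PerUserAcl:
    inbound: list = field(default_factory=list)   # (seq, ace), sorted by seq
    outbound: list = field(default_factory=list)
    ignored: list = field(default_factory=list)   # AV-pairs that are not ACL entries


def parse_avpairs(avpairs):
    """Collect ip:inacl#/ip:outacl# AV-pairs into ordered ACE lists.

    RADIUS attributes carry no ordering guarantee, so the #<seq> index decides
    the ACE position, not the order the values arrived in. A duplicate index
    is rejected rather than silently overwritten, because the resulting ACL
    would not be the one the policy author intended.
    """
    acl = PerUserAcl()
    seen = {"inacl": set(), "outacl": set()}
    for value in avpairs:
        m = AVPAIR_ACL.match(value.strip())
        if not m:
            acl.ignored.append(value)
            continue
        direction, seq, ace = m.group(1), int(m.group(2)), m.group(3).strip()
        if seq in seen[direction]:
            raise ValueError(f"duplicate {direction}#{seq} in RADIUS reply")
        seen[direction].add(seq)
        (acl.inbound if direction == "inacl" else acl.outbound).append((seq, ace))
    acl.inbound.sort()
    acl.outbound.sort()
    return acl


def render_acl(entries):
    """Return the ACEs in the order a named extended ACL would list them."""
    return [ace for _, ace in entries]


def grants_normal_traffic(entries):
    """True if the inbound per-user ACL contains an unconditional permit,
    i.e. it opens the port for ordinary traffic after a successful logon."""
    return any(ace.startswith("permit ip any any") for _, ace in entries)


# Constructed sample replies (only the first attribute appears in the post).
SAMPLE_REPLY = ["ip:inacl#1=permit ip any any"]

SAMPLE_REPLY_UNORDERED = [
    "ip:inacl#20=permit ip any any",
    "ip:inacl#10=deny tcp any any eq 23",   # arrives after #20 on purpose
    "shell:priv-lvl=15",                    # unrelated AV-pair, ignored
]

if __name__ == "__main__":
    for sample in (SAMPLE_REPLY, SAMPLE_REPLY_UNORDERED):
        acl = parse_avpairs(sample)
        print(render_acl(acl.inbound), grants_normal_traffic(acl.inbound))
```

The parser deliberately keeps the sequence index rather than the arrival order; when a reply is checked this way it becomes obvious whether a missing ACL is a RADIUS-side problem (no `ip:inacl#` attribute at all) or a switch-side one (attribute present but not applied, as the original poster describes).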

drienties Mon, 02/22/2010 - 03:37

Found a problem in my setup: downloadable ACLs are only supported by Cisco ACS.

But as of IOS 12.2(52)SG, filter-id and per-user ACLs are available, which basically do the exact same thing but support third-party AAA servers like MS-IAS.

rishi.sumbal Tue, 06/15/2010 - 05:26


Do you know if you always need an ACL, even if you don't want to filter anything with the open authentication?

I've configured it on a port, and after the failed authentication, the computer can still access everything although it's marked as 'auth failed':


C3560-NAC-043#sh authentication sessions

Interface  MAC Address     Method   Domain   Status         Session ID

Fa0/1      001a.e80c.1e70  mab      VOICE    Authz Success  AC10FA2B0000005010BD2E9C

Fa0/1      001e.ec16.0ea0  N/A      DATA     Authz Failed   AC10FA2B0000005110BD35D2

Global config:

aaa new-model
aaa group server radius HBM_NAC_Radius
server auth-port 1812 acct-port 1813
aaa group server radius HBM_Login_Radius
server auth-port 1812 acct-port 1813
server auth-port 1812 acct-port 1813
aaa authentication login default group HBM_Login_Radius local
aaa authentication dot1x default group HBM_NAC_Radius
aaa authorization exec default group HBM_Login_Radius local
aaa authorization network default group HBM_NAC_Radius
aaa accounting dot1x default start-stop group HBM_NAC_Radius

Port config:

interface FastEthernet0/1
switchport access vlan 190
switchport mode access
switchport voice vlan 290
priority-queue out
authentication event server dead action reinitialize vlan 190
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication open
authentication timer reauthenticate 10
snmp trap mac-notification change added
snmp trap mac-notification change removed
spanning-tree portfast
service-policy input QoS-Marker

Thanks and regards
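The situation in this reply (a host shown as `Authz Failed` on an `authentication open` port that carries no inbound ACL, and therefore keeps unrestricted access) is easy to audit mechanically. The script below is an added example, not code from the thread: it parses `show authentication sessions` output and the interface stanzas of a running-config, then reports failed sessions on open ports without a pre-auth ACL, and open ports that lack one regardless of session state. The session lines and the Fa0/1 stanza are modelled on the reply; the Fa0/2 stanza and its session are constructed to show the configuration the original post describes.

```python
import re

# Constructed sample, modelled on the output quoted in the reply above.
SHOW_AUTH_SESSIONS = """\
Interface  MAC Address     Method   Domain   Status         Session ID
Fa0/1      001a.e80c.1e70  mab      VOICE    Authz Success  AC10FA2B0000005010BD2E9C
Fa0/1      001e.ec16.0ea0  N/A      DATA     Authz Failed   AC10FA2B0000005110BD35D2
Fa0/2      0011.2233.4455  dot1x    DATA     Authz Success  AC10FA2B0000005210BD3A10
"""

# Constructed running-config excerpt: Fa0/1 is open with no port ACL (as in
# the reply); Fa0/2 is open but has the inbound pre-auth ACL the original
# post describes. The ACL name PRE-AUTH is an assumption.
RUNNING_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 190
 switchport mode access
 authentication host-mode multi-auth
 authentication port-control auto
 authentication open
!
interface FastEthernet0/2
 switchport access vlan 190
 switchport mode access
 authentication port-control auto
 authentication open
 ip access-group PRE-AUTH in
!
"""

# One session row: interface, dotted MAC, method, domain, status (may be two
# words), hexadecimal session ID. The header row does not match and is skipped.
SESSION_RE = re.compile(
    r"^(?P<intf>\S+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<method>\S+)\s+(?P<domain>\S+)\s+(?P<status>.+?)\s+(?P<session>[0-9A-F]+)$"
)


def short_name(intf):
    """Normalise 'FastEthernet0/1' and 'Fa0/1' to the same key ('Fa0/1')."""
    m = re.match(r"^([A-Za-z]+)(\S+)$", intf)
    return m.group(1)[:2] + m.group(2)


def parse_sessions(text):
    """Return one dict per session row of 'show authentication sessions'."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["intf"] = short_name(row["intf"])
            sessions.append(row)
    return sessions


def parse_interfaces(config):
    """Return {short interface name: [config lines]} for each interface stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = short_name(line.split()[1])
            stanzas[current] = []
        elif line.startswith("!"):
            current = None
        elif current is not None and line.strip():
            stanzas[current].append(line.strip())
    return stanzas


def has_inbound_acl(cfg):
    return any(l.startswith("ip access-group ") and l.endswith(" in") for l in cfg)


def open_ports_without_acl(stanzas):
    """Open-mode ports with no inbound port ACL: nothing restricts a host there
    before (or after a failed) authentication."""
    return sorted(i for i, cfg in stanzas.items()
                  if "authentication open" in cfg and not has_inbound_acl(cfg))


def audit(sessions, stanzas):
    """Failed sessions on open ports without a pre-auth ACL: the host is marked
    'Authz Failed' yet has the same access as an authenticated one."""
    exposed = set(open_ports_without_acl(stanzas))
    return [(s["intf"], s["mac"]) for s in sessions
            if s["status"] == "Authz Failed" and s["intf"] in exposed]


if __name__ == "__main__":
    stanzas = parse_interfaces(RUNNING_CONFIG)
    print("open ports without ACL:", open_ports_without_acl(stanzas))
    print("failed but unrestricted:", audit(parse_sessions(SHOW_AUTH_SESSIONS), stanzas))
```

Run against real output, the two lists answer the question asked in this reply directly: in open mode the pre-auth ACL is what limits a failed or not-yet-authenticated host, so an open port without one should be treated as a finding even before any failed session appears on it.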
