dot1x and open authentication

rishi.sumbal
Level 1

Hi,

Does anybody know if I still need an ACL, even if I don't want to filter anything with the open authentication?

I've configured it on a port, and after the failed authentication, the computer still accesses everything although it's marked as 'auth failed':

IOS : 12.2(53)SE2

C3560-NAC-043#sh authentication sessions
Interface  MAC Address     Method   Domain   Status         Session ID
Fa0/1      001a.e80c.1e70  mab      VOICE    Authz Success  AC10FA2B0000005010BD2E9C
Fa0/1      001e.ec16.0ea0  N/A      DATA     Authz Failed   AC10FA2B0000005110BD35D2

Global config :

aaa new-model
!
!
aaa group server radius HBM_NAC_Radius
server 172.16.250.123 auth-port 1812 acct-port 1813
!
aaa group server radius HBM_Login_Radius
server 172.16.249.239 auth-port 1812 acct-port 1813
server 172.18.20.215 auth-port 1812 acct-port 1813
!
aaa authentication login default group HBM_Login_Radius local
aaa authentication dot1x default group HBM_NAC_Radius
aaa authorization exec default group HBM_Login_Radius local
aaa authorization network default group HBM_NAC_Radius
aaa accounting dot1x default start-stop group HBM_NAC_Radius

port config :

interface FastEthernet0/1
switchport access vlan 190
switchport mode access
switchport voice vlan 290
priority-queue out
authentication event server dead action reinitialize vlan 190
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication open
authentication timer reauthenticate 10
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
spanning-tree portfast
service-policy input QoS-Marker

Thanks and regards

Rishi

5 Replies

Hi

If you want a user who failed the dot1x authentication to access only the limited services you define, then you can configure

dot1x auth-fail vlan GUEST under the FastEthernet interface, and to limit the services you can configure a VLAN ACL for the guest VLAN, or else leave it open and don't

assign any IP address for the guest VLAN.

http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml

Regards

Chetan Kumar

We have the same problem, multi-auth + open authentication is permitting unauthenticated users to access the network, does anybody have the solution?

Do I need any downloadable ACLs when using open authentication?

Guest VLAN doesn't work with multi-auth.

Bastien Migette
Cisco Employee

Hello Rishi,

Open auth lets traffic flow through the port even if the user is not authenticated.

To limit this, you have 2 possible scenarios:

1)

- add a 'pre auth' ACL on the switchport (just create an ACL and apply it on the port using ip access-group xxx in)

- use dynamic ACLs on your ACS (or other RADIUS) so that these ACLs will override the pre-auth one upon successful authentication

2)

- configure a default VLAN (switchport access vlan) that is filtered on the gateway

- use dynamic VLANs so that users will get an unrestricted VLAN upon successful authentication


Hope this helps.
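Bastien's first scenario written out as an added configuration example (not from this thread, the poster's switch, or Cisco's own documentation). It assumes the resolver address 172.16.250.10 and the dACL name PERMIT-ALL; the ACL name PRE-AUTH is also a placeholder.

```cisco
! Global prerequisites for downloadable ACLs (constructed example):
! device tracking lets the switch learn the host IP it substitutes
! into the dACL, and the VSA option carries the ACL from RADIUS.
ip device tracking
radius-server vsa send authentication
!
! Pre-authentication ACL: an unauthenticated or 'Authz Failed' host
! only gets what it needs to bootstrap; everything else is dropped
! until RADIUS replaces this ACL after a successful dot1x/MAB auth.
ip access-list extended PRE-AUTH
 remark DHCP so the host can obtain an address
 permit udp any eq bootpc any eq bootps
 remark DNS to the assumed internal resolver (placeholder address)
 permit udp any host 172.16.250.10 eq domain
 remark all other traffic is blocked while unauthenticated
 deny ip any any
!
! Apply it on the open-auth port; the rest of the port config
! (authentication open, multi-auth, mab) stays as in the question.
interface FastEthernet0/1
 ip access-group PRE-AUTH in
!
! On ACS/RADIUS, the authorization profile for a successful session
! returns the dACL as a cisco-av-pair, e.g. (assumed dACL content):
!   ip:inacl#1=permit ip any any
! Verify: after Authz Success the session shows an "ACS ACL" line in
!   show authentication sessions interface FastEthernet0/1
```

With the deny at the end of PRE-AUTH, the 'Authz Failed' DATA session from the question would no longer reach the rest of the network, while the mab-authenticated phone keeps working through its dACL.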

Hello Bastien,

Thanks, however I had opened a case for that and Cisco told me that the main purpose of open auth is to smoothly migrate to dot1x and monitor the results first. Your solutions then help limit the access in a second phase of the migration, I would say. The last phase would be to remove open auth.

Regards

Rishi

Does open authentication work with Dynamically Assigned VLANs?

If it does, this could solve the PXE vs 802.1x battle.

I've tried open authentication with a filtered default VLAN with no luck.
