ACS and MAC address authentication on 3850 switches
I've been using ACS to authenticate client mac addresses on 3750 and 3750x switches for some time (to ensure only known MACs gain access to the network) and everything has been working happily. However, I've just begun rolling out 3850 switches at the edge and I've hit a problem.
Using MAB and dot1x authentication configured on the access ports, the switch attempts to validate the client's mac address against a table held on the RADIUS server (in this case, ACS). Looking on the ACS server, I can see the successful authentication of the MAC address. Also, with Wireshark sniffing the traffic on the uplink from the edge switch, I can see the Radius "Access-Request" go out from the switch and the Radius "Access-Accept" come back from ACS. However, on the switch I get the message "DOT1X-5-FAIL: Authentication failed for client (AAAA.BBBB.CCCC) on Interface Gix/0/x AuditSessionID xxxxxxxxxx"
The client interfaces are configured like this (the same on the 3850s as the 3750s):
interface GigabitEthernetx/0/x
 switchport access vlan xx
 switchport mode access
 authentication control-direction in
 authentication event server dead action authorize vlan xx
 authentication event server alive action reinitialize
 authentication port-control auto
 authentication periodic
 authentication timer restart 30
 authentication timer reauthenticate 14400
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 1
 dot1x max-reauth-req 1
 spanning-tree portfast
 spanning-tree bpduguard enable
I wonder if anyone can shed any light on what's going on here? (and why something that was working perfectly well on 3750s is suddenly not playing ball on 3850s?)
I seem to have figured my way out of this. The reason for the short dot1x timer is that we are using MAB to authenticate the client MAC, so we actually WANT the dot1x authentication to timeout as quickly as possible for the secondary (MAB) authentication to execute.
I'm also suffering from the age-old problem of interpreting the logic of a config originally implemented by someone else. I'm wondering if all the dot1x commands we have are actually necessary in our situation.
What I have found when comparing new switches to old is that on the 3750s, "show authentication sessions" for an interface only shows mab as a runnable method, while on the 3850s it lists dot1x, mab and webauth (in that order). Using "authentication order mab" and "authentication priority mab" on an interface of the 3850 seems to do the trick. With "debug mab" turned on you can see the mab authentication working and the switch then allows the interface to pass traffic. Just as importantly, it blocks the port if I try using a client whose MAC is not in the ACS database.
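As an added example (not the poster's own configuration), here is what a MAB-only access port on a 3850 looks like once the runnable-method list is restricted as described above. The interface number, VLAN ids and timers are placeholders; the dot1x lines from the original port config are omitted on the assumption that dot1x is no longer wanted on this port, which is what "authentication order mab" implies.

```cisco
! Added example, not the original poster's config.
! Catalyst 3850 access port where MAB is the only method that should run.
! Interface, VLAN ids and timer values are placeholders.
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 authentication control-direction in
 ! Fail-open behaviour when RADIUS is unreachable: the port is put in VLAN 10
 ! without any MAC check. Keep this only if that availability trade-off is intended.
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 authentication port-control auto
 authentication periodic
 authentication timer restart 30
 authentication timer reauthenticate 14400
 ! Restrict the runnable method list to MAB and make MAB the preferred method.
 ! On the 3850 the default list is dot1x, mab, webauth (in that order);
 ! these two lines remove dot1x and webauth from the port entirely.
 authentication order mab
 authentication priority mab
 mab
 spanning-tree portfast
 spanning-tree bpduguard enable
```

After applying it, "show authentication sessions interface GigabitEthernet1/0/1 details" should list only mab under the runnable methods, and a client whose MAC is absent from ACS should stay unauthorized rather than being logged as a dot1x failure. Note that the "server dead action authorize vlan" line means a RADIUS outage grants access with no MAC check at all; that is the fail-open choice the original config already makes, so decide deliberately whether to keep it.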
Ah, it wasn't really clear to me if you actually wanted to use dot1x or not. If not then you are absolutely correct, auth order mab/auth prio mab will force the switch to start with, and only do, mab authentication. I'm guessing there are some default settings that are different on the 3850 and the 3750, because the functionality should be the same.