Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.

ACS and MAC address authentication on 3850 switches

I've been using ACS to authenticate client mac addresses on 3750 and 3750x switches for some time (to ensure only known MACs gain access to the network) and everything has been working happily. However, I've just begun rolling out 3850 switches at the edge and I've hit a problem.

 

Using MAB and dot1x authentication configured on the access ports, the switch attempts to validate the client's mac address against a table held on the RADIUS server (in this case, ACS). Looking on the ACS server, I can see the successful authentication of the MAC address. Also, with Wireshark sniffing the traffic on the uplink from the edge switch, I can see the Radius "Access-Request" go out from the switch and the Radius "Access-Accept" come back from ACS. However, on the switch I get the message "DOT1X-5-FAIL: Authentication failed for client (AAAA.BBBB.CCCC) on Interface Gix/0/x AuditSessionID xxxxxxxxxx"

 

The client interfaces are configured like this (the same on the 3850s as the 3750s):

interface GigabitEthernetx/0/x
 switchport access vlan xx
 switchport mode access
 authentication control-direction in
 authentication event server dead action authorize vlan xx
 authentication event server alive action reinitialize
 authentication port-control auto
 authentication periodic
 authentication timer restart 30
 authentication timer reauthenticate 14400
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 1
 dot1x max-reauth-req 1
 spanning-tree portfast
 spanning-tree bpduguard enable

 

I wonder if anyone can shed any light on what's going on here? (and why something that was working perfectly well on 3750s is suddenly not playing ball on 3850s?)

5 REPLIES
Cisco Employee

Can you post the output from

Can you post the output from the following command:

show authentication session interface x/x

Aren't you missing some

Aren't you missing some commands?

 

authentication host-mode multi-domain
 authentication open (depends on your scenario)
 authentication order dot1x mab
 authentication priority dot1x mab
 

Also the dot1x timeout tx-period 1 is a VERY short timer, you will get into problems with that, 5 is a better value in my experience.

I seem to have figured my way

I seem to have figured my way out of this. The reason for the short dot1x timer is that we are using MAB to authenticate the client MAC, so we actually WANT the dot1x authentication to timeout as quickly as possible for the secondary (MAB) authentication to execute.

 

I'm also suffering from the age-old problem of interpreting the logic of a config originally implemented by someone else. I'm wondering if all the dot1x commands we have are actually necessary in our situation.

 

What I have found when comparing new switches to old is that on the 3750s, show authentication sessions for an interface only shows mab as a runnable method, while on the 3850s it lists dot1x, mab and webauth (in that order). Using authentication order mab and authentication priority mab on an interface of the 3850 seems to do the trick. With debug mab turned on you can see the mab authentication working and the switch then allows the interface to pass traffic. Just as importantly, it blocks the port if I try using a client whose MAC is not in the ACS database.

 

Appreciate your help.

Ah, it wasn''t really clear

Ah, it wasn''t really clear to me if you actually wanted to use dot1x or not. If not then you are absolutely correct, auth order mab/auth prio mab will force the switch to start with, and only do mab authentication. I'm guessing there are some default settings that are different on the 3850 and the 3750, because the functionality should be the same.

Cisco Employee

Thanks for sharing the

Thanks for sharing the resolution and glad that you were able to solve the problem (+5 from me). Please mark the thread as closed. 

374
Views
5
Helpful
5
Replies
CreatePlease to create content