914 Views, 5 Helpful, 5 Replies

ACS and MAC address authentication on 3850 switches

I've been using ACS to authenticate client mac addresses on 3750 and 3750x switches for some time (to ensure only known MACs gain access to the network) and everything has been working happily. However, I've just begun rolling out 3850 switches at the edge and I've hit a problem.

Using MAB and dot1x authentication configured on the access ports, the switch attempts to validate the client's mac address against a table held on the RADIUS server (in this case, ACS). Looking on the ACS server, I can see the successful authentication of the MAC address. Also, with Wireshark sniffing the traffic on the uplink from the edge switch, I can see the Radius "Access-Request" go out from the switch and the Radius "Access-Accept" come back from ACS. However, on the switch I get the message "DOT1X-5-FAIL: Authentication failed for client (AAAA.BBBB.CCCC) on Interface Gix/0/x AuditSessionID xxxxxxxxxx"

The client interfaces are configured like this (the same on the 3850s as the 3750s):

interface GigabitEthernetx/0/x
 switchport access vlan xx
 switchport mode access
 authentication control-direction in
 authentication event server dead action authorize vlan xx
 authentication event server alive action reinitialize
 authentication port-control auto
 authentication periodic
 authentication timer restart 30
 authentication timer reauthenticate 14400
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 1
 dot1x max-reauth-req 1
 spanning-tree portfast
 spanning-tree bpduguard enable

I wonder if anyone can shed any light on what's going on here? (and why something that was working perfectly well on 3750s is suddenly not playing ball on 3850s?)

5 Replies

nspasov
Cisco Employee

Can you post the output from the following command:

show authentication session interface x/x

jan.nielsen
Level 7

Aren't you missing some commands?

authentication host-mode multi-domain
 authentication open (depends on your scenario)
 authentication order dot1x mab
 authentication priority dot1x mab

Also the dot1x timeout tx-period 1 is a VERY short timer, you will get into problems with that, 5 is a better value in my experience.

I seem to have figured my way out of this. The reason for the short dot1x timer is that we are using MAB to authenticate the client MAC, so we actually WANT the dot1x authentication to timeout as quickly as possible for the secondary (MAB) authentication to execute.

I'm also suffering from the age-old problem of interpreting the logic of a config originally implemented by someone else. I'm wondering if all the dot1x commands we have are actually necessary in our situation.

What I have found when comparing new switches to old is that on the 3750s, show authentication sessions for an interface only shows mab as a runnable method, while on the 3850s it lists dot1x, mab and webauth (in that order). Using authentication order mab and authentication priority mab on an interface of the 3850 seems to do the trick. With debug mab turned on you can see the mab authentication working and the switch then allows the interface to pass traffic. Just as importantly, it blocks the port if I try using a client whose MAC is not in the ACS database.

Appreciate your help.
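As an added illustration (not code from the thread or from Cisco), the following Python script lints an access-port stanza for the settings this thread turned on: whether `authentication order` and `authentication priority` are set explicitly when both `mab` and `dot1x pae authenticator` are present (the poster found the 3850 runs dot1x, mab, webauth by default where the 3750 only listed mab), whether the dot1x tx-period is short while dot1x is still in the method order, and whether the server-dead fallback authorizes a VLAN. The two stanzas are constructed from the configuration posted above, with its `x`/`xx` placeholders kept; the finding codes and the 5-second threshold (taken from the reply above) are this example's own choices.

```python
"""Lint a Cisco IOS access-port stanza for the MAB/dot1x ordering issue discussed in the thread."""
from typing import Dict, List, Optional, Tuple

# Constructed sample: the stanza posted in the question (placeholders kept as posted).
ORIGINAL_STANZA = """\
interface GigabitEthernetx/0/x
 switchport access vlan xx
 switchport mode access
 authentication control-direction in
 authentication event server dead action authorize vlan xx
 authentication event server alive action reinitialize
 authentication port-control auto
 authentication periodic
 authentication timer restart 30
 authentication timer reauthenticate 14400
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 1
 dot1x max-reauth-req 1
 spanning-tree portfast
 spanning-tree bpduguard enable
"""

# Constructed: the same stanza with the explicit order/priority the poster settled on.
RESOLVED_STANZA = ORIGINAL_STANZA.replace(
    " mab\n", " authentication order mab\n authentication priority mab\n mab\n"
)

# Threshold below which a dot1x tx-period is flagged (value suggested in the reply above).
SHORT_TX_PERIOD_SECONDS = 5

Finding = Tuple[str, str, str]  # (severity, code, message)


def parse_stanza(text: str) -> Dict[str, object]:
    """Pull the settings the lint cares about out of one interface stanza."""
    cfg: Dict[str, object] = {
        "interface": None,
        "mab": False,
        "dot1x_authenticator": False,
        "order": None,          # list of methods from 'authentication order', or None
        "priority": None,       # list of methods from 'authentication priority', or None
        "tx_period": None,      # int seconds from 'dot1x timeout tx-period', or None
        "dead_action_vlan": None,
    }
    for raw in text.splitlines():
        ln = raw.strip()
        if ln.startswith("interface "):
            cfg["interface"] = ln.split(None, 1)[1]
        elif ln == "mab":
            cfg["mab"] = True
        elif ln == "dot1x pae authenticator":
            cfg["dot1x_authenticator"] = True
        elif ln.startswith("authentication order "):
            cfg["order"] = ln.split()[2:]
        elif ln.startswith("authentication priority "):
            cfg["priority"] = ln.split()[2:]
        elif ln.startswith("dot1x timeout tx-period "):
            cfg["tx_period"] = int(ln.split()[-1])
        elif ln.startswith("authentication event server dead action authorize vlan "):
            cfg["dead_action_vlan"] = ln.split()[-1]
    return cfg


def lint(cfg: Dict[str, object]) -> List[Finding]:
    """Return findings for a parsed stanza; codes are this example's own."""
    findings: List[Finding] = []
    order: Optional[List[str]] = cfg["order"]  # type: ignore[assignment]
    both_methods = bool(cfg["mab"]) and bool(cfg["dot1x_authenticator"])

    if both_methods and order is None:
        findings.append(("warn", "NO_AUTH_ORDER",
                         "mab and dot1x both enabled with no 'authentication order': "
                         "the method order falls back to the platform default, which "
                         "this thread found differs between the 3750 and the 3850"))
    if both_methods and cfg["priority"] is None:
        findings.append(("warn", "NO_AUTH_PRIORITY",
                         "no 'authentication priority': set it explicitly so the "
                         "intended method wins regardless of platform defaults"))
    # A short tx-period only matters while dot1x is actually tried on the port.
    dot1x_in_play = order is None or "dot1x" in order
    tx = cfg["tx_period"]
    if cfg["dot1x_authenticator"] and dot1x_in_play and tx is not None \
            and tx < SHORT_TX_PERIOD_SECONDS:
        findings.append(("info", "SHORT_TX_PERIOD",
                         f"dot1x tx-period is {tx}s; acceptable only if dot1x is meant "
                         "to time out quickly so MAB runs, otherwise raise it"))
    if cfg["dead_action_vlan"] is not None:
        findings.append(("info", "DEAD_SERVER_AUTHORIZE",
                         f"RADIUS-dead fallback authorizes VLAN {cfg['dead_action_vlan']}: "
                         "any client gets that VLAN while the server is unreachable"))
    return findings


def finding_codes(text: str) -> List[str]:
    """Convenience wrapper: lint a stanza and return just the finding codes."""
    return [code for _, code, _ in lint(parse_stanza(text))]


if __name__ == "__main__":
    for label, stanza in (("original", ORIGINAL_STANZA), ("resolved", RESOLVED_STANZA)):
        cfg = parse_stanza(stanza)
        print(f"== {label}: {cfg['interface']} ==")
        for severity, code, message in lint(cfg):
            print(f"  [{severity}] {code}: {message}")
```

Run against the posted stanza it reports the missing order and priority, the 1-second tx-period and the server-dead fallback; against the resolved stanza only the server-dead fallback remains, since with `authentication order mab` dot1x is no longer tried on the port and the tx-period stops mattering.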

Ah, it wasn't really clear to me if you actually wanted to use dot1x or not. If not then you are absolutely correct, auth order mab/auth prio mab will force the switch to start with, and only do mab authentication. I'm guessing there are some default settings that are different on the 3850 and the 3750, because the functionality should be the same.

Thanks for sharing the resolution and glad that you were able to solve the problem (+5 from me). Please mark the thread as closed.