Hello everyone. This is my first post so hopefully I will pose the question properly. Currently we have a 3550 running 12.1(20)EA1 and a Cisco Secure ACS 3.2(3) on a Windows 2000 server. I have configured 802.1x authentication using EAP-TLS with certificates and have successfully tested this with Windows computers. I have the switch using Radius (Cisco IOS/PIX) for server type in the ACS.
My boss asked me to configure MAC address security as well on the switch. This is where I am running into problems. On the port with dot1x enabled I first configured switchport port-security. By using the show commands I see that dot1x shows the port as being authenticated, port-security on the interface shows the port being secure-up, and the ACS passed authentications log sees the user as being authenticated. When I unplug the network cable from this port and plug it back in, the same is true.
Now when I add the switchport...mac-address sticky command on the previously mentioned interface I see the mac-address of the appropriate machine listed for the correct interface of the running config. Using the show commands I see that dot1x shows the port as being authenticated and port-security on the interface shows the port being secure-up. If I then unplug the network cable from this interface and plug it back in, the light for the port of the switch stays orange. Upon looking at the show commands I see that dot1x continuously reads authenticating (never reads authenticated), port-security reads secure-down, and the ACS passed authentications log has about 50 passed attempts for the user (After 15-30 seconds, 50 more passed authentications appear for the user.)
I looked at the Radius log in the CSRadius folder of ACS and I see that the machine is talking to the ACS but is constantly hit with challenge requests. Now when I go back into the switch and run the no switchport... mac-address sticky command but leave port-security on the port, the port becomes authenticated through dot1x and also becomes secure-up. On the reverse side, if I leave the switchport... mac-address sticky command and remove the dot1x authentication on the port, the port immediately becomes secure-up.
I think I may need to add certain radius attributes for the user, or change the server type for the 3550 to Radius (IETF) in ACS. I have tried a bunch of options in the ACS, and have statically added the MAC of the computer on the port and the same thing happens. Any information that would help would be greatly appreciated.
This sounds like a bug, so you may need a TAC case, or an upgrade.
However, systemically, if you're running 802.1X, you may not need MAC security. 802.1X doesn't care how you authenticate, and it doesn't authenticate MAC addresses, which can be easily spoofed.
Optionally, you might create an extra check on your AAA server to check the certificate AND the MAC address of a device that needs to 802.1X authenticate. This would create an "802.1X works from the correct MAC Address" type of topology if you need it.
But if you're running 802.1X, you do not need to run port-security in most cases.
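One way to implement the certificate-plus-MAC check described in the reply above, as an added example that is not part of the thread and not Cisco ACS configuration. It assumes the AAA server's EAP-TLS module has already validated the client certificate and placed the certificate identity in User-Name, and that the switch sends the supplicant's MAC in the RADIUS Calling-Station-Id attribute (Cisco IOS sends it in the "00-11-22-33-44-55" form). The binding table, names and request dictionaries are constructed sample data.

```python
"""Added example (not from the original thread or from Cisco ACS): an
AAA-side policy that accepts an EAP-TLS authentication only when the
certificate identity AND the supplicant MAC (RADIUS Calling-Station-Id)
match a registered pair.  DEVICE_BINDINGS and the requests in the tests are
constructed sample data.
"""
import re
from typing import Dict, Optional, Set

# Hypothetical device registry: certificate identity (User-Name after EAP-TLS)
# -> MAC addresses that identity may authenticate from.  In a real deployment
# this lives in the AAA server's user/device database, not in code.
DEVICE_BINDINGS: Dict[str, Set[str]] = {
    "host/laptop01.example.local": {"001122334455"},
    # A machine with two NICs (docking station + built-in) gets two entries.
    "host/laptop02.example.local": {"0011223344aa", "0011223344bb"},
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> Optional[str]:
    """Reduce the MAC spellings seen in Calling-Station-Id to 12 lowercase hex chars.

    Cisco IOS sends "00-11-22-33-44-55"; other NAS types send "0011.2233.4455",
    "00:11:22:33:44:55" or bare hex.  Returns None if the value is not a MAC,
    so a comparison against the registry can never pass by accident.
    """
    cleaned = re.sub(r"[-:.\s]", "", raw.strip().lower())
    return cleaned if _HEX12.match(cleaned) else None


def authorize(request: Dict[str, str],
              bindings: Dict[str, Set[str]] = DEVICE_BINDINGS) -> Dict[str, str]:
    """Return an Access-Accept or Access-Reject decision with a reason.

    `request` holds the RADIUS attributes visible after the EAP-TLS handshake
    succeeded.  Certificate validation itself is assumed to have been done by
    the EAP-TLS module; this is only the additional identity/MAC binding check.
    """
    identity = request.get("User-Name")
    if not identity:
        return {"code": "Access-Reject", "reason": "no certificate identity"}

    mac = normalize_mac(request.get("Calling-Station-Id", ""))
    if mac is None:
        # Fail closed: a NAS that omits Calling-Station-Id cannot satisfy the binding.
        return {"code": "Access-Reject",
                "reason": "missing or malformed Calling-Station-Id"}

    allowed = bindings.get(identity)
    if not allowed:
        return {"code": "Access-Reject",
                "reason": f"{identity} has no registered MAC"}
    if mac not in allowed:
        # The certificate is valid but is being presented from the wrong NIC.
        return {"code": "Access-Reject",
                "reason": f"{identity} presented from unregistered MAC {mac}"}
    return {"code": "Access-Accept",
            "reason": "certificate identity and MAC binding match"}


if __name__ == "__main__":
    # Constructed request as a switch would send it after a successful EAP-TLS exchange.
    sample = {"User-Name": "host/laptop01.example.local",
              "Calling-Station-Id": "00-11-22-33-44-55"}
    print(authorize(sample))
```

The check only raises the bar for an attacker who has the certificate and private key but not the registered hardware; since the MAC is spoofable, as the reply notes, it is a binding between two identities rather than a second authentication factor, and the rejection reasons are deliberately explicit so a failed binding shows up in the AAA failed-attempts log with the MAC that was actually presented.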
Thanks for the help. I agree with what you are saying, but my boss seems to think that he wants it done. Could you explain a little more how you might "create an extra check on your AAA server to check the certificate AND the MAC address of a device that needs to 802.1X authenticate."
I also plan to upgrade both the server and ACS as soon as possible. Thanks again.