Cisco Support Community
New Member

HOST PC Trying for MAB authentication instead of dot1x

Hi,

Host PCs are trying to authenticate with MAB instead of dot1x. After two failed MAB attempts, a fallback to dot1x happens.

Priority and order for authentication is dot1x then mab.

So there are a huge number of failed attempts happening, and the many authentication messages to the server make the CPU utilization high. Kindly throw some idea to avoid MAB authentication for host PCs (dot1x supplicants).

Thank you,

2 REPLIES
New Member

The config on the switch does not affect the actual PC. It tells the switch what order to attempt to authenticate with. Let's go back to basics, as it's always helpful:

If the switch is configured correctly with 802.1x (.1x for short), and you have correctly put in the command for dot1x mab, and all other configurations on the ports, etc. are correct, then the port will be "closed" except for LEAP/EAPOL messages.

So, the PC will request access to the network. It will send an EAPOL message with a .1x request. The switch will forward the request message in an EAPOL packet to the radius server, requesting access. The radius server will look up the request in SACS. If the device is entered correctly, and depending on how the SACS is configured, it will poll AD for the correct .1x certificate. If it finds the correct .1x certificate, it will reply with a "you're ok" message. The switch will receive the message, and if ok, will allow normal traffic to flow across the port.

That's a down-and-dirty way to look at .1x.

The key is this: do ALL of your PCs have issues, or is it just one or two of them? If it's just one or two of them, then I'd suggest running the command show dot1x all [details | statistics | summary]. You can also do it per port, like show dot1x interface xxx. Great for troubleshooting, as well as the logs.

Again, though, if it's just one or two PCs, I'd make sure that the PCs are correctly configured for 802.1x authentication. I've seen that before. The PC was not configured for 802.1x, so the switch thought it was a MAB device, and immediately went to MAB. I'd bet your configuration allows it to try several times, then falls back to 802.1x.

Again, if it's one or two, but others are passing, then I'd say to focus on the PCs. Otherwise, confirm that your config on the PCs' port is similar to others that are passing.

 

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/sw8021x.html#wp1252552
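As an added example (not configuration posted by anyone in this thread), here is an IOS access-port configuration in the IBNS 1.0 syntax of the linked 3750-X guide that implements the behaviour the reply above describes: dot1x is tried first, MAB runs only after the supplicant fails to answer, and dot1x keeps priority if a MAB-authorized host later sends EAPOL. The interface name, VLAN, and timer values are assumptions, and the radius-server host definition is left out.

```cisco
! Added example, not from the thread. Assumes IOS 12.2(55)SE-style syntax
! and a RADIUS server already defined with "radius-server host" (not shown).
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 description Wired host port: dot1x first, MAB only as fallback (assumed port)
 switchport mode access
 switchport access vlan 10
 ! Try dot1x before MAB, and let dot1x take over from a MAB session
 ! if the host starts talking EAPOL later.
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication host-mode single-host
 ! A failed method hands the session to the next one in the order list.
 authentication event fail action next-method
 authentication violation restrict
 mab
 dot1x pae authenticator
 ! Wait (max-reauth-req + 1) * tx-period = 3 * 10 s = 30 s for a supplicant
 ! to answer EAP-Request/Identity before giving up on dot1x and trying MAB.
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
!
! Verification, per the reply above: which method each port ended up using,
! and the dot1x timers/statistics for one port.
show dot1x all summary
show dot1x interface GigabitEthernet1/0/1 details
show authentication sessions interface GigabitEthernet1/0/1
show mab all
```

The tx-period and max-reauth-req values set how long a port waits for a supplicant before it falls to MAB (30 s with the numbers above). A host whose supplicant is not running or not configured is expected to take exactly that path, which is the reply's point that the switch-side order cannot fix a PC that does not speak 802.1x. Checking show authentication sessions per port shows whether the active method on a "failing" PC port is mab or dot1x, and show dot1x all statistics shows how many EAPOL frames were actually received from the host.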

 

New Member

How is your authentication policy looking?

Do you have a condition for wired 802.1x? Ours looks like this:

We also have a condition for wired mab:

Then we have profiled all the devices, and only devices that actually do 802.1x are allowed the condition "802.1x"; if they fall back to mab, they fail, and vice versa!

So we have 2 different rules, with different profiled devices selected for each. I'm still testing it, but it seems to be working!

You will find the conditions in the conditions/authorization/compound conditions, and they are actually a Cisco default condition.
