Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Web Authentication and MDA

Scenario: Cat3560 using 802.1x Multidomain Authentication (MDA) on the access ports. Which means Nortel Phones authenticating into the voice domain and cascaded PCs authenticating into the data domain on the same access port. MAC Authentication Bypass (MAB) takes care about 802.1x unaware hosts. RADIUS server is a MS IAS machine.

So far everything works perfectly. Now the customer wants to use Web Authentication as an additional fallback method.

Problem: The dot1x process doesn't get that far to offer Web Authentication in our setup, it seems to get stuck in MAB.

After a lot of testing I nailed the problem down to MDA. As soon as I change 'dot1x host-mode multi-domain' to 'dot1x host-mode single-host', Web Authentication starts to work.

Question: Does anybody know about restrictions regarding Web Auth and MDA?

Tested IOSes are 12.2(37)SE and 12.2(40)SE.

Below you'll see the outputs of 'sh dot1x int fa0/1 det', which represent the final port states:

Using MDA:

Dot1x Authenticator Client List

-------------------------------

Domain = UNKNOWN

Supplicant = 0018.8bae.c4ab

Auth SM State = AUTHENTICATING (FALLBACK)

Auth BEND SM State = IDLE

Port Status = UNAUTHORIZED

ReAuthPeriod = 0

ReAuthAction = Terminate

TimeToNextReauth = 0

Authentication Method = MAB

Using Single-Host:

Dot1x Authenticator Client List

-------------------------------

Domain = DATA

Supplicant = 0018.8bae.c4ab

Auth SM State = AUTHENTICATED

Auth BEND SM State = IDLE

Port Status = AUTHORIZED

ReAuthPeriod = 0

ReAuthAction = Terminate

TimeToNextReauth = 0

Authentication Method = WebAuth

Authorized By = Authentication Server

Vlan Policy = N/A

Thanks for any help.

Toni

3 REPLIES
Cisco Employee

Re: Web Authentication and MDA

Web-Auth and MDA are not supported together.

New Member

Re: Web Authentication and MDA

Hi jafrazie

Thanks for your reply. Since you work with Cisco I assume this is an official statement.

Regarding the incompatibility of the two features: It would be nice if a) this restriction would be mentioned in the documentation somewhere and b) that IOS would deny the fallback command if MDA is already in use.

Toni

New Member

Re: Web Authentication and MDA

Hi All, what is the alternative? I'm having the same setup with only one ACS and the customer is asking for a fallback method

306
Views
0
Helpful
3
Replies
CreatePlease to create content