Tuesday, March 6, 2018

Cisco - 802.1x/MAB allowing traffic before port is authenticated

Hey all. I've detected what seems to be a switch allowing traffic to pass before a port is authenticated.

From the Catalyst 3750-X and 3560-X Software Configuration Guide, Release 15.0(1)SE:

Until the client is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.

So, here is my evidence...

We have some SCADA devices on our network, which we are authenticating with MAB with a one-hour reauthentication timer. One of these systems has particular trouble with MAB - apparently they are configured to only communicate when polled by the server. Now, generally speaking, we're good once they pass MAB, as the server polls them periodically, which permits them to reauthenticate. But, every now and then, for some reason or another, they will not communicate, and the switch 'loses' the MAC address and cannot reauthenticate the device.

Now, our port configurations have the initial VLAN as our 'dead' VLAN. This means that unless the device communicates, passes MAB, and receives a VLAN, it can't communicate with anything. Therefore, once the switch 'loses' the MAC address, because the client waits for polling, it is dead until a network administrator gets involved.

So... we've found a way to make it work: "switchport access vlan 50". As soon as we input this command, the device almost immediately begins to communicate and passes MAB. We can then issue "switchport access vlan 1000" (our dead VLAN) and the device reauthenticates just fine.

Since the VLAN information is not transmitted to either the client or the server, this leads me to believe that when moving the client into the VLAN it's supposed to go into, the server's polls are able to reach the client, thus "waking" it.


Any thoughts? Have any of you seen 3750-X switches (we're currently running 15.0.2 SE9) pass traffic before a port is authenticated? I've tried (unsuccessfully) to get a packet capture of packets being sent to the device while the port is in a non-authenticated state. (This is relatively sporadic.)
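As an added illustration (not the poster's configuration), this is what a MAB-only port with a 'dead' initial VLAN and a one-hour reauthentication timer looks like in Cisco IOS on a 15.0(2)SE-era Catalyst, followed by the show commands that reveal whether a session is actually authorized and which VLAN the switch is currently operating. The interface name, the RADIUS server address (documentation range) and the shared-secret placeholder are assumptions; VLANs 50 and 1000 are the ones named in the post.

```cisco
! Added example, not from the original post. Assumptions: interface Gi1/0/10,
! RADIUS server 192.0.2.10 (documentation address), placeholder shared secret.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE-WITH-SHARED-SECRET
dot1x system-auth-control
!
interface GigabitEthernet1/0/10
 description SCADA-RTU (MAB only, speaks only when polled)
 switchport mode access
 ! 'dead' VLAN the port sits in before any authorization
 switchport access vlan 1000
 ! hold the port unauthorized until MAB succeeds; RADIUS then pushes the real VLAN (e.g. 50)
 authentication port-control auto
 ! MAB only, no 802.1X supplicant on the RTU
 authentication order mab
 ! periodic reauthentication, one-hour timer as in the post
 authentication periodic
 authentication timer reauthenticate 3600
 mab
 spanning-tree portfast
!
! Verification from enable mode while the device is 'lost' and again after
! the workaround is applied:
! show authentication sessions interface GigabitEthernet1/0/10
!   Status shows Authz Success with the RADIUS-assigned VLAN once MAB passed;
!   no session, or a non-authorized status, while the switch has no MAC to send.
! show mab interface GigabitEthernet1/0/10 detail
!   MAB state for the port (e.g. whether a MAC has been learned for the session).
! show interfaces GigabitEthernet1/0/10 switchport
!   Operational access VLAN the port is actually forwarding in at that moment.
```

Capturing the output of these three commands in the 'lost' state and immediately after the `switchport access vlan 50` change is what would show whether frames were forwarded in VLAN 50 while the session still reported as not authorized, which is the behaviour the post is trying to confirm.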


