Friday, November 23, 2018

802.1x/MAB Inaccessible Authentication Bypass not identifying a domain

I'm implementing 802.1x/MAB on our access ports throughout the organisation, and have so far come across very few issues. However, I'm now at the stage of preparing to apply Inaccessible Authentication Bypass to our IT support ports, as well as other critical ports, and I'm hitting a brick wall.

I've created a new vlan to fall back to if our authentication servers fail, and when hosts are attached to that vlan without any 802.1x config applied, they can access the rest of the network as normal: all network resources are available, user profiles are logged into, etc. Also, when the standard dot1x config is applied to the ports, hosts are authenticated, and again all resources are available.

But when the inaccessible config is applied, the assigned access port authenticates with no problem; when I simulate the authentication servers going down, however, the fallback vlan does not authenticate properly.

Port config is:

interface GigabitEthernet3/14
 description dot1x-fail-test
 switchport access vlan 100
 switchport mode access
 switchport block multicast
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 authentication event server dead action authorize vlan 150
 authentication event server alive action reinitialize
 storm-control broadcast level 5.00
 no cdp enable
 spanning-tree portfast
end

Output from "show auth sessions" for the non-authenticated host on vlan 150 is:

Interface  MAC Address     Method  Domain   Status  Fg  Session ID
Gi3/14     feed.beef.cafe  mab     UNKNOWN  Auth        0A986401

On the first test, "radius-server deadtime" was set to one minute, and this caused a loop: the host would fail to authenticate on vlan 150, the radius server would be marked as up and the port would be assigned to vlan 100, the authentication would fail again, and the cycle would repeat. During this, DHCP was failing. I adjusted the dead timer to five minutes, the loop stopped and DHCP was successful.

I've just removed the "authentication event server alive action reinitialize" command and dropped the vlan assignment, changing "authentication event server dead action authorize vlan 150" to "authentication event server dead action authorize", and now the same issue occurs, but on vlan 100.

Has anyone come across this before, any advice?

(I'm using mab here as an example because it's from our lab and we haven't configured a cert store. I've done the same test in our operational network with dot1x and see the same issue.)

tldr:

  • 802.1x/MAB standard config works without issue
  • Both vlan 100 and vlan 150 have network access
  • Except when used in the Inaccessible Authentication Bypass config
  • When the authentication server is reachable, everything works as expected. When the server is unreachable, vlan 150 does not get authorised to the DATA domain.

Thanks for your time.
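For reference, the following is an added example (mine, not part of the original post) of the global RADIUS dead-detection and critical-authentication settings that the interface commands above depend on, alongside a port configured in the same style. The server name and address, the shared secret, the probe username and the timer values are placeholders; the exact keywords should be checked against the IOS release in use, since the critical-auth syntax differs between trains.

```cisco
! Global RADIUS definition with dead detection and an active probe
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
radius server ISE-1
 ! placeholder address and secret
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
 ! placeholder probe account: the switch sends a test Access-Request for this
 ! user every idle-time minutes; any reply (Accept or Reject) counts as alive
 automate-tester username radius-probe ignore-acct-port idle-time 5
!
! a server is marked dead after 3 unanswered requests over 10 seconds,
! and stays out of service for 5 minutes (the value the post settled on)
radius-server dead-criteria time 10 tries 3
radius-server deadtime 5
!
dot1x system-auth-control
! send EAPOL-Success to 802.1X supplicants when a port is authorised by critical auth,
! so the client's supplicant completes instead of waiting for a real EAP exchange
dot1x critical eapol
! stagger re-initialisation of critical-auth ports when the server returns (milliseconds)
authentication critical recovery delay 1000
!
interface GigabitEthernet3/14
 description dot1x-fail-test
 switchport access vlan 100
 switchport mode access
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 ! critical auth: authorise the data domain into the fallback vlan and the
 ! voice domain into the configured voice vlan while every server is dead
 authentication event server dead action authorize vlan 150
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

The three global timers interact: dead-criteria decides when a server is marked dead, deadtime how long it stays marked dead, and the automate-tester probe gives the switch a way to confirm the server is answering rather than simply returning it to service when deadtime expires. With "alive action reinitialize" on the port, every return to service re-initialises the critical-auth sessions, which is consistent with the one-minute loop described above. "show aaa servers" reports each server's dead/alive state and the remaining dead time, which is the first thing to watch while simulating the outage.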
