Lab Minutes Forum
Technical Discussion => Security => Topic started by: czekon26 on August 10, 2016, 06:48:46 AM
-
Hello,
During deployment of 802.1X, which is based on Brocade switches, I encountered a problem.
When the port is enabled for 802.1X and MAC authentication and we connect a PC with secure dock to that port, the connection to securedock is blocked and the PC remains encrypted unless we provide the password manually. When the port operates without any authentication, securedock communication works fine and it decrypts automatically. Pre_auth_acl is not helping in that case. On the other hand, on a Cisco switch everything works fine with the same ACL.
Initial connection steps when checking with the sh dot1x sessions command:
1)
SSH@ICX6430#sh dot1x sessions ethernet 1/1/12
------------------------------------------------------------------------------------------------------
Port    MAC Addr        IP Addr  User Name  Vlan  Auth State  ACL   Age  PAE State
------------------------------------------------------------------------------------------------------
1/1/12  d4cd.d977.f989  N/A      N/A        4092  init        none  S45  CONNECT
2) Session moved to restricted VLAN 300
sh dot1x sessions ethernet 1/1/12
------------------------------------------------------------------------------------------------------
Port    MAC Addr        IP Addr  User Name  Vlan  Auth State  ACL   Age  PAE State
------------------------------------------------------------------------------------------------------
1/1/12  d4cd.d977.f989  N/A      N/A        300   init        none  Ena  HELD
3) and then moved to the port VLAN with a different MAC address assigned to the session
SSH@ICX6430#sh dot1x sessions ethernet 1/1/12
------------------------------------------------------------------------------------------------------
Port    MAC Addr        IP Addr  User Name  Vlan  Auth State  ACL   Age  PAE State
------------------------------------------------------------------------------------------------------
1/1/12  0180.c200.0003  N/A      N/A        301   init        none  N/A  CONNECT
For some reason the MAB policy is saying that authentication failed because the endpoint is not found in the identity store, but that is not true. The endpoint is added correctly. It looks like MAB is not being triggered correctly. Any idea what can be wrong?
-
I am not familiar with the Brocade switch but will give it a try. I assume you are trying MAB authentication and the switch supports it? If so, what does the RADIUS log look like in detail? Can you provide a screenshot?
-
Hi,
Yes, I'm trying MAB auth because the PC is encrypted and the OS is not even started yet. Yesterday I did some more tests and found out that when I change the RADIUS attribute Radius:Service-Type = Call Check to Radius:Service-Type = Framed and add the internal endpoints to the auth policy, it then works fine and can find the user in the local database by using the MAC address. Very strange.
Summarizing:
In the policy auth section we used to have separate policies for MAB and dot1x; currently, when I use only one policy configured with Radius:Service-Type = Framed and internal endpoints + All AD Join Points, it all works fine, but I'm not sure if this is an allowed configuration.
Also, in ISE 2.0 I can see that the RADIUS attributes for MAB are different for Cisco and Brocade:
CISCO:
Radius:NAS-Port-Type = Ethernet
Radius:Service-Type = Call Check
Brocade:
Radius:NAS-Port-Type = Ethernet
Radius:Service-Type = Framed
Radius:User-Name = Radius:Calling-Station-ID
Looks like this may be the reason for my problem.
-
That was what I suspected, which was why I asked for the RADIUS log. Since MAB is not a standard, it is implemented differently among vendors. Evidently the attributes used by the Brocade switch are not the same as Cisco's, hence the policy was not matched. This is where the use of Network Device Profiles comes in.
Thanks for sharing the detail and nice troubleshooting.
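A small constructed model of the vendor difference the thread ends on, added here as an example (it is not code from the forum, from Cisco ISE, or from Brocade): a request counts as MAB only when it matches the attribute signature of the vendor that sent it, and Calling-Station-ID is normalised so the endpoint lookup does not depend on the switch's MAC spelling. The request contents, the profile table and the names norm_mac, is_mab and endpoint_lookup_key are assumptions.

```python
import re

# Constructed RADIUS Access-Requests (assumed values, not captured from the
# thread's switches) using the attribute names the thread lists. The MAC is the
# one shown in the original "sh dot1x sessions" output; the Cisco request sends
# it with dashes, the Brocade one with dots, to show why lookups need normalising.
CISCO_MAB = {"NAS-Port-Type": "Ethernet", "Service-Type": "Call Check",
             "User-Name": "d4cdd977f989", "Calling-Station-ID": "D4-CD-D9-77-F9-89"}
BROCADE_MAB = {"NAS-Port-Type": "Ethernet", "Service-Type": "Framed",
               "User-Name": "d4cd.d977.f989", "Calling-Station-ID": "d4cd.d977.f989"}
BROCADE_DOT1X = {"NAS-Port-Type": "Ethernet", "Service-Type": "Framed",
                 "User-Name": "alice@example.com", "EAP-Message": "<eap payload>"}

# Per-vendor MAB conditions, the kind of thing a Network Device Profile holds.
# A value starting with "@" means "must equal that other attribute" (as a MAC).
PROFILES = {
    "cisco":   {"NAS-Port-Type": "Ethernet", "Service-Type": "Call Check"},
    "brocade": {"NAS-Port-Type": "Ethernet", "Service-Type": "Framed",
                "User-Name": "@Calling-Station-ID"},
}

def norm_mac(value):
    """Return 12 lowercase hex digits for any common MAC spelling, else None."""
    if not isinstance(value, str) or not re.fullmatch(r"[0-9A-Fa-f.:\-]{12,17}", value):
        return None
    digits = re.sub(r"[.:\-]", "", value).lower()
    return digits if len(digits) == 12 else None

def is_mab(req, vendor):
    """True if the request matches the vendor's MAB signature and carries no EAP."""
    for attr, expected in PROFILES[vendor].items():
        actual = req.get(attr)
        if actual is None:
            return False
        if expected.startswith("@"):
            # Brocade-style: User-Name must be the same MAC as Calling-Station-ID
            if norm_mac(actual) is None or norm_mac(actual) != norm_mac(req.get(expected[1:])):
                return False
        elif actual != expected:
            return False
    # An EAP-Message means a supplicant is present: that is 802.1X, not MAB.
    return "EAP-Message" not in req

def endpoint_lookup_key(req):
    """Canonical MAC to search the endpoint identity store with, or None."""
    return norm_mac(req.get("Calling-Station-ID"))

if __name__ == "__main__":
    for name, req in [("Cisco", CISCO_MAB), ("Brocade", BROCADE_MAB)]:
        print(name, "as Cisco profile:", is_mab(req, "cisco"),
              "| as Brocade profile:", is_mab(req, "brocade"))
```

Evaluating the Brocade request against the Cisco profile returns False, which is the "endpoint not found" symptom in the thread: the request never reaches the MAB branch, so the endpoint store is never consulted.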