Discussion:
802.1x and NAC on B5s
John Kaftan
2014-03-25 19:00:10 UTC
Sorry for the double post for those of you who are on "The Hub". I haven't
gotten any replies so I am trying here as well.


First of all, is anyone using wired 802.1x authentication successfully with
NAC? My goal is to have 802.1x be my first auth choice and MAC auth second,
and then use AD to push 802.1x settings to machines that are members of the
domain. All other machines would likely authenticate via MAC auth. I have
it set for user or computer authentication in the supplicant, so when the
computer first connects it authenticates as a computer and then flips to
user auth when the user logs in. Then I can assign policy based on who the
user is rather than based on the computer with MAC auth.

I have this all working... sort of. The problem I have is that
periodically the computer flips into MAC auth after the user is logged in
and has their profile. This is seemingly random. So the user is going
along with their special profile and suddenly they get "Computer", which is
what they get with MAC auth, and then they cannot get to whatever they need
and they call me.

When I take a packet capture and trigger a reauth from NAC I see that the
switch and NAC are exchanging up to 11 Access-Request/Challenge pairs per
client before NAC finally issues an Accept with the Filter-Id. So far I
only have one capture during the moment when a client flips from 802.1x
auth to MAC auth. I see no associated RADIUS packet between NAC and the
switch when that happens. So I cannot see how this is happening unless the
switch is just changing that without talking to NAC. That should never
happen.

At this point I'm pretty discouraged with 802.1x. I am thinking I am
adding too much complexity to the process of a basic connection. If I roll
this out over the whole campus there are any number of things that can bite
me: the supplicant, the switch, NAC, etc. Any time I upgrade anything I
will be super nervous.

So is anybody else using 802.1x on wired as the primary way your users
connect and, if so, are you able to get it stable? Also, does anyone have
any idea what is going on with my network?
--
John Kaftan
IT Infrastructure Manager
Utica College

---
To unsubscribe from enterasys, send email to ***@unc.edu with the body: unsubscribe enterasys gneu-***@gmane.org
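The capture John describes (a run of Access-Request/Access-Challenge pairs ending in an Accept with a Filter-Id, and later a MAC-auth exchange for the same station) can be sorted out mechanically rather than by eye. The script below is an added example written for this thread; it is not Enterasys, NAC or Utica College code. It builds a small RADIUS parser from the RFC 2865/3579 wire format, classifies each Access-Request as 802.1x (EAP-Message present) or MAC auth (Service-Type Call-Check, or a User-Name that is just the station's MAC), counts challenge rounds per session, records the Filter-Id returned, and reports stations whose successive authentications changed method. The sample capture, the user name, the MAC and the Filter-Id values "Staff" and "Computer" are constructed for the example, and the 16-byte authenticator is zeroed because nothing here is verified against a shared secret.

```python
import struct

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
# Attribute types (RFC 2865 User-Name/Service-Type/Filter-Id/Calling-Station-Id, RFC 3579 EAP-Message)
USER_NAME, SERVICE_TYPE, FILTER_ID, CALLING_STATION_ID, EAP_MESSAGE = 1, 6, 11, 31, 79
SERVICE_TYPE_CALL_CHECK = 10  # the Service-Type value switches commonly send for MAC auth


def build_packet(code, ident, attrs):
    """Serialize a RADIUS packet. Authenticator is zeroed: these are constructed
    samples, a real capture carries a random (request) or MD5 (response) value."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def parse_packet(data):
    """Parse the header and TLV attributes; refuse length fields that do not fit."""
    if len(data) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("length field does not match packet size")
    attrs, i = [], 20
    while i < length:
        if i + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return {"code": code, "id": ident, "attrs": attrs}


def attr(pkt, t):
    return [v for k, v in pkt["attrs"] if k == t]


def norm_mac(s):
    return "".join(c for c in s.lower() if c in "0123456789abcdef")


def auth_method(req):
    """802.1x requests carry EAP-Message; MAC auth requests carry Service-Type
    Call-Check and/or a User-Name that is just the station's MAC address."""
    if attr(req, EAP_MESSAGE):
        return "802.1X"
    st = attr(req, SERVICE_TYPE)
    if st and struct.unpack("!I", st[0])[0] == SERVICE_TYPE_CALL_CHECK:
        return "MAC"
    user, mac = attr(req, USER_NAME), attr(req, CALLING_STATION_ID)
    if user and mac and norm_mac(user[0].decode()) == norm_mac(mac[0].decode()):
        return "MAC"
    return "other"


def summarize(raw_packets):
    """Pair each reply with its request by RADIUS id and group exchanges per
    Calling-Station-Id. Returns {mac: [{method, challenges, result, filter_id}, ...]}
    in the order the authentications happened."""
    sessions, pending = {}, {}
    for raw in raw_packets:
        pkt = parse_packet(raw)
        if pkt["code"] == ACCESS_REQUEST:
            pending[pkt["id"]] = pkt
            continue
        req = pending.pop(pkt["id"], None)
        if req is None:
            continue  # reply whose request is not in this capture
        mac = norm_mac(attr(req, CALLING_STATION_ID)[0].decode())
        method = auth_method(req)
        hist = sessions.setdefault(mac, [])
        if not hist or hist[-1]["result"] is not None or hist[-1]["method"] != method:
            hist.append({"method": method, "challenges": 0, "result": None, "filter_id": None})
        cur = hist[-1]
        if pkt["code"] == ACCESS_CHALLENGE:
            cur["challenges"] += 1
        elif pkt["code"] in (ACCESS_ACCEPT, ACCESS_REJECT):
            cur["result"] = "accept" if pkt["code"] == ACCESS_ACCEPT else "reject"
            fid = attr(pkt, FILTER_ID)
            cur["filter_id"] = fid[0].decode() if fid else None
    return sessions


def method_flips(sessions):
    """MACs whose successive authentications used different methods."""
    return sorted(m for m, h in sessions.items()
                  if any(a["method"] != b["method"] for a, b in zip(h, h[1:])))


# --- constructed sample capture (not real traffic) ---------------------------
def dot1x_exchange(mac, user, ident, rounds, filter_id):
    """`rounds` Access-Request/Access-Challenge pairs, then a final request and Accept."""
    base = [(USER_NAME, user.encode()), (CALLING_STATION_ID, mac.encode())]
    pkts = []
    for r in range(rounds + 1):
        i = (ident + r) & 0xFF
        pkts.append(build_packet(ACCESS_REQUEST, i, base + [(EAP_MESSAGE, bytes([2, r & 0xFF, 0, 4]))]))
        if r < rounds:
            pkts.append(build_packet(ACCESS_CHALLENGE, i, [(EAP_MESSAGE, bytes([1, (r + 1) & 0xFF, 0, 4]))]))
    pkts.append(build_packet(ACCESS_ACCEPT, (ident + rounds) & 0xFF, [(FILTER_ID, filter_id.encode())]))
    return pkts


def mac_exchange(mac, ident, filter_id):
    req = build_packet(ACCESS_REQUEST, ident & 0xFF, [
        (USER_NAME, mac.replace("-", "").encode()),
        (CALLING_STATION_ID, mac.encode()),
        (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))])
    return [req, build_packet(ACCESS_ACCEPT, ident & 0xFF, [(FILTER_ID, filter_id.encode())])]


SAMPLE_MAC = "00-11-22-33-44-55"  # constructed
SAMPLE_CAPTURE = (
    dot1x_exchange(SAMPLE_MAC, "EXAMPLE\\jdoe", ident=10, rounds=11, filter_id="Staff")
    + mac_exchange(SAMPLE_MAC, ident=40, filter_id="Computer")
)

if __name__ == "__main__":
    result = summarize(SAMPLE_CAPTURE)
    for mac, hist in result.items():
        for h in hist:
            print(mac, h)
    print("method flipped for:", method_flips(result))
```

A dozen Request/Challenge pairs before the Accept is normal for an EAP method that carries a TLS handshake inside RADIUS (PEAP or EAP-TLS), so that part of the capture is not itself a fault. The useful signal is the second entry for a station: if the port moves to MAC auth, a capture taken on the switch's path to NAC should show a new Call-Check style Access-Request for that station; if no such request appears and the policy still changes, the decision was made on the switch side (a local session timeout, a re-auth failure path, or the port's own fallback) rather than by NAC.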
d***@fhsu.edu
2014-03-25 19:50:21 UTC
John -

Is this affecting all computers connected to the switch, or just a few? I
don't think I'm going to be much help here, as I'm not using NAC yet
(still IAS 2003, but had NAC going in production for POC), and only have a
single B5 stack doing both dot1x+mac auth at the moment (the rest are
C5/C3). But, a few thoughts popped in my head as I read your description.

Is re-auth enabled on the port (default: disabled)? Are global session
timeouts configured (default: 0)? Are login settings timeouts
non-standard for particular ports? Any errors/discards on the particular
port? Really, shots in the dark here.

I've seen strange things with dot1x on occasion, but nothing that keeps me
from pursuing it further. For instance, we had one computer in a batch of
50 of identical hardware/images that was extremely slow to authenticate,
and frequently failed user auth. Updated the NIC drivers, and it was fine
from then on out. Head-scratcher, that one.

BTW - are you doing MAC caching with NAC, or querying an external DB?

Derek Johnson | Data Communications Coordinator
FORT HAYS STATE UNIVERSITY
415 Lyman Dr. TH 101, Hays, KS 67601
(785) 628 - 5688 | ***@fhsu.edu
John Kaftan
2014-03-25 20:56:55 UTC
I do have re-auth enabled and set for 36000, which is 10 hrs. Global
Session Timeout = 0. All Login Settings are standard. Not familiar with
MAC caching. We have NAC configured as our RADIUS server and NAC queries
Active Directory for usernames and passwords for 802.1x user auth and when
users authenticate via the captive portal.

I have all of the MAC addresses we own in an End System group called UC
Owned Manual and I use that group to identify machines we own. Those
machines are exempt from registration and assessment.


John
--
John Kaftan
IT Infrastructure Manager
Utica College
