topic Re: (Vendor) MAC Address Check before 802.1x Authentification in Switches, Hubs, and Modems

(Vendor) MAC Address Check before 802.1x Authentification

Stephan G — Tue, 06 Oct 2009 06:05:13 GMT

Hello everyone,

is it possible to configure a list of MAC addresses (or even a regular expression for a whole vendor) for authentification on a port which also has RADIUS authentification ?

So if the MAC address auth passed it doesn't try the radius authentification ?

Problem is: I have IP phones and printers as well as many clients in one location. What i don't want to do is find out on which port every single ip phone or printer is located and disable the radius authentification on these ports.

What would be the best solution (if possible):
The switches have a list of the allowed mac addresses (or the regular expression) and if a client connects with that mac address it automatically gets VLAN1 if not it tries to authenticate and then gets access or not.

Backend RADIUS server is IAS from MS. Is there a possible solution to find for this problem ?

Greets
Stephan

Re: (Vendor) MAC Address Check before 802.1x Authentification

Pieter 't Hart — Wed, 07 Oct 2009 07:13:09 GMT

from "2900 ASG" (access and security guide):
Syntax: aaa port-access mac-based [e] < port-list > [addr-limit <1-32>]
Specifies the maximum number of authenticated
MACs to allow on the port. (Default: 1)
Note: On switches where MAC Auth and 802.1X can operate concurrently, this limit includes the total number of clients authenticated through both methods.

So some switches can use mixed MAC Auth and 802.1x!
Look for the access and security guide for the model you use.

Re: (Vendor) MAC Address Check before 802.1x Authentification

Stephan G — Wed, 07 Oct 2009 10:49:11 GMT

Thanks for the answer.

But can you tell me what is best practice ? Separating Voice and Data is best practice afaik.

But i also can configure username/password on the telephones so i could achieve the authentication part with IAS. (and also the VLAN assignment)

In the end i want 3 VLANs. 1 for the employees.1 for the ip phones. 1 for the guest. (if this is best practice ;) )

Problem at the moment is i'm working with unauth-vid so that not authorized ip phones will end up in my guest VLAN.

Re: (Vendor) MAC Address Check before 802.1x Authentification

Stephan G — Mon, 19 Oct 2009 12:32:16 GMT

Ok i configured it like you said.

Problem is: although it can autenticate against the IAS it gets no ip or the incorrect vlan (unauth-vid).

config:
Running configuration:

; J4900A Configuration Editor; Created on release #H.10.74

hostname "HUB-35"
snmp-server contact "gas"
time timezone 120
interface 4
no lacp
exit
interface 5
no lacp
exit
ip default-gateway 172.20.20.101
sntp server 172.20.20.1
timesync sntp
sntp unicast
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
untagged 1-26
ip address 172.20.20.127 255.255.252.0
exit
vlan 99
name "unauth"
no ip address
tagged 1
exit
gvrp
aaa authentication port-access eap-radius authorized
radius-server key goh2hu9nowgfjiop$
radius-server host 172.20.20.1
aaa port-access authenticator 4
aaa port-access authenticator 4 unauth-vid 99
aaa port-access authenticator active
aaa port-access mac-based 4
spanning-tree
password manager

IAS Config:

3 RAS policies (in this order)
LAN Auth (against AD with domain computer/user)
Wired MD5 Auth (against AD with mac address)
WLAN Auth (against AD with domain computer/user)

So i thought when i attach an ip phones it goes:
Rule 1 denied
Rule 2 allowed -> default_vlan

I also can see in eventlog that the ip phone is authorized.

But when i look at the vlan it either
Port mode unknown vlan status
4 WEBMAC Learn Down

or it's in my unauth-vid and only can connect to the internet ;)

Why is the status down when it is authorized ?

Greets
Stephan

Re: (Vendor) MAC Address Check before 802.1x Authentification

Pieter 't Hart — Mon, 26 Oct 2009 08:41:32 GMT

I think you go wrong with the policies.
The policies must not "overlap".
eg policy-1 is for PAP and CHAP and policy-2 is for EAP.
The policy matching the request characteristics is applied, not all policies until "authorized".
So when rejected, no other policy is tried.

In the eventlog does it really say "authenticated" (username matches password) or "authorized" (access allowed)?

Pieter

Re: (Vendor) MAC Address Check before 802.1x Authentification

Stephan G — Mon, 26 Oct 2009 08:58:30 GMT

If i understand it right:

When one policy doesn't match the port is closed ? But that's a big problem when it comes to different clients.

A notebook authenticates itself with the domain user.

A ip phone authenticates with mac adress.

I can't generate a mac user for every notebook.

Policy 1 is PEAP
Policy 2 is CHAP

So i thought when PEAP is rejected it tries CHAP. But it seems that it doesn't work that way.
I will have to work with certificates for the IP phones. But no experience with this here.

In eventlog it says:
Benutzer "" wurde Zugriff gewÃ¤hrt.

Which means that network access is allowed. Policy 1 isn't used because the IP phone doesn't deliver username/password.

Greets
Stephan

Re: (Vendor) MAC Address Check before 802.1x Authentification

Pieter 't Hart — Mon, 26 Oct 2009 10:00:19 GMT

>>>
Policy 1 is PEAP
Policy 2 is CHAP

So i thought when PEAP is rejected it tries CHAP. But it seems that it doesn't work that way.
<<<

If you enable PEAP and disable CHAP in policy-1
and disable PEAP and enable CHAP in policy-2.
Then it works as you want, but not in the way you describe it.

CHAP is not rejected in policy-1, but the request doesn't match the policy characteristics; so the policy is not applied and the next policy is checked for a match (of characteristics, not authentication/authorization).

If policy-2 does apply then the authentication/authorization is verified
and acces is granted or denied.