Wired 802.1X + MAC authentication fails with ClearPass: the MAC authentication of the phone and the dot1x authentication of the PC cannot both succeed at the same time.

2023-09-27 15:18:46 Published

Network Topology

(Topology diagram: Topo)

Problem Description

ClearPass acts as the RADIUS server. Users perform 802.1X EAP authentication and phones perform MAC authentication.

When only MAC authentication is enabled, the phone performs MAC authentication, is placed in VLAN 21 (tagged), and works well.

When only dot1x authentication is enabled, the PC performs dot1x authentication (machine authentication), is placed in VLAN 1 (untagged), and works well.

When I enable dot1x and MAC authentication at the same time, sometimes the PC works well and the phone doesn't, and sometimes the phone works well but the PC doesn't.

Process Analysis

The phone in VLAN 21 needs to do MAC authentication; the PC in VLAN 1 should do dot1x authentication.

interface GigabitEthernet1/0/4
 port link-type trunk
 port trunk permit vlan 1 21
 poe enable
 dot1x
 undo dot1x handshake
 dot1x mandatory-domain dot1x-auth
 undo dot1x multicast-trigger
 dot1x unicast-trigger
 mac-authentication
 mac-authentication domain mac-auth


When dot1x and MAC authentication are enabled at the same time:

  1. Sometimes the PC works well and the phone doesn't. ClearPass shows NAS-Error as the Termination Cause for the phone. In this situation, in ClearPass we can see the PC performing dot1x authentication.

  2. Sometimes the phone works well but the PC doesn't. ClearPass shows Admin-Reset as the Termination Cause for the PC. In this situation, in ClearPass we can see the PC performing both dot1x and MAC authentication.



For phenomenon 1, we can only see the phone's MAC authentication state changing:

Sep  5 12:16:03:319 2023 SW1-H3C-CPD MACA/7/EVENT: State changed from Authenticated to Disconnect: UserMAC=001a-e85b-2500, VLANID=21, Interface=GigabitEthernet1/0/4.
*Sep  5 12:16:03:320 2023 SW1-H3C-CPD MACA/7/EVENT: Deleted server timeout timer: UserMAC=001a-e85b-2500, VLANID=21, Interface=GigabitEthernet1/0/4.
*Sep  5 12:16:03:320 2023 SW1-H3C-CPD MACA/7/EVENT: Deleted offline-detect timer: UserMAC=001a-e85b-2500, VLANID=21, Interface=GigabitEthernet1/0/4.

For phenomenon 2, it seems the PC works in VLAN 21, and in VLAN 21 it disconnects dot1x and enters the MAC authentication process.
If the PC works in VLAN 1, the PC authentication seems to be stable.

*Sep  5 12:20:02:021 2023 SW1-H3C-CPD DOT1X/7/EVENT: Sent authorization request: UserMAC=901b-0eb8-34f9, VLANID=21, Interface=GigabitEthernet1/0/4.
*Sep  5 12:20:02:021 2023 SW1-H3C-CPD DOT1X/7/EVENT: AAA processed authorization request: Result= Success, UserMAC=901b-0eb8-34f9, VLANID=21, Interface=GigabitEthernet1/0/4.
*Sep  5 12:20:02:022 2023 SW1-H3C-CPD DOT1X/7/EVENT: Authorization VLAN ID is 1: UserMAC=901b-0eb8-34f9, VLANID=21, Interface=GigabitEthernet1/0/4.
*Sep  5 12:20:02:056 2023 SW1-H3C-CPD DOT1X/7/EVENT: PAE is in Disconnect state: UserMAC=901b-0eb8-34f9, VLANID=21, Interface=GigabitEthernet1/0/4.
*Sep  5 12:20:02:056 2023 SW1-H3C-CPD DOT1X/7/EVENT: Interface GigabitEthernet1/0/4 received Set the port authorization status to unauthorized event.  

Solution

By default, when a port receives a packet with an unknown source MAC address that triggers authentication, it processes that packet by first completing 802.1X authentication and only then performing MAC address authentication.

Therefore, in phenomenon 1, the phone is first put through dot1x authentication. The fix is to let MAC authentication run in parallel with 802.1X: when the port receives a packet with an unknown source MAC address, it still unicasts an EAP-Request frame to that MAC address to trigger 802.1X authentication, but it also performs MAC address authentication without waiting for the 802.1X authentication process to complete.

The configuration commands are as follows:

[H3C-GigabitEthernet1/0/4] mac-authentication parallel-with-dot1x


For phenomenon 2, the phone and the PC are authenticated and authorized in different VLANs, so the MAC VLAN function needs to be enabled on the interface. When the authorized VLAN is untagged, only a port with the MAC VLAN function enabled can authorize different VLANs to different users' MAC addresses. If the MAC VLAN function is not enabled, the VLAN authorized to all users on the port must be the same; otherwise only the first authenticated user can successfully go online.

The configuration commands are as follows:

[H3C-GigabitEthernet1/0/4] mac-vlan enable
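As an added check (not part of the original case), the script below audits H3C interface stanzas for the two commands this case ends up adding: it flags any port that enables both dot1x and mac-authentication but lacks mac-authentication parallel-with-dot1x or mac-vlan enable. The configuration text inside it is constructed for the demo; GigabitEthernet1/0/4 mirrors the case, GigabitEthernet1/0/5 shows the corrected stanza.

```python
"""Audit H3C interface stanzas for the two settings this case needs.
Added example, not from the original case: flags interfaces that enable both
`dot1x` and `mac-authentication` but lack `mac-authentication parallel-with-dot1x`
or `mac-vlan enable`. SAMPLE_CONFIG is constructed for the demo."""
import re

SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/4
 port link-type trunk
 port trunk permit vlan 1 21
 dot1x
 mac-authentication
#
interface GigabitEthernet1/0/5
 port link-type trunk
 port trunk permit vlan 1 21
 dot1x
 mac-authentication
 mac-authentication parallel-with-dot1x
 mac-vlan enable
#
interface GigabitEthernet1/0/6
 port link-type access
 mac-authentication
#
"""

# Commands the case adds so MAC auth and 802.1X can coexist on one port.
REQUIRED = ("mac-authentication parallel-with-dot1x", "mac-vlan enable")

def parse_interfaces(config):
    # Return {interface name: set of its indented sub-commands}.
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            stanzas[current] = set()
        elif line.strip() == "#":
            current = None          # '#' ends a stanza in H3C config output
        elif current is not None and line.startswith(" "):
            stanzas[current].add(line.strip())
    return stanzas

def audit(config):
    """Return {interface: [missing commands]} for ports enabling both methods."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if "dot1x" in cmds and "mac-authentication" in cmds:
            missing = [c for c in REQUIRED if c not in cmds]
            if missing:          # ports running only one method are not at risk
                findings[name] = missing
    return findings
```

Run audit() over the output of display current-configuration to list every port that still has the default serial dot1x-then-MAC behaviour.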

