Network Access Control

  • 1.  Configuring a request policy for MAB on IAS (radius)

    Posted Jan 21, 2010 02:27 PM



    I have a Cisco 3560 connected to a RADIUS server (IAS). I am trying to configure a new request-access policy in the IAS so that it accepts the RADIUS request with username / password as a MAC address, e.g. 00-aa-bb-cc-dd-ee. But every time an access-request is sent from the Cisco to IAS, the access-request is rejected, saying "Reason = The connection attempt did not match any connection request policy."

    While creating the policy, I have tried checking the following options for Authentication:
    1. Unencrypted authentication (PAP, SPAP)
    2. Encrypted authentication (CHAP)

    For policy conditions:

    I have Calling-Station-Id matching "00-AA-BB-CC-DD-EE"
    and Windows Groups matching the groups of which the username I have created is a member.

    Is there any document which says what I need to configure on RADIUS IAS while making a new policy for MAB scenarios?

    Thanks everyone !

    The following details are captured on the IAS:


    User 00aabbccddee was denied access.
     Fully-Qualified-User-Name = <undetermined>
     NAS-IP-Address = 10.11.131.105
     NAS-Identifier = <not present>
     Called-Station-Identifier = 00-1B-8F-72-83-83
     Calling-Station-Identifier = 00-AA-BB-CC-DD-EE
     Client-Friendly-Name = Taccisco
     Client-IP-Address = 10.11.131.105
     NAS-Port-Type = Ethernet
     NAS-Port = 50003
     Proxy-Policy-Name = <none>
     Authentication-Provider = <undetermined>
     Authentication-Server = <undetermined>
     Policy-Name = <undetermined>
     Authentication-Type = <undetermined>
     EAP-Type = <undetermined>
     Reason-Code = 49
     Reason = The connection attempt did not match any connection request policy.



    On the Cisco box, I have turned the RADIUS debugs on, which show that the following details are sent.
    "

    8w2d: RADIUS:  AAA Unsupported     [468] 24 
    8w2d: RADIUS:   30 41 30 42 38 33 36 39 30 30 30 30 30 30 34 30  [0A0B836900000040]
    8w2d: RADIUS:   32 44 46 45 45 39                                [2DFEE9]
    8w2d: RADIUS:  AAA Unsupported     [163] 18 
    8w2d: RADIUS:   47 69 67 61 62 69 74 45 74 68 65 72 6E 65 74 30  [GigabitEthernet0]
    8w2d: RADIUS(00000481): Storing nasport 50003 in rad_db
    8w2d: RADIUS(00000481): Config NAS IP: 0.0.0.0
    8w2d: RADIUS/ENCODE(00000481): acct_session_id: 1153
    8w2d: RADIUS(00000481): sending
    8w2d: RADIUS/ENCODE: Best Local IP-Address 10.11.131.105 for Radius-Server 10.11.197.169
    8w2d: RADIUS(00000481): Send Access-Request to 10.11.197.169:1645 id 1645/128, len 138
    8w2d: RADIUS:  authenticator 37 D0 5A 61 0D 31 CE 31 - CD 22 46 BE E6 C6 E5 DC
    8w2d: RADIUS:  User-Name           [1]   14  "00aabbccddee"
    8w2d: RADIUS:  User-Password       [2]   18  *
    8w2d: RADIUS:  Service-Type        [6]   6   Call Check                [10]
    8w2d: RADIUS:  Framed-MTU          [12]  6   1500                     
    8w2d: RADIUS:  Called-Station-Id   [30]  19  "00-1B-8F-72-83-83"
    8w2d: RADIUS:  Calling-Station-Id  [31]  19  "00-AA-BB-CC-DD-EE"
    8w2d: RADIUS:  Message-Authenticato[80]  18 
    8w2d: RADIUS:   2E 80 58 F1 FC 9E ED 92 96 F2 57 FE C5 4C 3D D3  [.?X???????W??L=?]
    8w2d: RADIUS:  NAS-Port-Type       [61]  6   Eth                       [15]
    8w2d: RADIUS:  NAS-Port            [5]   6   50003                    
    8w2d: RADIUS:  NAS-IP-Address      [4]   6   10.11.131.105            
    8w2d: RADIUS: Received from id 1645/128 10.11.197.169:1645, Access-Reject, len 20
    8w2d: RADIUS:  authenticator 4D 93 6E D9 8F 47 ED 46 - 28 B2 AD DD 23 04 E0 2D
    8w2d: RADIUS(00000481): Received from id 1645/128
    8w2d: RADIUS:  AAA Unsupported     [468] 24 
    8w2d: RADIUS:   30 41 30 42 38 33 36 39 30 30 30 30 30 30 34 30  [0A0B836900000040]
    8w2d: RADIUS:   32 44 46 45 45 39                                [2DFEE9]
    8w2d: RADIUS:  AAA Unsupported     [163] 18 
    8w2d: RADIUS:   47 69 67 61 62 69 74 45 74 68 65 72 6E 65 74 30  [GigabitEthernet0]
    8w2d: RADIUS(00000482): Storing nasport 50003 in rad_db
    8w2d: RADIUS(00000482): Config NAS IP: 0.0.0.0
    8w2d: RADIUS/ENCODE(00000482): acct_session_id: 1154
    8w2d: RADIUS(00000482): sending
    8w2d: RADIUS/ENCODE: Best Local IP-Address 10.11.131.105 for Radius-Server 10.11.197.169 "

  • 2.  RE: Configuring a request policy for MAB on IAS (radius)



  • 3.  RE: Configuring a request policy for MAB on IAS (radius)

    Posted Apr 12, 2010 01:42 PM

    Thank you, Thomas! Currently I am able to get the port authenticated, but for some reason the port is not becoming part of the VLAN attribute I have sent along with the RADIUS access-accept packet.

    Below are the details  
    ********************************************************************************************* 
    what is happening:
     ********************************************************************************************* 
    With MAB enabled on the interface, when a packet from the authenticated MAC (00:aa:bb:cc:dd:ee in this case) is sent to the port, the switch (acting as authenticator) makes a RADIUS access-request and sends it to the RADIUS. The RADIUS in turn sends a RADIUS access-accept packet having the VLAN attribute as well. After getting the access-accept, the port is brought up.
    *********************************************************************************************  
    what is not happening:
     ********************************************************************************************* 
    The port doesn't become part of the VLAN attribute sent by the RADIUS. When the same RADIUS access-accept is received on a competitive switch, the port becomes part of the VLAN attribute sent by the RADIUS.
     
    ********************************************************************************************* 
    Things I have tried apart from the one mentioned in the console output below:
    ********************************************************************************************* 
    By sending the VLAN name "VLAN0400" in the VLAN attribute 81 field instead of the VLAN ID, but the port still doesn't become part of VLAN 400.
     
    ********************************************************************************************* 
    Question:
    *********************************************************************************************  
    Why is the dynamic VLAN assignment not working? (In this case the VLAN ID is provided by the RADIUS.) Only when I have the following config on the port, and the port is MAB authenticated, does the port become part of VLAN 400. In that case the VLAN ID sent by the RADIUS in the access-accept packet is rendered useless.
     
    cs3560-a2-1(config-if)#switchport access vlan 400

    *********************************************************************************************  

    Console output:
     
    cs3560-a2-1(config)#do show run int g 0/3
    Building configuration...
    Current configuration : 161 bytes
    !
    interface GigabitEthernet0/3
     switchport mode access
     dot1x mac-auth-bypass
     dot1x pae authenticator
     dot1x port-control auto
     dot1x timeout tx-period 10
    end
     
    cs3560-a2-1(config)#  <<<<<<<< here  a packet with mac sa 00:aa:bb:cc:dd:ee was sent on the interface gig 0/3
    7w4d: dot1x-ev:dot1x_switch_pm_port_unauth_learning: On GigabitEthernet0/3, unauth learning set to FALSE for domain DATA
    7w4d: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Gi0/3
    7w4d: dot1x-ev:Host access is 1 on port GigabitEthernet0/3
    7w4d: dot1x-ev:Succeeded in setting host access to deny on GigabitEthernet0/3
    7w4d: dot1x-ev:dot1x_switch_mac_address_notify: MAC 00aa.bbcc.ddee discovered on GigabitEthernet0/3(1) consumed by MAB
    7w4d:     dot1x_auth_mab : during state mab_acquiring, got event 5(mabAvailable)
    7w4d: @@@ dot1x_auth_mab : mab_acquiring -> mab_authorizing
    7w4d: dot1x-ev:Couldn't find a supplicant with mac 00aa.bbcc.ddee
    7w4d: dot1x-err:dot1x_auth_peer_ip_get: Invalid client
    7w4d: RADIUS:  AAA Unsupported     [468] 24 
    7w4d: RADIUS:   30 41 30 42 38 33 36 39 30 30 30 30 30 30 32 37  [0A0B836900000027]
    7w4d: RADIUS:   31 34 35 46 43 32                                [145FC2]
    7w4d: RADIUS:  AAA Unsupported     [163] 18 
    7w4d: RADIUS:   47 69 67 61 62 69 74 45 74 68 65 72 6E 65 74 30  [GigabitEthernet0]
    7w4d: RADIUS(00000015): Storing nasport 50003 in rad_db
    7w4d: RADIUS(00000015): Config NAS IP: 0.0.0.0
    7w4d: RADIUS/ENCODE(00000015): acct_session_id: 21
    7w4d: RADIUS(00000015): sending
    7w4d: RADIUS/ENCODE: Best Local IP-Address 10.11.131.105 for Radius-Server 10.11.197.49
    7w4d: RADIUS(00000015): Send Access-Request to 10.11.197.49:1812 id 1645/31, len 138
    7w4d: RADIUS:  authenticator B9 41 46 E9 87 98 CA 9B - B3 5A F3 0D 91 EE 93 A0
    7w4d: RADIUS:  User-Name           [1]   14  "00aabbccddee"
    7w4d: RADIUS:  User-Password       [2]   18  *
    7w4d: RADIUS:  Service-Type        [6]   6   Call Check                [10]
    7w4d: RADIUS:  Framed-MTU          [12]  6   1500                     
    7w4d: RADIUS:  Called-Station-Id   [30]  19  "00-1B-8F-72-83-83"
    7w4d: RADIUS:  Calling-Station-Id  [31]  19  "00-AA-BB-CC-DD-EE"
    7w4d: RADIUS:  Message-Authenticato[80]  18 
    7w4d: RADIUS:   AE C3 3A 72 69 EC 14 72 BE 49 CF 6A B8 CA 59 E1  [??:ri??r?I?j??Y?]
    7w4d: RADIUS:  NAS-Port-Type       [61]  6   Eth                       [15]
    7w4d: RADIUS:  NAS-Port            [5]   6   50003                    
    7w4d: RADIUS:  NAS-IP-Address      [4]   6   10.11.131.105            
    7w4d: RADIUS: Received from id 1645/31 10.11.197.49:1812, Access-Accept, len 37
    7w4d: RADIUS:  authenticator 30 9F EF 45 B9 86 84 F5 - C6 A8 79 EE F2 82 9E 0A
    7w4d: RADIUS:  Tunnel-Medium-Type  [65]  6   00:ALL_802                [6]
    7w4d: RADIUS:  Tunnel-Type         [64]  6   00:VLAN                   [13]
    7w4d: RADIUS:  Tunnel-Private-Group[81]  5   "400"
    7w4d: RADIUS(00000015): Received from id 1645/31
    7w4d:     dot1x_auth_mab : during state mab_authorizing, got event 3(mabResult)
    7w4d: @@@ dot1x_auth_mab : mab_authorizing -> mab_terminate
    7w4d: dot1x-sm:Posting AUTH_SUCCESS on Client=3899C8C
    7w4d:     dot1x_auth Gi0/3: during state auth_fallback, got event 13(authSuccess_portValid)
    7w4d: @@@ dot1x_auth Gi0/3: auth_fallback -> auth_authc_result
    7w4d: dot1x-sm:Gi0/3:00aa.bbcc.ddee:auth_authc_result_enter called
    7w4d: dot1x-ev:dot1x_vlan_assign_authc_success called on interface GigabitEthernet0/3
    7w4d: dot1x-ev:dot1x_vlan_assign_authc_success: Successfully assigned VLAN 0 to interface GigabitEthernet0/3
    7w4d: dot1x-sm:Posting AUTHC_SUCCESS on Client=3899C8C
    7w4d:     dot1x_auth Gi0/3: during state auth_authc_result, got event 23(authcSuccess)
    7w4d: @@@ dot1x_auth Gi0/3: auth_authc_result -> auth_authz_success
    7w4d: dot1x-sm:Gi0/3:00aa.bbcc.ddee:auth_authz_success_enter called
    7w4d: dot1x-ev:dot1x_switch_supplicant_add: Adding 00aa.bbcc.ddee on GigabitEthernet0/3 in vlan 1, domain is DATA
    7w4d: dot1x-ev:dot1x_switch_addr_add: Added MAC 00aa.bbcc.ddee to vlan 1 on interface GigabitEthernet0/3
    7w4d: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Gi0/3
    7w4d: dot1x-registry:** dot1x_switch_vp_statechange:
    7w4d: dot1x-ev:ignored vlan 1 vp is added on interface GigabitEthernet0/3
    7w4d: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Gi0/3
    7w4d: dot1x-ev:dot1x_switch_port_authorized: set dot1x ask handler on interface GigabitEthernet0/3
    7w4d: dot1x-ev:Received successful Authz complete for 00aa.bbcc.ddee
    7w4d: dot1x-sm:Posting AUTHZ_SUCCESS on Client=3899C8C
    7w4d:     dot1x_auth Gi0/3: during state auth_authz_success, got event 26(authzSuccess)
    7w4d: @@@ dot1x_auth Gi0/3: auth_authz_success -> auth_authenticated
    7w4d: dot1x-sm:Gi0/3:00aa.bbcc.ddee:auth_authenticated_enter called
    7w4d: dot1x-ev:Nothing to send to the client 00aa.bbcc.ddee
    7w4d: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to up
    cs3560-a2-1(config)#
    cs3560-a2-1(config)#
    cs3560-a2-1(config)#do show vlan
    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Gi0/3, Gi0/7, Gi0/8, Gi0/9
                                                    Gi0/10, Gi0/11, Gi0/12, Gi0/13
                                                    Gi0/14, Gi0/15, Gi0/16, Gi0/17
                                                    Gi0/18, Gi0/20, Gi0/21, Gi0/22
                                                    Gi0/23, Gi0/24, Gi0/25, Gi0/26
                                                    Gi0/27, Gi0/28
    2    operational                      active   
    3    VLAN0003                         active    Gi0/6, Po3
    4    VLAN0004                         active   
    7    VLAN0007                         active   
    10   VLAN0010                         active   
    11   VLAN0011                         active   
    22   VLAN0022                         active   
    33   VLAN0033                         active   
    63   VLAN0063                         active   
    87   VLAN0087                         active   
    88   VLAN0088                         active   
    90   VLAN0090                         active   
    99   VLAN0099                         active   
    100  VLAN0100                         active   
             
    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    101  VLAN0101                         active   
    102  VLAN0102                         active   
    103  VLAN0103                         active   
    107  VLAN0107                         active   
    121  VLAN0121                         active    Gi0/1
    200  VLAN0200                         active   
    400  VLAN0400                         active   
    500  VLAN0500                         active   
    510  VLAN0510                         active   
    cs3560-a2-1(config)#do show dot1x int g 0/3 de
    Dot1x Info for GigabitEthernet0/3
    -----------------------------------
    PAE                       = AUTHENTICATOR
    PortControl               = AUTO
    ControlDirection          = Both
    HostMode                  = SINGLE_HOST
    ReAuthentication          = Disabled
    QuietPeriod               = 60
    ServerTimeout             = 30
    SuppTimeout               = 30
    ReAuthPeriod              = 3600 (Locally configured)
    ReAuthMax                 = 2
    MaxReq                    = 2
    TxPeriod                  = 10
    RateLimitPeriod           = 0
    Mac-Auth-Bypass           = Enabled
        Inactivity Timeout    = None
    Dot1x Authenticator Client List
    -------------------------------
    Domain                    = DATA
    Supplicant                = 00aa.bbcc.ddee
             
        Auth SM State         = AUTHENTICATED
        Auth BEND SM State    = IDLE
    Port Status               = AUTHORIZED
    Authentication Method     = MAB
    Authorized By             = Authentication Server
    Vlan Policy               = N/A
    cs3560-a2-1(config)#
    cs3560-a2-1(config)#do show int g 0/3
    GigabitEthernet0/3 is up, line protocol is up (connected)
      Hardware is Gigabit Ethernet, address is 001b.8f72.8383 (bia 001b.8f72.8383)
      MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
      input flow-control is off, output flow-control is unsupported
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 1d16h, output 00:00:01, output hang never
      Last clearing of "show interface" counters 3d16h
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         15778064 packets input, 2445579900 bytes, 0 no buffer
         Received 0 broadcasts (15777844 multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 15777844 multicast, 0 pause input
         0 input packets with dribble condition detected
         28987 packets output, 2230150 bytes, 0 underruns
         0 output errors, 0 collisions, 28 interface resets
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 PAUSE output
         0 output buffer failures, 0 output buffers swapped out
    cs3560-a2-1(config)#do show ver
    Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 12.2(40)SE, RELEASE SOFTWARE (fc3)
    Copyright (c) 1986-2007 by Cisco Systems, Inc.
    Compiled Fri 24-Aug-07 01:43 by myl
    Image text-base: 0x00003000, data-base: 0x01800000
    ROM: Bootstrap program is C3560 boot loader
    BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(25r)SEE4, RELEASE SOFTWARE (fc1)
    cs3560-a2-1 uptime is 7 weeks, 4 days, 16 hours, 3 minutes
    System returned to ROM by power-on
    System image file is "flash:/c3560-advipservicesk9-mz.122-40.SE.bin"
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
             
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    export@cisco.com.
    cisco WS-C3560G-24TS (PowerPC405) processor (revision D0) with 122880K/8184K bytes of memory.
    Processor board ID FOC1101Z9QE
    Last reset from power-on
    6 Virtual Ethernet interfaces
    28 Gigabit Ethernet interfaces
    The password-recovery mechanism is enabled.
    512K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address       : 00:1B:8F:72:83:80
    Motherboard assembly number     : 73-10215-04
    Power supply part number        : 341-0098-02
    Motherboard serial number       : FOC111114Z6
    Power supply serial number      : AZS110712U4
    Model revision number           : D0
    Motherboard revision number     : B0
    Model number                    : WS-C3560G-24TS-S
    System serial number            : FOC1101Z9QE
    Top Assembly Part Number        : 800-26851-01
    Top Assembly Revision Number    : B0
    Version ID                      : V02
    CLEI Code Number                : CNMW200ARB
    Hardware Board Revision Number  : 0x09
    Switch   Ports  Model              SW Version              SW Image           
    ------   -----  -----              ----------              ----------         
    *    1   28     WS-C3560G-24TS     12.2(40)SE              C3560-ADVIPSERVICESK
    Configuration register is 0xF
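
Added example, not code from the thread or from Cisco: a small Python checker that reconstructs the Access-Request and Access-Accept from a `debug radius` capture in the shape posted above and reports whether the request is a well-formed MAB request (the User-Name is the calling MAC and Service-Type is Call Check) and whether the switch honoured the VLAN triple (attributes 64/65/81) the server returned, which is the mismatch visible in the third post (server sent 400, switch assigned 0). The embedded capture is constructed for the example.

```python
import re

# Constructed excerpt of Cisco "debug radius" / "debug dot1x events" output in the
# shape the thread shows: a MAB Access-Request, an Access-Accept carrying the VLAN
# triple, then the switch's own VLAN-assignment event. Values are constructed.
SAMPLE_DEBUG = """\
7w4d: RADIUS(00000015): Send Access-Request to 10.11.197.49:1812 id 1645/31, len 138
7w4d: RADIUS:  User-Name           [1]   14  "00aabbccddee"
7w4d: RADIUS:  Service-Type        [6]   6   Call Check                [10]
7w4d: RADIUS:  Calling-Station-Id  [31]  19  "00-AA-BB-CC-DD-EE"
7w4d: RADIUS: Received from id 1645/31 10.11.197.49:1812, Access-Accept, len 37
7w4d: RADIUS:  Tunnel-Medium-Type  [65]  6   00:ALL_802                [6]
7w4d: RADIUS:  Tunnel-Type         [64]  6   00:VLAN                   [13]
7w4d: RADIUS:  Tunnel-Private-Group[81]  5   "400"
7w4d: dot1x-ev:dot1x_vlan_assign_authc_success: Successfully assigned VLAN 0 to interface GigabitEthernet0/3
"""

PKT_RE = re.compile(r'RADIUS.*?(Access-Request|Access-Accept|Access-Reject)')
# attribute name, [type], length, then either a quoted string or "symbol [code]"
ATTR_RE = re.compile(r'RADIUS:\s+(\S+?)\s*\[(\d+)\]\s+\d+\s*(.*)$')
VLAN_RE = re.compile(r'Successfully assigned VLAN (\d+)')

def parse_debug(text):
    """Group attribute lines under their packet; return (packets, vlan the switch assigned)."""
    packets, assigned = [], None
    for line in text.splitlines():
        if (m := PKT_RE.search(line)):
            packets.append({'code': m.group(1), 'attrs': {}})
        elif (m := ATTR_RE.search(line)) and packets:
            atype, raw = int(m.group(2)), m.group(3).strip()
            code = re.search(r'\[(\d+)\]$', raw)  # numeric code after a symbolic value
            value = raw.strip('"') if raw.startswith('"') else (int(code.group(1)) if code else raw)
            packets[-1]['attrs'][atype] = value
        elif (m := VLAN_RE.search(line)):
            assigned = int(m.group(1))
    return packets, assigned

def check_mab(packets, assigned_vlan):
    """Findings: is it a MAB request, does the Accept carry the VLAN triple, was it honoured?"""
    findings = []
    req = next((p['attrs'] for p in packets if p['code'] == 'Access-Request'), {})
    acc = next((p['attrs'] for p in packets if p['code'] == 'Access-Accept'), {})
    mac = re.sub(r'[^0-9a-f]', '', req.get(31, '').lower())  # normalise Calling-Station-Id
    if req and req.get(1, '').lower() != mac:
        findings.append('User-Name is not the calling MAC: not a MAB request')
    if req and req.get(6) != 10:
        findings.append('Service-Type is not Call-Check (10)')
    if acc and not (acc.get(64) == 13 and acc.get(65) == 6 and 81 in acc):
        findings.append('Access-Accept lacks the VLAN triple (64=13, 65=6, 81)')
    elif acc and assigned_vlan is not None and str(acc[81]).isdigit() and int(acc[81]) != assigned_vlan:
        # a VLAN name in attribute 81 (e.g. "VLAN0400") cannot be compared numerically here
        findings.append(f'server sent VLAN {acc[81]} but switch assigned VLAN {assigned_vlan}')
    return findings

if __name__ == '__main__':
    for finding in check_mab(*parse_debug(SAMPLE_DEBUG)):
        print(finding)
```

Run it against a real capture by replacing SAMPLE_DEBUG with the pasted debug text; an empty findings list means the switch assigned the VLAN the server sent.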


  • 4.  RE: Configuring a request policy for MAB on IAS (radius)

    Posted Sep 23, 2010 03:59 PM

    Thanks for the link Cycletech (Thomas)! My two hours of search are probably over LOL
