Sorry for the extremely delayed response on this.
I'm still not sure what the issue was, but after no progress with debugs and the like I'd decided to MAB the APs until I could resolve the 802.1x issue. Once the MAC addresses were added to the endpoint DB, 802.1x started functioning properly on all APs. MAB is second in both order and priority and these endpoints never even attempt MAB (been sending debugs to the server for one week now), so I'm still not sure why this behavior exists. I have some other bug-related testing to do on new switch code (2960S), so I'll circle back to this when that is complete, but I just wanted to update the group with this strange behavior.

Kind Regards,
Kevin Sheahan
CCIE # 41349 (Security)

From: Bastien Migette [mailto:bastien.mige...@gmail.com]
Sent: Monday, December 16, 2013 9:43 AM
To: Bruno Silva
Cc: Kevin Sheahan; ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] 802.1x AP Authentication

There is another thing to mention: ISE will always send an access-reject after successful PAC provisioning (so the NAD will not grant network access right after PAC provisioning), so the switch will therefore enter the auth fail state. It might take a while for reauth to happen.
Example after setting an AP to FlexConnect in my lab:

Dec 16 15:39:16.164: %AUTHMGR-5-START: Starting 'dot1x' for client (7c69.f6bc.5e05) on Interface Fa0/3 AuditSessionID 0A96331D000007D916424C9C
bast_3560#
bast_3560#
Dec 16 15:39:30.878: %DOT1X-5-FAIL: Authentication failed for client (7c69.f6bc.5e05) on Interface Fa0/3 AuditSessionID 0A96331D000007D916424C9C
Dec 16 15:39:30.878: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (7c69.f6bc.5e05) on Interface Fa0/3 AuditSessionID 0A96331D000007D916424C9C
bast_3560#
Dec 16 15:39:30.878: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (7c69.f6bc.5e05) on Interface Fa0/3 AuditSessionID 0A96331D000007D916424C9C

== 60 sec default reauth timer

Dec 16 15:40:31.083: %AUTHMGR-5-START: Starting 'dot1x' for client (7c69.f6bc.5e05) on Interface Fa0/3 AuditSessionID 0A96331D000007DA1644D6EC
Dec 16 15:40:31.385: %DOT1X-5-SUCCESS: Authentication successful for client (7c69.f6bc.5e05) on Interface Fa0/3 AuditSessionID 0A96331D000007DA1644D6EC
Dec 16 15:40:31.385: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (7c69.f6bc.5e05) on Interface Fa0/3 AuditSessionID 0A96331D000007DA1644D6EC
Dec 16 15:40:31.385: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 7c69.f6bc.5e05| AuditSessionID 0A96331D000007DA1644D6EC| AUTHTYPE DOT1X| EVENT APPLY
Dec 16 15:40:31.511: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (7c69.f6bc.5e05) on Interface Fa0/3 AuditSessionID 0A96331D000007DA1644D6EC

2013/12/16 Bruno Silva <auranpr...@gmail.com>

Had the same problem with a lab environment at home. What's the model of the AP and the WLC? In my case it meant that the AP could not run 802.1x because of the model of network board installed on it. For some reason it was not ready and the firmware version 12.x could not upgrade its firmware, so after debugging and trying to fix it I just gave up because Cisco told me it was impossible. So I changed the model of the AP.
BR,
Bruno Silva.

2013/12/15 Bastien Migette <bastien.mige...@gmail.com>

Hi Kevin,

No matter whether flex or local, dot1x is always performed by the AP. The only thing you need to do for flex is normally to send device-traffic-class=switch to put the port in trunk mode if you have vlan mappings, but AFAIK nothing particular for the authentication... I would check debug eap xxx on the AP and see why it sends an alert.

2013/12/13 Kevin Sheahan <sheaha...@gmail.com>

Gents,

The scenario: Cisco AP in FlexConnect local switching, authenticating 802.1x against ISE without incident. No special considerations necessary, EAP-FAST(EAP-TLS), anonymous PAC provisioning.

When the wireless deployment changes to local mode, 802.1x authentication for the AP breaks. Same EAP-FAST(EAP-TLS) with anonymous PAC provisioning. ISE reports: 12154 EAP-FAST failed SSL/TLS handshake after a client alert. OpenSSL errors include: SSL alert: code=0x20A=522 ; source=remote ; type=fatal ; message="unexpected_message" and 47010861041984:error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message:s3_pkt.c:1102:SSL alert number 10.

My question: I'm unable to find any Cisco documentation that dictates any special considerations that must be made between wireless deployment modes. Why does this work in FlexConnect local switching but not in local mode?

My current train of thought (feel free to derail if I'm off base): As you know, in local mode all traffic is tunneled back to the controller (CAPWAP). All of what ISE reports is showing the switch as the NAD, and that is what I expect to see. However, after the EAP-FAST tunnel is built, the communications seem to fail and therefore the EAP-TLS inner method fails. I'm wondering if the AP is sending the EAP-TLS session through the CAPWAP tunnel rather than the EAP-FAST tunnel as it should. Is this possible, or am I just chasing my tail?
Kind Regards,
Kevin Sheahan
CCIE # 41349 (Security)

_______________________________________________
Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos :: iPexpert on YouTube: www.youtube.com/ipexpertinc

--
Bruno Silva
Network Consultant
Cisco CCNA/CCDA/CCNP/CCDP/CCSP Certified
Arcsight Professional Certified - ACIA/ACSA
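Added example, not written by anyone in this thread: a small Python parser for the IOS %AUTHMGR / %DOT1X syslog lines Bastien quoted from his 3560. It groups lines by AuditSessionID, so the cycle he describes (access-reject right after PAC provisioning, then success on the next reauth) shows up per endpoint as a "fail" attempt followed roughly one reauth timer later by a "success" attempt, and the question Kevin raises about MAB never being attempted can be answered from the list of methods actually started. The 60-second reauth timer is the lab default mentioned in the thread; the sample lines are the thread's own, with one bare prompt line added to show that non-syslog output is ignored; the session grouping, the field names and the verdict labels are this script's own assumptions, not IOS or ISE terminology.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the switch lines quoted in the thread, one per line, plus a
# bare prompt line to show that non-syslog output is skipped by the parser.
SAMPLE_LOG = """\
Dec 16 15:39:16.164: %AUTHMGR-5-START: Starting 'dot1x' for client (7c69.f6bc.5e05) on Interface Fa0/3 AuditSessionID 0A96331D000007D916424C9C
bast_3560#
Dec 16 15:39:30.878: %DOT1X-5-FAIL: Authentication failed for client (7c69.f6bc.5e05) on Interface Fa0/3 AuditSessionID 0A96331D000007D916424C9C
Dec 16 15:39:30.878: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (7c69.f6bc.5e05) on Interface Fa0/3 AuditSessionID 0A96331D000007D916424C9C
Dec 16 15:39:30.878: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (7c69.f6bc.5e05) on Interface Fa0/3 AuditSessionID 0A96331D000007D916424C9C
Dec 16 15:40:31.083: %AUTHMGR-5-START: Starting 'dot1x' for client (7c69.f6bc.5e05) on Interface Fa0/3 AuditSessionID 0A96331D000007DA1644D6EC
Dec 16 15:40:31.385: %DOT1X-5-SUCCESS: Authentication successful for client (7c69.f6bc.5e05) on Interface Fa0/3 AuditSessionID 0A96331D000007DA1644D6EC
Dec 16 15:40:31.385: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (7c69.f6bc.5e05) on Interface Fa0/3 AuditSessionID 0A96331D000007DA1644D6EC
Dec 16 15:40:31.385: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 7c69.f6bc.5e05| AuditSessionID 0A96331D000007DA1644D6EC| AUTHTYPE DOT1X| EVENT APPLY
Dec 16 15:40:31.511: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (7c69.f6bc.5e05) on Interface Fa0/3 AuditSessionID 0A96331D000007DA1644D6EC
"""

# IOS syslog shape: "<timestamp>: %FACILITY-SEVERITY-MNEMONIC: <message>"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
                     r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+): (?P<msg>.*)$")
MAC_RE = re.compile(r"\b([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b")
SID_RE = re.compile(r"AuditSessionID ([0-9A-F]+)")
METHOD_RE = re.compile(r"Starting '(\w+)'")
RESULT_RE = re.compile(r"result '(\w+)'")


def parse_events(text):
    """Parse IOS syslog lines into dicts; lines that are not syslog (prompts, notes) are dropped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        mac, sid = MAC_RE.search(msg), SID_RE.search(msg)
        events.append({
            # Year is absent in IOS timestamps; only deltas are used, so the default year is fine.
            "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S.%f"),
            "fac": m.group("fac"), "mnem": m.group("mnem"),
            "mac": mac.group(1) if mac else None,
            "sid": sid.group(1) if sid else None,
            "msg": msg,
        })
    return events


def build_sessions(events):
    """One record per AuditSessionID: method started, auth result, authorization outcome."""
    sessions = {}
    for ev in events:
        if ev["sid"] is None:
            continue
        s = sessions.setdefault(ev["sid"], {"sid": ev["sid"], "mac": ev["mac"],
                                            "start": ev["ts"], "end": ev["ts"],
                                            "method": None, "auth": None, "authz": None})
        s["start"], s["end"] = min(s["start"], ev["ts"]), max(s["end"], ev["ts"])
        if ev["mnem"] == "START":                       # which method (dot1x / mab) was tried
            mm = METHOD_RE.search(ev["msg"])
            s["method"] = mm.group(1) if mm else None
        elif ev["fac"] == "AUTHMGR" and ev["mnem"] == "RESULT":
            rm = RESULT_RE.search(ev["msg"])
            s["auth"] = rm.group(1) if rm else None
        elif ev["fac"] == "AUTHMGR" and ev["mnem"] in ("SUCCESS", "FAIL"):
            s["authz"] = ev["mnem"].lower()             # authorization applied or not
    return sorted(sessions.values(), key=lambda s: s["start"])


def classify_endpoints(sessions, reauth_timer=60.0):
    """Per MAC: attempts in order, methods actually tried, and the gap from each failed
    attempt to the next start, so a reject-then-reauth-success cycle can be told apart
    from an endpoint that never recovers. Verdict labels are this script's own."""
    by_mac = defaultdict(list)
    for s in sessions:
        by_mac[s["mac"]].append(s)
    report = {}
    for mac, seq in by_mac.items():
        gaps = [round((nxt["start"] - prev["end"]).total_seconds(), 1)
                for prev, nxt in zip(seq, seq[1:]) if prev["auth"] == "fail"]
        results = [s["auth"] for s in seq]
        if results[-1] == "success" and "fail" in results:
            verdict = "recovered-on-reauth"
        elif results[-1] == "success":
            verdict = "clean"
        else:
            verdict = "failing"
        report[mac] = {
            "attempts": [(s["method"], s["auth"], s["authz"]) for s in seq],
            "methods_tried": sorted({s["method"] for s in seq if s["method"]}),
            "fail_to_retry_gaps_s": gaps,
            # True when every retry waited roughly one reauth timer (within 25%); None if no retries.
            "retry_on_reauth_timer": (all(abs(g - reauth_timer) <= 0.25 * reauth_timer for g in gaps)
                                      if gaps else None),
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for mac, r in classify_endpoints(build_sessions(parse_events(SAMPLE_LOG))).items():
        print(mac, r)
```

Run against a longer capture (the week of debugs Kevin mentions, for example), an endpoint that shows `methods_tried == ["dot1x"]` with a `failing` verdict confirms from the switch's own view that MAB was never started, while `recovered-on-reauth` with a gap near the timer is the benign post-provisioning reject Bastien describes.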