John - Is this affecting all computers connected to the switch, or just a few? I don't think I'm going to be much help here, as I'm not using NAC yet (still IAS 2003, but had NAC going in production for POC), and only have a single B5 stack doing both dot1x+mac auth at the moment (the rest are C5/C3). But, a few thoughts popped in my head as I read your description.
Is re-auth enabled on the port (default: disabled)? Are global session timeouts configured (default: 0)? Are login settings timeouts non-standard for particular ports? Any errors/discards on the particular port? Really, shots in the dark here. I've seen strange things with dot1x on occasion, but nothing that keeps me from pursuing it further. For instance, we had one computer in a batch of 50 of identical hardware/images that was extremely slow to authenticate, and frequently failed user auth. Update the NIC drivers, and it was fine from then on out. Head scratcher that one. BTW - are you doing MAC caching with NAC, or querying an external DB? Derek Johnson | Data Communications Coordinator FORT HAYS STATE UNIVERSITY 415 Lyman Dr. TH 101, Hays, KS 67601 (785) 628 - 5688 | [email protected] From: John Kaftan <[email protected]> To: "Enterasys Customer Mailing List" <[email protected]> Date: 03/25/2014 02:00 PM Subject: [enterasys] 802.1x and NAC on B5s Sorry for the double post for those of you who are on "The Hub". I haven't gotten any replies so I am trying here as well. First of all is anyone using wired 802.1x Authentication successfully with NAC? My goal is to have 802.1x be my first auth choice and Mac auth second and then use AD to push 802.1x settings to machines that are members of the domain. All other machines would likely authenticate via Mac auth. I have it set for user or computer authentication in the supplicant so when the computer first connects it authenticates as a computer and then flips to user auth when the user logs in. Then I can assign policy based on who the user is rather than based on the computer with Mac auth. I have this all working......sort of. The problem I have is that periodically the computer flips into Mac auth after the user is logged in and has their profile. This is seemingly random. So the user is going along with their special profile and suddenly they get "Computer", which is what they get with Mac auth, and then they cannot get to whatever they need and they call me. When I take a packet capture and trigger a reauth from NAC I see that the switch and NAC are exchanging up to 11 Access-Requests\Challenges pair per client before NAC finally issues an Accept with the filterID. So far I only have one capture during the moment when a client flips from 802.1x auth to Mac auth. I see no associated RADIUS packet between NAC and the switch when that happens. So I cannot see how this is happening unless the switch is just changing that without talking to NAC. That should never happen. At this point I'm pretty discouraged with 802.1x. I am thinking I am adding too much complexity to the process of a basic connection. If I roll this out over the whole campus there is any number of things that can bite me, the supplicant, the switch, NAC etc. Any time I upgrade anything I will be super nervous. So is anybody else using 802.1x on wired as the primary way your users connect and, if so, are you able to get it stable? Also, does anyone have any idea what is going on with my network? -- John Kaftan IT Infrastructure Manager Utica College --To unsubscribe from enterasys, send email to [email protected] with the body: unsubscribe enterasys [email protected] --- To unsubscribe from enterasys, send email to [email protected] with the body: unsubscribe enterasys [email protected]
