dot1x MAB re-authentication vlan-id

i.va
Level 3

I have APs in FlexConnect mode connected to Catalyst 3850 v16.3.7 switches. Find the port configuration below. I want to authenticate the clients on AP trunk ports via MAB using the Cisco-AVPair "vlan-id" sent during the REQUEST, so that our 3rd-party RADIUS server can distinguish between VLANs on that port.

This is working as planned, until re-authentication happens. During re-authentication the switch does not send the vlan-id attribute anymore, causing it to fail and log a reject.

Taking a look at the mac address-table (output below), the switch creates a static entry during MAB on the native VLAN, instead of the expected VLAN that the MAC was learned on. I suspect that this is causing re-authentication to omit the vlan-id.

As a workaround we have disabled re-authentication, but as a result we have a large number of active sessions.

What I will test next is for our RADIUS server to assign the VLAN () along with the initial ACCEPT.

Does anyone have any advice on how to handle this, i.e. make the switch always send the vlan-id? Is the switch behaving as expected, or is this a bug? Because of the current lockdowns I am not able to do extensive tests on site.


switch#show mac address-table address aaaa.bbbb.cccc
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   9    aaaa.bbbb.cccc    STATIC      Gi2/0/37
 105    aaaa.bbbb.cccc    DYNAMIC     Gi2/0/37
Total Mac Addresses for this criterion: 2

switch#show access-session mac aaaa.bbbb.cccc
Interface    MAC Address       Method    Domain    Status    Fg    Session ID
--------------------------------------------------------------------------------------------
Gi2/0/37     aaaa.bbbb.cccc    mab       DATA      Auth            0A010998001A3D0E0CE2A772

Key to Session Events Blocked Status Flags:

A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker

switch#
switch#show derived-config interface gi2/0/37
Building configuration...

Derived configuration : 505 bytes
!
interface GigabitEthernet2/0/37
description AP
switchport trunk native vlan 9
switchport trunk allowed vlan 9,103-105,114
switchport mode trunk
switchport nonegotiate
access-session control-direction in
access-session port-control auto
mab
no snmp trap link-status
storm-control broadcast level 10.00
storm-control action shutdown
storm-control action trap
no lldp transmit
no lldp receive
spanning-tree guard root
service-policy type control subscriber RADIUS-AUTH
end

switch#
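The question above hinges on whether the re-authentication Access-Request actually arrives at the RADIUS server without the Cisco-AVPair "vlan-id". The quickest way to settle that (and to separate a switch bug from a RADIUS policy problem) is to decode the requests on the server side and report which ones lack the attribute. The following Python is an added example written for this thread, not code from the original post or from Cisco; it builds two constructed Access-Requests for the MAC in the post, decodes the Vendor-Specific (26) attribute with Cisco's vendor id 9 and Cisco-AVPair sub-type 1 per RFC 2865, and flags requests without a vlan-id. It assumes the AV-pair is encoded as the string `vlan-id=<number>`; the attribute names and packet layout are standard, the sample packets and the exact string format are assumptions.

```python
import struct

# RADIUS constants from RFC 2865; Cisco vendor id and Cisco-AVPair sub-type are
# the standard values IOS uses for vendor-specific attributes.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1
HEADER_LEN = 20


def build_attr(atype, value):
    """Encode one Type-Length-Value attribute (length covers the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, 2 + len(value)]) + value


def build_cisco_avpair(text):
    """Wrap a Cisco-AVPair string in a Vendor-Specific (26) attribute."""
    sub = build_attr(CISCO_AVPAIR, text.encode("ascii"))
    return build_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_access_request(ident, attrs):
    """Assemble an Access-Request; the authenticator is zeroed (constructed sample)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body))
    return header + bytes(16) + body


def parse_attributes(packet):
    """Return (code, identifier, [(type, value), ...]); reject truncated packets."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs


def cisco_avpairs(attrs):
    """Extract every Cisco-AVPair string from the Vendor-Specific attributes."""
    pairs = []
    for atype, value in attrs:
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        pos = 4
        while pos + 2 <= len(value):
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                break  # skip a malformed vendor sub-attribute instead of crashing
            if vtype == CISCO_AVPAIR:
                pairs.append(value[pos + 2:pos + vlen].decode("ascii", "replace"))
            pos += vlen
    return pairs


def vlan_id_from_request(packet):
    """Return the VLAN carried as 'vlan-id=<n>' (assumed encoding), or None."""
    code, _, attrs = parse_attributes(packet)
    if code != ACCESS_REQUEST:
        return None
    for pair in cisco_avpairs(attrs):
        key, sep, val = pair.partition("=")
        if sep and key.strip() == "vlan-id" and val.strip().isdigit():
            return int(val)
    return None


def requests_missing_vlan_id(packets):
    """Identifiers of Access-Requests that carry no vlan-id AV-pair."""
    return [parse_attributes(p)[1] for p in packets if vlan_id_from_request(p) is None]


# Constructed sample traffic for the MAC in the post: the initial MAB request
# carries vlan-id=105, the re-authentication request omits it.
MAB_USER = b"aaaabbbbcccc"
INITIAL_REQUEST = build_access_request(1, [
    build_attr(ATTR_USER_NAME, MAB_USER),
    build_attr(ATTR_CALLING_STATION_ID, b"AA-AA-BB-BB-CC-CC"),
    build_cisco_avpair("vlan-id=105"),
])
REAUTH_REQUEST = build_access_request(2, [
    build_attr(ATTR_USER_NAME, MAB_USER),
    build_attr(ATTR_CALLING_STATION_ID, b"AA-AA-BB-BB-CC-CC"),
])

if __name__ == "__main__":
    print("initial vlan-id:", vlan_id_from_request(INITIAL_REQUEST))
    print("requests without vlan-id:",
          requests_missing_vlan_id([INITIAL_REQUEST, REAUTH_REQUEST]))
```

Feeding real captures from the RADIUS server into `requests_missing_vlan_id` (each UDP payload as one `bytes` object) gives the list of identifiers to correlate with the reject log entries; if only re-authentication requests show up there, the switch side is the place to look, as the post suspects.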