Dot1x + MAB switch config questions

fterlingo
Cisco Employee

Team,


I have a customer running in Closed Mode with order Dot1x --> MAB and Priority Dot1x --> MAB with host-mode “multi-auth” where Avaya phones are authenticating with MAB. The PCs connect in-line through the phone and are running Dot1x with Microsoft supplicant using EAP-TLS / machine certs to authenticate through ISE to the PKI server. There are some intermittent connectivity problems we are working through.


Question 1.

Customer is deploying dACL for authorization for both the phone and PCs (they just apply dACL to VLANs configured on the switch, so no VLAN swapping). If a dACL is pushed down to a port and the IP Device Tracking database on the switch does not have the IP address of one or both of the phone/PC (to replace the source “any” in the dACL), does the dACL still get applied with “any” for the MAC address with an absent IP in the IPDT tracking db? Or does the switch drop all packets from that MAC address since we need the specific IP to replace the “any” before the dACL gets applied?


Question 2.

The customer has DHCP snooping configured globally but it is not actually enabled on any VLANs. It looks like IPDT database is built by inspecting ARPs from endpoints and from DHCP snooping database. I see the customer has a bunch of IP addresses in the IPDT db but does not have DHCP snooping enabled and hence Dynamic ARP inspection is also not enabled. Just looking to confirm that in this case the switch is just looking at all ARP packets to build the IPDT table as it appears there is no dependency on Dynamic ARP inspection to populate the IPDT table.


Question 3.

The customer is running in Closed Mode and their switch ports are using “dot1x timeout tx-period” of 5 seconds in branch offices with no local ISE PSN server and 2 seconds in campuses with local ISE PSN servers. These timers seem way too short to me as best practice appears to be 10 seconds. I think they did this so that the Avaya phones only need to wait 6 seconds to get access to the network, but this may not be giving the PCs' supplicant time to train up with dot1x to the switch. Given some sporadic disconnect issues they are having, my inclination is to recommend that they use Low Impact mode with a Pre-Auth ACL to allow the Avaya phone to do what it needs to bootstrap and then relax the “dot1x timeout tx-period” timer to 10 seconds. Long setup for the question. Looking for some feedback from anyone who sees a lot of dot1x implementations with this question. Does anyone have a rough percentage of customers who deploy in Low Impact mode versus Closed mode?


Question 4.

I read the doc which talks about reversing the order to MAB --> Dot1x but keeping the priority at Dot1x --> MAB. Questions below are for when the order is reversed like this with MAB first.


Will the switch issue an EAP-Request message right after the PC fails MAB (case when the PC is not in the MAB db)? Or does it behave differently now by waiting for an EAP-Start message from the client?


If the PC is in the MAB db and successfully authenticates with MAB, does the switch wait for an EAP-Start message from the PC to move it from MAB to Dot1x authentication? Or does the switch still proactively send an EAP-Request to the PC even if it successfully authenticated with MAB?


I’m trying to get a sense for how changing the order but keeping the priority in this fashion impacts how/when the switch sends an EAP-Request message. I don’t like this MAB --> Dot1x order approach because of all the unnecessary MAB authentications/failures that occur before Dot1x authenticates the PC. However, I do see the value that it allows MAB devices access to the network right away and still allows you to stay in Closed Mode. I still like Low Impact Mode better as it does not subject ISE to all the unnecessary MAB authentications/failures from the PCs, and the Pre-Auth ACL allows the MAB devices limited access to the wire to do what they need to do while Dot1x times out.


Question 5.

I see the new IBNS 2.0 configuration framework and the ability to allow MAB and Dot1x authentications to occur simultaneously. It seems like this would still cause a lot of unnecessary MAB authentications/failures from PCs much like the scenario in my Question 4 with MAB first in the order. I am trying to determine if the simultaneous authentication support with IBNS 2.0 provides any real benefit or not.


Question 6.

Back to an IP Device Tracking question. The customer is using the following to avoid 0.0.0.0 Duplicate IP address messages on Windows clients but still sporadically sees them.


ip device tracking probe auto-source override

ip device tracking probe delay 30


From my research the only sure-fire way to avoid the Duplicate IP messages is to configure an SVI in every voice and data VLAN and use the “ip device tracking probe use-svi” command. I’m looking for any suggestions on a better approach to their current config. I have seen that 10 seconds is the more common probe delay interval and not the 30 seconds that they have configured.


Any thoughts would be much appreciated.


Thanks.



2 Replies

ognyan.totev
Level 5

Question 6

No need to apply it on every SVI.

Use just one SVI, for example the one for management.

And use ip device tracking probe use-svi.

This works very well in my deployment, where there are central DHCP servers.
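An added example, not from any poster in this thread, of the combination the original post leans toward in Question 3 and the reply above suggests for Question 6: Low Impact mode with a pre-auth ACL, tx-period relaxed to 10 seconds, and IPDT probing sourced from a single SVI. Interface, VLAN numbers, the SVI address and the ACL name are assumptions.

```cisco
! Added example, not from the thread. Interface, VLANs, SVI address and ACL name are assumed.
! Global: IPDT must be on for dACL source substitution (Question 1); the probe settings
! follow the single-SVI approach from the reply above (Question 6).
ip device tracking
ip device tracking probe delay 10
ip device tracking probe use-svi
!
! One SVI is enough as the probe source, e.g. the management VLAN (assumed VLAN 99).
interface Vlan99
 ip address 10.99.0.2 255.255.255.0
!
! Pre-auth ACL (Question 3): lets an Avaya phone bootstrap (DHCP, DNS, TFTP, ICMP)
! while dot1x is still timing out for the PC behind it; everything else waits for
! the dACL that ISE returns after authentication.
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit udp any any eq tftp
 permit icmp any any
 deny   ip any any
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ip access-group PRE-AUTH in
 ! "authentication open" plus the pre-auth ACL is what makes this Low Impact mode.
 authentication open
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication port-control auto
 mab
 dot1x pae authenticator
 ! Relaxed from the customer's 2/5 s to the 10 s the post cites as best practice;
 ! with the pre-auth ACL the phone no longer has to wait for the dot1x timeout.
 dot1x timeout tx-period 10
 spanning-tree portfast
```

Removing the `authentication open` line returns the port to Closed Mode with everything else unchanged.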

hslai
Cisco Employee
(Accepted Solution)

On 1, DACL does not work without IPDT.

On 2, I can't tell what your question is, but some endpoints could have static IP addresses and not be using DHCP at all.

On 3, the decision on low-impact or closed mode is set by the requirements per org. Customers needing high security would opt more toward closed mode.

On 4, MAB usually would succeed. However, if the endpoint initiates DOT1X, then that would preempt MAB.

On 5, ISE does not support simultaneous auth from IBNS 2.0 today. Please do not use that.