802.1x with Microsoft IAS with Printers (Non-supplicant)

TYT


Post by TYT »

Hi,

I have configured an Alcatel 9700 for 802.1x that authenticates to a MS IAS Server running Win2k3 Svr.

I had no problem authenticating via PEAP MS-CHAP V2 for AD users.

However, I always encountered the IAS error event 16 Event 2 Reason-Code 16.

Say I have a non-802.1x printer. On my AD, I have created an account whose username and password for the domain are the MAC address, i.e. 00000e123456

I have enabled port mobility to swing the default vlan 1 to a desired vlan via the IAS policy settings. The same settings are being used for my 1st IAS policy used for users. This is a 2nd 802.1x-MAC IAS policy.

In fact I have included the calling station ID for that printer MAC address.

On the switch, I have preconfigured the statement

802.1x 1/1 non-supplicant policy authentication pass default-vlan fail block

Hope someone can enlighten me.

When I disabled IAS authentication, the switch shows authenticated. Otherwise authentication failed.
benny

Post by benny »

The switch will send the MAC address as a string in capital letters, without delimiters, and the same for username and password.

Changing 00000e123456 to 00000E123456 (username) and 00000E123456 (password) should solve your issue.

-benny
cedric1

Post by cedric1 »

Hello

And be sure to activate PAP in IAS for user authentication, as MAC auth is done in PAP mode.

Cedric
TYT

Post by TYT »

Benny: Oh, so you meant I will need to create the username and password on the AD using capital letters :) No wonder... I read to use small letters :( ...Will remove the account again... and recreate... to try

Also, is there any additional policy I need to add in the IAS policy? Is the calling-station-ID attribute essential? If yes, I assume all in capital letters as well, right? MAC of the printer similar to AD?

Is the Service-Type Attribute essential? Currently I have set it to Framed. As for Framed Protocol, I have set it to PPP.

1 more Q though. When I specify the Vendor-Specific attribute, the vendor code is 800. The vendor-assigned attribute no. is 1. May I know what the Attribute value represents and what to give?

Cedric1: Thanks. I have set to PAP already :)
benny

Post by benny »

1.) You don't need any VSA for this (If you want to return a VLAN ID you can use the IEEE standard attributes)
2.) You don't need any specific policies and you can disregard the calling-station-ID, unless the routing of the request in your radius server would need to be processed somehow based on those values (I don't know your configuration ..)
3.) The service-type will automatically be set by the switch. For supplicant authentication it is "framed-user" while for non-supplicant authentication the value is "call check"
4.) As you don't want to return VSA, you won't need to deal with the vendor code

-benny
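To make benny's points concrete (the upper-case, delimiter-free MAC as both User-Name and User-Password, and Service-Type "call check" for non-supplicant authentication), here is an added example, not code from the thread, from Alcatel or from Microsoft. The shared secret and Request Authenticator are constructed values; the User-Password hiding follows RFC 2865 section 5.2, which is only as strong as the RADIUS shared secret, the reason PAP-based MAC auth is considered weak.

```python
import hashlib
import re

# RADIUS attribute type numbers and Service-Type values (RFC 2865).
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6
SERVICE_TYPE_CALL_CHECK = 10   # non-supplicant (MAC) auth; supplicant auth uses Framed-User (2)


def switch_mac_identity(mac: str) -> str:
    """Normalise any MAC notation to what the switch sends as both User-Name and
    User-Password: twelve upper-case hex digits, no delimiters (00:00:0e:12:34:56
    -> 00000E123456). The printer's AD account must match this exactly."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits.upper()


def hide_pap_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding (PAP): NUL-pad to a multiple of 16, XOR each block
    with MD5(secret + previous cipher block), first block keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_pap_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_pap_password: what the RADIUS server does before checking the password."""
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def mac_auth_attributes(mac: str, secret: bytes, request_authenticator: bytes) -> dict:
    """Attributes of the Access-Request the switch sends for a non-supplicant device,
    keyed by attribute number, as the thread describes them (constructed illustration)."""
    ident = switch_mac_identity(mac)
    return {
        USER_NAME: ident.encode(),
        USER_PASSWORD: hide_pap_password(ident.encode(), secret, request_authenticator),
        SERVICE_TYPE: SERVICE_TYPE_CALL_CHECK,
    }
```

Because the "password" is the device's own MAC address, which any host on the segment can observe, the account gives no more assurance than the MAC itself; treat it as identification, not authentication.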
TYT

Re: 802.1x with Microsoft IAS with Printers (Non-supplicant)

Post by TYT »

Hi Benny, suppose I want to return a VLAN ID, do I need to edit anything under the Alcatelvendor.ini? Because when I choose default IETF, it doesn't seem to work under Cisco ACS.

[User Defined Vendor]

Name=Alcatel
IETF Code=800
VSA 1=Alcatel-Auth-Group
VSA 2=Alcatel-Slot-Port
VSA 3=Alcatel-Time-of-Day
VSA 4=Alcatel-Client-IP-Addr
VSA 5=Alcatel-Group-Desc
VSA 6=Alcatel-Port-Desc
VSA 8=Alcatel-Auth-Group-Protocol
VSA 9=Alcatel-Asa-Access
VSA 10=Alcatel-End-User-Profile
VSA 39=Alcatel-Acce-Priv-F-R1
VSA 40=Alcatel-Acce-Priv-F-R2
VSA 41=Alcatel-Acce-Priv-F-W1
VSA 42=Alcatel-Acce-Priv-F-W2

[Alcatel-Auth-Group]

Type=INTEGER
Profile=OUT

[Alcatel-Slot-Port]

Type=STRING
Profile=OUT

[Alcatel-Time-of-Day]

Type=STRING
Profile=OUT

[Alcatel-Client-IP-Addr]

Type=IPADDR
Profile=OUT

[Alcatel-Group-Desc]

Type=STRING
Profile=OUT

[Alcatel-Port-Desc]

Type=STRING
Profile=OUT

[Alcatel-Auth-Group-Protocol]

Type=STRING
Profile=OUT

[Alcatel-Asa-Access]

Type=STRING
Profile=OUT

[Alcatel-End-User-Profile]

Type=STRING
Profile=OUT

[Alcatel-Acce-Priv-F-R1]

Type=INTEGER
Profile=OUT

[Alcatel-Acce-Priv-F-R2]

Type=INTEGER
Profile=OUT

[Alcatel-Acce-Priv-F-W1]

Type=INTEGER
Profile=OUT

[Alcatel-Acce-Priv-F-W2]

Type=INTEGER
Profile=OUT
silvio
Alcatel Unleashed Certified Guru
Posts: 2107
Joined: 01 Jul 2008 10:51
Location: Germany

Re: 802.1x with Microsoft IAS with Printers (Non-supplicant)

Post by silvio »

Hi TYT,
I haven't used it with Cisco ACS, only with MS IAS and NPS.
If you have Access Guardian (port-security) correctly activated for the port, then it should work with Auth-Group (=vlan id). I prefer the universal "filter-id" (without need of a vendor id). With UNP in the switch you can map the filter-id to a vlan.
For troubleshooting use Wireshark and the logs in your ACS. Be aware that non-supplicant uses an insecure protocol (PAP or CHAP). On MS NPS this is not allowed by default. Don't know for ACS....
hope this is helpful
regards
silvio
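The two ways of returning a VLAN that benny and silvio mention, the IETF tunnel attributes versus the Alcatel-Auth-Group VSA (vendor 800, VSA 1, INTEGER) from the vendor.ini posted above, encoded side by side in an added example that is not code from the thread, Alcatel, Cisco or Microsoft. It assumes the switch accepts untagged (tag byte 0x00) tunnel attributes; VLAN 2 is a constructed value taken from the port example in this thread, and the parser checks each length field against the buffer before trusting it.

```python
import struct

# RADIUS attribute numbers (RFC 2865 / RFC 2868) and the Alcatel values from the vendor.ini above.
VENDOR_SPECIFIC = 26
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
ALCATEL_VENDOR_ID, ALCATEL_AUTH_GROUP = 800, 1   # "IETF Code=800", "VSA 1=Alcatel-Auth-Group"


def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute TLV: Type(1) Length(1, header included) Value; max 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_int(tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: Tag(1) followed by a 3-byte big-endian value; tag 0 = untagged."""
    return bytes([tag]) + value.to_bytes(3, "big")


def vlan_accept_standard(vlan_id: int) -> bytes:
    """Access-Accept attributes using the IETF tunnel attributes benny refers to:
    Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan>."""
    return (attr(TUNNEL_TYPE, tagged_int(0, TUNNEL_TYPE_VLAN))
            + attr(TUNNEL_MEDIUM_TYPE, tagged_int(0, TUNNEL_MEDIUM_IEEE_802))
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([0]) + str(vlan_id).encode()))


def vlan_accept_alcatel_vsa(vlan_id: int) -> bytes:
    """The same VLAN as a Vendor-Specific attribute (RFC 2865 5.26): Vendor-Id 800,
    vendor type 1 (Alcatel-Auth-Group, INTEGER), vendor length 6, 4-byte value."""
    inner = struct.pack("!BB", ALCATEL_AUTH_GROUP, 6) + struct.pack("!L", vlan_id)
    return attr(VENDOR_SPECIFIC, struct.pack("!L", ALCATEL_VENDOR_ID) + inner)


def parse_attrs(data: bytes) -> list:
    """Walk a run of TLVs and return (type, value) pairs, refusing any length field
    that is shorter than the header or would run past the end of the buffer."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out
```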
TYT

Re: 802.1x with Microsoft IAS with Printers (Non-supplicant)

Post by TYT »

Thx Silvio..

Just a quick check: when we perform dynamic vlan on non-802.1x devices such as printers, I noticed after 10 mins the vlan mobility goes off because the mac entry is gone.

Example: switchport 1/1 default vlan 1, mobile vlan 2. After 10 mins, when the mac entry aged out, only vlan 1 remains. The printer cannot be pinged.

Anyone has any suggestions? Thx
silvio

Re: 802.1x with Microsoft IAS with Printers (Non-supplicant)

Post by silvio »

Hi
please try to enable reauthentication at the port (disabled by default).

UserGuide:
An automatic reauthentication process can be enabled or disabled on any 802.1X port. The re-authentication
is used to maintain the 802.1X connection (not to re-authenticate the user). The process is transparent
to the 802.1X supplicant. By default, re-authentication is not enabled on the port.

Regards
Silvio
Whipster

Re: 802.1x with Microsoft IAS with Printers (Non-supplicant)

Post by Whipster »

Good Afternoon All,

I am trying to implement 802.1X MAC address authentication using OS6850E switches, and Microsoft NPS. The problem is that our domain password policy does not allow the username and password to be identical. Is there a way around this, or will I have to create a new OU and block that password policy so that I can implement this solution?

Thanks for any help you can give me.

Rich

Return to “OmniSwitch 9000 / 9000E”