For the most part, true, all.
You see, technically, MAB failures are just absence of the MAC address in
the ACS DB (or any other LDAP store, if configured on ACS). So the fact that
a RADIUS Reject comes back from the RADIUS server just means that MAC
address is unknown, hence a Guest VLAN. This applies to data or voice
devices that do not have supplicants on them.
In the case of a dot1x enabled device and invalid credentials (with
supplicants, and hence dot1x case), a RADIUS Reject directly translates into
an AuthFail VLAN.
Mark you though, today on Cisco switches, there is no support for Guest VLAN
on IP phones. The Guest and AuthFail VLANS all apply only to Data devices
and not IP phones. For example, when you have an IP phone and a PC (plugged
in behind the IP phone) both connected to the switch. The client has a
supplicant and the IP phone is doing MAB (which is my understanding of your
use case), then we have these possibilities:
1. IP phone passes and gets on the Voice VLAN (or domain). Client passes and
on the Data VLAN (or domain).
2. IP phone passes and client fails. IP phone gets treated like in #1 and
client gets placed into the AuthFail VLAN, if configured (similarly the
Guest VLAN for a MAB device). Otherwise re-attempt to authenticate the
client after 60 seconds by default - although we can tune a few things to
change behaviour here though.
3. IP phone and client behind it are connected together, the client passes
and IP phone fails. It gets abit nasty here you see. There is a race
condition because the client will make it to the network before the IP phone
(Cisco IP phone anyway, because of CDP and power uo delays, etc). The client
passes and gets placed into the data VLAN. When IP phone fails (MAB in this
case), it would be seeking to be placed into the Guest VLAN. This then means
you will have the Voice VLAN, the data VLAN (where the dot1x client is
already authorized) and the Guest VLAN all potentially needing to forward
traffic from the same physical port. Now, we cant do more than 2 VLANs on a
regular access ports today on Cisco switches, which is the issue.
Hence there is no support for the Guest and AuthFail VLANs for IP phones
today. Hope that helps abit and not confuse you more. Let us know if you
need more info.
Sadiq
On Mon, Nov 1, 2010 at 2:38 PM, Brian Landers <brian_at_bluecoat93.org> wrote:
> On Mon, Nov 1, 2010 at 10:22 AM, GAURAV MADAN <gauravmadan1177_at_gmail.com
> >wrote:
>
> >
> > If my clients are non dot1x capable .. ( say VOIP ph etc ) . Hence I
> > intend to use MAB as authentication method ..
> >
> > What will be used ? Auth-fail vlan ?
> >
> >
> If you have MAB configured on an interface and the authentication fails,
> the
> port will be placed into the guest VLAN if it is configured. If no guest
> VLAN is configured, the port will be shutdown.
>
> The restricted/auth-fail VLAN is only used for clients that support 802.1x
> and fail an EAPoL login attempt.
>
>
> --
> Brian C Landers
> http://www.packetslave.com/
> CCIE #23115 (R&S + Security)
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
>
>
>
>
-- CCIEx2 (R&S|Sec) #19963 Blogs and organic groups at http://www.ccie.netReceived on Mon Nov 01 2010 - 19:13:18 ART
This archive was generated by hypermail 2.2.0 : Sun Dec 05 2010 - 22:14:55 ART