Sorry, this should have gone with the email.
Sadiq
On Mon, Nov 1, 2010 at 7:13 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
> For the most part, true, all.
>
> You see, technically, MAB failures are just absence of the MAC address in
> the ACS DB (or any other LDAP store, if configured on ACS). So the fact that
> a RADIUS Reject comes back from the RADIUS server just means that MAC
> address is unknown, hence a Guest VLAN. This applies to data or voice
> devices that do not have supplicants on them.
>
> In the case of a dot1x enabled device and invalid credentials (with
> supplicants, and hence dot1x case), a RADIUS Reject directly translates into
> an AuthFail VLAN.
>
> Mark you though, today on Cisco switches, there is no support for Guest
> VLAN on IP phones. The Guest and AuthFail VLANS all apply only to Data
> devices and not IP phones. For example, when you have an IP phone and a PC
> (plugged in behind the IP phone) both connected to the switch. The client
> has a supplicant and the IP phone is doing MAB (which is my understanding of
> your use case), then we have these possibilities:
>
> 1. IP phone passes and gets on the Voice VLAN (or domain). Client passes
> and on the Data VLAN (or domain).
>
> 2. IP phone passes and client fails. IP phone gets treated like in #1 and
> client gets placed into the AuthFail VLAN, if configured (similarly the
> Guest VLAN for a MAB device). Otherwise re-attempt to authenticate the
> client after 60 seconds by default - although we can tune a few things to
> change behaviour here though.
>
> 3. IP phone and client behind it are connected together, the client passes
> and IP phone fails. It gets abit nasty here you see. There is a race
> condition because the client will make it to the network before the IP phone
> (Cisco IP phone anyway, because of CDP and power uo delays, etc). The client
> passes and gets placed into the data VLAN. When IP phone fails (MAB in this
> case), it would be seeking to be placed into the Guest VLAN. This then means
> you will have the Voice VLAN, the data VLAN (where the dot1x client is
> already authorized) and the Guest VLAN all potentially needing to forward
> traffic from the same physical port. Now, we cant do more than 2 VLANs on a
> regular access ports today on Cisco switches, which is the issue.
>
> Hence there is no support for the Guest and AuthFail VLANs for IP phones
> today. Hope that helps abit and not confuse you more. Let us know if you
> need more info.
>
> Sadiq
>
>
> On Mon, Nov 1, 2010 at 2:38 PM, Brian Landers <brian_at_bluecoat93.org>wrote:
>
>> On Mon, Nov 1, 2010 at 10:22 AM, GAURAV MADAN <gauravmadan1177_at_gmail.com
>> >wrote:
>>
>> >
>> > If my clients are non dot1x capable .. ( say VOIP ph etc ) . Hence I
>> > intend to use MAB as authentication method ..
>> >
>> > What will be used ? Auth-fail vlan ?
>> >
>> >
>> If you have MAB configured on an interface and the authentication fails,
>> the
>> port will be placed into the guest VLAN if it is configured. If no guest
>> VLAN is configured, the port will be shutdown.
>>
>> The restricted/auth-fail VLAN is only used for clients that support 802.1x
>> and fail an EAPoL login attempt.
>>
>>
>> --
>> Brian C Landers
>> http://www.packetslave.com/
>> CCIE #23115 (R&S + Security)
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>>
>>
>>
>>
>>
>>
>>
>
>
> --
> CCIEx2 (R&S|Sec) #19963
>
-- CCIEx2 (R&S|Sec) #19963 Blogs and organic groups at http://www.ccie.netReceived on Mon Nov 01 2010 - 19:21:46 ART
This archive was generated by hypermail 2.2.0 : Sun Dec 05 2010 - 22:14:55 ART