How are you dealing with the 802.1x changes in 10.x?

SOLVED
bigben386
Getting noticed

How are you dealing with the 802.1x changes in 10.x?

Just curious if anyone else has run into troubles with the 802.1x changes in 10.x and if so,how you have dealt with it. In 9.x and prior, we could change devices connected behind IP phones at will and the new device would authenticate to the switch and be allowed access. Now with 10.x, only the first device is allowed to authenticate. The switch ignores eap starts from any further clients until we cycle the port. It makes no difference if single host or multi domain is used. We have tried setting a radius timeout but the switch doesn't seem to acknowledge that. Multi host is not an option as it does not support guest vlan. It is frustrating because we have had no issues with 802.1x for 6+ years on our previous procurve switches and for 2+ years on our Meraki switches but now this new firmware is causing a lot of issues for us.

1 ACCEPTED SOLUTION

I ended upgrading all my sites to 11.1 and have had no 802.1x issues since. I haven't found any major issues with the beta yet so the reward has been well worth the risk so far.

View solution in original post

10 REPLIES 10
jcottage
Here to help

Hey bigben386,

 

What radius server are you using?

 

I have seen similar behavior in traditional Cisco(Catalyst) with IP phones. The IP Phone keeps the session active even if the device is disconnected from the phone. We added an idle timeout to the session on the radius server. I'm not sure if the MS devices support that setting. 

We use NPS. I have the radius session timeout set for the policy. I have left the device disconnected from the phone for hours more than the timeout but when I connect a different PC, the switch ignores the request. This is the timeout I have used in the past to force periodic reauth. I have found a setting on the polycom phones that seems to resolve the issue but we use a UCaaS service and I cannot modify anything on their provisioning servers so I have no way to set it globally. I was hoping there is some other alternative. Cisco/Meraki's 802.1x options are a lot more limiting than with our old procurves. On them, we could have multiple authenticated clients per port and still support a guest vlan.

Session time out and idle time out are 2 different timers. I found a good description of the timers on this MR KB. Are you doing MAB auth or 802.1x for the devices down stream of the phones, because when the re-auth timer hits 802.1x auth should fail but MAB may still stick.

 

https://documentation.meraki.com/MR/Splash_Page/Configuring_RADIUS_Authentication_with_a_Sign-on_Spl...

 

I haven't been able to find a KB that lists supportes radius vars for the MS side. 

Hmm. The cisco page has a bit more info https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telepho...

 

They indicate that I need to use the idle timeout and not the session timeout but the Meraki page says idle timeout only works if radius accounting is used but we don't currently use accounting. I will try to mess with setting up radius accounting while I wait to see if our provider can update their polycom provisioning server.

 

Thanks

Seems it doesn't work. I set the NPS policy to have a 5 minute idle timeout. The client is authenticating to the policy and wireshark confirms that the timeout is specified in attribute 28. Well after 5 minutes of disconnecting the device from the phone, there is no deauth event in the meraki logs and I am not able to change devices.

At this point I would reach out to support. This is defiantly not working as intended.

Yeah already have one open. Was just hoping someone had already resolved these issues.

Just a FYI. I got a response from support saying that the MS switches do not support any radius timeouts.

I ended up getting our UCaaS provider to enable second port status reporting on the polycom phones but that exposed an even worse 802.1x bug in the 10.x firmware. Now we have a problem with windows PCs that either slow boot or come out of hibernate. Windows 10 and 7 both send icmpv6 router solicitation packets very early in the boot before 802.1x comes up. This causes the switch to send an eap challenge that fails since the supplicant has not yet started on windows. This causes the PC to be put on the guest vlan. Once the supplicant starts and sends eap starts, the switch is erroneously ignoring them thus my clients are getting stuck on the guest vlan. The only access policy method that works is multi-auth but that does not support guest and I have a requirement for guest vlan. There seems to be no programmatic way to disable ipv6 on the LAN adapter and MS does not recommend disabling it system wide. I tried firewalling some of the icmpv6 traffic with windows firewall but that didn't seem to work either. I have a scheduled task that cycles the LAN port from windows after a power event but it is not 100% reliable. I just had support roll back half my networks to 9.37 to see if that will restore my sanity. Not sure how 802.1x worked "decent" for several years but has gone so sideways in 10.x.

I ended upgrading all my sites to 11.1 and have had no 802.1x issues since. I haven't found any major issues with the beta yet so the reward has been well worth the risk so far.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels