802.1x and port-security sticky mac

Started by config t, July 25, 2019, 11:48:31 AM


config t

I want to preface this by saying I think it's a stupid idea to run both dot1x and sticky mac on the same port.. but..

Some of my customers may be doing it.

My question is thus:

If an interface is configured for both dot1x and sticky MAC and the connected host fails authentication, is the port still hot on the configured VLAN (e.g. `switchport access vlan XXX`)?

I found some documentation stating for dynamic port security entries the host table is cleared upon reaching an unauthenticated state however I could find nothing specifically addressing sticky mac.

Cheers
:matrix:

Please don't mistake my experience for intelligence.

deanwebb

If you fail dot1x on wired, that port goes to err-disabled. You can fix it so the voice VLAN is still available, but that data VLAN is going to be out until the device disconnects.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

config t

Quote from: deanwebb on July 25, 2019, 03:52:32 PM
If you fail dot1x on wired, that port goes to err-disabled. You can fix it so the voice VLAN is still available, but that data VLAN is going to be out until the device disconnects.

+1 :D

Excellent. We don't want them on the network if they fail dot1x.

So, dot1x takes precedence. That was the major question keeping folks awake.

deanwebb

Of course, if you have a device get on through the dot1x MAB, then it will have to match the sticky MAC address on the port to get access after being waved through by dot1x.

Otanx

The way I understand it is port-security is "first". Your client will trip port security if the MAC address source in the EAPOL traffic isn't listed as an authorized MAC. If the MAC is authorized then you can pretend port-security doesn't exist, and the port can be treated as if it just has 802.1x.

I don't remember having any issues when we rolled out 802.1x. We left port-security on till we got 802.1x working everywhere the way we wanted. Then removed the port-security commands and only do 802.1x.

-Otanx



config t

Quote from: Otanx on July 26, 2019, 11:55:56 AM
The way I understand it is port-security is "first". Your client will trip port security if the MAC address source in the EAPOL traffic isn't listed as an authorized MAC. If the MAC is authorized then you can pretend port-security doesn't exist, and the port can be treated as if it just has 802.1x.

I don't remember having any issues when we rolled out 802.1x. We left port-security on till we got 802.1x working everywhere the way we wanted. Then removed the port-security commands and only do 802.1x.

-Otanx

Although it is no longer important to my current customer, I think it's worth saying I randomly stumbled across verbiage in a 3850 configuration guide a few weeks ago stating that port-security does indeed happen "first".
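Added illustration (not from the thread, and not Cisco code): a small Python model of the evaluation order the replies above settle on, where port-security inspects the source MAC before the port's 802.1X state is consulted. The `Port` class, its field names and the result strings are assumptions made for this model; the sample MAC addresses are constructed.

```python
"""Hypothetical model of port-security (sticky) followed by 802.1X on one port."""
from dataclasses import dataclass, field


@dataclass
class Port:
    max_macs: int = 1                       # switchport port-security maximum
    violation: str = "shutdown"             # shutdown | restrict | protect
    sticky: set = field(default_factory=set)  # sticky MACs learned so far
    dot1x_authorized: bool = False          # set by EAP success or MAB
    errdisabled: bool = False


def port_security(port: Port, src_mac: str) -> bool:
    """Stage 1: port-security decides whether this source MAC may use the port."""
    if port.errdisabled:
        return False                        # err-disabled port passes nothing
    if src_mac in port.sticky:
        return True                         # already a secure (sticky) MAC
    if len(port.sticky) < port.max_macs:
        port.sticky.add(src_mac)            # sticky: learn it and keep it
        return True
    if port.violation == "shutdown":
        port.errdisabled = True             # violation in shutdown mode
    return False                            # restrict/protect: frame dropped


def dot1x_result(port: Port, success: bool) -> None:
    """Outcome of EAP or MAB: success opens the data VLAN, failure keeps it closed."""
    port.dot1x_authorized = success


def forward(port: Port, src_mac: str, eapol: bool = False) -> str:
    """Stage 2 runs only if stage 1 passed: unauthorized ports forward EAPOL only."""
    if not port_security(port, src_mac):
        return "drop:port-security"
    if eapol:
        return "to-authenticator"           # EAPOL always reaches the dot1x process
    if not port.dot1x_authorized:
        return "drop:unauthorized"
    return "forward:access-vlan"
```

The constructed cases in the test show the two points of the thread: a host must clear the sticky MAC check before dot1x even sees its EAPOL, and a device that was waved through by dot1x or MAB still gets nothing if its MAC does not match the sticky entry.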