MAB authentication problem between IPTOUCH 40x8 and Radius


Postby bibou » Wed May 16, 2012 8:08 am

If a PC is connected to an Alcatel IP Touch 4028 and is authenticated with EAP-MD5, an EAP-Logoff (see the ALCATEL note below) is sent to the switch when the PC is disconnected from the phone. However, if MAB authentication is used, the switch receives no information when the PC is disconnected from the phone: the session remains open, and a PC can connect to the network without being authenticated!

OmniPCX Enterprise R9.0 – Release description: EAP-Logoff: without this enhancement, if a PC behind the IP Touch was authenticated, it was possible to unplug it and connect another device to the network without re-authentication!
If the PC behind the IP Touch is unplugged, the IP Touch sends an EAP-LOGOFF message on behalf of the PC to the switch. The switch sets the specified MAC address to an unauthenticated state. When the PC is plugged in again, it will need to be re-authenticated.


ANY IDEAS for a solution when using MAC address authentication between an IPTOUCH 40x8 connected to a CISCO switch and a Microsoft 2003 RADIUS server?


Examples of authentication messages:

May 16 09:38:10.914: %AUTHMGR-5-START: Starting 'mab' for client (0022.680d.a095) on Interface Gi1/0/2 AuditSessionID 0A8564BE000000420A9D6128
May 16 09:38:11.045: %MAB-5-SUCCESS: Authentication successful for client (0022.680d.a095) on Interface Gi1/0/2 AuditSessionID 0A8564BE000000420A9D6128
May 16 09:38:11.045: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0022.680d.a095) on Interface Gi1/0/2 AuditSessionID 0A8564BE000000420A9D6128
May 16 09:38:11.045: %AUTHMGR-5-VLANASSIGN: VLAN 264 assigned to Interface Gi1/0/2 AuditSessionID 0A8564BE000000420A9D6128
May 16 09:38:11.418: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0022.680d.a095) on Interface Gi1/0/2 AuditSessionID 0A8564BE000000420A9D6128
ACSE OXE R9/R10 certified
Arkoon firewall ACSA certified
Omniswitch R6 for IP Telephony certified
bibou
Member
 
Posts: 50
Joined: Mon Dec 07, 2009 2:54 am
Location: France

Re: MAB authentication problem between IPTOUCH 40x8 and Rad

Postby bibou » Wed May 16, 2012 8:11 am

Port configuration on the Cisco switch where the IPTOUCH phone is connected:

interface GigabitEthernet1/0/2
 switchport access vlan 2000
 switchport mode access
 network-policy 1
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 mls qos trust dscp
 spanning-tree portfast
end

Re: MAB authentication problem between IPTOUCH 40x8 and Rad

Postby bibou » Tue May 22, 2012 5:34 am

ALCATEL RESPONSE:

When the PC runs an 802.1x supplicant, the phone can listen to EAP messages going out of and coming into the PC and save the 802.1x-authenticated MAC addresses. When the PC port of the IP Touch is unplugged, the phone is then able to forge EAP logoff packets using the previously saved MAC addresses, which makes the switch close the port for these devices.

As far as I understand, in MAB authentication there is no EAP dialogue between the device (PC, printer, fax...) and the switch. The switch simply waits for the EAP authentication timeout (if 802.1x is enabled on this port) and then for traffic coming out of the non-802.1x device. It then sends the MAB request to the RADIUS server and, if the MAC address is allowed, opens its port for this MAC.
There is no way for the IP Touch to tell the switch that the PC session must be closed, contrary to dot1x, where a logoff message can be sent.

Of course, we advise you to use 802.1x as much as possible, MAC authentication being used as a fallback when the devices are not 802.1x capable.

Re: MAB authentication problem between IPTOUCH 40x8 and Rad

Postby bibou » Tue May 22, 2012 5:57 am

SOLUTION: Inactivity Timer

If your switch or phone does not support CDP Enhancement for Second Port Disconnect, the inactivity timer can provide a partial solution for disconnected data devices. When the inactivity timer is enabled, the switch monitors the activity from authenticated endpoints. When a device disconnects, the inactivity timer will count down. When the timer expires, the switch removes the authenticated session. The inactivity timer applies to IEEE 802.1X and MAB sessions.
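As an added example that is not part of the thread and not taken from Cisco or Alcatel documentation, here is the poster's port configuration from the second post beside a version that applies the advice from the last two posts: 802.1X first with MAB as fallback, plus the inactivity timer so an orphaned MAB session ages out. Cisco IOS syntax of the 3750-class switches of that era is assumed; the 300 s and 3600 s values are placeholders to tune for your environment.

```cisco
! Added example (not from the thread). Assumes Cisco IOS with the
! "authentication ..." command set and RADIUS already configured.

! --- Before: MAB only, a PC's session lives on after it is unplugged ---
interface GigabitEthernet1/0/2
 switchport access vlan 2000
 switchport mode access
 network-policy 1
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 mls qos trust dscp
 spanning-tree portfast

! --- After: 802.1X with MAB fallback, sessions expire on inactivity ---
! Global: enable 802.1X authentication on the switch.
dot1x system-auth-control
!
interface GigabitEthernet1/0/2
 switchport access vlan 2000
 switchport mode access
 network-policy 1
 authentication host-mode multi-auth
 authentication port-control auto
 ! Try 802.1X first: for a PC with a supplicant the IP Touch can send
 ! EAP-Logoff on its behalf (see the Alcatel note). MAB is only the
 ! fallback for devices that never answer EAP.
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x pae authenticator
 mab
 ! Remove an authenticated MAC after 300 s without traffic from it.
 ! The orphaned session of an unplugged PC survives until then, and a
 ! legitimate device that stays quiet that long is dropped too, which
 ! is why the guide above calls this a partial solution.
 authentication timer inactivity 300
 ! Alternative: let the RADIUS server return the IETF Idle-Timeout
 ! attribute (28) per device, so chatty PCs and quiet printers can get
 ! different values:
 !   authentication timer inactivity server
 ! Periodic reauthentication re-checks the MAC against RADIUS but does
 ! not end a session whose MAC has simply gone away.
 authentication periodic
 authentication timer reauthenticate 3600
 mls qos trust dscp
 spanning-tree portfast
```

Verify the result with `show authentication sessions interface GigabitEthernet1/0/2` after unplugging the PC: the MAB entry for its MAC should disappear once the inactivity timer has run out.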


AlcatelUnleashed by AlcatelUnleashed is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.
Based on a work at www.AlcatelUnleashed.com.
AlcatelUnleashed is NOT affiliated with or endorsed by Alcatel-Lucent.