
Flexible Authentication in Cisco SD-Access

With Flex Authentication enabled, 802.1X is attempted first, as the port configuration dictates. If the endpoint does not support 802.1X or fails 802.1X authentication, MAB can then be attempted.

The 802.1X timeout value (tx-period) is changed from the default of 30 seconds to 10 seconds. With three timeouts of 802.1X, the switch fails over to MAB after 30 seconds, so devices that rely on MAB authentication must wait 30 seconds before they can be authenticated.

To perform MAB authentication, the switch sends a RADIUS request to the ISE Policy Service Node (PSN), which looks the MAC address up in its endpoint database of allowed MAC addresses.

Fig 1.1 - Flexible Authentication in Cisco SD-Access

If the device exists in the endpoint database, the authorization succeeds, and the switch grants the endpoint access to the network based on matching authorization policy. If authentication or authorization fails, the endpoint is denied network access.  

If an EAPOL packet is detected from an endpoint that was authenticated with MAB, the switch determines that the device is now 802.1X capable and attempts to perform a full 802.1X authentication. 

Additionally, the authentication session is cleared if the interface link status experiences a change such as a shutdown.

Authentication Host Modes 
Multi-Auth and Multi-Domain are the two recommended host modes. The best practice is to use Multi-Auth host mode, as it offers a balance of security and flexibility during the beginning stages of an 802.1X deployment. The behaviour of Multi-Auth and Multi-Domain is described below:

  • Multi-Auth allows for one voice device per port and virtually unlimited data devices. Each data device and the phone must authenticate individually. This mode allows for a phone with multiple physical or virtual machines behind it. 
  • Multi-Domain allows for one voice and one data device per port, which allows for a phone with only one data device attached. This mode denies the use of NIC bridging or the use of a hub behind the phone.

The host mode is configured on a port-by-port basis using the command "authentication host-mode {multi-auth | multi-domain}". Multi-Auth is recommended over Multi-Domain for environments where VMware bridging and hubs are often in use. While Multi-Domain provides more restrictions, it is often too strict in these environments.
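The per-interface configuration that produces the behaviour described above (802.1X first, fail-over to MAB, the 10-second tx-period giving a 30-second fail-over, and Multi-Auth host mode), written out as an added example in classic IOS interface syntax. This is not a template from Cisco DNA Center or ISE, which provision their own configuration; the interface name, VLAN numbers, RADIUS server address and shared secret are assumed placeholder values.

```cisco
! Added illustrative configuration, not a DNA Center or ISE template.
! Interface, VLANs, server address and secret are assumed values.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! Flex Auth: try 802.1X first, then MAB; 802.1X has priority if both could apply
 authentication order dot1x mab
 authentication priority dot1x mab
 ! A failed 802.1X attempt moves on to the next method (MAB) instead of denying outright
 authentication event fail action next-method
 ! Multi-Auth: one voice device and many data devices, each authenticated individually
 authentication host-mode multi-auth
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 ! tx-period 10 with the default max-reauth-req of 2 means three EAP identity requests,
 ! so an endpoint that never answers EAPOL falls over to MAB after (2 + 1) * 10 = 30 seconds
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
```

To verify the result on the switch, "show authentication sessions interface GigabitEthernet1/0/1 details" lists each endpoint on the port with the method that authorized it (dot1x or mab) and its domain (DATA or VOICE); a MAB-authorized endpoint that later sends EAPOL should reappear with method dot1x, and a link change on the interface should leave the list empty.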

Fig 1.2 - IP Telephony and 802.1X

When Multi-Auth or Multi-Domain is enabled, the switch divides the switchport into two virtual "domains" (a domain is equivalent to a VLAN on a wired network). One domain will be created for voice, and a second domain will be created for data. 

The switch independently and asynchronously authenticates the phone and the device(s) behind the phone. When the phone authenticates successfully, it is given access to the voice domain. When the device behind the phone is authorized, it is given access to the data domain.