2/21/2009 10:35:39 PM
IT Sec tech Posts 7
Does anyone here have any recommendations for how to configure MAB on Cisco 3750s? I'm setting up 802.1X (and eventually NAC) with Juniper's UAC and I'm curious to know if there are any caveats or things to be aware of.
Thanks!

2/25/2009 7:04:06 PM
jgorsky Posts 5
The following is a very basic port config for a 3750 (that already has 802.1X enabled at switch-level) for MAC-auth-bypass. Note that there are multiple timers and other parameters of this config that need to be tuned for desired operation of MAB. If you have specific questions, I will try to answer but this is a pretty big topic.
interface GigabitEthernet1/0/19
 switchport mode access
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout quiet-period 10
 dot1x timeout reauth-period 60
 dot1x timeout tx-period 10
 dot1x timeout supp-timeout 10
 dot1x max-req 1
 dot1x reauthentication
 dot1x auth-fail max-attempts 1
 spanning-tree portfast
!

11/12/2009 11:15:41 PM
nixonc Posts 2
Are these values for the interface settings best practices for switch ports? We have a problem where a port occasionally will not authenticate when a person comes in at the beginning of the day. If they unplug their cable, wait a few seconds, and then plug back in, the port comes back up.

1/4/2010 2:27:22 PM
abeats Posts 5
Chuck, the values listed may be considered best practice based on our experience with a wide range of customers over the past few years. The timers are balanced in such a way that the 1X auth will fail relatively quickly, thus allowing the MAC auth to occur within a reasonable amount of time (potentially reducing connectivity issues associated with extended authentication timers). That being said, are you guys using the Microsoft supplicant? If so, what is the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global" value set to? We've found that tweaking this variable, along with a couple of other registry settings, can bring stability and consistency to the login process (assuming you're using the Microsoft 1X supplicant and you're in an Active Directory environment).
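
An added example, not code from any poster in this thread: a small Python audit of a port stanza like the one posted above, which checks that a MAB port also carries the 802.1X authenticator commands and estimates how long a silent device waits before the switch falls back to MAC auth. The delay formula tx-period × (max-reauth-req + 1) and the defaults of 30 seconds and 2 retries are assumptions about IOS behaviour, not values from the thread; confirm them against your IOS release.

```python
import re

# Assumed IOS defaults, used when a command is absent from the stanza.
DEFAULTS = {"tx-period": 30, "max-reauth-req": 2}

# Constructed sample: the port stanza from the post above.
SAMPLE = """\
interface GigabitEthernet1/0/19
 switchport mode access
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout tx-period 10
 dot1x max-req 1
 spanning-tree portfast
!
"""

def parse_ports(config):
    """Return {interface name: [command, ...]} for each interface stanza."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = []
        elif line == "!" or not line:
            current = None
        elif current:
            ports[current].append(line)
    return ports

def number(cmds, prefix, default):
    """Integer argument of the command starting with prefix, else default."""
    for cmd in cmds:
        m = re.fullmatch(re.escape(prefix) + r" (\d+)", cmd)
        if m:
            return int(m.group(1))
    return default

def audit(cmds):
    """Check MAB prerequisites and estimate seconds until MAB fallback."""
    required = ("dot1x pae authenticator", "dot1x port-control auto")
    tx = number(cmds, "dot1x timeout tx-period", DEFAULTS["tx-period"])
    retries = number(cmds, "dot1x max-reauth-req", DEFAULTS["max-reauth-req"])
    return {"mab": "dot1x mac-auth-bypass" in cmds,
            "missing": [c for c in required if c not in cmds],
            "mab_delay_s": tx * (retries + 1)}  # assumed fallback formula
```
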