False authentication sessions problem

kluczak16 — Mon, 11 Mar 2019 03:31:45 GMT

Hello,

I observe undesirable behavior of my Cisco 3560 switches, which keep authentication sessions for devices that are currently not connected to the network.

To be precise, I mean the sessions relating to the devices that haven't been successfully authenticated and as the result the switch is trying to re-authenticate it. The problem shows up when the device is no longer connected to the network, but switch is still keeping that authentication session (ineffectively trying to authenticate the device that is no longer connected).

For example - int fa0/37 - on that interface is connected 6 devices, while current authentication sessions are 36:

SW1#sh clock
16:54:10.793 CEST Fri Jun 7 2013
SW1#sh mac add int Fa0/37

Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----

82 0012.3fb9.5b3f STATIC Fa0/37

82 28d2.4408.0f31 DYNAMIC Fa0/37

82 28d2.4408.10d9 DYNAMIC Fa0/37

82 28d2.4408.1440 DYNAMIC Fa0/37

82 28d2.4408.39dc DYNAMIC Fa0/37

82 6cf0.4929.4aa8 DYNAMIC Fa0/37
Total Mac Addresses for this criterion: 6

SW1#sh auth sess | i 0/37
Fa0/37 f0de.f15f.3332 N/A DATA Authz Failed 0ACA022A000004751725F612
Fa0/37 28d2.4401.8591 N/A DATA Authz Failed 0ACA022A000005AE9C6AB46B
Fa0/37 0024.1dab.5943 N/A DATA Authz Failed 0ACA022A0000008B630B988D
Fa0/37 0024.1d0b.bd9d dot1x DATA Running 0ACA022A000005867DC8BA06
Fa0/37 28d2.4408.0f31 dot1x DATA Running 0ACA022A000005C2AC8D0728
Fa0/37 f0de.f152.2266 N/A DATA Authz Failed 0ACA022A000000DE8CD63254
Fa0/37 0021.86ff.b4f2 N/A DATA Authz Failed 0ACA022A000005495F07FBBD
Fa0/37 f04d.a251.6135 mab DATA Authz Failed 0ACA022A0000043D0D549EA9
Fa0/37 28d2.4408.1440 dot1x DATA Running 0ACA022A000005C1AC8CD8D3
Fa0/37 0021.ccd8.095c dot1x DATA Running 0ACA022A000004781740E560
Fa0/37 5cf9.dd41.6a35 mab DATA Authz Failed 0ACA022A0000044E11EA7A95
Fa0/37 0012.3fb9.5b3f dot1x DATA Authz Success 0ACA022A0000003924E5D007
Fa0/37 5cf9.dd41.6c06 mab DATA Authz Failed 0ACA022A0000044F11EF1A3B
Fa0/37 0021.cc6e.3db3 dot1x DATA Running 0ACA022A000004A921E704A2
Fa0/37 0021.ccd0.1487 N/A DATA Authz Failed 0ACA022A00000479175405FF
Fa0/37 0021.ccd7.e67f dot1x DATA Running 0ACA022A0000055E6012F3D3
Fa0/37 28d2.4407.209d N/A DATA Authz Failed 0ACA022A0000045012089F38
Fa0/37 0011.4302.d91b N/A DATA Authz Failed 0ACA022A000004A721363771
Fa0/37 28d2.4408.10d9 dot1x DATA Running 0ACA022A000005C0AC8CAB1D
Fa0/37 0013.72ca.549e N/A DATA Authz Failed 0ACA022A0000009F6D129B84
Fa0/37 28d2.4406.28e2 N/A DATA Authz Failed 0ACA022A00000376D9E4E000
Fa0/37 0024.7e10.ef3a N/A DATA Authz Failed 0ACA022A0000003B254891A7
Fa0/37 0026.1823.fa2f dot1x DATA Running 0ACA022A000000D3872D60E0
Fa0/37 3c97.0e83.f722 N/A DATA Authz Failed 0ACA022A000003DFE8AB9EB6
Fa0/37 70f3.9513.c315 dot1x DATA Running 0ACA022A0000050540434445
Fa0/37 6cf0.4929.4aa8 N/A DATA Authz Failed 0ACA022A0000003A24E64567
Fa0/37 001d.7284.4cae dot1x DATA Running 0ACA022A0000008C63D0E95F
Fa0/37 70f3.9513.c420 N/A DATA Authz Failed 0ACA022A00000103B00B97CC
Fa0/37 28d2.4408.39dc dot1x DATA Running 0ACA022A000005C3AC8D33D2
Fa0/37 0013.72b8.ec0b dot1x DATA Running 0ACA022A0000056D695D4C5D
Fa0/37 5cf9.dd41.6c80 mab DATA Authz Failed 0ACA022A000004360D108AA4
Fa0/37 000f.1fe4.6f9f N/A DATA Authz Failed 0ACA022A000000E39161ABC9
Fa0/37 001e.3736.9a6a N/A DATA Authz Failed 0ACA022A000004831C16033E
Fa0/37 0024.7eda.ab58 N/A DATA Authz Failed 0ACA022A0000030ED4955421
Fa0/37 28d2.4402.4bbf N/A DATA Authz Failed 0ACA022A0000005139D52E1E
Fa0/37 0018.8b0c.7882 N/A DATA Authz Failed 0ACA022A000004CC30DD0119

SW1#sh clock
16:54:21.891 CEST Fri Jun 7 2013
SW1#

Only the "clear authentication sess session-id …" executed for that "hanging" session causes its removal:

SW1#clear auth sess sess 0ACA022A000004CC30DD0119

SW1#clear auth sess sess 0ACA022A0000005139D52E1E

SW1#clear auth sess sess 0ACA022A0000030ED4955421

SW1#clear auth sess sess 0ACA022A000004831C16033E

SW1#clear auth sess sess 0ACA022A000000E39161ABC9

SW1#sh auth sess | i 0/37

Fa0/37 f0de.f15f.3332 N/A DATA Authz Failed 0ACA022A000004751725F612

Fa0/37 28d2.4401.8591 N/A DATA Authz Failed 0ACA022A000005AE9C6AB46B

Fa0/37 0024.1dab.5943 N/A DATA Authz Failed 0ACA022A0000008B630B988D

Fa0/37 0024.1d0b.bd9d N/A DATA Authz Failed 0ACA022A000005867DC8BA06

Fa0/37 28d2.4408.0f31 dot1x DATA Running 0ACA022A000005C2AC8D0728

Fa0/37 f0de.f152.2266 N/A DATA Authz Failed 0ACA022A000000DE8CD63254

Fa0/37 0021.86ff.b4f2 N/A DATA Authz Failed 0ACA022A000005495F07FBBD

Fa0/37 f04d.a251.6135 mab DATA Authz Failed 0ACA022A0000043D0D549EA9

Fa0/37 28d2.4408.1440 dot1x DATA Running 0ACA022A000005C1AC8CD8D3

Fa0/37 0021.ccd8.095c dot1x DATA Running 0ACA022A000004781740E560

Fa0/37 5cf9.dd41.6a35 mab DATA Authz Failed 0ACA022A0000044E11EA7A95

Fa0/37 0012.3fb9.5b3f dot1x DATA Authz Success 0ACA022A0000003924E5D007

Fa0/37 5cf9.dd41.6c06 mab DATA Authz Failed 0ACA022A0000044F11EF1A3B

Fa0/37 0021.cc6e.3db3 dot1x DATA Running 0ACA022A000004A921E704A2

Fa0/37 0021.ccd0.1487 dot1x DATA Running 0ACA022A00000479175405FF

Fa0/37 0021.ccd7.e67f dot1x DATA Running 0ACA022A0000055E6012F3D3

Fa0/37 28d2.4407.209d dot1x DATA Running 0ACA022A0000045012089F38

Fa0/37 0011.4302.d91b N/A DATA Authz Failed 0ACA022A000004A721363771

Fa0/37 28d2.4408.10d9 dot1x DATA Running 0ACA022A000005C0AC8CAB1D

Fa0/37 0013.72ca.549e N/A DATA Authz Failed 0ACA022A0000009F6D129B84

Fa0/37 28d2.4406.28e2 dot1x DATA Running 0ACA022A00000376D9E4E000

Fa0/37 0024.7e10.ef3a N/A DATA Authz Failed 0ACA022A0000003B254891A7

Fa0/37 0026.1823.fa2f dot1x DATA Running 0ACA022A000000D3872D60E0

Fa0/37 3c97.0e83.f722 N/A DATA Authz Failed 0ACA022A000003DFE8AB9EB6

Fa0/37 70f3.9513.c315 dot1x DATA Running 0ACA022A0000050540434445

Fa0/37 6cf0.4929.4aa8 N/A DATA Authz Failed 0ACA022A0000003A24E64567

Fa0/37 001d.7284.4cae dot1x DATA Running 0ACA022A0000008C63D0E95F

Fa0/37 70f3.9513.c420 N/A DATA Authz Failed 0ACA022A00000103B00B97CC

Fa0/37 28d2.4408.39dc dot1x DATA Running 0ACA022A000005C3AC8D33D2

Fa0/37 0013.72b8.ec0b dot1x DATA Running 0ACA022A0000056D695D4C5D

Fa0/37 5cf9.dd41.6c80 mab DATA Authz Failed 0ACA022A000004360D108AA4

SW1#sh clock

17:08:54.372 CEST Fri Jun 7 2013

SW1#

SW1#sh ver

Cisco IOS Software, C3560 Software (C3560-IPBASEK9-M), Version 12.2(55)SE7, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Compiled Mon 28-Jan-13 10:10 by prod_rel_team

Image text-base: 0x01000000, data-base: 0x02D00000

Could anyone tell me what is the reason of that switch behavior and what needs to be done to prevent that kind of situation?

I also use Identity Service Engine 1.1.1 and 802.1x authentication. "sh dot1x interface fa0/37 details" in attachment.

If you need anything, don’t hesitate to ask me, please.

I would sincerely appreciate your consideration of this matter.

Best regards!

False authentication sessions problem

Richard Atkin — Sat, 15 Jun 2013 14:33:59 GMT

The switch doesn't know to flush the session after the Client goes because the other switch you're plugging everything in to keeps the interface up... The switch never actually knows the Client has gone, just that it's not communicating any more.

There will be ("should be"!) an automated timer somewhere that flushes these idle sessions. I expect there'll be a specific bit of Dot1x config for this (the re-auth timer, perhaps?), but it could be as simple as the MAC Address-Table Aging-Time?

False authentication sessions problem

kluczak16 — Mon, 17 Jun 2013 10:30:34 GMT

Hello Richard,

thank you so much for replying.

Actually all the switches are configured as following:

interface FastEthernet0/37

switchport access vlan 18

switchport mode access

switchport nonegotiate

switchport voice vlan 24

qos trust dscp

authentication event fail action next-method

authentication host-mode multi-auth

authentication order mab dot1x

authentication priority dot1x mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

mab

auto qos voip trust

dot1x pae authenticator

tx-queue 3

priority high

shape percent 33

spanning-tree portfast

service-policy output autoqos-voip-policy

Is there something wrong with the port config?

Looking forward to hearing from you.

Regards!

Re: False authentication sessions problem

Octavian Szolga — Sat, 22 Jun 2013 20:49:40 GMT

I've said it before, and I'll say it again

In an actual deployment, the last/default authorization rule should permit to do CWA or/and profiling, so that any unauthenticated MAB user should get a match on this rule, thus not restarting auth process.

Regarding the idle sessions, you cand use authetication timer inactivity comand.

Check http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a3.html#wp1060094

topic False authentication sessions problem in Network Access Control

False authentication sessions problem

False authentication sessions problem

False authentication sessions problem

Re: False authentication sessions problem