topic You are absolutely correct. in Network Access Control

wired 802.1x fails after switch reload

andrewswanson — Mon, 11 Mar 2019 07:22:25 GMT

Hello

I'm testing wired 802.1x with a WS-C3650-48PD 03.06.05E and ISE 2.1. Switch config uses "new" ibns 2.0. 802.1x is working fine and I'm testing it under different scenarios.

The scenario where I am having an issue is when

Windows 7 PC is authenticated successfully - appears under Show access-session
switch is reloaded
After switch reloads, MAB devices are successfully authenticated against ISE
802.1x devices are not authenticated:

%DOT1X-5-FAIL messages apeear on console
packet capture for pc interface shows no eap packets
nothing for 802.1x authnetications appears in ISE logs

The only way to get 802.1x working after the reload is to bounce the port.

Port dotx info is:

PAE = AUTHENTICATOR
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30

Has anyone come across this issue?

Thanks
Andy

I think I may have resolved

andrewswanson — Wed, 18 Jan 2017 16:10:08 GMT

I think I may have resolved this. I was missing the following aaa command from the switch configuration:

aaa accounting system default start-stop group <ISE-RADIUS-GROUP-NAME>

From cisco documentation, this command generates a logoff for 802.1x authenticated clients when a switch reloads.

With this command in place

the windows 7 pc is 802.1x authenticated successfully
switch reloads
when switch boots up, the windows 7 pc authenticates successfully

Cheers
Andy

You are absolutely correct.

nspasov — Wed, 18 Jan 2017 19:05:04 GMT

You are absolutely correct. The "accounting" commands are a must when deploying dot1x:

802.1x Accounting

The 802.1x standard defines how users are authorized and authenticated for network access but does not keep track of network usage. 802.1x accounting is disabled by default. You can enable 802.1x accounting to monitor this activity on 802.1x-enabled ports:
* User successfully authenticates.
* User logs off.
* Link-down occurs.
* Re-authentication successfully occurs.
* Re-authentication fails.

Good job on solving your own issue! Also, thank you for taking the time to come back and update the thread with a solution!

Now if your issue is resolved, you should mark the thread as "answered" 🙂

Thanks Neno

andrewswanson — Wed, 18 Jan 2017 19:30:43 GMT

Thanks Neno

prior to enabling the command:

aaa accounting system default start-stop group <ISE-RADIUS-GROUP-NAME>

I already had the following aaa accounting commands:

aaa accounting update newinfo periodic 2880
aaa accounting identity default start-stop group <ISE-RADIUS-GROUP-NAME>

These worked fine for client accounting but I ran into the issue in the original post when the switch reloaded. Thanks for the reply - I'll mark thread as resolved.

Cheers
Andy

Good deal! I am guessing you

nspasov — Wed, 18 Jan 2017 23:15:30 GMT

Good deal! I am guessing you also have "aaa accounting dot1x...." ?

Yes I did have "aaa

andrewswanson — Thu, 19 Jan 2017 14:19:49 GMT

Yes I did have "aaa accounting dot1x.." but it got converted to "aaa accounting identity.." when I moved to the ibns 2.0 "new style"

Cheers

Andy