topic Re: Computer on dot1x enabled port generates fail in switch syslog when it goes to sleep (3CPL) in Network Access Control

Computer on dot1x enabled port generates fail in switch syslog when it goes to sleep (3CPL)

dal — Wed, 22 Jan 2020 14:43:49 GMT

Hi.

As the title say, I have enabled 802.1x (and MAB) via 3CPL and policies on a switchport, and it works fine.

Until the computer falls asleep.

Then the switchport starts to generate error logs like this:

Jan 22 14:16:34.492: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (13e2.1e14.a20a) on Interface GigabitEthernet1/0/13 AuditSessionID FA64320A00015AFCCD99EA23. Failure reason: Authc fail. Authc failure reason: Cred Fail.

every 60 seconds.

I have found that this happens when the NIC on the computer has enabled the "Allow the computer to turn off this device to save power" option... which is enable by default on all Windows computers.

And it needs to stay that way to enable WoL.

So how can I get rid of the error messages in the switch?

Thanks.

Re: Computer on dot1x enabled port generates fail in switch syslog when it goes to sleep (3CPL)

Damien Miller — Wed, 22 Jan 2020 18:01:18 GMT

A logging discriminator would be what I suggest. In my opinion these logs don't provide any value on the switch. When we troubleshoot we look at ISE, or "show auth sessions" to gather the information anyways.

You can do something such as this to stop logging it to the buffer.

logging discriminator AUTHFILT facility drops DOT1X
logging discriminator AUTHFILT facility drops SESSION_MGR
logging buffered discriminator AUTHFILT

Re: Computer on dot1x enabled port generates fail in switch syslog when it goes to sleep (3CPL)

andrewswanson — Fri, 24 Jan 2020 13:40:44 GMT

Yes, I see the same problem with WoL enabled devices. I increased the authentication restart for 802.1x fail/no response to 65535 seconds to decrease the amount of messages - see below.

event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x retries 3 retry-time 30 priority 10
..
event authentication-failure match-first
..
5 class DOT1X_FAILED do-until-failure
10 terminate dot1x
20 authentication-restart 65535
10 class DOT1X_NO_RESP do-until-failure
10 terminate dot1x
20 authentication-restart 65535
..
event agent-found match-all
10 class always do-until-failure
10 terminate mab
20 authenticate using dot1x retries 3 retry-time 30 priority 10

when I was looking at a powershell script to whitelist pxe imaging clients (through the ISE API) I considered using the same script to whitelist WoL PC's (i.e run the script on pc shutdown to whitelist the PC mac and run the script again on pc boot to remove the PC from the whitelist). Seemed way too complicated so I dropped that idea. Script used for whitelisting is available here:

https://github.com/AdamGrossTX/PowershellScripts/tree/master/CiscoISE/External%20RESTful%20Service%20(ERS)%20API

hth
Andy