topic Re: Dot1X stuck in running state in Network Access Control

Dot1X stuck in running state

bern81 — Mon, 25 Mar 2019 14:39:24 GMT

Hi all,

I have configured dot1x on some switches and endpoint is windows native supplicant configured for EAP-TLS.

I noticed that some times the port is stuck in dot1x running state for about 45 sec when i perform : sh authen session int g0/8

knowing that during this state i am able to ping normally the endpoint.

After that i see some kind of re-authentication in the radius debug logs and the port is in authc success state.

aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting update newinfo periodic 2880

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 send nas-port-detail mac-only
radius-server vsa send authentication
radius-server vsa send accounting

radius-server dead-criteria time 5 tries 3
radius-server deadtime 3

ip device tracking probe interval 30
ip device tracking probe delay 10
authentication mac-move permit
dot1x system-auth-control
dot1x critical eapol
access-session acl default passthrough
epm logging

#sh system mtu

System MTU size is 1500 bytes

port config:

int g0/8

interface GigabitEthernet0/8
description Bay13_MAB_8021x
switchport access vlan 482
switchport mode access
switchport nonegotiate
load-interval 30
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer restart 75
authentication timer inactivity server
mab
dot1x pae authenticator
dot1x timeout tx-period 3
storm-control broadcast level 5.00
storm-control action shutdown
spanning-tree portfast edge
spanning-tree bpduguard enable
end

I am honestly suspecting something related to EAP-fragments.

because in the first authentication attempt i see the following message:

RADIUS(00000000): Received from id 1645/49
RADIUS/DECODE: EAP-Message fragments, 253+253+253+148, total 907 bytes

sh authentication sessions int g0/8 de (during the running state)
Interface: GigabitEthernet0/8
MAC Address: 4c52.620c.3a37
IPv6 Address: Unknown
IPv4 Address: 10.77.39.181
Status: Unauthorized
Domain: UNKNOWN
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: N/A
Session Uptime: 23s
Common Session ID: 0A000C89000000661F29EFA5
Acct Session ID: Unknown
Handle: 0xC6000004
Current Policy: POLICY_Gi0/8

Method status list:
Method State

dot1x Running

After around 45 sec i see the following message along with the endpoint certificate:

RADIUS/ENCODE: EAP-Message fragment 1492 into 253+253+253+253+253+227, total 1492 bytes

#sh authentication sessions int g0/8 de
Interface: GigabitEthernet0/8
MAC Address: 4c52.620c.3a37
IPv6 Address: Unknown
IPv4 Address: 10.77.39.181
User-Name: U600BC0A.company.biz
Status: Authorized
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: 43200s (server), Remaining: 43194s
Timeout action: Reauthenticate
Restart timeout: N/A
Periodic Acct timeout: 172800s (local), Remaining: 172794s
Session Uptime: 8s
Common Session ID: 0A000C890000006F1F5B500E
Acct Session ID: 0x00000132
Handle: 0x0F00000A
Current Policy: POLICY_Gi0/8

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
Idle timeout: 300 sec

Method status list:
Method State

dot1x Authc Success

sh version:

C2960L Software (C2960L-UNIVERSALK9-M), Version 15.2(6)E1, RELEASE SOFTWARE (fc4) running LAN-Lite license.

Did anyone faced this behavior

Please advise

Re: Dot1X stuck in running state

Arne Bier — Mon, 25 Mar 2019 21:31:51 GMT

tricky one. A few years back I had a customer who had enabled jumbo frames everywhere and ISE couldn't handle it when a large cert chain was exchanged during TLS negotiation. Everything else was working fine though. We eventually had to set the MTU on the switch to something less than 1450 or roundabout. I think I sort of understand MTU but there are always some subtleties.

Re: Dot1X stuck in running state

bern81 — Tue, 26 Mar 2019 08:12:53 GMT

Hi Arne,

The MTU is the default 1500 all the way to the ISE (At least i think that, i have to check the complete path since the ISEs reside in the Data center and reachable via VPLS lines)

I hope this will not create issues in production, because the weird thing is that the endpoint is reachable during the Running State even though the "sh authen session int g0/8 de" shows that the port is unauthorized!

If someone else is facing similar issue please advise if there is a workaround.

Re: Dot1X stuck in running state

Mike.Cifelli — Fri, 29 Mar 2019 19:28:10 GMT

Are you attempting any type of CoA? I am wondering if you would have the same issue if you were running a LAN Base License. LAN Lite supports dot1x, but pretty sure LAN Base provides advanced dot1x features. Not sure if this is the fix, but may be something you want to check here just to check another troubleshooting box.

Re: Dot1X stuck in running state

hslai — Sat, 30 Mar 2019 21:44:09 GMT

ISE 2.4 Patch 2 addressed CSCvf52213, which adds CLI option for MTU -- ip mtu

Re: Dot1X stuck in running state

bern81 — Tue, 02 Apr 2019 07:45:07 GMT

Hi Mike,
I will test on a LAN base box to see if behavior is the same
The issue is that we have more than 2k switches that has to run on LAN-Lite for financial reason (so unfortunately i am stuck with this).

Re: Dot1X stuck in running state

bern81 — Tue, 02 Apr 2019 07:49:42 GMT

Hi Hslai,
We are running ise2.4 patch 6.
I checked the interface it has already an MTU of 1500:

GigabitEthernet 1
flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::2a3:8eff:fe39:c59 prefixlen 64 scopeid 0x20<link>
ether 00:a3:8e:39:0c:59 txqueuelen 1000 (Ethernet)
RX packets 1006235 bytes 60374712 (57.5 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 23 bytes 2106 (2.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device memory 0xfb000000-fb0fffff