https://community.cisco.com/t5/network-access-control/re-authentication-for-wired-dot1x/m-p/3814737#M484544 <P>Hi,</P> <P>&nbsp;</P> <P>I run into the same nightmare with order mab dot1x&nbsp;&nbsp; and priority dot1x mab by facing intermittent loops especially if you get authenticated with mab, then after few minutes the endpoint sends eapol start packet.</P> <P>&nbsp;</P> <P>As an advice use order dot1x mab.&nbsp; if you are afraid of DHCP timeout, you can reduce the dot1x tx timeout period to lets say 4 sec , like this after maximum 12 sec if shifts to the next method if the first fails.</P> <P>&nbsp;</P> <P>Also put the reauthenticate timer to higher value than 60 min.</P> <P>&nbsp;</P> <P>I hope this helped, knowing that this is not exactly your question <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp;</P> Wed, 06 Mar 2019 07:57:59 GMT bern81 2019-03-06T07:57:59Z https://community.cisco.com/t5/network-access-control/re-authentication-for-wired-dot1x/m-p/3814610#M484542 <P>Hi Team,</P> <P>&nbsp;</P> <P>Currently I am working with the customer who had deployed wired dot1x in their environment, As they have some of the switches which does not support IBNS 2.0 they are currently going ahead with IBNS 1.0 implementation at this point.</P> <P>&nbsp;</P> <P>We have FlexAuth implemented for the customer with re-authentication enabled. Here is the interface configuration snip from the switch.</P> <P>&nbsp;</P> <P>switch(config-if)# switchport access vlan <STRONG>&lt;X&gt;</STRONG></P> <P>switch(config-if)# switch access voice <STRONG>&lt;X&gt;</STRONG></P> <P>switch(config-if)# switchport mode access</P> <P>switch(config-if)# authentication event fail retry 0 action next-method</P> <P>switch(config-if)# dot1x pae authenticator</P> <P>switch(config-if)# authentication port-control auto</P> <P>switch(config-if)# spanning-tree portfast</P> <P>switch(config-if)# authentication control-direction in</P> <P>switch(config-if)# <STRONG>authentication order mab dot1x</STRONG></P> <P>switch(config-if)# <STRONG>authentication priority dot1x mab</STRONG></P> <P>switch(config-if)# ip access-group <STRONG>ACL-PRE-AUTH</STRONG> in</P> <P>switch(config-if)# authentication open <STRONG>!!!!!Used for Monitor Mode</STRONG></P> <P>switch(config-if)# authentication violation restrict</P> <P>switch(config-if)# dot1x timeout tx-period 10</P> <P>switch(config-if)# authentication periodic</P> <P>switch(config-if)# authentication timer reauthenticate server</P> <P>SWITCH(config-if)# authentication timer inactivity server dynamic</P> <P>switch(config-if)# authentication host-mode multi-domain</P> <P>switch(config-if)# mab</P> <P>switch(config-if)# authentication event server dead action reinitialize vlan CRITICAL_VLAN</P> <P>switch(config-if)# authentication event server dead action authorize voice</P> <P>switch(config-if)# authentication event server alive action reinitialize</P> <P>&nbsp;</P> <P>when the reauth timer expires (60 minutes) our Dot1x windows machines are dropping into the default MAB Authz policy which is a known issue. As per the <A href="https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html#wp9000028" target="_blank">flexible auth document</A> , “if you do perform reauthentication, reauthentication always returns to the first method (MAB).”</P> <P>&nbsp;</P> <P>We can use Cisco AV Pair = “termination-action-modifer=1” to instruct switch to use the last successful method. This does not seems to work with Catalyst 2960X running Version 15.2(6)E1.</P> <P>&nbsp;</P> <P>Also I did not find much information for the same on Cisco documents. As this is not supported by some devices. We enabled Advance settings for the supplicant, which seems to fix this issue, Below is a screenshot of the group policy config that does seems to fix the issue.</P> <P>&nbsp;</P> <P>&lt;Please refer the attachment&gt;</P> <P>&nbsp;</P> <P>I would like to ask for your advice, should we suggest customer to proceed with the above settings for supplicants “advance security settings enabled” or do we have any other workaround which can force switch re-authentication to use dot1x for dot1x capable devices?</P> <P>&nbsp;</P> <P>Appreciate&nbsp; your assistance on this,</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Thanks and Regards,</P> <P>Parm</P> Wed, 06 Mar 2019 00:16:42 GMT https://community.cisco.com/t5/network-access-control/re-authentication-for-wired-dot1x/m-p/3814610#M484542 parmsing 2019-03-06T00:16:42Z https://community.cisco.com/t5/network-access-control/re-authentication-for-wired-dot1x/m-p/3814737#M484544 <P>Hi,</P> <P>&nbsp;</P> <P>I run into the same nightmare with order mab dot1x&nbsp;&nbsp; and priority dot1x mab by facing intermittent loops especially if you get authenticated with mab, then after few minutes the endpoint sends eapol start packet.</P> <P>&nbsp;</P> <P>As an advice use order dot1x mab.&nbsp; if you are afraid of DHCP timeout, you can reduce the dot1x tx timeout period to lets say 4 sec , like this after maximum 12 sec if shifts to the next method if the first fails.</P> <P>&nbsp;</P> <P>Also put the reauthenticate timer to higher value than 60 min.</P> <P>&nbsp;</P> <P>I hope this helped, knowing that this is not exactly your question <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp;</P> Wed, 06 Mar 2019 07:57:59 GMT https://community.cisco.com/t5/network-access-control/re-authentication-for-wired-dot1x/m-p/3814737#M484544 bern81 2019-03-06T07:57:59Z https://community.cisco.com/t5/network-access-control/re-authentication-for-wired-dot1x/m-p/3817743#M484548 <P>Thanks Mate,</P> <P>&nbsp;</P> <P>Yes reversing order is another option but I was wondering is changing advance settings for dot1x is going to address this issue permanently or temporarily and if this is suggested by ISE Team.</P> <P>&nbsp;</P> <P>Regards,</P> <P>Parm</P> Tue, 12 Mar 2019 02:22:08 GMT https://community.cisco.com/t5/network-access-control/re-authentication-for-wired-dot1x/m-p/3817743#M484548 parmsing 2019-03-12T02:22:08Z