topic Re: dot1x/mab behaviour with flexauth in Network Access Control

dot1x/mab behaviour with flexauth

bern81 — Fri, 08 Feb 2019 11:56:54 GMT

Dear all,

we have the following 802.1x config on our 802.1x switchport:

dot1x system-auth-control

interface FastEthernet0/8
description Bay_38_A036
switchport access vlan 238
switchport mode access
switchport nonegotiate
load-interval 30
authentication event fail action next-method
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 90
authentication timer reauthenticate 60
mab
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-reauth-req 1
storm-control broadcast level 5.00
storm-control action shutdown
spanning-tree portfast
spanning-tree bpduguard enable.

On this port we have win10 endpoint with eap-tls configured.

I produced and error by removing the CA-cert that signed the identity certificate of the ISE from this endpoint.

When i shut/no shut the interface i see the following behaviour:

debug radius authentication

MAB starts and after approx 1/2 sec 802.1x starts (i presume the switch receives an EAPoL Start from the endpoint.

Dot1X fails and after 20 sec (10x (1+1)) it tries dot1x and timeouts.

But we don't see any failover to MAB as next-method.

SW130_A038#sh authentication sessions int f0/8
            Interface: FastEthernet0/8
          MAC Address: Unknown
           IP Address: Unknown
               Status: Running
               Domain: UNKNOWN
       Oper host mode: single-host
     Oper control dir: both
      Session timeout: N/A
         Idle timeout: N/A
    Common Session ID: 0A000C82000014EAAC2E4252
      Acct Session ID: 0x0001F8EC
               Handle: 0xF40004D8

Runnable methods list:
       Method   State
       mab      Running
       dot1x    Not run

and the port stays in this state forever. i don't see on the port any "restart timer" kicking off.

============================================================================

If i modify this cmd:

int f0/8

authentication event fail retry 1 action next-method

and i bounce the port:

MAB starts and after approx 1/2 sec 802.1x starts (i presume the switch receives an EAPoL Start from the endpoint.

Dot1X fails and after 20 sec (10x (1+1)) it tries dot1x and timeouts.it directly performs a failover to the next-method (MAB) and authenticate and authorize successfully.

SW130_A038#sh authentication sessions int f0/8
            Interface: FastEthernet0/8
          MAC Address: 4c52.620c.3a37
           IP Address: Unknown
            User-Name: 4C-52-62-0C-3A-37
               Status: Authz Success
               Domain: DATA
       Oper host mode: single-host
     Oper control dir: both
        Authorized By: Authentication Server
          Vlan Policy: N/A
      Session timeout: 60s (local), Remaining: 12s
       Timeout action: Reauthenticate
         Idle timeout: N/A
    Common Session ID: 0A000C82000014ECAC3E4816
      Acct Session ID: 0x0001F906
               Handle: 0xDA0004F3

Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run

And it periodically reauthenticate via MAB every 60sec (timer reauthenticate 60).

Is this behavior normal ? and why in the first config it is not failing over to the enxt method?

Am i missing something?

WS-C2960+24TC-S 15.0(2)SE6 C2960-LANLITEK9-M

Please advise what normally should be the correct behavior and if there is something wrong in the configuration/timers.

PS: we are using order MAB Dot1x because at the beginning we will have empty endpoints that will be provisioned via PXE boot.

After the installation is successful the Win10 machine will have a pre-installed configuration with EAP-TLS and all the required digital certs in the cert store.

Many thanks in advance

Re: dot1x/mab behaviour with flexauth

paul — Fri, 08 Feb 2019 20:01:34 GMT

Your first test was invalid:

SW130_A038#sh authentication sessions int f0/8
            Interface: FastEthernet0/8
          MAC Address: Unknown
           IP Address: Unknown
               Status: Running
               Domain: UNKNOWN

Nothing happens until the MAC address is learned on the port. You have to map out the behavior after the MAC address is learned. I don't ever do "order mab dot1x" as that can have other issues, but if it is working for you and your deployment continue to use it.

Re: dot1x/mab behaviour with flexauth

howon — Fri, 08 Feb 2019 20:02:14 GMT

I would not test missing certificate as failed scenario as Windows supplicant tends to keep on trying even when the supplicant lacks the certificate. Rather try to force supplicant to untrust ISE certificate instead for failure trigger. Remove 'authentication timer reauthenticate 60' and 'authentication periodic' as it is too frequent for reauth.

Re: dot1x/mab behaviour with flexauth

paul — Fri, 08 Feb 2019 20:06:18 GMT

authentication periodic is fine, but use "authentication timer reauthenticate server" and set the reauthentication timer in ISE. I usually set my reauth timer to 65,000 seconds in ISE.

Re: dot1x/mab behaviour with flexauth

bern81 — Mon, 11 Feb 2019 07:49:39 GMT

Hi Paul,

I lowered down the reauthentication timers just for lab purpose.

This is weird to me why it is not learning the MAC and why when i add retry 1, it start working.

Re: dot1x/mab behaviour with flexauth

bern81 — Mon, 11 Feb 2019 07:55:12 GMT

Hello Hosuk,

this is exactly what i did.

I removed the ISE-CA cert from the windows "Trusted root certificate store" to make the supplicant untrust the ISE-Cert.

This issue here is that for some reason MAB is not working unless i add the retry 1 cmd which makes no sense at all.

Could it be a bug ?

Regarding the timers, i lowered them just for Lab purpose.

Thank you in advance.

Re: dot1x/mab behaviour with flexauth

hslai — Mon, 11 Feb 2019 14:40:12 GMT

It might be specific to your switch platform model and IOS release train. authentication event fail shows the command default is that,

Authentication is attempted two times after the initial failed attempt.

If you suspect it a bug, please open a TAC case so that TAC may help recreating it and gather the debugging info from the switch.

Re: dot1x/mab behaviour with flexauth

bern81 — Mon, 11 Feb 2019 14:50:39 GMT

Hi Hslai,
Just to clarify things since the switch behavior is confusing me and i don't know anymore the correct behaviour.
authentication event fail action next-method
in my config with order MAB Dot1X (with Failed Dot1X) what should it do?
If you can name the timers involved it would be great.

Thank you in advance.

Re: dot1x/mab behaviour with flexauth

bern81 — Wed, 13 Feb 2019 15:56:19 GMT

One more question regarding this topic: I have some switches with IOS Version

WS-C2960+24LC-S 15.2(2)E6 C2960-LANLITEK9-M

on the interface level i don't see "authentication event fail server" command.

Is there any alternative to configure something similar to:

authentication event server dead action authorize vlan 238
authentication event server alive action reinitialize

To put the interface into critical Vlan in case ISE are dead?

Or do i have to upgrade the IOS ?

Re: dot1x/mab behaviour with flexauth

bern81 — Wed, 13 Feb 2019 16:02:40 GMT

Re: dot1x/mab behaviour with flexauth

hslai — Sat, 16 Feb 2019 17:54:06 GMT

Demystifying RADIUS Server Configurations - Cisco explains about various timers.

Your switch is C2960-LANLITEK9-M, which might have limited support on the features. Please check with the switch platform support teams.