Wired 802.1x endpoints stuck in Unauthorized mab Authc Failed and unable to re-authorize

Madura Malwatte — Fri, 23 Apr 2021 14:34:29 GMT

I hit this behaviour while a typo was made putting in 802.1x config to a cisco 2960x switch running 15.2(2) with IBNS 2.0.

A typo was made when putting in the following two lines of config below, instead of ISE_RADIUS I had ISE_RADIUSB which obviously didn't exist as a radius group in my config:

aaa authorization network default group ISE_RADIUSB

aaa authorization auth-proxy default group ISE_RADIUSB

So afterwards, some devices then didnt seem to get authorized and I saw the following:

Switch#show access-s int gig 1/0/24 de

Interface: GigabitEthernet1/0/24

MAC Address: a023.abcd.2f3c

IPv6 Address: Unknown

IPv4 Address: 10.10.1.2

User-Name: a023abcd2f3c

Status: Unauthorized

Domain: UNKNOWN

Oper host mode: multi-auth

Oper control dir: both

Session timeout: N/A

Restart timeout: N/A

Periodic Acct timeout: N/A

Session Uptime: 71607s

Common Session ID: 0AF23215000002BE5F0DE098

Acct Session ID: Unknown

Handle: 0x75000006

Current Policy: DOT1X-DEFAULT

Local Policies:

OPEN DIR ACL: Open-Dir-ACL

Method status list:

Method State

dot1x Stopped

mab Authc Failed

After fixing up the typo in my config, the endpoints seemed to indefinitely remain in this "Authc Failed" state. I went and then manually cleared the access-session, then the endpoint was able to be authorized correctly.

Switch#clear access-session int gig 1/0/24

Switch#show access-s int gig 1/0/24 de

Interface: GigabitEthernet1/0/24

MAC Address: a023.abcd.2f3c

IPv6 Address: Unknown

IPv4 Address: 10.10.1.2

User-Name: A0-23-AB-CD-2F-3C

Status: Authorized

Domain: DATA

Oper host mode: multi-auth

Oper control dir: both

Session timeout: N/A

Restart timeout: N/A

Periodic Acct timeout: 172800s (local), Remaining: 172744s

Session Uptime: 85s

Common Session ID: 0AF23215000002D56352E1C5

Acct Session ID: 0x00001F6E

Handle: 0xC700000D

Current Policy: DOT1X-DEFAULT

Local Policies:

OPEN DIR ACL: Open-Dir-ACL

Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:

Method status list:

Method State

dot1x Stopped

mab Authc Success

My c3pl policy has the following classes when MAB fails, in particular "authentication-restart 60":

40 class MAB_FAILED do-until-failure
10 terminate mab
20 authentication-restart 60
60 class always do-until-failure
10 terminate dot1x
20 terminate mab
30 authentication-restart 60

So I was expecting this authentication restart will kick in after 60 seconds of getting into a failure state, but it never happened, and the endpoint got stuck. Am I missing something here?

Re: Wired 802.1x endpoints stuck in Unauthorized mab Authc Failed and unable to re-authorize

MHM Cisco World — Sat, 24 Apr 2021 00:34:57 GMT

authorization auth-proxy ? what is you config here are you config HTTP proxy ?

Re: Wired 802.1x endpoints stuck in Unauthorized mab Authc Failed and unable to re-authorize

hslai — Mon, 03 May 2021 03:39:46 GMT

Please make sure to use the latest or recommended IOS code for the NAD. If the issue persists, please engage Cisco TAC to log a bug.

Do also check the EOL announcement -- End-of-Sale and End-of-Life Announcement for the Cisco Catalyst 2960X Product Family End of Sale

topic Wired 802.1x endpoints stuck in Unauthorized mab Authc Failed and unable to re-authorize in Network Access Control

Wired 802.1x endpoints stuck in Unauthorized mab Authc Failed and unable to re-authorize

Re: Wired 802.1x endpoints stuck in Unauthorized mab Authc Failed and unable to re-authorize

Re: Wired 802.1x endpoints stuck in Unauthorized mab Authc Failed and unable to re-authorize