Problem with 802.1x on C2960S-48TS-L

zuev_oleg — Tue, 19 Oct 2021 13:14:36 GMT

Sometimes after rebooting device connected to 801.x port this device successfully perfoming 802.1x authentication

Oct 19 13:29:27.869 MSK: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/23, changed state to down
Oct 19 13:29:28.980 MSK: %AUTHMGR-5-START: Starting 'dot1x' for client (1060.4b76.0515) on Interface Gi3/0/23 AuditSessionID 00000000000023C057D460F9
Oct 19 13:29:30.831 MSK: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/23, changed state to up
Oct 19 13:29:30.836 MSK: %DOT1X-5-SUCCESS: Authentication successful for client (1060.4b76.0515) on Interface Gi3/0/23 AuditSessionID 00000000000023C057D460F9
Oct 19 13:29:30.889 MSK: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (1060.4b76.0515) on Interface Gi3/0/23 AuditSessionID 00000000000023C057D460F9
Oct 19 13:29:31.832 MSK: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/23, changed state to up

Gi3/0/23     1060.4b76.0515 dot1x   DATA    Auth      00000000000023C057D460F9

But port blocking any traffic to/from this device.

After wait a few minutes - starting new "Auth" session and this port is working normally

Oct 19 13:36:32.462 MSK: %AUTHMGR-5-START: Starting 'dot1x' for client (1060.4b76.0515) on Interface Gi3/0/23 AuditSessionID 00000000000023CB57DAD729
Oct 19 13:36:32.656 MSK: %DOT1X-5-SUCCESS: Authentication successful for client (1060.4b76.0515) on Interface Gi3/0/23 AuditSessionID 00000000000023CB57DAD729
Oct 19 13:36:33.270 MSK: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (1060.4b76.0515) on Interface Gi3/0/23 AuditSessionID 00000000000023CB57DAD729

If i shudown/no shutdown or reconnect ethernet wire - starting a new "Auth" sesssion and port working fine.

Port configuration:

interface GigabitEthernet3/0/23
 description ### Universal WorkPort ###
 switchport access vlan 42
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 400
 switchport port-security maximum 3
 switchport port-security violation  restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 50
 authentication event fail action authorize vlan 997
 authentication event no-response action authorize vlan 997
 authentication host-mode multi-auth
 authentication port-control auto
 authentication periodic
 authentication timer inactivity 15
 mab
 mls qos trust device cisco-phone
 dot1x pae authenticator
 storm-control broadcast level 1.50
 storm-control action shutdown
 no vtp
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 100

Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 15.2(2)E9, RELEASE SOFTWARE (fc4)

On another switch models this configuration working without problems.

Any idea how to fix this?

Re: Problem with 802.1x on C2960S-48TS-L

Greg Gibbs — Tue, 19 Oct 2021 21:29:04 GMT

The first thing you should try is removing the 'switchport port-security' configuration from the switchport. It is not compatible with the mab/dot1x NAC features running on the same switchport and can cause race conditions and unpredictable behaviour.

The same is true of any Catalyst switch model.

Re: Problem with 802.1x on C2960S-48TS-L

zuev_oleg — Wed, 20 Oct 2021 10:53:51 GMT

Removing 'switchport port-security' configuration not helped.

PS. If remove port-security configuration - how to defend from 'mac flooding' type attack?

topic Re: Problem with 802.1x on C2960S-48TS-L in Network Access Control

Problem with 802.1x on C2960S-48TS-L

Re: Problem with 802.1x on C2960S-48TS-L

Re: Problem with 802.1x on C2960S-48TS-L