topic Re: Unknown behavior of authentication timer and attempts in Network Access Control

Unknown behavior of authentication timer and attempts

Marco__89 — Fri, 24 Jun 2022 14:37:40 GMT

Hi all,

i'm stuck understanding how the authentication timer and attempts work with 802.1X. I'm using catalyst switch 3850 (OS XE 16.5.1a). The interface config is the following

interface GigabitEthernet1/0/46
 switchport access vlan 200
 switchport mode access
 device-tracking attach-policy DeviceTrackingPolicy
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
end

and the config of dot1x PAE is the following

PAE                       = AUTHENTICATOR
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 3
MaxReq                    = 2
TxPeriod                  = 7

As you can see from the reported figure, the total authentication attempts are 2 (with 3 attempts of re-authentication). Also the time period between an EAP failure and the next attempts is equal to 60 seconds.

Does anybody know hot to configure this 2 type of parameters?

Re: Unknown behavior of authentication timer and attempts

Marcelo Morais — Mon, 27 Jun 2022 20:11:21 GMT

Hi @Marco__89 ,

please take a look at the following:

(config-if)# dot1x max-reauth-req 3
(config-if)# authentication event fail retry 2
(config-if)# dot1x timeout tx-period 7
(config-if)# dot1x timeout quiet-period 60 >> the default

in this example the SW sends the following Messages to ISE:
1x Authentication Request
3x Reauthentication Message (dot1x max-reauth-req command)
2x Retries (authentication event fail retry command)
So the Total Messages sent by the SW are: (1 + 3) * 2 = 8.

Note: the Quiet Period default value is 60 sec (the time interval that the device remains in a quiet state following a failed Authentication exchange)

Hope this helps !!!

Re: Unknown behavior of authentication timer and attempts

Marco__89 — Tue, 28 Jun 2022 09:36:56 GMT

Thanks Marcelo for the reply.

I changed a bit the config:

interface GigabitEthernet1/0/46
 switchport access vlan 200
 switchport mode access
 switchport voice vlan 707
 device-tracking attach-policy DeviceTrackingPolicy
 authentication event fail retry 3 action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer restart 10
 authentication timer inactivity server
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 18
 dot1x timeout tx-period 1
 dot1x max-reauth-req 3
 spanning-tree portfast
end

Here i reported the authentication process.

Until packet n. 1498, PC is trying to connect with its windows native 802.1x supplicant. ISE (and therefore the switch) send to it an access-reject (failure eap message). At this point the switch send:

1 Access-Request (authentication message)
3 Reauthentication Attempt messages

After this 4 messages, the switch sends an EAP failure beacause he didn't receive any response from the PC. Note that the PC doesn't respond because (this is mine hypotheisy) its supplicant is in a timeout state and therefore it doesn't respond for a time interval period (i can not find its value neither from windows configuration nor from web forum). After 10 seconds (value of restart timer) it begins the process (sending 4 messages). After that, the switch try to use MAB and doing so it is able to authenticate the user.

In this case the quiet period timer (that i configured with 18 seconds) dosen't beeing used. Instead the restart timer is used.

Also i configured (as you sad) the number of attempts with

authentication event fail retry 3 action next-method

However, as you can see, the switch used 2 attempts to authenticate the PC. Trying also to change this value to 4,5,6 the behaviour is the same as reported in the figure.

Can you explain to me this 2 behavior? Thanks!

Re: Unknown behavior of authentication timer and attempts

Marcelo Morais — Wed, 29 Jun 2022 05:45:52 GMT

Hi @Marco__89 ,

1st: the changes are:

interface GigabitEthernet1/0/46
 switchport voice vlan 707
 authentication event fail retry 3 action next-method
 authentication timer restart 10
 dot1x timeout quiet-period 18
 dot1x timeout tx-period 1
 spanning-tree portfast

2nd: the switchport voice vlan 707 and spanning-tree portfast commands are not part of the discussion.

3rd:
You change the authentication event fail retry from the default 2 to 3.
You change the authentication timer restart from the default 60 to 10.
You change the dot1x timeout quiet-period from the default 60 to 18.
You change the dot1x timeout tx-period from 7 to 1.

4th: you said " ... the Switch sends an EAP failure because he didn't receive any response from the PC ..."

Try to change the dot1x max-eap-req command from the default 2 to other value.

Note: remember that the dot1x max-eap-req command set the maximum number of times the SW sends an EAP Request/Identity Frame (assuming that NO response is received) to the Client before restarting the Authentication Process.

Hope this helps !!!