topic dot1x timers + static mac aging = connectivity issue in Network Access Control

dot1x timers + static mac aging = connectivity issue

mariya.telitsina — Thu, 13 Oct 2022 09:51:25 GMT

Hello,

I have dot1x enabled on all ports including those to which APs connected.

My scheme is like this:

clients -- Access Point -- Access Switch -- Access Switch -- Access Point -- Clients

when a client moves from one AP to another, his mac address stays in MAC table of a switch forever since it's secure and static.
so when the client tries to authenticate on another AP, he gets an IP address, gets authenticated via dot1x or MAB but he can never get any connectivity until I clear dot1x authentication session for his mac-address.
Does it has something to do with Static mac address aging or dot1x session aging?
I have configured these two commands but it doesn't seem to help.
authentication timer reauthenticate 300
authentication timer inactivity 180
I also have authentication mac-move permit enabled globally.
this issue is happening with wired clients also, not only with wireless. So I'm suspecting it is a static mac address issue.

I do not have a port security enabled, only DAI, but I tried to turn it off while t-shooting.

CAT-NAU-F5-2#sh mac address-table interface gi1/0/37 - this is a port where Access Point is connected
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
1150 00bb.606a.933e STATIC Gi1/0/37
output ommited................................
1150 f8e4.e3d2.f2d0 STATIC Gi1/0/37
Total Mac Addresses for this criterion: 158 - those mac addresses never clear out since it is all static.
CAT-NAU-F5-2#

interface GigabitEthernet1/0/37
description Cisco-AP
switchport access vlan 1150
switchport mode access
switchport voice vlan 357
ip arp inspection limit rate 64
authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 300
authentication timer inactivity 180
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 10
no cdp enable
spanning-tree portfast
end

my version is 122-55.SE12 3750v2

any advice is appreciated!

Re: dot1x timers + static mac aging = connectivity issue

ahollifield — Thu, 13 Oct 2022 11:37:59 GMT

Are your APs in FlexConnect or local mode. This is expected when you are running FlexConnect. You should not be performing 802.1X authentication on FlexConnect APs. What is the use-case for this? I suppose you could change your auth method to multi-host:

authentication host-mode multi-host

That would first authenticate the AP and then all subsequent clients will be permitted without an authentication attempt.

Re: dot1x timers + static mac aging = connectivity issue

mariya.telitsina — Thu, 13 Oct 2022 12:04:46 GMT

thank you for your reply, it is in FlexConnect mode indeed. The thing is that we want everyone to be authenticated via dot1x, both wireless AP and clients. is it not possible?

so I have two options: local mode+dot1x or flexconnect with multihost mode?

Re: dot1x timers + static mac aging = connectivity issue

ahollifield — Thu, 13 Oct 2022 12:20:58 GMT

So your clients are being authenticated twice, once to join the wireless network (802.1X) and once to the switch port (I am assuming MAB). Not a good user experience and one that for sure will lead to roaming and other wireless issues.

Why do you want to have authentication enabled on your AP ports? Why? Compliance reason? Is the AP actually authenticating to ISE using 802.1X?

Yes, those are your two options, if your controller is local (at the same site) to your APs, it would be recommended to use local mode.

The way I see your options:

Disable ISE authentication on the AP Ports
Switch APs to local mode and leave ISE authentication enabled
Change to multi-host mode and leave FlexConnect

Re: dot1x timers + static mac aging = connectivity issue

mariya.telitsina — Thu, 13 Oct 2022 12:57:53 GMT

thanks a lot for your reply, that is really helpful.

i did some googling 🙂 and this is a guide for configuring flexconnect+dot1x in case someone else would also need it.

https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200492-Securing-a-flexconnect-AP-switchport-wit.html