topic Re: VLAN Toggle issue during 802.1x authentication. in Network Access Control

VLAN Toggle issue during 802.1x authentication.

network_geek1979 — Mon, 09 Jan 2023 11:53:51 GMT

Folks,
We have seen some challenges with 802.1x authentications. The challenge is that authentications work but then during normal operation the 802.1x authentication fails for some reason and the PC goes in the Guest VLAN(or the default VLAN).

We are clueless on why this behavior is being seen. This is seen on Windows/MAC books and even at times on machines which do not have a docking stations.

Our switch port configuration is pretty straightforward. Here is it:

interface GigabitEthernet4/4
switchport access vlan 3
switchport mode access
switchport voice vlan 8
switchport port-security maximum 8
switchport port-security aging time 1
switchport port-security aging type inactivity
switchport port-security
ip device tracking probe interval 30
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer inactivity 300
mab
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast edge
spanning-tree bpduguard enable
spanning-tree guard root
end

VLAN 3 is the production VLAN which the end user must get if the correct user certificate is present.
It works with the correct certificate being presented, but then for whatever reasons during the day toggle between Production VLAN and Guest VLAN keeps happening.

We tried changing the "dot1x timeout tx-period 5" to "dot1x timeout tx-period 10" but this does not help as well.

Any suggestions?

Regards,
N!!

Re: VLAN Toggle issue during 802.1x authentication.

MHM Cisco World — Mon, 09 Jan 2023 11:59:59 GMT

are you sure that the Radius/Tacacs/ISE server is alive when this happened ?

Re: VLAN Toggle issue during 802.1x authentication.

Rob Ingram — Mon, 09 Jan 2023 12:01:22 GMT

@network_geek1979 port security and dot1x configured on the same interface is not supported nor needed, please remove and retest. Can you provide the output of "show run aaa"

Re: VLAN Toggle issue during 802.1x authentication.

network_geek1979 — Tue, 10 Jan 2023 09:15:40 GMT

Yes, we are 100% sure that the radius server is active.

Re: VLAN Toggle issue during 802.1x authentication.

network_geek1979 — Tue, 10 Jan 2023 11:44:14 GMT

Hi, I have it pasted below. (IP addresses are just changed)

*******************************************************

switch#sh run aaa
!
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius
aaa authorization exec default group tacacs+ none
aaa authorization network default group radius
aaa authorization configuration default group tacacs+
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization config-commands
aaa authorization console
aaa accounting exec default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting dot1x default start-stop group radius
aaa accounting update periodic 5
username admin privilege 15 password 7 009988776655
!
!
!
!
aaa server radius dynamic-author
client 1.1.1.1 server-key 7 AOAOAOAOAOAO
client 2.2.2.2 server-key 7 BOBOBOBOBOBO
client 3.3.3.3 server-key 7 COCOCOCOCOCO
client 4.4.4.4 server-key 7 DODODODODODO
client 5.5.5.5 server-key 7 EOEOEOEOEOEO
!
!
radius server server1.mydomain.com
address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
key 7 11223344ABCDE445566
!
radius server server2.mydomain.com
address ipv4 2.2.2.2 auth-port 1812 acct-port 1813
key 7 11223344ABCDE445566

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server deadtime 10
tacacs server tac01
address ipv4 8.8.1.1
key 7 1122334455667788
tacacs server tac02
address ipv4 9.8.1.1
key 7 1122334455667788
tacacs-server directed-request
!
aaa group server radius NACGROUP
server name server1.mydomain.com
server name server2.mydomain.com
!
!
!
aaa new-model
aaa session-id common
!
!

switch#

Re: VLAN Toggle issue during 802.1x authentication.

MHM Cisco World — Wed, 11 Jan 2023 19:20:38 GMT

Hi Friend sorry for late reply,
I build my own model for 802.1x I start this model one half year ago and until now I dont finish it, hope finish it soon.
anyway
the first auth assign the client right VLAN,
the second auth assing wrong VLAN, but why ?
I have theory but I want from you try it in one port and if it success then use it in other port.
my theory is that you config inactivity time 300, this make SW not authz, now after the client active again the SW start new auth process, the client exchange the right secret and SW forward it to radius server,
but here the issue, if the SW when it not authz the port NOT send message to radius to make it know that client is not available then the radius still have client in db.
what we need
we need change inactivity to be reauth and make server assign the reauth timeout.

authentication timer reauthenticate {seconds | server}