topic Re: 802.1x timeout log in Network Access Control

802.1x timeout log

peter.matuska1 — Mon, 06 Mar 2023 10:10:01 GMT

Hi,

The switch 9200L, 17.06.04 has 802.1x enabled. I noticed in the logs that sometimes the 802.1x doesn't finish correctly and the log on the ISE says: 5440 Endpoint abandoned EAP session and started new, the switch log is: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (MAC address) with reason (Timeout) on Interface Gi3/0/35 AuditSessionID 043410AC0000E5C0B633FC57 Username: host/hostname.domain.com

The question is whether this is timeout is caused by the PC or by the switch. The PC has native windows supplicant using EAP-TLS.

thank you

Re: 802.1x timeout log

balaji.bandi — Mon, 06 Mar 2023 10:31:23 GMT

is this for only 1 client or all of them having same issue ? and is this worked on any other switch ? all the switches having same issue ?

what is the version of ISE ? - does the switch has reachability to ISE and what Logs you see on ISE ?

how is your configfuriaton on the switch AAA and port config ?

dot1x timeout tx-period XX ?what timeout config you have here ?

Re: 802.1x timeout log

peter.matuska1 — Mon, 06 Mar 2023 10:42:02 GMT

Hi,

ISE 2.6, patch 12. I noticed that the same issue/log is for more than 1 endpoint and more than 1 switch. Yes, I checked the switch and it has connectivity to ISE, there is no log regarding RADIUS server down.

Re: 802.1x timeout log

balaji.bandi — Mon, 06 Mar 2023 11:03:29 GMT

if you connect same device or user other switch that works ?

For testing any device you know having issue, try to increase the time ?

dot1x timeout tx-period X
dot1x timeout supp-timeout X

Re: 802.1x timeout log

peter.matuska1 — Mon, 06 Mar 2023 11:08:50 GMT

Hi,

I think it will be the same. I will try to modify the timeout on the intefaces.

Re: 802.1x timeout log

MHM Cisco World — Mon, 06 Mar 2023 11:41:31 GMT

Gi3/0/35 <<- the log for this Port is appear when PC connect AND active or connect not active
I think this is normal when PC connect not active
the ISW/ISE will reauth the connect device, if the device not reply then SW/ISE will unauthz the port.
that it no need to change the default timeout if the case is same of above

Re: 802.1x timeout log

Tariq Mahmoud — Mon, 06 Mar 2023 11:34:50 GMT

1. The log from ISE Indicates that the endpoint is not responding. If you check the steps in the detailed live log you will notice that ISE sends an Access-Challenge and that it gets no response for this access challenge.

2. The log from the switch Indicates that the supplicant (PC) is timing out, the switch sends requests to the supplicant but the supplicant never responds during the time window.

This has two possibilities:
1. The supplicant is indeed not responding because of an issue with the supplicant or the protocol flow, you are using machine authentication host/hostname.domain.com maybe the PC was put to sleep or something?

2. The timers configured on the switch are misconfigured.

I believe it would be point#1 because if the timers are the issue then you would face this on a larger scale and more frequently.

Re: 802.1x timeout log

peter.matuska1 — Mon, 06 Mar 2023 11:53:07 GMT

Hi, last time the customer reported the issue was when PC was turned on (not from sleep) and machine and user authentication failed during the boot up and login process. Once the customer unplugged and plug the cable back to the PC, the authentication finished correctly.

Re: 802.1x timeout log

MHM Cisco World — Mon, 06 Mar 2023 12:16:24 GMT

and this will happened each time the Sleep->active time is less than auth timeout.
the solution for me is use inactivity timeout <<- use this timeout only for this user port and monitor the issue.

Re: 802.1x timeout log

Aref Alsouqi — Mon, 06 Mar 2023 16:23:29 GMT

That issue is most likely related to the endpoint, not the switch nor ISE. I came across similar issues and managed to fix them by updating the NIC drivers.

Re: 802.1x timeout log

balaji.bandi — Mon, 06 Mar 2023 18:26:05 GMT

Also you need to collect end device information which was failing - especially NIC cards used.

Some Intel NIC cards having this issue,

Re: 802.1x timeout log

hslai — Sun, 12 Mar 2023 04:43:12 GMT

@peter.matuska1 I agree with most of the responses here, especially Aref's. It might worth to troubleshoot further, e.g, by using one of these guides: