topic Re: Authentication session freeze 802.1x in Network Access Control

Authentication session freeze 802.1x

muhammadtalha — Mon, 29 Jan 2024 05:26:47 GMT

Dear All,

I am facing an issue with my 802.1x wired implementation. The authentication settings on endpoint is computers or users because ise allows domain users and domain computers network access. The issue is that when the user logs out of their pc, after a while when no user is logged in, the pc will not get network access and also in ise I can not see any live session for that pc. When I do show mac address, I can only see the mac address of the IP Phone and not the mac address of the PC, and when I do show authentication session I can see the mac address of the endpoint there but and the status is unauth.

The switch keeps logging dot1x failed for client with mac address (endpoint mac address), which is weird because I do not see the mac address of the endpoint on the interface and also I do not see any log of the mac address in ise live logs.

To solve this issue, I have to manually clear auth session etc, but I do not understand what exactly is happening here. I read the documentation of 802.1x implementation but did not find anything related.

Re: Authentication session freeze 802.1x

Arne Bier — Mon, 29 Jan 2024 06:20:51 GMT

This might be an issue with session management on the switch - if the MAC address is gone, then it could be that the switch has cleared the session because the PC has not sent an Ethernet frame within the Inactivity-Timer period.

can you share your switch interface config:

show derived-config interface <interface> show run | section device-tracking policy

Are you using IBNS 2.0? If so, can you share your policy map? If so, please show us these - and also your Service Template that sets the Inactivity-Timer

show policy-map type control subscriber <name of policy map> show run | section service-template IA-TIMER

Re: Authentication session freeze 802.1x

muhammadtalha — Mon, 29 Jan 2024 06:23:19 GMT

Thanks for your response, I am not using device-tracking policy and also I am using IBNS 2.0.

Re: Authentication session freeze 802.1x

Arne Bier — Mon, 29 Jan 2024 06:32:08 GMT

Device-Tracking is required for NAC to work as expected. It's not something you want to avoid or not configure correctly.

Have a good look at this Guide from Cisco - it's the best starting point for checking that you have all your ducks in a row.

Re: Authentication session freeze 802.1x

muhammadtalha — Mon, 29 Jan 2024 06:43:41 GMT

I tried configuring device tracking on 2960X 15.2(2) E3 but the switch does not support this command. However, when I do IP device tracking interface, I can see the mac address of the IP Phone and vlan of the IP Phone and nothing related to the endpoint vlan or mac address and also the show auth session still has the mac address of the endpoint and is still unauth.

Gi3/0/16 (MAC ADDRESS) N/A UNKNOWN Unauth C0A837170000037F3E7076DD

Re: Authentication session freeze 802.1x

Arne Bier — Mon, 29 Jan 2024 21:48:40 GMT

Check this out first.

We're not clairvoyant. Garbage in, garbage out.