topic Re: Dot1x NAC reauthentication issue in Network Security

Dot1x NAC reauthentication issue

cheaseung — Fri, 21 Feb 2020 09:41:02 GMT

Hi,

i setup a test LAB with NAC Dot1x Framework, and i facing an issue where by the port keep on repeating triger reauthntication, althought the next reauthentication is not yet reach, i try configure re-authperiod to using local rather than radious server or event disable the reauthentication but the result is still the same

my lab is using a Cat3560 event upgrade with latest IOS ver c3560-advipservicesk9-mz.122-40.SE but is still the same

when show dot1x interface detail i notise the next re-auth is still alot of sec, but out of sudden the port juz reauthenticed, whereby the CAT detail show status reauthenticating,

CAT version 2.1.103.o with supplicant bundle.

i event try to modify the ctad.ini

SQTimer and all this make no difference

thx

Re: Dot1x NAC reauthentication issue

jafrazie — Fri, 14 Sep 2007 04:17:06 GMT

Can you verify the source of your unexpected re-auth?

If it's the supplicant, you'll see an EAPOL-Start on the wire to initiate it (or maybe an EAPOL-Logoff, but unlikely).

If it's the switch, you'll see an EAPOL-Id-Request frame on the wire from the switch to the supplicant to initiate it.

Thanks,

Re: Dot1x NAC reauthentication issue

cheaseung — Sat, 15 Sep 2007 09:16:16 GMT

Hi jafrazie,

i didn't saw EAPOL-Start or EAPOL-Logoff Request from the debug dot1x packet

in debug dot1x all it show

.Sep 15 12:16:43: dot1x-ev:dot1x_exec_reauth_client: Reauthenticating Authenticator instance on GigabitEthernet0/41

.Sep 15 12:16:43: dot1x-sm:Posting REAUTHENTICATE on Client=31CC01C

.Sep 15 12:16:43: dot1x_auth Gi0/41: during state auth_authenticated, got event 18(reAuthenticate)

.Sep 15 12:16:43: @@@ dot1x_auth Gi0/41: auth_authenticated -> auth_restart

.Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_authenticated_exit called

.Sep 15 12:16:43: dot1x-sm:dot1x_auth_stop_reauth_timer called for 000b.db1b.9eac

.Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_restart_enter called

.Sep 15 12:16:43: dot1x-ev:Sending create new context event to EAP for 000b.db1b.9eac

.Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_authenticated_restart_action called

.Sep 15 12:16:43: dot1x-sm:Posting !EAP_RESTART on Client=31CC01C

.Sep 15 12:16:43: dot1x_auth Gi0/41: during state auth_restart, got event 6(no_eapRestart)

.Sep 15 12:16:43: @@@ dot1x_auth Gi0/41: auth_restart -> auth_connecting

.Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_connecting_enter called

.Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_restart_connecting_action called

.Sep 15 12:16:43: dot1x-packet:Received an EAP request packet from EAP for mac 000b.db1b.9eac

.Sep 15 12:16:43: dot1x-sm:Posting RX_REQ on Client=31CC01C

.Sep 15 12:16:43: dot1x_auth Gi0/41: during state auth_connecting, got event 11(eapReq_no_reAuthMax)

.Sep 15 12:16:43: @@@ dot1x_auth Gi0/41: auth_connecting -> auth_authenticating

.Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_authenticating_enter called

.Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_connecting_authenticating_action called

.Sep 15 12:16:43: dot1x-sm:Posting AUTH_START on Client=31CC01C

iz switch itself genarate the re-auth itself

what could cos this?

could it be something wrong with my config, i do try without NAC, just purely dot1x authentication with original winXP SP2 is still the same

thx,

LIMCS

Re: Dot1x NAC reauthentication issue

jafrazie — Mon, 17 Sep 2007 22:18:49 GMT

Your psec configuration is most likely tripping a re-auth on you every minute. OUY could set the aging criteria to inactivity, or ..

I would humbly recommend disabling psec in this scenario. 1X itself will limit the port to only a single MAC anway, and there's no such thing as aging for it really .. after all, that's why you might want re-auth for to begin with.

Hope this helps,

Re: Dot1x NAC reauthentication issue

cheaseung — Mon, 17 Sep 2007 23:45:15 GMT

hey jaffrazie,

thx alot, u r so great

Dot1x NAC reauthentication issue

cirimpei costel — Fri, 17 May 2013 13:08:12 GMT

Thank you, man. I solved my issue )))