706 Views, 0 Helpful, 2 Replies

802.1x authentication failed records could not disappear

yangsonggui
Level 1

I am running Cisco ACS (Version: 5.4.0.46.0a) 802.1x with certificate-based authentication for wired connections. The issue is that I found some authentication failed messages on some switch ports. When I troubleshoot in ACS, it shows an error: "22056 Subject not found in the applicable identity store(s). : Authentication failed". But I could not find the MAC address on this port. Normally the authentication failed message should disappear after 60 seconds if the device pulls out the cable, but I found the authentication failed session always stays in the switch and the ACS.

For example:

On port Gi1/0/15 there is an Avaya phone and a PC that authenticated successfully, but there is another MAC address that failed. It is strange, since this port does not have any other device connected, so I am confused about this situation. I tried to add one command, "authentication timer inactivity 30", but it seems to be of no use.

switch#show authe se | inc Gi1/0/15
Gi1/0/15   90b1.1c9b.d9c4  dot1x    DATA     Authz Success  0A19F5820001536935ED8383
Gi1/0/15   24d9.214e.39be  dot1x    VOICE    Authz Success  0A19F5820001452D31ECA0FD
Gi1/0/15   8c70.5a29.39be  dot1x    DATA     Authz Failed        0A19F582000150163568626F
switch#show mac add | inc Gi1/0/15
 100    90b1.1c9b.d9c4    STATIC      Gi1/0/15
 300    24d9.214e.39be    STATIC      Gi1/0/15

switch#show run int Gi1/0/15
Building configuration...

Current configuration : 540 bytes
!
interface GigabitEthernet1/0/15
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 300
 duplex full
 authentication event server dead action reinitialize vlan 100
 authentication event server dead action authorize voice
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication port-control auto
 authentication timer inactivity 30
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 storm-control broadcast level 5.00
 spanning-tree portfast
 spanning-tree bpduguard enable

 

switch module: WS-C3750X-48PF-S

switch IOS: c3750e-universalk9-mz.150-2.SE4.bin
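One way to triage this kind of report across many ports is to correlate `show authentication sessions` with `show mac address-table` and list every failed session whose MAC is not currently learned on that port. The script below is an added example, not code from the original thread or from Cisco; the sample output is constructed from the lines quoted above plus a made-up Gi1/0/16 entry (0011.2233.4455) that shows the opposite case, a failed session whose MAC is still present and therefore probably a live device that is genuinely being rejected.

```python
"""Correlate 'show authentication sessions' with 'show mac address-table'
to find 802.1X/MAB sessions stuck in 'Authz Failed' with no MAC behind them.
Added example; parsing is tuned to the column layout quoted in the thread."""
import re
from collections import defaultdict

# Constructed sample output (modelled on the thread's switch, not a live capture).
# The Gi1/0/16 line is invented to show a failed session that is NOT stale.
AUTH_SESSIONS = """\
Gi1/0/15   90b1.1c9b.d9c4  dot1x    DATA     Authz Success  0A19F5820001536935ED8383
Gi1/0/15   24d9.214e.39be  dot1x    VOICE    Authz Success  0A19F5820001452D31ECA0FD
Gi1/0/15   8c70.5a29.39be  dot1x    DATA     Authz Failed        0A19F582000150163568626F
Gi1/0/16   0011.2233.4455  mab      DATA     Authz Failed        0A19F5820001600000000001
"""

MAC_TABLE = """\
 100    90b1.1c9b.d9c4    STATIC      Gi1/0/15
 300    24d9.214e.39be    STATIC      Gi1/0/15
 100    0011.2233.4455    DYNAMIC     Gi1/0/16
"""

MAC = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"
# port  mac  method  domain  'Authz <state>'  session-id
SESSION_RE = re.compile(
    rf"^(?P<port>\S+)\s+(?P<mac>{MAC})\s+(?P<method>\S+)\s+(?P<domain>\S+)\s+"
    r"(?P<status>Authz \S+)\s+(?P<session>\S+)\s*$"
)
# vlan  mac  type  port
MAC_RE = re.compile(rf"^\s*(?P<vlan>\d+)\s+(?P<mac>{MAC})\s+\S+\s+(?P<port>\S+)\s*$")


def parse_sessions(text):
    """Return one dict per session line; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            d = m.groupdict()
            d["mac"] = d["mac"].lower()
            out.append(d)
    return out


def parse_mac_table(text):
    """Map port -> set of MACs currently learned on it."""
    table = defaultdict(set)
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            table[m.group("port")].add(m.group("mac").lower())
    return table


def stale_failed_sessions(sessions_text, mac_text):
    """Failed sessions whose MAC is absent from the MAC table on the same port.

    A failed session with a live MAC behind it is a real rejection to chase in
    the RADIUS server; one with no MAC is a leftover session to clear on the switch.
    """
    learned = parse_mac_table(mac_text)
    return [
        s for s in parse_sessions(sessions_text)
        if s["status"] == "Authz Failed" and s["mac"] not in learned[s["port"]]
    ]


if __name__ == "__main__":
    for s in stale_failed_sessions(AUTH_SESSIONS, MAC_TABLE):
        print(f"{s['port']}: stale failed session {s['mac']} "
              f"({s['method']}/{s['domain']}, id {s['session']})")
```

On the constructed input only the Gi1/0/15 entry 8c70.5a29.39be is reported: it is failed and has no MAC table entry, which is exactly the symptom described in the post. The Gi1/0/16 entry is also failed but its MAC is still learned, so it is left for the RADIUS-side investigation instead.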
2 Replies

Peter Koltl
Level 7

It must have been the Avaya phone before learning the voice VLAN.

Thanks Peter.

You mean the additional MAC belongs to the Avaya phone? But the problem is why this failed authentication session could not clear automatically. And I could find the MAC address in the MAC address table.