802.1x Authentication fails after Session Timer Expires

EricLu · ‎10-07-2024

Hi folks,

TECH USED:

Cisco ISE 3.2 Patch 6

Cisco Switch with aaa capabilities

3rd party Endpoint

SCENARIO:

We are trying to get a 3rd-party-endpoint to authenticate successfully 802.1x. The endpoint is given an individual certificate that is signed on an Internal CA (EAP-TLS Auth.). The endpoint successfully authenticates on initial "connection up" into the switchport (See Image 1). After the 180 seconds Authentication/Session timer hits 0, the device fails to reinitiate 802.1x Authentication (See Image 2). Shortly afterwards, the switch falls back to MAC Address Bypass (MAB) instead (See Image 3).

Looking at the error logs generated on the switch, we see that the device is not responding to the switch's authentication "keep-alive" and causes the session to timeout (see Image 4). The team ran a test and increased the session timer to 1800 seconds or 30 minutes. The devices stayed authenticated on 802.1x for 30 minutes before falling back to MAB (See Image 5).

I've included the ISE Live Logs for both the successful 802.1x authentication and also one for MAB authentication. (See Document 1 and Document 2)

QUESTION:

Any ideas of what we can do to keep the 802.1x session alive after the initial successful connection?

MHM Cisco World · ‎10-07-2024

authentication timer reauthenticate server <<- use this make ISE push timer not make SW use it timer

MHM

EricLu · ‎10-07-2024

Hi MHM,

Thanks for your response. I checked and we already have that command configured on the 802.1x switch interface. (See attached for the interface configuration).

MHM Cisco World · ‎10-07-2024

In ISE authz policy

Only make double check

Session timeout

the log detail dont show if ISE send back session timeout to SW

MHM

Arne Bier · ‎10-07-2024

@EricLu your configs look alright at first glance.

Since you're dealing with a Catalyst switch, I would recommend taking a capture of the Ethernet interface to see what happens when the session timeout expires. I would have expected that the switch would send an EAPOL Identity Request frame to the supplicant - if you see that, and the supplicant does not respond, then this is not an ISE or switch issue.

Also, check whether there is a MAC address on that interface at the time of re-auth - if there is none, then there cannot be any re-auth. Some devices go to sleep and then the MAC address times out. You can keep the MAC address "alive" with the device-tracking feature, and the Inactivity Timer value in your IBNS 2.0 config - when that inactivity timer counts down to 0, the device tracking should fire and send off an ARP and get a response - that keeps the CAM table valid.

Not sure if you have done such a capture before, but here is my cheat sheet - I am using interface twe1/0/25 in this example, and the output file is called TEST.pcap:

conf t
ip scp server enable
end
monitor capture TEST interface twe1/0/25 both match any
monitor capture TEST file location bootflash:TEST.pcap
monitor capture TEST start
monitor capture TEST stop

If you're using Windows and putty as your terminal app, then you can SCP the file from the switch - username 'admin' - it will prompt for the password:

pscp -scp admin@10.2.13.103:TEST.pcap c:/users/abier/TEST.pcap