Beginner

802.1x Cisco ISE & Catalyst

Hi

I've got a curious problem with the authentication of 802.1x clients that are not correctly authenticated. In ISE I have selected that every failed authentication should be rejected. But the authentication process starts again and again and does not stop. Here is the log from the switch:

May 30 14:10:27.608 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:27.893 METDST: %DOT1X-5-FAIL: Authentication failed for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:27.893 METDST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0c0c.0c0c.0c01) on Interface 0/1
May 30 14:10:28.270 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:28.404 METDST: %DOT1X-5-FAIL: Authentication failed for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:28.404 METDST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0c0c.0c0c.0c01) on Interface
May 30 14:10:29.118 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:29.361 METDST: %DOT1X-5-FAIL: Authentication failed for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:29.361 METDST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:29.420 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:29.839 METDST: %DOT1X-5-FAIL: Authentication failed for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:29.839 METDST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:30.745 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:30.846 METDST: %DOT1X-5-FAIL: Authentication failed for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:30.846 METDST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:31.794 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:31.928 METDST: %DOT1X-5-FAIL: Authentication failed for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:31.928 METDST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1

I configured that only one authentication is allowed. If the authentication fails, the port should be blocked. But that does not happen.

A successfully authenticated client always triggers two authentications. That is also curious.

Does anybody have an idea how to solve this behavior?

Many thanks Marco
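The retry loop in that log can be confirmed mechanically. The following is an added example, not code from the post: it parses the %AUTHMGR/%DOT1X syslog lines above and flags any client whose dot1x failures recur faster than the quiet period the port should enforce (assumed to be the 60 s IOS default). The sample log is constructed from the posted lines.

```python
import re
from datetime import datetime

# Constructed sample: the first three START/FAIL cycles copied from the switch log in the post.
SAMPLE_LOG = """\
May 30 14:10:27.608 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:27.893 METDST: %DOT1X-5-FAIL: Authentication failed for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:28.270 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:28.404 METDST: %DOT1X-5-FAIL: Authentication failed for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:29.118 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:29.361 METDST: %DOT1X-5-FAIL: Authentication failed for client (0c0c.0c0c.0c01) on Interface Fa0/1
"""

# IOS syslog line: "<Mon> <day> <hh:mm:ss.mmm> <tz>: %FACILITY-SEV-MNEMONIC: ... client (<mac>) ..."
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d\.\d{3}) \S+: "
    r"%(?P<msg>[A-Z0-9]+-\d-[A-Z]+): .*client \((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\)"
)

def parse(log):
    """Return [(timestamp, mnemonic, mac)] for every line that matches the pattern."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S.%f")
            events.append((ts, m["msg"], m["mac"]))
    return events

def failure_loops(log, quiet_period=60.0, min_failures=3):
    """Map MAC -> (failure count, shortest gap in seconds) for clients whose
    DOT1X-5-FAIL events repeat faster than the quiet period the port should
    enforce (60 s is the IOS default; assumed here, not read from the switch)."""
    fails = {}
    for ts, msg, mac in parse(log):
        if msg == "DOT1X-5-FAIL":
            fails.setdefault(mac, []).append(ts)
    loops = {}
    for mac, times in fails.items():
        if len(times) < min_failures:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if min(gaps) < quiet_period:
            loops[mac] = (len(times), round(min(gaps), 3))
    return loops

if __name__ == "__main__":
    for mac, (count, gap) in failure_loops(SAMPLE_LOG).items():
        print(f"{mac}: {count} dot1x failures, fastest retry {gap}s (quiet period not honoured)")
```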

Cisco Employee

802.1x Cisco ISE & Catalyst

Could you please paste the switch port configuration where the client is connected?

What is the status of CoA on ISE?

Jatin Katyal


- Do rate helpful posts -

~Jatin Katyal
Enthusiast

802.1x Cisco ISE & Catalyst

What you want is to adjust the dot1x quiet-period; this determines how long the client must wait before it can try to authenticate again after a failure.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/Sw8021x.html#wp1036194

Beginner

Re: 802.1x Cisco ISE & Catalyst

Here is the port config:

interface FastEthernet0/1
switchport mode access
switchport voice vlan 3
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation protect
mab
dot1x pae authenticator
dot1x timeout tx-period 3
dot1x max-reauth-req 1
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root

@RikJonAtk: dot1x timeout quiet-period is 60 sec by default. I do not want the client to be able to authenticate again.

@Jatin Katyal: Where can I find the status of CoA?

Enthusiast

Re: 802.1x Cisco ISE & Catalyst

I'm not sure you can actually do that, Marco? The closest I can think of is to drop them into a dot1x failed VLAN which you set up as a blackhole...

Cisco Employee

Re: 802.1x Cisco ISE & Catalyst

You need to configure auth-fail vlan.

authentication event fail action authorize vlan vlan-id

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-2mt/sec-ieee-auth-fail-vlan.html

Jatin Katyal
- Do rate helpful posts -

~Jatin Katyal


Beginner

Re: 802.1x Cisco ISE & Catalyst

Yes, that is the answer. Thank you both!

I just tested a vulnerability. A simple switch was placed in front of an access port. The port had been authenticated by Client1. Client2 was also connected to the network but has no credentials. The clients have the same MAC address.
Is there a solution for this?

Enthusiast

Re: 802.1x Cisco ISE & Catalyst

Beginner

Re: 802.1x Cisco ISE & Catalyst

Thanks RikJonAtk!

Marco

Enthusiast

Re: 802.1x Cisco ISE & Catalyst

Glad to help!

Participant

802.1x Cisco ISE & Catalyst

Usually, if the client has no dot1x support, it uses MAB to get access to the network by means of profiling or CWA.

If you configure the default authorization rule to be CWA & Profiling, you won't see any restarted authentications.

You will see this happen again only if the client has dot1x support and dot1x has priority over MAB.