05-30-2013 05:52 AM - edited 03-10-2019 08:29 PM
Hi
I've got a curious problem with the authentication of incorrectly authenticated 802.1X clients. In ISE I have selected that every failed authentication should be rejected. But the authentication process starts again and again and does not stop. Here is the log from the switch:
…
May 30 14:10:27.608 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:27.893 METDST: %DOT1X-5-FAIL: Authentication failed for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:27.893 METDST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:28.270 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:28.404 METDST: %DOT1X-5-FAIL: Authentication failed for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:28.404 METDST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:29.118 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:29.361 METDST: %DOT1X-5-FAIL: Authentication failed for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:29.361 METDST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:29.420 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:29.839 METDST: %DOT1X-5-FAIL: Authentication failed for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:29.839 METDST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:30.745 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:30.846 METDST: %DOT1X-5-FAIL: Authentication failed for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:30.846 METDST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:31.794 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:31.928 METDST: %DOT1X-5-FAIL: Authentication failed for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:31.928 METDST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
…
I configured that only one authentication is allowed. If the authentication fails, the port should be blocked. But that does not happen.
A successfully authenticated client always triggers two authentications. That is also curious.
Does anybody have an idea how to solve this behavior?
Many thanks, Marco
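The log above is the kind of pattern a NAC monitoring rule should catch on its own: the same MAC restarting dot1x on the same port several times per second. The following Python script is an added example, not code from the original post, from Cisco or from ISE. It parses the %AUTHMGR-5-START / %DOT1X-5-FAIL syslog lines, groups them per (MAC, interface), counts failures in a sliding window, and reports the shortest gap between consecutive restarts so it can be compared with the configured quiet period. The sample log is constructed: the six START/FAIL pairs are copied from the post, while the second client on Fa0/2 and its %DOT1X-5-SUCCESS line are hypothetical, added so the detector has a non-alerting case. The threshold, window and quiet-period values are arbitrary assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: the six START/FAIL pairs from the switch log in the post
# above, plus one hypothetical client on Fa0/2 that authenticates once and succeeds.
SAMPLE_LOG = """\
May 30 14:10:27.608 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:27.893 METDST: %DOT1X-5-FAIL: Authentication failed for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:27.893 METDST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:28.270 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:28.404 METDST: %DOT1X-5-FAIL: Authentication failed for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:29.118 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:29.361 METDST: %DOT1X-5-FAIL: Authentication failed for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:29.420 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:29.839 METDST: %DOT1X-5-FAIL: Authentication failed for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:30.745 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:30.846 METDST: %DOT1X-5-FAIL: Authentication failed for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:31.794 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:31.928 METDST: %DOT1X-5-FAIL: Authentication failed for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:32.004 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (0c0c.0c0c.0c02) on Interface Fa0/2
May 30 14:10:32.311 METDST: %DOT1X-5-SUCCESS: Authentication successful for client (0c0c.0c0c.0c02) on Interface Fa0/2
"""

# Matches the IOS timestamp, the %FACILITY-SEV-MNEMONIC tag, the client MAC and the
# interface. The interface group is optional so a truncated line still parses.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) \S+: "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): .*?"
    r"\((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) on Interface(?: (?P<iface>\S+))?"
)


def parse_line(line):
    """Parse one IOS syslog line into a dict, or return None for lines we do not track."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # IOS syslog carries no year; strptime defaults to 1900, which is fine for
    # gap arithmetic as long as the log does not cross a year boundary.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f")
    return {"ts": ts, "facility": m["facility"], "mnemonic": m["mnemonic"],
            "mac": m["mac"], "iface": m["iface"] or "unknown"}


def failure_storms(lines, threshold=3, window_s=10.0, quiet_period_s=60.0):
    """Report (mac, iface) pairs whose %DOT1X-5-FAIL count inside any sliding
    window of window_s seconds reaches threshold. Each summary also carries the
    shortest gap between consecutive %AUTHMGR-5-START events and whether that gap
    is shorter than quiet_period_s, i.e. whether dot1x restarted faster than the
    quiet period the operator expects to throttle retries."""
    window = timedelta(seconds=window_s)
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            events[(ev["mac"], ev["iface"])].append(ev)

    storms = {}
    for key, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        starts = [e["ts"] for e in evs
                  if e["facility"] == "AUTHMGR" and e["mnemonic"] == "START"]
        fails = [e["ts"] for e in evs
                 if e["facility"] == "DOT1X" and e["mnemonic"] == "FAIL"]
        # Sliding window: j trails i so that fails[j..i] all lie within `window`.
        peak, j = 0, 0
        for i, t in enumerate(fails):
            while fails[j] < t - window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak < threshold:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        min_gap = min(gaps) if gaps else None
        storms[key] = {
            "starts": len(starts),
            "fails": len(fails),
            "peak_fails_in_window": peak,
            "span_s": (fails[-1] - fails[0]).total_seconds(),
            "min_restart_gap_s": min_gap,
            "restarts_inside_quiet_period": min_gap is not None and min_gap < quiet_period_s,
        }
    return storms


if __name__ == "__main__":
    for (mac, iface), s in failure_storms(SAMPLE_LOG.splitlines()).items():
        print(f"{mac} on {iface}: {s['fails']} failures in {s['span_s']:.3f}s, "
              f"fastest restart {s['min_restart_gap_s']:.3f}s, "
              f"inside quiet period: {s['restarts_inside_quiet_period']}")
```

Run against the sample, the detector reports only the Fa0/1 client: six failures in about four seconds with restarts a few hundred milliseconds apart, far below the 60 second quiet period Marco mentions later in the thread. Feeding the same parser with `show logging` output or a syslog collector's export is the only change needed for real use.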
05-30-2013 05:58 AM
Could you please paste the switch port configuration where the client is connected?
What is the status of CoA on ISE?
Jatin Katyal
- Do rate helpful posts -
05-30-2013 06:01 AM
What you want is to adjust the dot1x quiet-period; this determines how long the client must wait before it can try to authenticate again after a failure.
05-30-2013 06:30 AM
Here the port config:
interface FastEthernet0/1
switchport mode access
switchport voice vlan 3
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation protect
mab
dot1x pae authenticator
dot1x timeout tx-period 3
dot1x max-reauth-req 1
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
@RikJonAtk: dot1x timeout quiet-period is 60 sec by default. I do not want the client to be able to authenticate again.
@Jatin Katyal: Where can I find the status of CoA?
05-30-2013 06:44 AM
I'm not sure you can actually do that, Marco. The closest I can think of is to drop them into a dot1x failed VLAN which you set up as a blackhole...
05-30-2013 06:45 AM
You need to configure auth-fail vlan.
authentication event fail action authorize vlan vlan-id
Jatin Katyal
- Do rate helpful posts -
05-30-2013 07:23 AM
Yes, that is the answer. Thank you both!
I just tested a vulnerability. A simple switch was placed in front of an access port. The port was authenticated by Client1. Client2 was also connected to the network but has no credentials. The clients have the same MAC address.
Is there a solution for this?
05-30-2013 07:28 AM
Yep, MACsec is the answer...
05-30-2013 07:45 AM
Thanks RikJonAtk!
Marco
05-30-2013 10:20 AM
Glad to help!
06-21-2013 12:35 AM
Usually, if the client has no dot1x support, it uses MAB to get access to the network by means of profiling or CWA.
If you configure the default authorization rule to be CWA & profiling, you won't see any restarted authentications.
You will see this happen again only if the client has dot1x support and dot1x has priority over MAB.