06-21-2012 11:14 PM - edited 03-10-2019 07:13 PM
Hello
[Env on my lab investigation]
supplicant - W7 with cert
authenticator - Catalyst 2960 with IOS 15.0(1)SE2 /newest/
authentication server 2x - W2008/NPS like a RADIUS server
[Config some part of authenticator]
interface FastEthernet0/1
switchport access vlan 34
switchport mode access
authentication event fail retry 1 action authorize vlan 47
authentication event server dead action authorize vlan 35
authentication event no-response action authorize vlan 47
authentication event server alive action reinitialize
authentication port-control auto
dot1x pae authenticator
dot1x timeout quiet-period 15
dot1x timeout tx-period 15
spanning-tree portfast
[Symptoms]
After rebooting the authenticator, the supplicant connected to FE0/1 was finally put into the Guest VLAN 47, and before that I saw on the authenticator's console Authentication result 'timeout'; but when the switch is already up and running and I connect the same supplicant (W7 with cert) to the same authenticator port FE0/1, the supplicant is finally put into the static VLAN 34.
[Summary]
The problem is that the end stations still connected to the supplicant port /using EAP-TLS/ after the reboot are all put into the Guest VLAN instead of the static VLAN 34!
[The question]
What is wrong, and how should I configure/tune the authenticator or the authentication server so that I don't see authentication timeouts after the reboot?
Of course, after 20 minutes /the next EAPOL-Start frame/ the supplicant is put into VLAN 34.
[Logs]
During this I observed Wireshark on the supplicant, the authenticator console and Wireshark on the NPS; see below:
1. supplicant and authenticator order of flow in Wireshark:
- supplicant EAPOL Start
- authenticator EAP Request Identity
- supplicant Response Identity, 3 times
- supplicant EAPOL Start
- authenticator EAP Failure
- authenticator EAP Request Identity x2
- supplicant Response Identity x2
and again; more detail about the flow from the Wireshark chart at the end
2. on the authenticator console I saw this:
*Mar 1 00:02:51.563: %DOT1X-5-FAIL: Authentication failed for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
*Mar 1 00:02:51.563: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
*Mar 1 00:02:51.563: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
krasw8021x>
*Mar 1 00:03:52.876: %DOT1X-5-FAIL: Authentication failed for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
*Mar 1 00:03:52.876: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
*Mar 1 00:03:52.876: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
......
and finally
*Mar 1 00:05:00.286: %AUTHMGR-5-VLANASSIGN: VLAN 47 assigned to Interface Fa0/1 AuditSessionID 0A0E2E96000000040003C914
*Mar 1 00:05:01.167: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/1 AuditSessionID 0A0E2E96000000040003C914
*Mar 1 00:05:01.302: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
3. Authentication server:
- NPS didn't receive any RADIUS Access-Request/Response.
[supplicant EAPOL flow chart, source Wireshark; the endpoints in the chart were Cisco_f9:98:81 (authenticator), Dell_12:cf:80 (supplicant) and Nearest]
Time (s) | Direction                   | Frame
0.041    | authenticator -> supplicant | EAP: Request, Identity [RFC3748]
0.045    | authenticator -> supplicant | EAP: Request, Identity [RFC3748]
0.051    | supplicant -> authenticator | EAPOL: Start
0.065    | authenticator -> supplicant | EAP: Request, Identity [RFC3748]
0.075    | supplicant -> authenticator | EAP: Response, Identity [RFC3748]
0.075    | supplicant -> authenticator | EAP: Response, Identity [RFC3748]
18.063   | supplicant -> authenticator | EAPOL: Start
18.065   | authenticator -> supplicant | EAP: Failure
18.268   | authenticator -> supplicant | EAP: Request, Identity [RFC3748]
18.303   | supplicant -> authenticator | EAP: Response, Identity [RFC3748]
18.307   | authenticator -> supplicant | EAP: Request, Identity [RFC3748]
18.307   | supplicant -> authenticator | EAP: Response, Identity [RFC3748]
37.073   | authenticator -> supplicant | EAP: Request, EAP-TLS [RFC5216] [Aboba]
67.941   | authenticator -> supplicant | EAP: Request, EAP-TLS [RFC5216] [Aboba]
98.805   | authenticator -> supplicant | EAP: Request, EAP-TLS [RFC5216] [Aboba]
129.684  | authenticator -> supplicant | EAP: Failure
144.697  | authenticator -> supplicant | EAP: Request, Identity [RFC3748]
160.125  | authenticator -> supplicant | EAP: Request, Identity [RFC3748]
175.561  | authenticator -> supplicant | EAP: Request, Identity [RFC3748]
190.996  | authenticator -> supplicant | EAP: Failure
206.002  | authenticator -> supplicant | EAP: Failure
206.204  | authenticator -> supplicant | EAP: Request, Identity [RFC3748]
212.103  | authenticator -> supplicant | EAP: Request, Identity [RFC3748]
227.535  | authenticator -> supplicant | EAP: Request, Identity [RFC3748]
242.970  | authenticator -> supplicant | EAP: Request, Identity [RFC3748]
/regards Piter
06-29-2012 08:59 AM
Hi,
Did you ever try configuring re-authentication?
Is the client up and running when you connect it to the switch?
Sent from Cisco Technical Support iPad App