We have 802.1x with a RADIUS server.
C2960 configured to allow only one device per port, with no MAC bypass and no critical auth.
From time to time a user seems to get multiple authentications on a single port with a single MAC address.
So we get several sessions on the port with the same login and MAC (but different session IDs).
The command "dot1x re-auth int" doesn't clear those sessions. Neither does "force-unauthorized" or "shut/no shut". The only thing that helps is rebooting the switch.
It happens with different users.
Has anybody seen this issue?
IOS 12.2(46)SE
Could you please post your config and also "show authentication session"?
Sure. Tried to make it short.
Config for 802.1x-aaa:
!
aaa new-model
!
!
aaa group server radius default
 server X.X.X.X auth-port 12345 acct-port 12346
!
aaa authentication login default group radius enable
aaa authentication dot1x default group radius
aaa authorization exec default group radius if-authenticated
aaa authorization network default local group radius
aaa authorization reverse-access default group radius
aaa accounting suppress null-username
aaa accounting update periodic 1
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting system default start-stop group radius
!
!
aaa session-id common
!
dot1x system-auth-control
!
!
!
interface FastEthernet0/48
 switchport access vlan 1398
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode shutdown
 spanning-tree portfast
 spanning-tree link-type point-to-point
!
!
radius-server attribute 44 include-in-access-req
radius-server attribute 44 extend-with-addr
radius-server attribute 188 format non-standard
radius-server attribute 218 mandatory
radius-server attribute 32 include-in-accounting-req format %i %h %d
radius-server attribute 55 include-in-acct-req
radius-server attribute list att
 attribute 30-31,44
!
radius-server host X.X.X.X auth-port 12345 acct-port 12346 key keykeykey
radius-server vsa send accounting
!
sh dot1x int fa 0/48 det
Dot1x Info for FastEthernet0/48
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
Violation Mode = SHUTDOWN
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
Dot1x Authenticator Client List Empty
Port Status = UNAUTHORIZED
And right now, while the port is UNAUTHORIZED, we have 2 sessions as follows:
sh aaa user all
--------------------------------------------------
Unique id 34974 is currently in use.
Accounting:
log=0x208241
Events recorded :
CALL START
ATTR REPLACE
NET UP
INTERIM START
VPDN NET UP
update method(s) :
PERIODIC
update interval = 60
Outstanding Stop Records : 0
Dynamic attribute list:
0244DC34 0 00000001 connect-progress(44) 4 Auth Open
0244DC48 0 00000001 pre-session-time(272) 4 0(0)
0244DC5C 0 00000001 elapsed_time(339) 4 4828941(49AF0D)
0244DC70 0 00000001 input-giga-words(111) 4 2(2)
0244DC84 0 00000001 output-giga-words(250) 4 8(8)
024A8C10 0 00000001 bytes_in(112) 4 119041621(7186E55)
024A8C24 0 00000001 bytes_out(252) 4 3588031221(D5DD02F5)
024A8C38 0 00000001 pre-bytes-in(268) 4 7373(1CCD)
024A8C4C 0 00000001 pre-bytes-out(269) 4 8204(200C)
024A8C60 0 00000001 paks_in(113) 4 45940138(2BCFDAA)
024A8CB0 0 00000001 paks_out(253) 4 46979788(2CCDACC)
024A8CC4 0 00000001 pre-paks-in(270) 4 68(44)
024A8CD8 0 00000001 pre-paks-out(271) 4 61(3D)
No data for type EXEC
No data for type CONN
NET: Username=(n/a)
Session Id=000088AD Unique Id=0000889E
Start Sent=0 Stop Only=N
stop_has_been_sent=N
Method List=0
Attribute list:
024CAA00 0 00000001 session-id(336) 4 34989(88AD)
024CAA14 0 00000001 start_time(342) 4 Jan 23 2012 16:22:08
--------
No data for type CMD
No data for type SYSTEM
No data for type RM CALL
No data for type RM VPDN
No data for type AUTH PROXY
8: Username=157102
Session Id=000088AD Unique Id=0000889E
Start Sent=1 Stop Only=N
stop_has_been_sent=N
Method List=226B3E4 : Name = default
Attribute list:
0244DB94 0 00000001 session-id(336) 4 34989(88AD)
0244DBA8 0 00000001 start_time(342) 4 Jan 23 2012 16:22:08
0244DBBC 0 00000009 audit-session-id(599) 24 0AC5010200001C45A5C67429
--------
No data for type IPSEC-TUNNEL
No data for type RESOURCE
No data for type 11
No data for type 12
No data for type CALL
No data for type VPDN-TUNNEL
No data for type VPDN-TUNNEL-LINK
Debg: No data available
Radi: 2032FD8
Interface:
TTY Num = -1
Stop Received = 0
Byte/Packet Counts till Call Start:
Start Bytes In = 993512241 Start Bytes Out = 3867828098
Start Paks In = 23586320 Start Paks Out = 28511581
Byte/Packet Counts till Service Up:
Pre Bytes In = 993519614 Pre Bytes Out = 3867836302
Pre Paks In = 23586388 Pre Paks Out = 28511642
Cumulative Byte/Packet Counts :
Bytes In = 1112561235 Bytes Out = 3160900227
Paks In = 69526526 Paks Out = 75491430
StartTime = 16:22:08 GMT+5 Jan 23 2012
AuthenTime = 16:22:08 GMT+5 Jan 23 2012
Component = DOT1X
Authen: service=8021X type=EAP method=RADIUS
Kerb: No data available
Meth: No data available
PreA: No data available
General:
Unique Id = 0000889E
Session Id = 000088AD
Attribute List:
024A8C10 0 00000001 port-type(174) 4 Ethernet
024A8C24 0 00000009 interface(170) 16 FastEthernet0/48
024A8C38 0 00000009 dnis(50) 17 00-18-B9-F5-5B-30
024A8C4C 0 00000009 clid(37) 17 48-5B-39-EA-26-7C
PerU: No data available
--------------------------------------------------
Unique id 34976 is currently in use.
Accounting:
log=0x10000208241
Events recorded :
CALL START
ATTR REPLACE
NET UP
INTERIM START
VPDN NET UP
SESSION INFO
update method(s) :
PERIODIC
update interval = 60
Outstanding Stop Records : 0
Dynamic attribute list:
024CAA00 0 00000001 connect-progress(44) 4 Auth Open
024CAA14 0 00000001 pre-session-time(272) 4 2(2)
024CAA28 0 00000001 elapsed_time(339) 4 4828961(49AF21)
024CAA3C 0 00000001 input-giga-words(111) 4 2(2)
024CAA50 0 00000001 output-giga-words(250) 4 8(8)
024CAAA0 0 00000001 bytes_in(112) 4 119021816(71820F8)
024CAAB4 0 00000001 bytes_out(252) 4 3588011179(D5DCB4AB)
024CAAC8 0 00000001 pre-bytes-in(268) 4 6219(184B)
024CAADC 0 00000001 pre-bytes-out(269) 4 7005(1B5D)
024CAAF0 0 00000001 paks_in(113) 4 45939933(2BCFCDD)
0244DB94 0 00000001 paks_out(253) 4 46979618(2CCDA22)
0244DBA8 0 00000001 pre-paks-in(270) 4 59(3B)
0244DBBC 0 00000001 pre-paks-out(271) 4 51(33)
No data for type EXEC
No data for type CONN
NET: Username=(n/a)
Session Id=000088AF Unique Id=000088A0
Start Sent=0 Stop Only=N
stop_has_been_sent=N
Method List=0
Attribute list:
024A8C10 0 00000001 session-id(336) 4 34991(88AF)
024A8C24 0 00000001 start_time(342) 4 Jan 23 2012 16:22:18
--------
No data for type CMD
No data for type SYSTEM
No data for type RM CALL
No data for type RM VPDN
No data for type AUTH PROXY
8: Username=157102
Session Id=000088AF Unique Id=000088A0
Start Sent=1 Stop Only=N
stop_has_been_sent=N
Method List=226B3E4 : Name = default
Attribute list:
024CAA00 0 00000001 session-id(336) 4 34991(88AF)
024CAA14 0 00000001 start_time(342) 4 Jan 23 2012 16:22:18
024CAA28 0 00000009 audit-session-id(599) 24 0AC5010200001C49A5C6990F
--------
No data for type IPSEC-TUNNEL
No data for type RESOURCE
No data for type 11
No data for type 12
No data for type CALL
No data for type VPDN-TUNNEL
No data for type VPDN-TUNNEL-LINK
Debg: No data available
Radi: 2032F58
Interface:
TTY Num = -1
Stop Received = 0
Byte/Packet Counts till Call Start:
Start Bytes In = 993533200 Start Bytes Out = 3867849339
Start Paks In = 23586534 Start Paks Out = 28511761
Byte/Packet Counts till Service Up:
Pre Bytes In = 993539419 Pre Bytes Out = 3867856344
Pre Paks In = 23586593 Pre Paks Out = 28511812
Cumulative Byte/Packet Counts :
Bytes In = 1112561235 Bytes Out = 3160900227
Paks In = 69526526 Paks Out = 75491430
StartTime = 16:22:18 GMT+5 Jan 23 2012
AuthenTime = 16:22:19 GMT+5 Jan 23 2012
Component = DOT1X
Authen: service=8021X type=EAP method=RADIUS
Kerb: No data available
Meth: No data available
PreA: No data available
General:
Unique Id = 000088A0
Session Id = 000088AF
Attribute List:
0244DB94 0 00000001 port-type(174) 4 Ethernet
0244DBA8 0 00000009 interface(170) 16 FastEthernet0/48
0244DBBC 0 00000009 dnis(50) 17 00-18-B9-F5-5B-30
0244DBD0 0 00000009 clid(37) 17 48-5B-39-EA-26-7C
PerU: No data available
--------------------------------------------------
PS. I don't have the "show authentication" command.
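On a 12.2(46)SE image without "show authentication sessions", the only place the stale sessions are visible is the "show aaa user all" output above, which is long and repetitive. The script below is an added example, not something from the thread or from Cisco: it parses that output format, then flags any port/MAC pair (the interface(170) and clid(37) attributes) that has more than one live DOT1X record, i.e. more than one "Unique id ... is currently in use" with Stop Received = 0. The sample input is constructed from the field layout shown in the thread (same session IDs, MACs and timestamps, abbreviated to the fields the parser needs) and is not a real capture; the Fa0/7 record and the record with Stop Received = 1 are assumed extra entries added to show that unrelated and already-stopped sessions are not reported.

```python
"""Flag duplicate 802.1X accounting sessions per port/MAC in 'show aaa user all' text."""
import re
from collections import defaultdict

# Record boundaries are the long dashed rules; the short "--------" rules
# inside a record must not split it, hence the {20,} minimum.
SEPARATOR = re.compile(r"^-{20,}\s*$", re.MULTILINE)
RE_UNIQUE = re.compile(r"Unique id (\d+) is currently in use")
RE_USERNAME = re.compile(r"Username=(\S+)")
RE_SESSION = re.compile(r"Session Id=([0-9A-Fa-f]+)")
RE_STOP_RX = re.compile(r"Stop Received = (\d+)")
RE_COMPONENT = re.compile(r"Component = (\S+)")
RE_START = re.compile(r"StartTime = (.+)")
RE_INTERFACE = re.compile(r"interface\(170\)\s+\d+\s+(\S+)")   # switch port
RE_CLID = re.compile(r"clid\(37\)\s+\d+\s+(\S+)")              # supplicant MAC


def _first(rx, chunk, default=None):
    m = rx.search(chunk)
    return m.group(1).strip() if m else default


def parse_aaa_users(text):
    """Return one dict per 'Unique id ... is currently in use' record."""
    records = []
    for chunk in SEPARATOR.split(text):
        uid = _first(RE_UNIQUE, chunk)
        if uid is None:
            continue  # empty chunk between rules
        # The NET block reports Username=(n/a); the real login is further down.
        names = [u for u in RE_USERNAME.findall(chunk) if u != "(n/a)"]
        records.append({
            "unique_id": int(uid),
            "username": names[0] if names else None,
            "session_id": _first(RE_SESSION, chunk),
            "interface": _first(RE_INTERFACE, chunk),
            "mac": _first(RE_CLID, chunk),
            "component": _first(RE_COMPONENT, chunk),
            "stop_received": int(_first(RE_STOP_RX, chunk, "0")),
            "start_time": _first(RE_START, chunk),
        })
    return records


def find_duplicate_sessions(records):
    """Map (interface, mac) -> live DOT1X records, keeping only keys with >1."""
    groups = defaultdict(list)
    for r in records:
        if r["component"] != "DOT1X" or r["stop_received"] != 0:
            continue  # not a dot1x session, or already torn down
        if r["interface"] and r["mac"]:
            groups[(r["interface"], r["mac"])].append(r)
    return {k: v for k, v in groups.items() if len(v) > 1}


# --- constructed sample (not a real capture), shaped like the thread's output ---
def _record(uid, sid, user, iface, mac, start, stop_rx=0):
    # Unique Id in the output is the decimal 'Unique id' rendered as 8 hex digits.
    return f"""--------------------------------------------------
Unique id {uid} is currently in use.
Accounting:
  Outstanding Stop Records : 0
NET: Username=(n/a)
  Session Id={sid} Unique Id={uid:08X}
--------
8: Username={user}
  Session Id={sid} Unique Id={uid:08X}
Interface:
  TTY Num = -1
  Stop Received = {stop_rx}
  StartTime = {start}
  Component = DOT1X
General:
  Attribute List:
    024A8C24 0 00000009 interface(170) 16 {iface}
    024A8C38 0 00000009 dnis(50) 17 00-18-B9-F5-5B-30
    024A8C4C 0 00000009 clid(37) 17 {mac}
"""


MAC = "48-5B-39-EA-26-7C"
SAMPLE = (
    _record(34974, "000088AD", "157102", "FastEthernet0/48", MAC, "16:22:08 GMT+5 Jan 23 2012")
    + _record(34976, "000088AF", "157102", "FastEthernet0/48", MAC, "16:22:18 GMT+5 Jan 23 2012")
    + _record(34980, "000088B3", "200455", "FastEthernet0/7", "00-11-22-33-44-55", "16:30:00 GMT+5 Jan 23 2012")
    + _record(34981, "000088B4", "157102", "FastEthernet0/48", MAC, "15:00:00 GMT+5 Jan 23 2012", stop_rx=1)
    + "--------------------------------------------------\n"
)

if __name__ == "__main__":
    for (iface, mac), sessions in find_duplicate_sessions(parse_aaa_users(SAMPLE)).items():
        ids = ", ".join(f"{s['unique_id']} ({s['username']}, {s['start_time']})" for s in sessions)
        print(f"{iface} {mac}: {len(sessions)} live dot1x sessions -> {ids}")
```

Feed it a pasted copy of the real "show aaa user all" output instead of SAMPLE to get a per-port list of the leaked sessions and their start times; in the thread's output the two Fa0/48 records share the login 157102 and MAC 48-5B-39-EA-26-7C but have distinct Unique Ids (34974 and 34976), which is exactly what the grouping keys on.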