802.1x multiple sessions with same LOGIN+MAC on single-host port

v_paranoid · ‎03-19-2012

We have 802.1x with radius server.
c2960 configured to allow only one device per port with no Mac-Bypass and no critical auth.

From time to time user seems to get multiple authentications on single port with single mac-address.

So we get several sessions on port with the same login, mac (but different session-id).
Command "dot1x re-auth int" doesn't clear those sessions. Neither do "force-unauthorized" or "shut/noshut". Only thing that helps is reboot switch.

Happens with different users.

Anybody seen this issue?

IOS 12.2(46)SE

Eduardo Aliaga · ‎03-19-2012

Could you please post your config and also "show authentication session " and "show dot1x detail" ?

v_paranoid · ‎03-20-2012

Sure. Tried to make it short.

Config for 802.1x-aaa:

!

aaa new-model

!

aaa group server radius default

server X.X.X.X auth-port 12345 acct-port 12346

!

aaa authentication login default group radius enable

aaa authentication dot1x default group radius

aaa authorization exec default group radius if-authenticated

aaa authorization network default local group radius

aaa authorization reverse-access default group radius

aaa accounting suppress null-username

aaa accounting update periodic 1

aaa accounting dot1x default start-stop group radius

aaa accounting exec default start-stop group radius

aaa accounting network default start-stop group radius

aaa accounting system default start-stop group radius

!

aaa session-id common

!

dot1x system-auth-control

!

interface FastEthernet0/48

switchport access vlan 1398

switchport mode access

dot1x pae authenticator

dot1x port-control auto

dot1x violation-mode shutdown

spanning-tree portfast

spanning-tree link-type point-to-point

!

radius-server attribute 44 include-in-access-req

radius-server attribute 44 extend-with-addr

radius-server attribute 188 format non-standard

radius-server attribute 218 mandatory

radius-server attribute 32 include-in-accounting-req format %i %h %d

radius-server attribute 55 include-in-acct-req

radius-server attribute list att

attribute 30-31,44

!

radius-server host X.X.X.X auth-port 12345 acct-port 12346 key keykeykey

radius-server vsa send accounting

!

sh dot1x int fa 0/48 det

Dot1x Info for FastEthernet0/48
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
Violation Mode            = SHUTDOWN
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0

Dot1x Authenticator Client List Empty

Port Status = UNAUTHORIZED

And right now, while port is UNAUTHORIZED we have 2 sessions as follows:

sh aaa user all

--------------------------------------------------
Unique id 34974 is currently in use.
Accounting:
log=0x208241
Events recorded :
    CALL START
    ATTR REPLACE
    NET UP
    INTERIM START
    VPDN NET UP
update method(s) :
    PERIODIC
update interval = 60
Outstanding Stop Records : 0
Dynamic attribute list:
    0244DC34 0 00000001 connect-progress(44) 4 Auth Open
    0244DC48 0 00000001 pre-session-time(272) 4 0(0)
    0244DC5C 0 00000001 elapsed_time(339) 4 4828941(49AF0D)
    0244DC70 0 00000001 input-giga-words(111) 4 2(2)
    0244DC84 0 00000001 output-giga-words(250) 4 8(8)
    024A8C10 0 00000001 bytes_in(112) 4 119041621(7186E55)
    024A8C24 0 00000001 bytes_out(252) 4 3588031221(D5DD02F5)
    024A8C38 0 00000001 pre-bytes-in(268) 4 7373(1CCD)
    024A8C4C 0 00000001 pre-bytes-out(269) 4 8204(200C)
    024A8C60 0 00000001 paks_in(113) 4 45940138(2BCFDAA)
    024A8CB0 0 00000001 paks_out(253) 4 46979788(2CCDACC)
    024A8CC4 0 00000001 pre-paks-in(270) 4 68(44)
    024A8CD8 0 00000001 pre-paks-out(271) 4 61(3D)
No data for type EXEC
No data for type CONN
NET: Username=(n/a)
    Session Id=000088AD Unique Id=0000889E
    Start Sent=0 Stop Only=N
    stop_has_been_sent=N
    Method List=0
    Attribute list:
      024CAA00 0 00000001 session-id(336) 4 34989(88AD)
      024CAA14 0 00000001 start_time(342) 4 Jan 23 2012 16:22:08
--------
No data for type CMD
No data for type SYSTEM
No data for type RM CALL
No data for type RM VPDN
No data for type AUTH PROXY
8: Username=157102
    Session Id=000088AD Unique Id=0000889E
    Start Sent=1 Stop Only=N
    stop_has_been_sent=N
    Method List=226B3E4 : Name = default
    Attribute list:
      0244DB94 0 00000001 session-id(336) 4 34989(88AD)
      0244DBA8 0 00000001 start_time(342) 4 Jan 23 2012 16:22:08
      0244DBBC 0 00000009 audit-session-id(599) 24 0AC5010200001C45A5C67429
--------
No data for type IPSEC-TUNNEL
No data for type RESOURCE
No data for type 11
No data for type 12
No data for type CALL
No data for type VPDN-TUNNEL
No data for type VPDN-TUNNEL-LINK
Debg: No data available
Radi: 2032FD8
Interface:
TTY Num = -1
Stop Received = 0
Byte/Packet Counts till Call Start:
    Start Bytes In = 993512241     Start Bytes Out = 3867828098
    Start Paks In = 23586320      Start Paks Out = 28511581
Byte/Packet Counts till Service Up:
    Pre Bytes In = 993519614     Pre Bytes Out = 3867836302
    Pre Paks In = 23586388      Pre Paks Out = 28511642
Cumulative Byte/Packet Counts :
    Bytes In = 1112561235    Bytes Out = 3160900227
    Paks In = 69526526      Paks Out = 75491430
StartTime = 16:22:08 GMT+5 Jan 23 2012
AuthenTime = 16:22:08 GMT+5 Jan 23 2012
Component = DOT1X
Authen: service=8021X type=EAP method=RADIUS
Kerb: No data available
Meth: No data available
PreA: No data available
General:
Unique Id = 0000889E
Session Id = 000088AD
Attribute List:
    024A8C10 0 00000001 port-type(174) 4 Ethernet
    024A8C24 0 00000009 interface(170) 16 FastEthernet0/48
    024A8C38 0 00000009 dnis(50) 17 00-18-B9-F5-5B-30
    024A8C4C 0 00000009 clid(37) 17 48-5B-39-EA-26-7C
PerU: No data available

--------------------------------------------------
Unique id 34976 is currently in use.
Accounting:
log=0x10000208241
Events recorded :
    CALL START
    ATTR REPLACE
    NET UP
    INTERIM START
    VPDN NET UP
    SESSION INFO
update method(s) :
    PERIODIC
update interval = 60
Outstanding Stop Records : 0
Dynamic attribute list:
    024CAA00 0 00000001 connect-progress(44) 4 Auth Open
    024CAA14 0 00000001 pre-session-time(272) 4 2(2)
    024CAA28 0 00000001 elapsed_time(339) 4 4828961(49AF21)
    024CAA3C 0 00000001 input-giga-words(111) 4 2(2)
    024CAA50 0 00000001 output-giga-words(250) 4 8(8)
    024CAAA0 0 00000001 bytes_in(112) 4 119021816(71820F8)
    024CAAB4 0 00000001 bytes_out(252) 4 3588011179(D5DCB4AB)
    024CAAC8 0 00000001 pre-bytes-in(268) 4 6219(184B)
    024CAADC 0 00000001 pre-bytes-out(269) 4 7005(1B5D)
    024CAAF0 0 00000001 paks_in(113) 4 45939933(2BCFCDD)
    0244DB94 0 00000001 paks_out(253) 4 46979618(2CCDA22)
    0244DBA8 0 00000001 pre-paks-in(270) 4 59(3B)
    0244DBBC 0 00000001 pre-paks-out(271) 4 51(33)
No data for type EXEC
No data for type CONN
NET: Username=(n/a)
    Session Id=000088AF Unique Id=000088A0
    Start Sent=0 Stop Only=N
    stop_has_been_sent=N
    Method List=0
    Attribute list:
      024A8C10 0 00000001 session-id(336) 4 34991(88AF)
      024A8C24 0 00000001 start_time(342) 4 Jan 23 2012 16:22:18
--------
No data for type CMD
No data for type SYSTEM
No data for type RM CALL
No data for type RM VPDN
No data for type AUTH PROXY
8: Username=157102
    Session Id=000088AF Unique Id=000088A0
    Start Sent=1 Stop Only=N
    stop_has_been_sent=N
    Method List=226B3E4 : Name = default
    Attribute list:
      024CAA00 0 00000001 session-id(336) 4 34991(88AF)
      024CAA14 0 00000001 start_time(342) 4 Jan 23 2012 16:22:18
      024CAA28 0 00000009 audit-session-id(599) 24 0AC5010200001C49A5C6990F
--------
No data for type IPSEC-TUNNEL
No data for type RESOURCE
No data for type 11
No data for type 12
No data for type CALL
No data for type VPDN-TUNNEL
No data for type VPDN-TUNNEL-LINK
Debg: No data available
Radi: 2032F58
Interface:
TTY Num = -1
Stop Received = 0
Byte/Packet Counts till Call Start:
    Start Bytes In = 993533200     Start Bytes Out = 3867849339
    Start Paks In = 23586534      Start Paks Out = 28511761
Byte/Packet Counts till Service Up:
    Pre Bytes In = 993539419     Pre Bytes Out = 3867856344
    Pre Paks In = 23586593      Pre Paks Out = 28511812
Cumulative Byte/Packet Counts :
    Bytes In = 1112561235    Bytes Out = 3160900227
    Paks In = 69526526      Paks Out = 75491430
StartTime = 16:22:18 GMT+5 Jan 23 2012
AuthenTime = 16:22:19 GMT+5 Jan 23 2012
Component = DOT1X
Authen: service=8021X type=EAP method=RADIUS
Kerb: No data available
Meth: No data available
PreA: No data available
General:
Unique Id = 000088A0
Session Id = 000088AF
Attribute List:
    0244DB94 0 00000001 port-type(174) 4 Ethernet
    0244DBA8 0 00000009 interface(170) 16 FastEthernet0/48
    0244DBBC 0 00000009 dnis(50) 17 00-18-B9-F5-5B-30
    0244DBD0 0 00000009 clid(37) 17 48-5B-39-EA-26-7C
PerU: No data available

--------------------------------------------------

PS. Have no command "show authentication"

802.1x multiple sessions with same LOGIN+MAC on single-host port

ISE Webinars

CiscoISE on YouTube