802.1x re authentication problem

ngtransge
Level 1

Hello,

I have a problem with 802.1x authentication on switch ports which are configured in "Multi Session" mode. In Single Host mode and Multiple Host mode it works just fine.

The problem is the following: when the PC is first connected to the switch port, it authenticates successfully. After about 1-2 minutes the Windows 7 NIC notifies that it is going to authenticate again, and after a couple of minutes the NIC status changes to “Authentication Failed”. On ACS I only see the first authentication request, which is successful. If I unplug the PC from the port and plug it in again, it authenticates successfully and then the same problem starts again.

I was doing packet sniffing on the PC, and it seems that after the PC's first authentication completes successfully, the switch starts to send EAP Identity/Request packets to the host; the host sends EAP Identity/Response to the switch, but the switch doesn't continue the authentication process and starts again with new EAP Identity/Request packets.

On the Windows 7 host Event Viewer I see the following log messages:

    Reason: 0x70004
    Reason Text: The network stopped answering authentication requests
    Error Code: 0x0

The ACS version is 5.3. The authentication method is PEAP. The supplicant OS is Windows 7; I also tried with Windows XP, with the same result. The authenticating switch is an ESW 520 with the latest firmware. I also tried with 2960/3560 switches and it works perfectly. On the ESW 520 switch, if the port mode is other than “Multi Session” it works without any issue.

Do you have any idea how I can fix this?
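Sniffing the EAP exchange on the PC is the right way to pin this down. As an added illustration, not part of the original post, the Python script below parses raw EAPOL/EAP frames and counts the stalled re-authentication pattern described above: a Response/Identity from the supplicant that the switch answers with a fresh Request/Identity instead of continuing with the PEAP method request. The frames, MAC addresses and EAP identifiers are constructed sample data, not the attached capture.

```python
import struct
ETH_P_EAPOL = 0x888E                    # EtherType for EAPOL (IEEE 802.1X)
EAP_TYPE_IDENTITY, EAP_TYPE_PEAP = 1, 25

def build_eapol(code, eap_id, eap_type=None, src=b"\x00" * 6):
    """Build a constructed EAPOL EAP-Packet frame (sample data, not real traffic)."""
    body = b"" if eap_type is None else bytes([eap_type])
    eap = struct.pack("!BBH", code, eap_id, 4 + len(body)) + body
    eapol = struct.pack("!BBH", 1, 0, len(eap)) + eap    # version 1, type 0 = EAP-Packet
    return b"\x01\x80\xc2\x00\x00\x03" + src + struct.pack("!H", ETH_P_EAPOL) + eapol

def parse_eap(frame):
    """Return (code, id, type-or-None) for an EAPOL EAP-Packet frame, else None."""
    if len(frame) < 22 or struct.unpack("!H", frame[12:14])[0] != ETH_P_EAPOL:
        return None
    _ver, eapol_type, _eapol_len = struct.unpack("!BBH", frame[14:18])
    if eapol_type != 0:                 # EAPOL-Start/Logoff/Key carry no EAP packet
        return None
    code, eap_id, eap_len = struct.unpack("!BBH", frame[18:22])
    eap_type = frame[22] if eap_len > 4 and len(frame) > 22 else None
    return code, eap_id, eap_type

def find_stalled_reauths(frames):
    """Count Response/Identity answered by another Request/Identity (no method, no result)."""
    stalled, awaiting_method = 0, False
    for frame in frames:
        pkt = parse_eap(frame)
        if pkt is None:
            continue
        code, _eap_id, eap_type = pkt
        if code == 2 and eap_type == EAP_TYPE_IDENTITY:     # supplicant sent identity
            awaiting_method = True
        elif code == 1 and eap_type == EAP_TYPE_IDENTITY and awaiting_method:
            stalled += 1                # identity loop: switch restarted the conversation
            awaiting_method = False
        elif code in (1, 3, 4):         # method request, Success or Failure: progressed
            awaiting_method = False
    return stalled

SW, PC = b"\x00\x11\x22\x33\x44\x55", b"\x00\xaa\xbb\xcc\xdd\xee"   # constructed MACs
SAMPLE_CAPTURE = [
    build_eapol(1, 1, EAP_TYPE_IDENTITY, SW),   # initial auth: Request/Identity
    build_eapol(2, 1, EAP_TYPE_IDENTITY, PC),   # Response/Identity
    build_eapol(1, 2, EAP_TYPE_PEAP, SW),       # PEAP method starts (TLS exchange elided)
    build_eapol(3, 3, None, SW),                # EAP-Success: port authorized
    build_eapol(1, 4, EAP_TYPE_IDENTITY, SW),   # re-auth: Request/Identity
    build_eapol(2, 4, EAP_TYPE_IDENTITY, PC),   # Response/Identity
    build_eapol(1, 5, EAP_TYPE_IDENTITY, SW),   # switch restarts instead of sending PEAP
    build_eapol(2, 5, EAP_TYPE_IDENTITY, PC),
    build_eapol(1, 6, EAP_TYPE_IDENTITY, SW),   # ... and again, until the supplicant gives up
]
```

Replacing SAMPLE_CAPTURE with frames read from a real capture (e.g. the raw Ethernet frames of a pcap) shows whether the switch ever sends a method request after the Response/Identity during re-authentication.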


If the config is the same as on the 2960 it sounds more like a bug...

You may need to reach out to TAC for the same.

Hi ngtransge,

Have you tried applying the hotfix below on these problematic Windows 7 clients? Kindly have a look at the link mentioned below, which might give you more insight about the same.

http://support.microsoft.com/kb/980295/en-us

Regards

Anim Saxena

*Rate helpful posts*

Hello Anim,

I have tried this hotfix, but it doesn't help.

One more detail about the case. When the host first authenticates and then the supplicant goes into the authentication failed state, the switch port still stays in the authenticated state.

I am attaching the sniffed EAP packets.

Hi ngtransge,

If you use "User or computer" as the authentication mode, the user won't be authenticated when he logs on, as the machine has already been authenticated. To meet our business requirements, you may need to reauthenticate each user when they log in to the machine (use "user authentication"); however, you can't make this happen on our Windows 7 clients at the moment. It can only authenticate once unless I manually disconnect the network and reconnect it; otherwise the switch times out the dot1x due to no responses from the PC.

You would first like to clarify the authentication mode part, so if we want to make users re-authenticate using the credentials of the currently logged-on user, we'd need to set it to use “User re-authentication”. This concept has been explained in the section “Wired authentication modes” in the link below:

Planning for Recommended Wired Security Configurations

http://technet.microsoft.com/en-us/library/dd378927(WS.10).aspx

And could you describe the entries you set in the wired network policy? What is the number you set for “Max Authentication failures”? And which authentication protocol are you using now?

Maybe we should recheck the current settings by following our sample guide below and see if there is any improvement:

Configure Wired Computers Running Windows Vista for 802.1X Authenticated Access

http://technet.microsoft.com/en-us/library/dd348442(WS.10).aspx

For more information please refer to the link below:

802.1X Authenticated Wired Access

http://technet.microsoft.com/en-us/library/cc753354(WS.10).aspx

Thanks and regards,

Anim Saxena

*Rate helpful post*

Hi Anim,

I am using the very default "wired network policy". The authentication method is PEAP, and the authentication mode is "User or computer authentication".

Where can I see "Max Authentication failures"?

Hi ngtransge,

Thanks for rating the replies. You need to select "User Authentication". I am pasting some screenshots which might help you out.

[Screenshots not available: STEP 2, STEP 3, STEP 4]

Selecting User Authentication in the scenario might help out.

Thanks and Regards

Anim Saxena

*Rate helpful posts*

Hello Anim,

As far as I know, only user authentication has a problem with Group Updates, because it doesn't authenticate the PC when the user is not logged in. Also, I have tried it and it did not help.

Hi Ngtransge,

I am posting a link which might be helpful to you in solving your problem.

https://supportforums.cisco.com/docs/DOC-23117

Thanks and regards

Anim Saxena

*Rate Helpful Posts*

Hello Anim,

Same problem with NAM.