802.1x timeout log

peter.matuska1
Level 1

Hi,

The switch 9200L, 17.06.04 has 802.1x enabled. I noticed in the logs that sometimes the 802.1x doesn't finish correctly and the log on the ISE says: 5440 Endpoint abandoned EAP session and started new, the switch log is: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (MAC address) with reason (Timeout) on Interface Gi3/0/35 AuditSessionID 043410AC0000E5C0B633FC57 Username: host/hostname.domain.com

The question is whether this timeout is caused by the PC or by the switch. The PC uses the native Windows supplicant with EAP-TLS.

thank you

11 Replies

balaji.bandi
Hall of Fame

Is this for only 1 client, or do all of them have the same issue? And does this work on any other switch? Do all the switches have the same issue?

What is the version of ISE? Does the switch have reachability to ISE, and what logs do you see on ISE?

How is your configuration on the switch, AAA and port config?

dot1x timeout tx-period XX? What timeout config do you have here?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi,

ISE 2.6, patch 12. I noticed that the same issue/log is for more than 1 endpoint and more than 1 switch. Yes, I checked the switch and it has connectivity to ISE, there is no log regarding RADIUS server down.

If you connect the same device or user to another switch, does that work?

For testing, on any device you know is having the issue, try to increase the time:

dot1x timeout tx-period X
dot1x timeout supp-timeout X

BB


Hi,

I think it will be the same. I will try to modify the timeout on the interfaces.

Also, you need to collect information on the end devices that were failing, especially the NIC cards used.

Some Intel NIC cards have this issue.

BB


Gi3/0/35 <<- does the log for this port appear when the PC is connected AND active, or connected but not active?
I think this is normal when the PC is connected but not active:
the SW/ISE will reauth the connected device, and if the device does not reply then the SW/ISE will unauthorize the port.
So there is no need to change the default timeout if the case is the same as above.

Tariq Mahmoud
Level 1

1. The log from ISE indicates that the endpoint is not responding. If you check the steps in the detailed live log, you will notice that ISE sends an Access-Challenge and gets no response to this Access-Challenge.

2. The log from the switch indicates that the supplicant (PC) is timing out: the switch sends requests to the supplicant, but the supplicant never responds during the time window.

This has two possibilities:
1. The supplicant is indeed not responding because of an issue with the supplicant or the protocol flow. You are using machine authentication (host/hostname.domain.com); maybe the PC was put to sleep or something?

2. The timers configured on the switch are misconfigured.

I believe it would be point #1, because if the timers were the issue then you would face this on a larger scale and more frequently.
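To support the two diagnostic questions raised in this thread (reading the %DOT1X-5-FAIL line, and telling a single misbehaving endpoint from a switch-wide timer problem), here is an added example that is not part of the thread or of any Cisco tool: a small Python parser for the quoted switch log format, run over constructed sample syslog lines. The MAC addresses, hostnames, AuditSessionIDs and timestamps in the sample are made up, and the `%SYS-5-CONFIG_I` line is included only to show that unrelated messages are skipped.

```python
import re
from collections import Counter

# Constructed sample syslog lines modelled on the %DOT1X-5-FAIL message quoted
# in the thread. Every MAC, session ID, hostname and timestamp here is made up.
SAMPLE_LOGS = [
    "Mar 1 08:12:03.101: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed "
    "for client (0011.2233.4455) with reason (Timeout) on Interface Gi3/0/35 "
    "AuditSessionID 0A0A0A0A0000000100000001 Username: host/pc1.example.com",
    "Mar 1 08:14:41.577: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed "
    "for client (0011.2233.4455) with reason (Timeout) on Interface Gi3/0/35 "
    "AuditSessionID 0A0A0A0A0000000200000002 Username: host/pc1.example.com",
    "Mar 1 08:20:09.003: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed "
    "for client (aabb.ccdd.eeff) with reason (Timeout) on Interface Gi1/0/7 "
    "AuditSessionID 0A0A0A0A0000000300000003 Username: host/pc2.example.com",
    "Mar 1 08:21:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
]

# Field layout taken from the message format shown in the original post:
#   ... Authentication failed for client (MAC) with reason (REASON) on Interface IF
#   AuditSessionID ID Username: USER
DOT1X_FAIL_RE = re.compile(
    r"%DOT1X-5-FAIL: .*?Authentication failed for client \((?P<mac>[0-9a-fA-F.]+)\) "
    r"with reason \((?P<reason>[^)]+)\) on Interface (?P<intf>\S+) "
    r"AuditSessionID (?P<session>\S+) Username: (?P<user>\S+)"
)


def parse_dot1x_fail(line):
    """Return the fields of a %DOT1X-5-FAIL line as a dict, or None for any other message."""
    m = DOT1X_FAIL_RE.search(line)
    return m.groupdict() if m else None


def summarize_timeouts(lines):
    """Group Timeout failures by endpoint, port and username.

    The scope hint follows the reasoning in the thread: one MAC failing repeatedly
    points at that endpoint (supplicant, NIC driver, sleep state); many different
    MACs across ports is the pattern you would expect from a switch-wide timer issue.
    """
    by_mac, by_intf, by_user = Counter(), Counter(), Counter()
    total = 0
    for line in lines:
        rec = parse_dot1x_fail(line)
        if rec is None or rec["reason"] != "Timeout":
            continue  # skip non-dot1x lines and failures with other reasons
        total += 1
        by_mac[rec["mac"]] += 1
        by_intf[rec["intf"]] += 1
        by_user[rec["user"]] += 1
    if total == 0:
        scope = "none"
    elif len(by_mac) == 1:
        scope = "single endpoint"
    else:
        scope = "multiple endpoints"
    return {
        "total": total,
        "by_mac": by_mac,
        "by_intf": by_intf,
        "by_user": by_user,
        "scope": scope,
    }


if __name__ == "__main__":
    summary = summarize_timeouts(SAMPLE_LOGS)
    print(f"{summary['total']} Timeout failures, scope: {summary['scope']}")
    for intf, n in summary["by_intf"].most_common():
        print(f"  {intf}: {n}")
```

Feed it the output of the switch's syslog export (or the collector's archive) rather than the constructed sample to get real counts; the `by_user` counter is what lets you see whether the failures are all machine authentications (`host/...`), which matters for the boot-time scenario discussed later in the thread.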

peter.matuska1
Level 1

Hi, last time the customer reported the issue was when the PC was turned on (not from sleep), and machine and user authentication failed during the boot-up and login process. Once the customer unplugged and plugged the cable back into the PC, the authentication finished correctly.

And this will happen each time the Sleep->active time is less than the auth timeout.
The solution for me is to use the inactivity timeout <<- use this timeout only for this user port and monitor the issue.

That issue is most likely related to the endpoint, not the switch nor ISE. I came across similar issues and managed to fix them by updating the NIC drivers.

hslai
Cisco Employee