03-06-2023 02:10 AM
Hi,
The switch 9200L, 17.06.04 has 802.1x enabled. I noticed in the logs that sometimes the 802.1x doesn't finish correctly and the log on the ISE says: 5440 Endpoint abandoned EAP session and started new, the switch log is: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (MAC address) with reason (Timeout) on Interface Gi3/0/35 AuditSessionID 043410AC0000E5C0B633FC57 Username: host/hostname.domain.com
The question is whether this timeout is caused by the PC or by the switch. The PC has the native Windows supplicant using EAP-TLS.
thank you
03-06-2023 02:31 AM
Is this only one client, or do all of them have the same issue? Does this work on any other switch? Do all the switches have the same issue?
What is the version of ISE? Does the switch have reachability to ISE, and what logs do you see on ISE?
What is your configuration on the switch for AAA and the port config?
dot1x timeout tx-period XX? What timeout config do you have here?
03-06-2023 02:42 AM
03-06-2023 03:03 AM
If you connect the same device or user to another switch, does that work?
For testing, on any device you know is having the issue, try to increase the time:
dot1x timeout tx-period X
dot1x timeout supp-timeout X
03-06-2023 03:08 AM
Hi,
I think it will be the same. I will try to modify the timeout on the interfaces.
03-06-2023 10:26 AM
Also, you need to collect information about the end device which was failing, especially the NIC cards used.
Some Intel NIC cards have this issue.
03-06-2023 03:32 AM - edited 03-06-2023 03:41 AM
Gi3/0/35 <<- does the log for this port appear when the PC is connected AND active, or connected but not active?
I think this is normal when the PC is connected but not active:
the SW/ISE will reauth the connected device; if the device does not reply, then the SW/ISE will unauthorize the port.
So there is no need to change the default timeout if the case is the same as above.
03-06-2023 03:34 AM
1. The log from ISE indicates that the endpoint is not responding. If you check the steps in the detailed live log, you will notice that ISE sends an Access-Challenge and that it gets no response to this Access-Challenge.
2. The log from the switch indicates that the supplicant (PC) is timing out: the switch sends requests to the supplicant, but the supplicant never responds during the time window.
This has two possibilities:
1. The supplicant is indeed not responding because of an issue with the supplicant or the protocol flow; you are using machine authentication (host/hostname.domain.com). Maybe the PC was put to sleep or something?
2. The timers configured on the switch are misconfigured.
I believe it would be point #1, because if the timers were the issue then you would face this on a larger scale and more frequently.
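The split made in the reply above (supplicant not answering versus switch timers misconfigured) can be checked mechanically against the switch syslog. The following is an added Python example, not code from this thread or from Cisco: it parses %DOT1X-5-FAIL lines in the format quoted in the original question, counts Timeout failures per port and per MAC, flags endpoints that later authenticated on the same port under a new AuditSessionID (the unplug/replug recovery pattern described later in the thread), and applies the same heuristic the reply uses: timeouts concentrated on one endpoint point at the supplicant or its NIC, timeouts spread across many ports point at the switch or the RADIUS path. The sample log lines, the %DOT1X-5-SUCCESS message layout and the three-port threshold are constructed assumptions for the example.

```python
import re
from collections import Counter, defaultdict

# The FAIL layout follows the switch log quoted in the question; the SUCCESS
# layout is an assumption about the matching %DOT1X-5-SUCCESS message.
FAIL_RE = re.compile(
    r"%DOT1X-5-FAIL:.*?Authentication failed for client \((?P<mac>[0-9a-f.]+)\) "
    r"with reason \((?P<reason>[^)]+)\) on Interface (?P<intf>\S+) "
    r"AuditSessionID (?P<sid>[0-9A-Fa-f]+) Username: (?P<user>\S+)"
)
SUCCESS_RE = re.compile(
    r"%DOT1X-5-SUCCESS:.*?Authentication successful for client \((?P<mac>[0-9a-f.]+)\) "
    r"on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-Fa-f]+) Username: (?P<user>\S+)"
)

# Constructed sample syslog, in the order the switch would emit it.
SAMPLE_LOG = """\
Mar  6 02:05:11.301: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (0050.56aa.0001) with reason (Timeout) on Interface Gi3/0/35 AuditSessionID 043410AC0000E5C0B633FC57 Username: host/pc1.example.com
Mar  6 02:05:42.002: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (0050.56aa.0001) with reason (Timeout) on Interface Gi3/0/35 AuditSessionID 043410AC0000E5C0B633FC57 Username: host/pc1.example.com
Mar  6 02:06:40.115: %DOT1X-5-SUCCESS: Switch 1 R0/0: sessmgrd: Authentication successful for client (0050.56aa.0001) on Interface Gi3/0/35 AuditSessionID 043410AC0000E5C1B633FF10 Username: host/pc1.example.com
Mar  6 02:07:03.440: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (0050.56aa.0002) with reason (Cred Fail) on Interface Gi3/0/12 AuditSessionID 043410AC0000E5C2B6340001 Username: jdoe
Mar  6 02:07:05.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""


def parse_dot1x(lines):
    """Return one dict per DOT1X FAIL/SUCCESS line; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["result"] = "fail"
            events.append(ev)
            continue
        m = SUCCESS_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["result"] = "success"
            ev["reason"] = None
            events.append(ev)
    return events


def triage_timeouts(events, widespread_ports=3):
    """Classify Timeout failures as endpoint-side or switch/RADIUS-side.

    widespread_ports is a constructed threshold: Timeout failures on at least
    that many distinct ports are treated as a switch- or RADIUS-side symptom.
    """
    timeouts = [e for e in events if e["result"] == "fail" and e["reason"] == "Timeout"]
    per_port = Counter(e["intf"] for e in timeouts)
    per_mac = Counter(e["mac"] for e in timeouts)

    # An endpoint that timed out and then succeeded on the same port under a
    # different AuditSessionID went through a fresh session (e.g. cable replug).
    failed_sids = defaultdict(set)  # (mac, intf) -> session IDs that timed out
    recovered = set()
    for e in events:
        key = (e["mac"], e["intf"])
        if e["result"] == "fail" and e["reason"] == "Timeout":
            failed_sids[key].add(e["sid"])
        elif e["result"] == "success" and failed_sids[key] and e["sid"] not in failed_sids[key]:
            recovered.add(key)

    verdict = "switch-or-radius-side" if len(per_port) >= widespread_ports else "endpoint-side"
    return {
        "per_port": dict(per_port),
        "per_mac": dict(per_mac),
        "recovered": recovered,
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = triage_timeouts(parse_dot1x(SAMPLE_LOG.splitlines()))
    for k, v in report.items():
        print(f"{k}: {v}")
```

On the constructed sample the two Timeout failures sit on a single port and a single MAC, and that MAC later authenticates under a new AuditSessionID, so the verdict is endpoint-side; feeding the script a real `show logging` export from several switches is the quick way to tell whether the problem is one supplicant or the whole estate.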
03-06-2023 03:53 AM
Hi, the last time the customer reported the issue was when the PC was turned on (not from sleep), and machine and user authentication failed during the boot-up and login process. Once the customer unplugged and plugged the cable back into the PC, the authentication finished correctly.
03-06-2023 04:16 AM
And this will happen each time the sleep->active time is less than the auth timeout.
The solution for me is to use the inactivity timeout <<- use this timeout only for this user port and monitor the issue.
03-06-2023 08:22 AM - edited 03-06-2023 08:23 AM
That issue is most likely related to the endpoint, not the switch or ISE. I came across similar issues and managed to fix them by updating the NIC drivers.
03-11-2023 08:43 PM
@peter.matuska1 I agree with most of the responses here, especially Aref's. It might be worth troubleshooting further, e.g., by using one of these guides: