Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3940
Views
1
Helpful
11
Replies

802.1x timeout log

peter.matuska1
Level 1
Level 1

‎03-06-2023 02:10 AM

Hi,

The switch 9200L, 17.06.04 has 802.1x enabled. I noticed in the logs that sometimes the 802.1x doesn't finish correctly and the log on the ISE says: 5440 Endpoint abandoned EAP session and started new, the switch log is: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (MAC address) with reason (Timeout) on Interface Gi3/0/35 AuditSessionID 043410AC0000E5C0B633FC57 Username: host/hostname.domain.com

The question is whether this is timeout is caused by the PC or by the switch. The PC has native windows supplicant using EAP-TLS.

thank you

0 Helpful
11 Replies 11

balaji.bandi
Hall of Fame
Hall of Fame

‎03-06-2023 02:31 AM

is this for only 1 client or all of them having same issue ? and is this worked on any other switch ? all the switches having same issue ?

what is the version of ISE ?  - does the switch has reachability to ISE and what Logs you see on ISE ?

how is your configfuriaton on the switch AAA and port config ?

dot1x timeout tx-period XX ?what timeout config you have here ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

peter.matuska1
Level 1
Level 1
In response to balaji.bandi

‎03-06-2023 02:42 AM

Hi,

ISE 2.6, patch 12. I noticed that the same issue/log is for more than 1 endpoint and more than 1 switch. Yes, I checked the switch and it has connectivity to ISE, there is no log regarding RADIUS server down.

Preview file
2 KB
0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to peter.matuska1

‎03-06-2023 03:03 AM

if you connect same device or user other switch that works ?

For testing any device you know having issue, try to increase the time ?  

dot1x timeout tx-period X
dot1x timeout supp-timeout X

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

peter.matuska1
Level 1
Level 1
In response to balaji.bandi

‎03-06-2023 03:08 AM

Hi,

I think it will be the same. I will try to modify the timeout on the intefaces.

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to peter.matuska1

‎03-06-2023 10:26 AM

Also you need to collect end device information which was failing - especially NIC cards used.

Some Intel NIC cards having this issue, 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

MHM Cisco World
VIP
VIP

‎03-06-2023 03:32 AM - edited ‎03-06-2023 03:41 AM

Gi3/0/35 <<- the log for this Port is appear when PC connect AND active  or  connect not active 
I think this is normal when PC connect not active
the ISW/ISE will reauth the connect device, if the device not reply then SW/ISE will unauthz the port. 
that it no need to change the default timeout if the case is same of above 

0 Helpful

Tariq Mahmoud
Level 1
Level 1

‎03-06-2023 03:34 AM

1. The log from ISE Indicates that the endpoint is not responding. If you check the steps in the detailed live log you will notice that ISE sends an Access-Challenge and that it gets no response for this access challenge. 

2. The log from the switch Indicates that the supplicant (PC) is timing out, the switch sends requests to the supplicant but the supplicant never responds during the time window. 

This has two possibilities: 
1. The supplicant is indeed not responding because of an issue with the supplicant or the protocol flow, you are using machine authentication host/hostname.domain.com maybe the PC was put to sleep or something?

2. The timers configured on the switch are misconfigured. 

I believe it would be point#1 because if the timers are the issue then you would face this on a larger scale and more frequently. 

0 Helpful

peter.matuska1
Level 1
Level 1

‎03-06-2023 03:53 AM

Hi, last time the customer reported the issue was when PC was turned on (not from sleep) and machine and user authentication failed during the boot up and login process. Once the customer unplugged and plug the cable back to the PC, the authentication finished correctly.

MHM Cisco World
VIP
VIP
In response to peter.matuska1

‎03-06-2023 04:16 AM

and this will happened each time the Sleep->active time is less than auth timeout. 
the solution for me is use inactivity timeout <<- use this timeout only for this user port and monitor the issue. 

0 Helpful

Aref Alsouqi
VIP
VIP

‎03-06-2023 08:22 AM - edited ‎03-06-2023 08:23 AM

That issue is most likely related to the endpoint, not the switch nor ISE. I came across similar issues and managed to fix them by updating the NIC drivers.

0 Helpful

hslai
Cisco Employee
Cisco Employee

‎03-11-2023 08:43 PM

@peter.matuska1 I agree with most of the responses here, especially Aref's. It might worth to troubleshoot further, e.g, by using one of these guides:

0 Helpful
Customers Also Viewed These Support Documents