ACS 5.1 MAB reauthentication every 1 minute

horvaia
Level 1

Hello,

I am using Cisco ACS 5.1. I would like to authenticate my IP phones with MAB (Avaya phones) and the computers with dot1x.

Everything works fine except that the phones which are successfully authenticated with MAB try to authenticate again and again and again ... and this fills up the ACS logs. Every authentication is successful and the phone does not hang up. But this fills up my logs and makes them useless.

switch version: cat4500-ipbasek9-mz.122-53.SG3.bin

port config:


interface FastEthernet2/25
switchport access vlan 107
switchport mode access
switchport voice vlan 502
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no logging event link-status
load-interval 60
speed 100
duplex full
qos vlan-based
authentication event fail action authorize vlan 109
authentication event server dead action authorize vlan 101
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 30
dot1x timeout server-timeout 25
dot1x timeout tx-period 15
dot1x timeout supp-timeout 25
dot1x max-req 3
tx-queue 3
   priority high
no cdp enable
spanning-tree portfast
ip dhcp snooping limit rate 10
end

Thanks,

Andras

1 Accepted Solution


Tiago Antunes
Cisco Employee

Hi,

If you remove the commands:

switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity

Do the phones stop authenticating every minute?

Please note that you have set the aging time to 1 minute, which means that if the phone is not sending any traffic, the switch will delete its MAC address from the MAC table; therefore, the dot1x process will kick in.

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.


2 Replies

Hi,

This was the solution. Removing "switchport port-security aging time 1" from the port-config.

Thanks,

Andras
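
As an added example (not code from the thread or from Cisco): a small Python audit that scans IOS interface stanzas for the combination the accepted answer identifies, port-security inactivity aging with a short aging time on a port that also runs MAB/802.1X. The sample config is constructed, and the function names and the `max_minutes` threshold are assumptions.

```python
import re

# Constructed sample in the style of the port config posted in the thread.
SAMPLE_CONFIG = """\
interface FastEthernet2/25
 switchport port-security maximum 3
 switchport port-security
 switchport port-security aging time 1
 switchport port-security aging type inactivity
 authentication port-control auto
 mab
!
interface FastEthernet2/26
 authentication port-control auto
 mab
!
"""

def split_interfaces(config):
    """Return {interface name: [stripped config lines]} for each stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif line in ("!", "end"):
            current = None  # stanza closed
        elif current is not None and line:
            current.append(line)
    return stanzas

def audit(config, max_minutes=5):
    """Flag authenticated ports whose port-security inactivity aging is short.

    max_minutes is an assumed review threshold, not a Cisco recommendation.
    """
    findings = []
    for name, lines in split_interfaces(config).items():
        secured = "switchport port-security" in lines
        authed = "mab" in lines or "authentication port-control auto" in lines
        inactivity = "switchport port-security aging type inactivity" in lines
        aging = next((int(l.split()[-1]) for l in lines
                      if re.match(r"switchport port-security aging time \d+$", l)), None)
        if secured and authed and inactivity and aging is not None and aging <= max_minutes:
            findings.append((name, aging))
    return findings
```

Each finding is an `(interface, aging minutes)` pair; on such ports a quiet endpoint's MAC can age out and trigger a fresh authentication, which is the log-flooding pattern described in the question.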