robert.riggle
Contributor

ACS Failed Authentication - Confusing

I am having some confusion currently while looking into devices that fail authentication through the ACS.  When looking at the reporting tool for the ACS I see a device (Dell laptop) show up on the same switch port with around 900 failed authentication attempts per day.  I follow that up with a check on the MAC address table for that switch.  I see devices connected (through a hub), but not the one that is failing.  On the switch port there are the hub, 2 Dell laptops (but not the one getting logged in the ACS) and a VTC unit.

To add to the confusion, only the VTC unit shows an IP on the ARP table of the firewall.  Not sure where to go from here.

Tarik Admani
Advocate

Robert,

Can you post the port configuration? If you are running newer code you may be running authentication host-mode single. Try running the command "authentication host-mode multi-auth".

Here is some reference material when it comes to the different host modes:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/50sg/configuration/guide/dot1x.html#wp1240475

Thanks,

Tarik Admani
*Please rate helpful posts*

Port configuration:

interface GigabitEthernet1/0/12
 switchport access vlan 2
 switchport mode access
 authentication control-direction in
 authentication host-mode multi-auth
 authentication port-control auto
 mab

Will look at the reference material also, thanks.

Robert,

What is the failure reason? also are you using dynamic vlan assignment?

can you post the "show authentication sessions interface gig 1/0/12"

thanks,

Tarik Admani
*Please rate helpful posts*

Output attached with MAC table for that port (no paste option?).

5 sessions on the interface, only 4 MACs show on the address table.  Does the failed MAB session not get shown on the table?

We do use dynamic vlan assignment.

Robert,

Are you on vlan 2 or vlan 200? Are you using dynamic vlan assignment?

Thanks,

Tarik Admani
*Please rate helpful posts*

The ports are set up in VLAN 2; on passing authentication they get moved over to VLAN 200.

Robert,

What version of code and model of switch are you running?

Thanks,

Tarik Admani
*Please rate helpful posts*

It's a 2960S switch running 12.2(55)SE5.

Robert,

I missed your question before. The answer is yes: when authentication fails the client is not entered in the MAC address table, since that would allow traffic to be forwarded. Dot1x (MAB) is an L2 authentication framework which doesn't allow the MAC address to be learned until we see the Access-Accept from the RADIUS server.

So if the client authentication is expected to fail then everything is ok as far as your deployment goes and the behavior of the switch.

Tarik Admani
*Please rate helpful posts*
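Robert's manual check (session list versus MAC table on the same port) can be scripted, which is useful when a port carries a hub with several hosts. The Python below is an added example, not code from the thread or from Cisco. The two outputs it parses are constructed to resemble "show authentication sessions interface gig 1/0/12" and "show mac address-table interface gig 1/0/12" on a 2960S (field layout assumed from the usual IOS output; the thread's real output was attached and is not on the page). For each MAB session it reports whether the MAC table agrees with the accepted answer: an Authz Success MAC should be learned in the dynamically assigned VLAN, an Authz Failed MAC should not be learned at all, and anything else is flagged for a second look.

```python
import re
from typing import Dict, List, Optional

# Constructed sample output (not the attachment from the thread), laid out like
# "show authentication sessions interface gig 1/0/12" on 12.2(55)SE. Only the
# fields this script reads are kept; the field layout is an assumption.
AUTH_SESSIONS = """\
            Interface:  GigabitEthernet1/0/12
          MAC Address:  0011.2233.aa01
            User-Name:  00-11-22-33-aa-01
               Status:  Authz Success
       Oper host mode:  multi-auth
          Vlan Policy:  200

            Interface:  GigabitEthernet1/0/12
          MAC Address:  0011.2233.aa02
            User-Name:  00-11-22-33-aa-02
               Status:  Authz Failed
       Oper host mode:  multi-auth
          Vlan Policy:  N/A

            Interface:  GigabitEthernet1/0/12
          MAC Address:  0011.2233.aa03
            User-Name:  00-11-22-33-aa-03
               Status:  Authz Success
       Oper host mode:  multi-auth
          Vlan Policy:  200
"""

# Constructed "show mac address-table interface gig 1/0/12" output for the same port.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 200    0011.2233.aa01    DYNAMIC     Gi1/0/12
 200    0011.2233.aa03    DYNAMIC     Gi1/0/12
 200    0011.2233.aa04    DYNAMIC     Gi1/0/12
Total Mac Addresses for this criterion: 3
"""

MAC_RE = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"


def parse_sessions(text: str) -> List[Dict[str, str]]:
    """One dict per session block: mac, status (e.g. 'Authz Failed') and vlan_policy."""
    sessions = []
    for block in re.split(r"(?m)^(?=[ \t]*Interface:)", text):
        mac = re.search(r"MAC Address:\s+(" + MAC_RE + ")", block)
        if not mac:
            continue
        status = re.search(r"(?m)^\s*Status:\s+(.+?)\s*$", block)
        vlan = re.search(r"Vlan Policy:\s+(\S+)", block)
        sessions.append({
            "mac": mac.group(1).lower(),
            "status": status.group(1) if status else "Unknown",
            "vlan_policy": vlan.group(1) if vlan else "N/A",
        })
    return sessions


def parse_mac_table(text: str) -> Dict[str, str]:
    """Map each learned MAC to the VLAN it was learned in; headers and totals are ignored."""
    return {
        m.group(2).lower(): m.group(1)
        for m in re.finditer(r"(?m)^\s*(\d+)\s+(" + MAC_RE + r")\s+\S+\s+\S+", text)
    }


def correlate(sessions: List[Dict[str, str]], mac_table: Dict[str, str]) -> List[Dict[str, Optional[str]]]:
    """Verdicts starting 'expected:' match the switch behaviour described in the thread;
    'check:' and 'anomaly:' need a second look."""
    findings: List[Dict[str, Optional[str]]] = []
    for s in sessions:
        learned = mac_table.get(s["mac"])
        if s["status"] == "Authz Success":
            if learned == s["vlan_policy"]:
                verdict = "expected: authorized, learned in the dynamically assigned VLAN"
            elif learned is None:
                verdict = "check: authorized but not in the MAC table (idle or aged out?)"
            else:
                verdict = f"check: authorized for VLAN {s['vlan_policy']} but learned in VLAN {learned}"
        elif s["status"] == "Authz Failed":
            verdict = ("expected: MAB failed, MAC not learned (port stays unauthorized for it)"
                       if learned is None else
                       f"anomaly: MAB failed but MAC learned in VLAN {learned}")
        else:
            verdict = f"check: session state '{s['status']}'"
        findings.append({**s, "learned_vlan": learned, "verdict": verdict})
    with_session = {s["mac"] for s in sessions}
    for mac, vlan in mac_table.items():
        if mac not in with_session:
            findings.append({"mac": mac, "status": "no session", "vlan_policy": "N/A",
                             "learned_vlan": vlan,
                             "verdict": "check: learned with no authentication session (static entry, or stale output?)"})
    return findings


def report() -> List[Dict[str, Optional[str]]]:
    findings = correlate(parse_sessions(AUTH_SESSIONS), parse_mac_table(MAC_TABLE))
    for f in findings:
        print(f"{f['mac']}  {f['status']:<14} policy={f['vlan_policy']:<4} "
              f"learned={(f['learned_vlan'] or '-'):<4} {f['verdict']}")
    return findings


if __name__ == "__main__":
    report()
```

Paste real output into the two strings (or read them from files) and run it; on a healthy port every line should read "expected:". The constructed MAC table includes 0011.2233.aa04 with no session to show the remaining case worth checking.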


That's what I needed to know, thanks.  It's disappointing though...
