04-01-2022 06:59 AM - edited 04-01-2022 02:44 PM
Hi all,
I have a strange problem on one set of my 2960X switches. When users connect to the switch it seems that the authentication takes a long time. It seems to be a problem with both Windows machines using AnyConnect and Mac machines using their own dot1x clients. In both cases the problem seems to be most visible on Mac machines, as there are several pop-ups for the user to select a certificate until it is successful.
I have device tracking enabled:
sh ip device tracking all
Global IP Device Tracking for clients = Enabled
Global IP Device Tracking Probe Count = 3
Global IP Device Tracking Probe Interval = 30
Global IP Device Tracking Probe Delay Interval = 0
And the following configuration on the ports:
switchport access vlan 16
switchport mode access
switchport nonegotiate
switchport voice vlan 18
ip access-group preAuth in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 16
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
Software version on the switch is 15.2(7)E2
I'm also attaching the output of debug dot1x all command in the attachments.
I really can't put my finger on what is happening here, as it seems I have configured everything needed but the problem persists.
Thanks for any info.
05-05-2022 06:59 AM - edited 05-05-2022 07:00 AM
Hi all,
sorry for the lack of reply but other projects took my time.
We have finally resolved the problem by upgrading the IOS on the switch to version 15.2(7)E5.
After the upgrade there were no more problems for Mac users.
Thank you all for all the suggestions.
04-01-2022 07:32 AM
That is all just L2 802.1X traffic, not RADIUS.
I suggest looking at your ISE LiveLog Details to see what is happening on that side, to see when the request is received and if there is any latency due to your identity store or other things.
04-01-2022 09:51 AM
Hi,
the logs on ISE are all green and authentication passes every time; it's just that it takes a while. Here are the RADIUS logs from ISE for the Mac machine in question.
I also have debug logs from ISE but the file is a bit large and quite difficult to remove all the sensitive data from it but if necessary I can share that also.
04-03-2022 09:55 AM
The authentication is happening normally in ISE - I don't see any latency issues called out there so that is good.
Based on your initial 802.1X debug output it looks like your endpoint is not responding to the first couple of challenges, then finally on the third one it responds to the switch, which generates a RADIUS request to ISE which appears to work normally against Active Directory.
You could try doing debugs with `debug radius authentication` on your switch to understand the timing of dot1x vs RADIUS on the switch and see where the latency is occurring.
Normally an authentication should take less than 1 second.
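One way to act on the suggestion above (compare dot1x timing against RADIUS timing from the switch debugs) is to script the comparison rather than read timestamps by eye. The following is an added example, not code from the thread or from Cisco. It assumes the debug output carries `service timestamps debug datetime msec` style prefixes, and it matches on the substrings `EAP-Request`, `EAP-Response`, `Access-Request` and `Access-Accept`/`Access-Reject`; the exact message text in real IOS `debug dot1x` / `debug radius authentication` output varies by release, so those substrings are assumptions to adjust. The sample lines are constructed to mirror the behaviour described in the reply (two unanswered EAP challenges, a response to the third, then a fast RADIUS round trip).

```python
import re
from datetime import datetime

# Constructed sample in the shape of IOS debug output with msec timestamps.
# These lines are NOT real output from the thread; message text is assumed.
SAMPLE = """\
Apr  1 06:59:00.000: dot1x-ev(Gi1/0/5): EAP-Request sent to supplicant (id=1)
Apr  1 06:59:10.010: dot1x-ev(Gi1/0/5): EAP-Request sent to supplicant (id=2)
Apr  1 06:59:20.020: dot1x-ev(Gi1/0/5): EAP-Request sent to supplicant (id=3)
Apr  1 06:59:21.500: dot1x-ev(Gi1/0/5): EAP-Response received from supplicant (id=3)
Apr  1 06:59:21.510: RADIUS: Send Access-Request to 10.0.0.10:1812 id 1645/7
Apr  1 06:59:21.780: RADIUS: Received from id 1645/7 10.0.0.10:1812, Access-Accept
"""

# "Mon dd HH:MM:SS.mmm: <message>" -- the prefix that
# "service timestamps debug datetime msec" produces.
TS_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): (.*)$")


def parse_debug(text):
    """Return a list of (timestamp, message) tuples for lines with a timestamp."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue  # continuation lines / hex dumps carry no timestamp
        stamp = " ".join(m.group(1).split())  # collapse the padded day ("Apr  1")
        ts = datetime.strptime(stamp, "%b %d %H:%M:%S.%f")  # year is irrelevant
        events.append((ts, m.group(2)))
    return events


def _secs(start, end):
    return round((end - start).total_seconds(), 3) if start and end else None


def analyze(text):
    """Split one authentication into supplicant-side and RADIUS-side delay."""
    first_req = first_resp = access_req = access_result = None
    unanswered = 0
    for ts, msg in parse_debug(text):
        if "EAP-Request" in msg:
            if first_req is None:
                first_req = ts
            if first_resp is None:
                unanswered += 1  # provisionally count every request before a reply
        elif "EAP-Response" in msg and first_resp is None:
            first_resp = ts
            unanswered -= 1  # the last request was actually answered
        elif "Access-Request" in msg and access_req is None:
            access_req = ts
        elif ("Access-Accept" in msg or "Access-Reject" in msg) and access_result is None:
            access_result = ts

    supplicant_silent = _secs(first_req, first_resp)
    radius_rtt = _secs(access_req, access_result)
    if supplicant_silent is None or radius_rtt is None:
        verdict = "incomplete"
    elif supplicant_silent > radius_rtt:
        verdict = "supplicant"  # time is lost on the L2 EAPOL side, not on ISE
    else:
        verdict = "radius"      # time is lost between switch and RADIUS server

    return {
        "unanswered_eap_requests": unanswered,
        "supplicant_silent_s": supplicant_silent,
        "radius_rtt_s": radius_rtt,
        "total_s": _secs(first_req, access_result),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key:>24}: {value}")
```

On the constructed sample the script reports two unanswered EAP requests, about 21.5 s of supplicant silence and a 0.27 s RADIUS round trip, i.e. a `supplicant` verdict: the switch and ISE are fast, and the wait is the endpoint not answering the first challenges, which matches what the reply above reads from the original debug. Feed it the real `debug dot1x all` plus `debug radius authentication` output (with `service timestamps debug datetime msec` enabled) to get the same split for an actual session.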
04-04-2022 03:47 AM
04-01-2022 03:22 PM - edited 04-03-2022 03:41 PM
This is a slow client, so can you increase
dot1x timeout supp-timeout
04-04-2022 03:53 AM
The default value for this is 30 seconds according to Cisco documentation and the whole process is done in less than that even with repeated user interaction as can be seen from the switch side debug.
I don't think this is the problem.
04-04-2022 06:45 AM
debug dot11 aaa authenticator process
debug dot11 aaa authenticator state-machine
Can you share the output for this?
04-04-2022 07:13 AM
04-05-2022 01:29 PM
Is this debug for the PC or the IP phone? I assume it is the PC?
04-06-2022 12:16 AM
That is debug for a Mac PC.
04-15-2022 11:40 AM
I assume when you test with a non-macOS device it works?
Have you checked the macOS supplicant configuration on the endpoint?
Have you provisioned an authentication profile to the endpoint with Apple Configurator or an MDM?
Basic PEAP authentication will work by default but other protocols must be provisioned.
04-19-2022 07:10 AM
We usually configure the options needed for authentication directly on the Mac PC as we do not have an MDM solution.
And yes when we test with a non-macOS it works fine without any user interaction.
Also of note is that when, for a test, I connected the problematic Mac PC to an older 3560 switch with 802.1x authentication, everything works fine without any user interaction needed. From that it seems that the problem is connected to the 2960X switch.
The main issue in this whole problem is not that the authorization fails, as in the end everything succeeds, but that the user needs to select the certificate several times before it goes through.
04-16-2022 02:25 AM
The Authentication Report in ISE for this MAC ("I look for step"),
can I see it?
04-19-2022 07:04 AM
I don't understand what you want to see. Do you want me to send you the Steps when I check authentication?