04-01-2022 06:59 AM - edited 04-01-2022 02:44 PM
Hi all,
I have a strange problem on one set of my 2960X switches. When users connect to the switch it seems that the authentication takes a long time. It seems to be a problem with both Windows machines using Anyconnect and Mac machines using their own dot1x clients. In both cases the problem seems to be most visible on Mac machines, as there are several pop-ups for the user to select a certificate until successful.
I have device tracking enabled:
sh ip device tracking all
Global IP Device Tracking for clients = Enabled
Global IP Device Tracking Probe Count = 3
Global IP Device Tracking Probe Interval = 30
Global IP Device Tracking Probe Delay Interval = 0
And the following configuration on the ports:
switchport access vlan 16
switchport mode access
switchport nonegotiate
switchport voice vlan 18
ip access-group preAuth in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 16
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
Software version on the switch is 15.2(7)E2
I'm also attaching the output of the debug dot1x all command in the attachments.
I really can't put my finger on what is happening here, as it seems I have configured everything needed, but the problem persists.
Thanks for any info.
04-20-2022 03:52 AM
I have also tested connection with a Mac OS and with Windows PC and I'm attaching the picture of authentications seen on ISE.
The MAC address starting with A8 is a Mac OS PC with a native client and the MAC address starting with 48 is a Windows PC with an Anyconnect client with the NAM module.
04-21-2022 07:54 AM
Steps are what I'm looking for;
you can do this by yourself:
check the steps from one without the issue and one with the issue and see which steps are repeated. This will help us identify the issue.
05-05-2022 06:59 AM - edited 05-05-2022 07:00 AM
Hi all,
sorry for the lack of reply but other projects took my time.
We have finally resolved the problem by upgrading the IOS on the switch to the version 15.2(7)E5.
After the upgrade there were no more problems for Mac users.
Thank you all for all the suggestions.
06-20-2022 09:04 AM - edited 06-20-2022 10:29 AM
Hi, we had the same issue in our infrastructure, and my colleague resolved the slow dot1x authentication on old Cisco 2960 series switches with old firmware (IOS 12 and IOS 15) used nowadays with Windows 10. Before solving the issue the authentication was too slow: between 37 seconds and 1 minute for every port-based authentication.
Please keep in mind that our example is for 802.1X dot1x EAP-TLS computer-based authentication with certificates. We use Microsoft DC, Microsoft AD, Microsoft CA, Microsoft NPS, Cisco switches, Juniper switches and Windows 10 based notebooks and workstations.
As you can see, in the past this issue has been solved in Windows XP with registry editing.
HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode
For example, the value 3 will solve the problem and the authentication process will take only 3-4 seconds.
Unfortunately on Windows 10 this registry key doesn't exist.
Here you could see the old topic for Windows XP:
delay for wired 802.1X authentication - Cisco Community
But in the end, with Group Policy the issue is resolved for Windows 10 as well.
Computer Configuration -> Policies ->Windows Settings -> Security Settings ->Wired Network (IEEE 802.3) Policies.
Here we create a new policy, Radius Ethernet, with the description Allow 802.1x authentication. The box Use Windows Wired Auto Config service for clients is checked. In Security, the box Enable use of IEEE 802.1X authentication for network access is checked as well.
For Select a network authentication method, Microsoft: Smart Card or other Certificate has been chosen. In the Properties next to Select authentication method, under "When connecting", Use a certificate on this computer has been chosen. The box Use simple certificate selection has been checked. In Advanced, the box Certificate Issuer has been checked. In Root Certification Authorities, the box for the root certificate has been checked.
In Intermediate Certification Authorities, the box for the root certificate has been checked. The box Verify the server's identity by validating the certificate has been checked. In Trusted Root Certification Authorities, the box for the root certificate has been checked.
Authentication Mode has been set to Computer only. The box Cache user information for subsequent connections to this network has been checked. For Max Authentication Failures the value is 1.
And the most important point!
In Advanced we should configure IEEE 802.1X only!
The box Enforce advanced 802.1X settings has been checked.
The parameters here are:
Max Eapol-Start Msgs 3
Held Period (seconds) 1
Start Period (seconds) 5
Auth Period (seconds) 18
And voilà!
Bonus:
Please don't forget to check the Wired AutoConfig service on your notebooks and workstations. By default on the latest Windows 10 (21H2) this service is set to Manual startup and it does not start automatically. We resolved this with Group Policy by changing the startup mode from Manual to Automatic!
On Windows 11 this issue with the service doesn't exist. For wireless this issue also does not exist, neither on Windows 11 nor on Windows 10.
These modifications resolve slow EAP-TLS authentication on Cisco switches on LAN ports.
Please keep in mind that for Juniper network switches these changes have no effect, negative or positive. On the Juniper equipment the EAP-TLS authentication is fast by default, before these changes, and after them the speed is the same. These changes only solve slow authentication on Cisco switches.
Please also keep in mind that in many infrastructures the internal switching is based on old, end-of-life Cisco switches, and there is no option to upgrade IOS to the latest version.
I also checked Cisco IOS bugs but I didn't find anything.
It seems like, as usual, something Microsoft-specific......... specific settings... in our case for slow dot1x EAP-TLS authentication.
Best Regards!
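Added example (not posted by anyone in this thread): a PowerShell check an admin can run on a Windows 10 client to confirm that the two things the post above changes actually landed, the Wired AutoConfig service (dot3svc) startup type and the advanced 802.1X timers in the wired profile. The interface name "Ethernet", the export folder under $env:TEMP and the -Fix switch are my assumptions; the expected timer values are the ones given in the post.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the client.
# Assumptions (not from the post): wired interface is named "Ethernet", $env:TEMP is writable.
param(
    [string]$Interface = "Ethernet",
    [switch]$Fix   # also set dot3svc to Automatic and start it
)

# Expected values taken from the post above (Enforce advanced 802.1X settings)
$Expected = @{ maxStart = 3; heldPeriod = 1; startPeriod = 5; authPeriod = 18; maxAuthFailures = 1 }

# 1. Wired AutoConfig service (dot3svc) must be Automatic and Running, otherwise no wired 802.1X at all
$svc = Get-Service -Name dot3svc
$startMode = (Get-CimInstance Win32_Service -Filter "Name='dot3svc'").StartMode   # Auto / Manual / Disabled
"dot3svc: status=$($svc.Status) startmode=$startMode"
if ($Fix -and ($startMode -ne "Auto" -or $svc.Status -ne "Running")) {
    Set-Service -Name dot3svc -StartupType Automatic
    Start-Service -Name dot3svc
    "dot3svc set to Automatic and started"
}

# 2. Export the wired profile (netsh lan export profile) and read its OneX element
$folder = Join-Path $env:TEMP "lanprofile"
New-Item -ItemType Directory -Path $folder -Force | Out-Null
netsh lan export profile folder="$folder" interface="$Interface" | Out-Null
$file = Get-ChildItem -Path $folder -Filter *.xml | Select-Object -First 1
if (-not $file) { throw "No wired profile exported for interface '$Interface' (is dot3svc running?)" }

[xml]$lanProfile = Get-Content -Path $file.FullName
$onex = $lanProfile.LANProfile.MSM.security.OneX   # namespace-agnostic property access
if (-not $onex) { throw "Profile has no OneX element: 802.1X is not enabled on '$Interface'" }

# 3. Compare each timer with the value from the post; an absent element means the default
#    is in use, which is reported as a mismatch because the post requires explicit values
$mismatch = 0
foreach ($k in $Expected.Keys) {
    $actual = $onex.$k
    $ok = ([int]$actual -eq $Expected[$k])
    if (-not $ok) { $mismatch++ }
    "{0,-16} expected={1,-3} actual={2,-4} {3}" -f $k, $Expected[$k], $actual, $(if ($ok) { "OK" } else { "MISMATCH" })
}
"authMode=$($onex.authMode) cacheUserData=$($onex.cacheUserData)"
exit $mismatch   # non-zero exit code = number of settings that differ from the post
```

The exit code makes the script usable from a login script or monitoring job, so a client that silently fell back to Manual startup or default timers shows up before users report 40-second logons.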