10-11-2012 04:43 AM - edited 03-10-2019 07:39 PM
ISE release 1.1.0.665…
Sample port configuration:
SWLX0203#show running-config interface fastEthernet 0/14
Building configuration...
Current configuration : 628 bytes
!
interface FastEthernet0/14
 switchport access vlan 6
 switchport mode access
 switchport voice vlan 20
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
end
So, the thing is:
Without a failed VLAN configured or a failed authorization profile, MAB authentication tries indefinitely to authenticate a non-authorized client behind a hub or unmanaged switch...
Any ideas?
Steps...
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11027 Detected Host Lookup Use Case (Service-Type = Call Check (10))
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - Internal Endpoints
24209 Looking up Host in Internal Hosts IDStore - 00:22:3F:B0:25:E4
24217 The host is not found in the internal endpoints identity store
22056 Subject not found in the applicable identity store(s)
22058 The advanced option that is configured for an unknown user is used
22061 The 'Reject' advanced option is configured in case of a failed authentication request
11003 Returned RADIUS Access-Reject
Everything seems to be working OK, except it should have a max number of authentication tries...
Regards
Nuno
10-11-2012 05:57 AM
Hello Nuno,
You can use "authentication timer restart 0" so if mab fails, the switch will stop trying again.
HTH,
Bastien
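A way to check which MAB-enabled ports carry the "authentication timer restart" setting suggested above, as an added example that is not part of the original thread or any Cisco tooling. The sample configuration is constructed (the port from the question plus two hypothetical ports), and the function names are illustrative.

```python
import re

# Constructed sample: Fa0/14 mirrors the question; Fa0/15 and Fa0/16 are hypothetical.
SAMPLE_CONFIG = """\
interface FastEthernet0/14
 authentication order dot1x mab
 authentication port-control auto
 mab
!
interface FastEthernet0/15
 authentication port-control auto
 authentication timer restart 0
 mab
!
interface FastEthernet0/16
 switchport mode access
!
"""

def parse_interfaces(config):
    """Split running-config text into {interface name: [sub-commands]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()  # tolerate configs pasted without indentation
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line in ("", "!", "end"):
            current = None  # block terminator
        elif current is not None:
            blocks[current].append(line)
    return blocks

def audit_mab_restart(config):
    """Return {interface: restart timer in seconds, or None if not set} for MAB ports."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if not any(c.split()[0] == "mab" for c in cmds):
            continue  # MAB is not enabled on this port
        timer = None  # None means the command is absent from the port
        for c in cmds:
            m = re.fullmatch(r"authentication timer restart (\d+)", c)
            if m:
                timer = int(m.group(1))
        report[name] = timer
    return report

for port, timer in audit_mab_restart(SAMPLE_CONFIG).items():
    print(port, "restart timer:", "not set" if timer is None else timer)
```

Ports reported as "not set" are the ones that would keep retrying MAB as described in the question.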
10-25-2012 03:48 AM
Bastien, many thanks, it's done...
Nevertheless, it would be interesting to have a max number of retries...
Regards
Nuno