dal (Participant)

Computer on dot1x enabled port generates fail in switch syslog when it goes to sleep (3CPL)

Hi.

As the title says, I have enabled 802.1x (and MAB) via 3CPL and policies on a switchport, and it works fine.

Until the computer falls asleep.

Then the switchport starts to generate error logs like this:

Jan 22 14:16:34.492: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (13e2.1e14.a20a) on Interface GigabitEthernet1/0/13 AuditSessionID FA64320A00015AFCCD99EA23. Failure reason: Authc fail. Authc failure reason: Cred Fail.

every 60 seconds.

I have found that this happens when the NIC on the computer has the "Allow the computer to turn off this device to save power" option enabled... which is enabled by default on all Windows computers.

And it needs to stay that way to enable WoL.

So how can I get rid of the error messages in the switch?

Thanks.

2 Replies
VIP Advocate

Re: Computer on dot1x enabled port generates fail in switch syslog when it goes to sleep (3CPL)

A logging discriminator would be what I suggest. In my opinion these logs don't provide any value on the switch. When we troubleshoot we look at ISE, or "show auth sessions", to gather the information anyway.

You can do something such as this to stop logging it to the buffer.

logging discriminator AUTHFILT facility drops DOT1X
logging discriminator AUTHFILT facility drops SESSION_MGR
logging buffered discriminator AUTHFILT
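Added here as an example that is not part of the thread: a small Python triage script run over constructed syslog lines shaped like the one quoted in the question. A buffer discriminator on DOT1X and SESSION_MGR drops every such message from the switch, including genuine credential failures from endpoints that are awake; running something like this at the syslog collector instead keeps those visible while flagging endpoints that fail at a fixed interval (the every-60-seconds pattern a sleeping WoL NIC produces) so only they are suppressed or rate-limited. The year (IOS timestamps carry none), the 5-second jitter tolerance, the minimum count of three and the sample lines are all assumptions made for this example.

```python
"""Triage repeated %SESSION_MGR-5-FAIL messages from a Cisco IOS-XE switch.

Added example, not code from the thread. It parses the failure line quoted
in the question, groups failures by (MAC, interface) and flags endpoints that
fail at a steady interval (the sleeping-WoL-NIC pattern), so those can be
rate-limited or dropped at the syslog collector while one-off credential
failures stay visible.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the message format shown in the question. IOS timestamps carry no
# year, so the caller supplies one (assumption made for this example).
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?: "
    r"%SESSION_MGR-5-FAIL: .*?client \((?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\) "
    r"on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-F]+)\. "
    r"Failure reason: (?P<reason>[^.]+)\. Authc failure reason: (?P<authc>[^.]+)\.$"
)


def parse_line(line, year=2020):
    """Return a dict for a SESSION_MGR-5-FAIL line, or None for anything else."""
    m = FAIL_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "mac": m["mac"], "intf": m["intf"], "sid": m["sid"],
            "reason": m["reason"], "authc": m["authc"]}


def group_failures(lines, year=2020):
    """Bucket parsed failures by (mac, interface), oldest first."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line, year)
        if rec is not None:
            groups[(rec["mac"], rec["intf"])].append(rec)
    for recs in groups.values():
        recs.sort(key=lambda r: r["ts"])
    return dict(groups)


def classify(recs, min_count=3, jitter=timedelta(seconds=5)):
    """Label one endpoint's failures.

    'periodic' - at least min_count failures whose spacing varies by no more
                 than `jitter` (a sleeping NIC answering every retry timer
                 with the same bad credential); also returns the period.
    'repeated' - several failures at irregular intervals (worth a look).
    'isolated' - fewer than min_count failures.
    """
    if len(recs) < min_count:
        return "isolated", None
    gaps = [b["ts"] - a["ts"] for a, b in zip(recs, recs[1:])]
    if max(gaps) - min(gaps) <= jitter:
        period = sum(gaps, timedelta()).total_seconds() / len(gaps)
        return "periodic", round(period)
    return "repeated", None


def report(lines, year=2020):
    """Summarise every failing endpoint: count, label, period, authc reasons."""
    summary = {}
    for key, recs in group_failures(lines, year).items():
        label, period = classify(recs)
        summary[key] = {"count": len(recs), "label": label, "period": period,
                        "authc": sorted({r["authc"] for r in recs})}
    return summary


# Constructed sample input modelled on the line in the question (not real logs).
_TEMPLATE = ("{ts}: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed "
             "or unapplied for client ({mac}) on Interface {intf} AuditSessionID {sid}. "
             "Failure reason: Authc fail. Authc failure reason: Cred Fail.")


def _fail(ts, mac, intf, sid):
    return _TEMPLATE.format(ts=ts, mac=mac, intf=intf, sid=sid)


SAMPLE_LINES = [
    # Sleeping WoL NIC: same MAC, same port, one failure every 60 seconds.
    _fail("Jan 22 14:16:34.492", "13e2.1e14.a20a", "GigabitEthernet1/0/13", "FA64320A00015AFCCD99EA23"),
    _fail("Jan 22 14:17:34.498", "13e2.1e14.a20a", "GigabitEthernet1/0/13", "FA64320A00015AFCCD99EA23"),
    _fail("Jan 22 14:18:34.501", "13e2.1e14.a20a", "GigabitEthernet1/0/13", "FA64320A00015AFCCD99EA23"),
    _fail("Jan 22 14:19:34.490", "13e2.1e14.a20a", "GigabitEthernet1/0/13", "FA64320A00015AFCCD99EA23"),
    # Someone retrying a wrong password by hand: failures at irregular intervals.
    _fail("Jan 22 14:16:00.103", "0050.56aa.bbcc", "GigabitEthernet1/0/7", "FA64320A00015B0112345678"),
    _fail("Jan 22 14:16:07.220", "0050.56aa.bbcc", "GigabitEthernet1/0/7", "FA64320A00015B0112345678"),
    _fail("Jan 22 14:20:40.871", "0050.56aa.bbcc", "GigabitEthernet1/0/7", "FA64320A00015B0112345678"),
    # A one-off failure and an unrelated message, both left alone.
    _fail("Jan 22 14:18:02.000", "f4ce.46aa.0001", "GigabitEthernet1/0/2", "FA64320A00015B02ABCDEF01"),
    "Jan 22 14:18:05.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

if __name__ == "__main__":
    for (mac, intf), info in sorted(report(SAMPLE_LINES).items()):
        print(f"{mac} {intf}: {info}")
```

The "periodic" label is the one to act on: a MAC that fails every 60 seconds with the same "Cred Fail" reason on the same port matches the sleeping-NIC behaviour described in the question, and its MAC/interface pair can be fed to a collector-side drop rule. The "repeated" and "isolated" labels are left in the feed on purpose, since an irregular run of credential failures is exactly what a buffer-wide discriminator would hide.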
Contributor

Re: Computer on dot1x enabled port generates fail in switch syslog when it goes to sleep (3CPL)

Hi

Yes, I see the same problem with WoL-enabled devices. I increased the authentication restart for 802.1x fail/no response to 65535 seconds to decrease the number of messages - see below.

 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 3 retry-time 30 priority 10
 ..
 event authentication-failure match-first
  ..
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authentication-restart 65535
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authentication-restart 65535
  ..
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 3 retry-time 30 priority 10

When I was looking at a PowerShell script to whitelist PXE imaging clients (through the ISE API), I considered using the same script to whitelist WoL PCs (i.e. run the script on PC shutdown to whitelist the PC's MAC and run the script again on PC boot to remove the PC from the whitelist). It seemed way too complicated, so I dropped that idea. The script used for whitelisting is available here:

https://github.com/AdamGrossTX/PowershellScripts/tree/master/CiscoISE/External%20RESTful%20Service%20(ERS)%20API

hth
Andy