DOT1x and Mac address dynamic dropped

muhammadtalha, Level 1

Hi All, 

I have configured wired dot1x between my switch and Cisco ISE, and on the other hand ISE is integrated with the Windows AD for domain users and PC authentication. I have noticed an issue with some users. They have an IP phone and a PC, so they have a voice VLAN and an access VLAN configured on their endpoint (both are different VLANs). The issue is that after a couple of hours of inactivity, their network becomes unidentified and they are cut off from the network. On the switch, I can see that the voice VLAN (static) MAC address is there, but the access VLAN MAC address for the endpoint is dropped, and I keep getting the log "DOT1X authentication failed for client".

When I do show authentication session interface detail, I get this:

show authentication sessions interface gigabitEthernet 2/0/6

Interface  MAC Address     Method  Domain   Status  Fg  Session ID
----------------------------------------------------------------------
Gi2/0/6    xxxx.xxxx.f429  N/A     UNKNOWN  Unauth      -

But again, this MAC address xxxx.xxxx.f429 is dropped from the MAC table.

The issue is fixed if the interface is physically restarted.

This is my DOT1x config:

switchport access vlan x
switchport mode access
switchport voice vlan xx
power inline auto max 15400
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
dot1x pae authenticator
spanning-tree portfast
end

On ISE, I do not see any live logs for this activity, which means that no authentication request is reaching ISE from the endpoint. I hope my question is clear, thanks.

2 Replies

This is not all of the config.

Can I see:

show authentication sessions

MHM

Arne Bier, VIP

@muhammadtalha - your config needs to handle inactivity - UNAUTH means that the session was authenticated, and then went inactive - but it's still there. What's going to clear it?

In IBNS 2.0 this is handled very nicely. I responded to another post today where I described this in some detail. Have a look and see if you can find equivalent commands in IBNS 1.0 - I can't find a switch old enough to test IBNS 1.0. But perhaps there is an "authentication session" style command to do the same thing.
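An added configuration example (not taken from Arne's reply or from the original post) showing how the inactivity handling described above can be expressed, first with the legacy IBNS 1.0 interface timer and then with an IBNS 2.0 service template and policy-map. The interface, the VLAN placeholders x/xx, the template and policy-map names, the 60-second value and the multi-domain host mode (one phone plus one PC per port) are all assumptions for illustration.

```cisco
! --- IBNS 1.0 (legacy) style: add an inactivity timer to the interface from the post ---
interface GigabitEthernet2/0/6
 switchport access vlan x
 switchport mode access
 switchport voice vlan xx
 authentication host-mode multi-domain
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 ! Age out an idle session after 60 s (assumed value) so that a new
 ! session can start when the PC wakes up; the keyword "server" instead
 ! of a number takes the value from the RADIUS Idle-Timeout attribute.
 authentication timer inactivity 60
 dot1x pae authenticator
 spanning-tree portfast
!
! --- IBNS 2.0 style: the same behaviour with a service template and a policy-map ---
! "probe" sends an ARP probe before the session is aged out, so a quiet but
! still-connected host is not dropped by mistake.
service-template INACTIVITY_TEMPLATE
 inactivity-timer 60 probe
!
policy-map type control subscriber EXAMPLE_DOT1X_POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template INACTIVITY_TEMPLATE
 ! Tear the session down when the timer expires instead of leaving
 ! a stale UNAUTH session sitting on the port.
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
!
interface GigabitEthernet2/0/6
 switchport access vlan x
 switchport mode access
 switchport voice vlan xx
 access-session host-mode multi-domain
 access-session port-control auto
 dot1x pae authenticator
 service-policy type control subscriber EXAMPLE_DOT1X_POLICY
 spanning-tree portfast
```

After applying either variant, "show authentication sessions interface ... detail" should show the session disappear once the timer expires and a fresh dot1x exchange (visible in ISE live logs) when the PC becomes active again.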