Dot1X authenticated user, reauthenticates directly again via MAB

Darkmatter
Level 1

I've seen some cases where one of our users gets authenticated correctly via dot1x and the user's identity displays fine, but then 30 seconds later, reauthenticates via MAB and user's identity is replaced by his MAC address. Then, 30 seconds later it does the same thing again.

Finally after a few minutes, it changes back to dot1x.

 

For now, this is not a problem since we're running in Monitor mode, but I see it becoming an issue once we transition to Low-Impact mode.

At that stage, clients will begin experiencing intermittent connectivity issues.

 

What could explain this behaviour?

 

dot1x_to_mab.jpg
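Before the switch debugs suggested below are available, a defender can at least quantify from the RADIUS authentication records how often a given endpoint's session really flips between 802.1X and MAB. The following is an added example written for this thread, not code from the original post, from Cisco or from ISE. It parses a constructed, simplified log format (the `nas=`, `port=`, `mac=`, `method=`, `identity=` and `result=` fields are assumptions for the example, not ISE's export format) and reports endpoints whose successful authentication method alternates between dot1x and mab within a short window, so that the flapping ports can be listed and handed to the switch team.

```python
"""Detect 802.1X <-> MAB authentication flapping from RADIUS authentication logs.

Added example (not from the original thread). The log format below is a
constructed, simplified one: each line carries a timestamp, NAS (switch)
IP, port, endpoint MAC, authentication method and the identity recorded
by the RADIUS server. A real ISE or switch syslog export would need a
different parser; the flap-detection logic is independent of the format.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: one endpoint is authenticated via dot1x, then
# re-authenticates via MAB every ~30 s, and finally settles on dot1x again
# (the pattern described in the question). A second endpoint with one
# stable dot1x session acts as a control.
SAMPLE_LOG = """\
2024-03-05T09:00:00 nas=10.1.1.10 port=GigabitEthernet1/0/5 mac=00:11:22:33:44:55 method=dot1x identity=jdoe result=Passed
2024-03-05T09:00:30 nas=10.1.1.10 port=GigabitEthernet1/0/5 mac=00:11:22:33:44:55 method=mab identity=00-11-22-33-44-55 result=Passed
2024-03-05T09:01:00 nas=10.1.1.10 port=GigabitEthernet1/0/5 mac=00:11:22:33:44:55 method=dot1x identity=jdoe result=Passed
2024-03-05T09:01:30 nas=10.1.1.10 port=GigabitEthernet1/0/5 mac=00:11:22:33:44:55 method=mab identity=00-11-22-33-44-55 result=Passed
2024-03-05T09:04:00 nas=10.1.1.10 port=GigabitEthernet1/0/5 mac=00:11:22:33:44:55 method=dot1x identity=jdoe result=Passed
2024-03-05T09:00:10 nas=10.1.1.10 port=GigabitEthernet1/0/7 mac=aa:bb:cc:dd:ee:ff method=dot1x identity=asmith result=Passed
2024-03-05T10:00:10 nas=10.1.1.10 port=GigabitEthernet1/0/7 mac=aa:bb:cc:dd:ee:ff method=dot1x identity=asmith result=Passed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) nas=(?P<nas>\S+) port=(?P<port>\S+) mac=(?P<mac>\S+) "
    r"method=(?P<method>\S+) identity=(?P<identity>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    nas: str
    port: str
    mac: str
    method: str
    identity: str
    result: str


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the constructed log format; lines that do not match are skipped."""
    events: list[AuthEvent] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append(
            AuthEvent(
                ts=datetime.fromisoformat(d["ts"]),
                nas=d["nas"],
                port=d["port"],
                mac=d["mac"].lower(),
                method=d["method"].lower(),
                identity=d["identity"],
                result=d["result"],
            )
        )
    return events


def find_method_flaps(
    events: list[AuthEvent],
    window: timedelta = timedelta(seconds=120),
    min_switches: int = 2,
) -> dict[tuple[str, str, str], list[tuple[datetime, str, str]]]:
    """Return {(nas, port, mac): [(ts, from_method, to_method), ...]}.

    Only successful authentications are considered. A method change counts
    as a flap only when it happens within `window` of the previous successful
    authentication of the same endpoint on the same port; endpoints with at
    least `min_switches` such changes are reported.
    """
    by_endpoint: dict[tuple[str, str, str], list[AuthEvent]] = defaultdict(list)
    for ev in events:
        if ev.result == "Passed":
            by_endpoint[(ev.nas, ev.port, ev.mac)].append(ev)

    flapping: dict[tuple[str, str, str], list[tuple[datetime, str, str]]] = {}
    for key, evs in by_endpoint.items():
        evs.sort(key=lambda e: e.ts)
        switches = [
            (cur.ts, prev.method, cur.method)
            for prev, cur in zip(evs, evs[1:])
            if prev.method != cur.method and cur.ts - prev.ts <= window
        ]
        if len(switches) >= min_switches:
            flapping[key] = switches
    return flapping


if __name__ == "__main__":
    for (nas, port, mac), switches in find_method_flaps(parse_log(SAMPLE_LOG)).items():
        print(f"{nas} {port} {mac}: {len(switches)} method change(s)")
        for ts, src, dst in switches:
            print(f"  {ts.isoformat()} {src} -> {dst}")
```

With the constructed sample, only the endpoint on GigabitEthernet1/0/5 is reported, with three method changes; the 09:04:00 return to dot1x is more than 120 s after the previous event and is not counted as part of the flap. Tune `window` to the reauthentication interval in use and `min_switches` to how many flips you consider abnormal before raising it with the switch team.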

Accepted Solution

Arne Bier
VIP

Hi @Darkmatter 

 

I have not seen this myself, but it sounds like a switch configuration/software issue, since the RADIUS auth events are triggered by the switch and not the client. E.g. the client is plugged in and the user is logged in; the switch would only send an auth event to ISE if there was a change in session status, e.g. if the session was cleared.

Recommend sharing your 802.1X relevant commands here.

And also doing a debug on the switch if you can reproduce this.

Good luck with IOS-XE 802.1X debugging ... it's a whole other discussion. 

 

2 Replies

zunaid.cse
Level 1

You can try the switch configuration below and see if it brings any improvement.

Switch Conf: 

aaa new-model
!
! RADIUS server group pointing at the two ISE nodes
aaa group server radius Radius-ISE
 server 172.16.1.234 auth-port 1812 acct-port 1813
 server 172.16.2.234 auth-port 1812 acct-port 1813
!
aaa authentication login Radius-ISE group radius local
aaa authentication login LOCAL-DB local
! 802.1X/MAB authentication and authorization go to the ISE group
aaa authentication dot1x default group Radius-ISE
aaa authorization network default group Radius-ISE
aaa authorization auth-proxy default group Radius-ISE
! interim accounting updates every 5 minutes
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group Radius-ISE
aaa accounting dot1x default start-stop group Radius-ISE
!
! allow ISE to send CoA / disconnect requests to the switch
aaa server radius dynamic-author
 client 172.16.1.234 server-key 0 ***********
 client 172.16.2.234 server-key 0 ***********
 exit
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server host 172.16.1.234 auth-port 1812 acct-port 1813 key 0 **********
radius-server host 172.16.2.234 auth-port 1812 acct-port 1813 key 0 ***********
radius-server vsa send accounting
radius-server vsa send authentication


Switch Interface configuration:

interface FastEthernet0/1
 ! if 802.1X fails, fall through to the next method (MAB)
 authentication event fail action next-method
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 ! every MAC on the port is authenticated individually
 authentication host-mode multi-auth
 ! open (monitor-mode) access before authentication completes
 authentication open
 ! try 802.1X first, MAB only as fallback; a dot1x result takes
 ! precedence over a MAB result for the same session
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! periodic reauthentication, interval taken from the RADIUS Session-Timeout
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 ! seconds between EAP-Request/Identity retransmissions
 dot1x timeout tx-period 10

 

 

Or you can contact me directly. I will try to troubleshoot your issue remotely.

Mobile+Whatsapp+Viber+IMO: +8801962400050

Email: zunaid.cse@gmail.com

Skype: mzunaidbhuiyan