dot1x critical eapol not working on 3850 with IBNS 2.0 configuration

Leroy Plock
Level 1

Hi. I am testing out an IBNS 2.0 config on a 3850 switch running 03.06.04.E. Overall this is working great, but I am having one small issue with critical auth. 

 

If I simulate an "all radius servers dead" situation, critical auth basically works as expected. Show access-session int shows the correct Service Templates applied, and the client is allowed; I can ping it.

 

The annoying issue is that the Anyconnect (4.5.02036) NAM module continues to show "Authenticating" for exactly 2 minutes after authorization is complete. (I have no idea what happens at 2 minutes.)

 

I have configured "dot1x critical eapol" which should be taking care of this. The switch should send a "fake" auth success message to tell the client auth was successful.

 

I ran a debug and see this message:

009440: Jul 24 17:02:11.084 GMT: dot1x-ev:[34e6.d717.c550, Gi1/0/47] No CannedSuccess for auth-fail as Bypass is disabled.

 

I assume "CannedSuccess" is the fake auth success message, but I don't know what "bypass is disabled" means, or why Anyconnect goes to "connected" after exactly 2 minutes.

 

Here is the relevant section of my policy:

policy-map type control subscriber MY_NAC_POLICY
  event authentication-failure match-first
   10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
    10 clear-authenticated-data-hosts-on-port
    20 activate service-template MY_CRITICAL_AUTH
    30 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
    40 authorize
    50 pause reauthentication

 

The MY_CRITICAL_AUTH template looks like this:

service-template MY_CRITICAL_AUTH
  description <<< Access Policy for Critical Auth (ISE Down) >>>
  access-group TCH_CRITICAL_AUTH

 

Any ideas appreciated, thank you.


kthiruve
Cisco Employee

You can look at the Anyconnect logs by creating a report, or by looking at the NAM service logs that are part of the Windows logs, to see if NAM is just waiting for the switch to send back or not.

If you determine that the switch sends a canned message to the supplicant, make sure you configure the supplicant behavior appropriately by using the Anyconnect NAM profile editor.

 

-Krishnan

hslai
Cisco Employee

You might have hit a bug in the Cisco IOS platform, such as CSCus40723 or CSCvc86691.

I would suggest that you try a Cisco IOS release with the fixes, or engage Cisco TAC support to troubleshoot further.

Leroy Plock
Level 1

Just a quick update: I determined why NAM goes to authenticated after 2 minutes. Since it is not receiving a success message, it retries per its configured timers. After those expire, it assumes there is no authenticator present and goes to "Connected." The default timers are:

  authPeriod: 30

  startPeriod: 30

  maxStart: 3

 

3 x 30 + 30 = 120 seconds or 2 minutes. I can predictably affect the time until "connected" by changing these timers.

 

So the root problem is still that the switch is not sending the "fake" Auth Success message. I'm off to TAC for help.