11-25-2018 01:20 AM - edited 03-11-2019 01:52 AM
Hi,
I'm new to dot1x design. Our office is using dot1x with Windows accounts for authentication on the wired network (no certificates).
When the PC restarts, the credentials will be gone, and there will be logs about failed authentication every 20 minutes.
Is there any way to disable re-authentication until Windows sends PEAP itself?
interface GigabitEthernet1/0/1
 switchport mode access
 authentication event fail action authorize vlan xxx
 authentication event no-response action authorize vlan xxx
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 2
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 25
!
We used VLAN xxx for the PC to contact AD, and dynamically get the VLAN from RADIUS.
Logs
Nov 25 15:36:58: %DOT1X-5-FAIL: Authentication failed for client (####.####.####) on Interface Gi1/0/37 AuditSessionID 0A18FE0B0000012D0EEAC16D
Nov 25 15:56:58: %DOT1X-5-FAIL: Authentication failed for client (####.####.####) on Interface Gi1/0/37 AuditSessionID 0A18FE0B0000012D0EEAC16D
Nov 25 16:16:58: %DOT1X-5-FAIL: Authentication failed for client (####.####.####) on Interface Gi1/0/37 AuditSessionID 0A18FE0B0000012D0EEAC16D
11-25-2018 01:17 PM
Perhaps you should consider doing Windows machine authentication instead of user authentication. Then at boot time the machine account will log you into the network. At the screen lock the PC will already be on the LAN, and the user will then sign in with their domain account. Depends what your requirements are.
11-25-2018 10:31 PM
Try adding the following commands to the switch port to dynamically get the reauth settings via RADIUS from ISE.
SWITCH(config-if)#authentication periodic
SWITCH(config-if)#authentication timer reauthenticate server
SWITCH(config-if)#authentication timer inactivity server dynamic
Thanks,
Nidhi