cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1410
Views
5
Helpful
3
Replies

Dot1x disable retry authentication for guest

Gailardia
Level 1
Level 1

Hi,

I'm just new to dot1x design. Our office using dot1x by using windows account for authentication on wired network. (no certificates)

 

When PC restarts, credentials will be gone. And there'll be logs about failed authentication every 20 minutes.

Is there anyway to disable re-authentication until windows send PEAP itself?

 

interface GigabitEthernet1/0/1
switchport mode access
authentication event fail action authorize vlan xxx
authentication event no-response action authorize vlan xxx
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 2
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 25

!

we used vlan xxx for pc to contact AD, and dynamically get vlan from radius.

 

Logs

Nov 25 15:36:58: %DOT1X-5-FAIL: Authentication failed for client (####.####.####) on Interface Gi1/0/37 AuditSessionID 0A18FE0B0000012D0EEAC16D
Nov 25 15:56:58: %DOT1X-5-FAIL: Authentication failed for client (####.####.####) on Interface Gi1/0/37 AuditSessionID 0A18FE0B0000012D0EEAC16D
Nov 25 16:16:58: %DOT1X-5-FAIL: Authentication failed for client (####.####.####) on Interface Gi1/0/37 AuditSessionID 0A18FE0B0000012D0EEAC16D

3 Replies 3

Arne Bier
VIP
VIP

Perhaps you should consider doing Windows machine authentication instead of user authentication.  Then at boot time the machine account will log you into the network.  At the screen lock the PC will already be on the LAN, and the user will then sign in with their domain account.  Depends what your requirements are.

Nidhi
Cisco Employee
Cisco Employee

try adding the following commands to the switch port to dynamically get the reauth settings via Radius from ISE .

SWITCH(config-if)#authentication periodic

SWITCH(config-if)#authentication timer reauthenticate server

SWITCH(config-if)#authentication timer inactivity server dynamic

 

Thanks,

Nidhi

Nidhi
Cisco Employee
Cisco Employee

try adding the following commands to the switch port to dynamically get the reauth settings via Radius from ISE .

SWITCH(config-if)#authentication periodic

SWITCH(config-if)#authentication timer reauthenticate server

SWITCH(config-if)#authentication timer inactivity server dynamic

 

Thanks,

Nidhi