dot1x - issue - fail retry count

Heinz Kern
Level 1

Hello,

We do have an issue when setting up machines with NAC enabled. The issue is that MAB is not used, or sometimes too late. We figured out a main issue here and I'm wondering if it could be solved or at least the situation improved.

The normal situation would be: the port comes up, the switch sends out an EAP Request-Identity. If the client does not support 802.1x it does not answer, and after some retries (depending on the config) MAB is used, and then everything is fine.

Unfortunately, in our scenario the setup procedure of the client includes enabling 802.1x although no certificate is present on the PC. So this happens: the switch sends a Request-Identity; the client answers with an EAPOL-Start; the switch sends another Request-Identity, but the client is now not answering anymore. I assume this is because the PC does not have a certificate installed. This leads to an EAP Failure and MAB is NOT used. Obviously after 10 minutes the client starts the communication again with an EAPOL-Start. It fails again in the same way, but now MAB is used and therefore DHCP works afterwards.

This is the config:

authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 36000
authentication timer restart 3600
authentication violation restrict

The point is now whether the situation could be improved. Below you can find a trace. After 13:58 it immediately works.

I came across this command:

authentication event fail retry 1 action next-method (default value is 2)

Could this command help? Can anybody explain exactly what it is doing in this setup, because I could only find a reference to the auth-fail VLAN, but we don't use the auth-fail VLAN.

It does not fit 100% because the default value is 2 and in the trace we just see one retry. Therefore I am wondering if anybody has a view on that.

br + thx

17           13:48:36 05.03.2021        12.4450362                          [380E4D 1A8E06 [38-0E-4D-1A-8E-06]]   [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]]             EAP        EAP:Request, Type = Identity      {EAP:7, NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}

20           13:48:36 05.03.2021        12.4763534                          [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]]    [0180C2 000003 [01-80-C2-00-00-03]]              EAPOL   EAPOL:EAPOL-Start , Length = 0                {NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}

21           13:48:36 05.03.2021        12.4763597                          [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]]    [0180C2 000003 [01-80-C2-00-00-03]]              EAPOL   EAPOL:EAPOL-Start , Length = 0                {NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}

22           13:48:36 05.03.2021        12.4793444                          [380E4D 1A8E06 [38-0E-4D-1A-8E-06]]   [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]]             EAP        EAP:Request, Type = Identity      {EAP:7, NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}

31           13:48:37 05.03.2021        13.4982831                          [380E4D 1A8E06 [38-0E-4D-1A-8E-06]]   [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]]             EAP        EAP:Request, Type = Identity      {EAP:7, NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}

43           13:48:38 05.03.2021        14.5236074                          [380E4D 1A8E06 [38-0E-4D-1A-8E-06]]   [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]]             EAP        EAP:Failure         {EAP:7, NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}

1292       13:58:36 05.03.2021        612.5270118                       [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]]    [0180C2 000003 [01-80-C2-00-00-03]]              EAPOL   EAPOL:EAPOL-Start , Length = 0                {NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}

1293       13:58:36 05.03.2021        612.5270187                       [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]]    [0180C2 000003 [01-80-C2-00-00-03]]              EAPOL   EAPOL:EAPOL-Start , Length = 0                {NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}

1294       13:58:36 05.03.2021        612.5283563                       [380E4D 1A8E06 [38-0E-4D-1A-8E-06]]   [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]]             EAP        EAP:Request, Type = Identity      {EAP:7, NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}

1307       13:58:37 05.03.2021        613.5504326                       [380E4D 1A8E06 [38-0E-4D-1A-8E-06]]   [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]]             EAP        EAP:Request, Type = Identity      {EAP:7, NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}

1313       13:58:38 05.03.2021        614.5751854                       [380E4D 1A8E06 [38-0E-4D-1A-8E-06]]   [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]]             EAP        EAP:Failure         {EAP:7, NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}

2006       14:00:10 05.03.2021        706.5602343                       [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]]    [0180C2 000003 [01-80-C2-00-00-03]]              EAPOL   EAPOL:EAPOL-Start , Length = 0                {NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}

2007       14:00:10 05.03.2021        706.5602436                       [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]]    [0180C2 000003 [01-80-C2-00-00-03]]              EAPOL   EAPOL:EAPOL-Start , Length = 0                {NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}

2009       14:00:19 05.03.2021        715.8079018                       [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]]    [0180C2 000003 [01-80-C2-00-00-03]]              EAPOL   EAPOL:EAPOL-Start , Length = 0                {NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}

2010       14:00:19 05.03.2021        715.8079081                       [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]]    [0180C2 000003 [01-80-C2-00-00-03]]              EAPOL   EAPOL:EAPOL-Start , Length = 0                {NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}

2024       14:00:20 05.03.2021        716.6948776                       [380E4D 1A8E06 [38-0E-4D-1A-8E-06]]   [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]]             EAP        EAP:Request, Type = Identity      {EAP:7, NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}

2040       14:00:21 05.03.2021        717.7183757                       [380E4D 1A8E06 [38-0E-4D-1A-8E-06]]   [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]]             EAP        EAP:Request, Type = Identity      {EAP:7, NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}

2063       14:00:22 05.03.2021        718.7421940                       [380E4D 1A8E06 [38-0E-4D-1A-8E-06]]   [E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]]             EAP        EAP:Failure         {EAP:7, NDISPacCap_MicrosoftWindowsNDISPacketCapture:3, NetEvent:1}
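To make the "EAPOL-Start, then silence, then EAP:Failure" pattern and the quiet period before the next attempt readable without counting frames by hand, here is an added example (not part of the original post) that parses frame lines in the layout of the capture above and groups them into authentication attempts. The sample input reuses the frames from the posted trace with whitespace collapsed and the trailing capture-provider list shortened; the column names, the `Attempt` structure and the "silent supplicant" classification are this example's own assumptions, not anything the switch or Netmon reports.

```python
"""Reconstruct 802.1X attempts from a Netmon-style EAP/EAPOL frame list.

Added example: groups frames into attempts (an attempt closes on EAP:Failure or
EAP:Success) so that the number of Request-Identity frames before the failure,
whether the client ever answered, and the gap before the next attempt can be
read off directly. Frame layout assumed: frame, time, date, relative seconds,
source, destination, protocol, description, optional {provider list}.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Column layout of the trace in the post; the amount of whitespace between columns varies.
FRAME_RE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<date>\S+)\s+(?P<rel>\d+\.\d+)\s+"
    r"\[\S+ \S+ \[(?P<src>[0-9A-F-]+)\]\]\s+\[\S+ \S+ \[(?P<dst>[0-9A-F-]+)\]\]\s+"
    r"(?P<proto>EAPOL|EAP)\s+(?P<desc>.+?)(?:\s*\{.*\})?\s*$"
)


@dataclass
class Attempt:
    first_frame: int
    start_rel: float
    eapol_starts: int = 0            # EAPOL-Start frames sent by the client
    identity_requests: int = 0       # EAP Request/Identity frames sent by the switch
    identity_responses: int = 0      # EAP Response/Identity frames sent by the client
    end_rel: Optional[float] = None
    outcome: Optional[str] = None    # "EAP:Failure", "EAP:Success" or None if cut off
    gap_to_next: Optional[float] = None  # seconds of silence before the next attempt


def parse_frame(line: str) -> Optional[dict]:
    """Return the columns of one frame line, or None for a line that is not a frame."""
    m = FRAME_RE.match(line.strip())
    if not m:
        return None
    cols = m.groupdict()
    cols["frame"] = int(cols["frame"])
    cols["rel"] = float(cols["rel"])
    return cols


def reconstruct_attempts(lines) -> List[Attempt]:
    """Group frames into attempts in capture order and compute the gap between them."""
    attempts: List[Attempt] = []
    current: Optional[Attempt] = None
    for line in lines:
        f = parse_frame(line)
        if f is None:
            continue
        if current is None:
            current = Attempt(first_frame=f["frame"], start_rel=f["rel"])
        desc = f["desc"]
        if desc.startswith("EAPOL:EAPOL-Start"):
            current.eapol_starts += 1
        elif desc.startswith("EAP:Request, Type = Identity"):
            current.identity_requests += 1
        elif desc.startswith("EAP:Response, Type = Identity"):
            current.identity_responses += 1
        elif desc in ("EAP:Failure", "EAP:Success"):
            current.end_rel, current.outcome = f["rel"], desc
            attempts.append(current)
            current = None
    if current is not None:          # capture ended in the middle of an attempt
        attempts.append(current)
    for a, b in zip(attempts, attempts[1:]):
        if a.end_rel is not None:
            a.gap_to_next = round(b.start_rel - a.end_rel, 3)
    return attempts


def silent_supplicant_attempts(attempts: List[Attempt]) -> List[Attempt]:
    """Attempts matching the post's symptom: the client sent EAPOL-Start, never answered
    Request-Identity, and the switch closed the attempt with EAP:Failure."""
    return [a for a in attempts
            if a.eapol_starts > 0 and a.identity_responses == 0 and a.outcome == "EAP:Failure"]


# Sample input: the frames of the posted trace, whitespace collapsed, provider list shortened.
SW = "[380E4D 1A8E06 [38-0E-4D-1A-8E-06]]"    # switch port MAC from the post
PC = "[E86A64 8FEAF3 [E8-6A-64-8F-EA-F3]]"    # Windows client MAC from the post
PAE = "[0180C2 000003 [01-80-C2-00-00-03]]"   # 802.1X PAE group address
REQ = "EAP EAP:Request, Type = Identity {EAP:7, NetEvent:1}"
START = "EAPOL EAPOL:EAPOL-Start , Length = 0 {NetEvent:1}"
FAIL = "EAP EAP:Failure {EAP:7, NetEvent:1}"
TRACE = [
    f"17 13:48:36 05.03.2021 12.4450362 {SW} {PC} {REQ}",
    f"20 13:48:36 05.03.2021 12.4763534 {PC} {PAE} {START}",
    f"21 13:48:36 05.03.2021 12.4763597 {PC} {PAE} {START}",
    f"22 13:48:36 05.03.2021 12.4793444 {SW} {PC} {REQ}",
    f"31 13:48:37 05.03.2021 13.4982831 {SW} {PC} {REQ}",
    f"43 13:48:38 05.03.2021 14.5236074 {SW} {PC} {FAIL}",
    f"1292 13:58:36 05.03.2021 612.5270118 {PC} {PAE} {START}",
    f"1293 13:58:36 05.03.2021 612.5270187 {PC} {PAE} {START}",
    f"1294 13:58:36 05.03.2021 612.5283563 {SW} {PC} {REQ}",
    f"1307 13:58:37 05.03.2021 613.5504326 {SW} {PC} {REQ}",
    f"1313 13:58:38 05.03.2021 614.5751854 {SW} {PC} {FAIL}",
    f"2006 14:00:10 05.03.2021 706.5602343 {PC} {PAE} {START}",
    f"2007 14:00:10 05.03.2021 706.5602436 {PC} {PAE} {START}",
    f"2009 14:00:19 05.03.2021 715.8079018 {PC} {PAE} {START}",
    f"2010 14:00:19 05.03.2021 715.8079081 {PC} {PAE} {START}",
    f"2024 14:00:20 05.03.2021 716.6948776 {SW} {PC} {REQ}",
    f"2040 14:00:21 05.03.2021 717.7183757 {SW} {PC} {REQ}",
    f"2063 14:00:22 05.03.2021 718.7421940 {SW} {PC} {FAIL}",
]

if __name__ == "__main__":
    for a in reconstruct_attempts(TRACE):
        flag = "silent supplicant" if a in silent_supplicant_attempts([a]) else ""
        print(f"frame {a.first_frame:>5}: starts={a.eapol_starts} req-id={a.identity_requests} "
              f"resp-id={a.identity_responses} {a.outcome} gap_to_next={a.gap_to_next} {flag}")
```

Run against the posted trace this yields three attempts, each with EAPOL-Start frames from the client, two or three Request-Identity frames from the switch, no Response/Identity, and an EAP:Failure, followed by gaps of roughly 598 s and 92 s before the next attempt. The per-attempt Request-Identity count is the number to compare against whatever retry or timeout setting is being evaluated, and the absence of any Response/Identity is what separates a supplicant that started and went quiet from one that never spoke at all.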

1 Reply

Francesco Molino
VIP Alumni

Hi,

For my information, what switches are you using?

I'm asking because the 802.1x and MAB fallback situation is much improved with the IBNS2.0 configuration.

Here is a link to all compatible switches: https://www.cisco.com/c/en/us/products/ios-nx-os-software/identity-based-networking-services/index.html

The goal is that concurrent authentication methods are sent at the same time for the same session and, based on the priority you configure, it will take the one you assigned the highest priority to.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question