Dot1x laptop in sh auth br intermittent showing authorized and unauthorized

getaway51
Level 2

Hi,

Can I debug dot1x on the switch to see what's happening, or use Wireshark on the laptop?

It seems sh auth br on the switch shows AZ (authorized), followed by 5-15 sec of UZ (unauthorized).

 

24211 Found Endpoint in Internal Endpoints IDStore
22037 Authentication Passed
24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory
15036 Evaluating Authorization Policy

 

Event: 5400 Authentication failed
Failure Reason: 15039 Rejected per authorization profile
Resolution: Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.

 

Any ideas, guys? I am totally blank.

Accepted Solution

The retry timer for 802.1x (EAP) after the session is terminated due to an ACCESS-REJECT response from the RADIUS server is dependent on the supplicant. I have never found any good documentation on timers used in Windows, but I have seen some aggressive retries (between every 30sec to 2min) in the past on some customer deployments.

As I mentioned before, there could be multiple variables for this type of behaviour.

If this is related to your other community post here, I would recommend following the suggestions provided by @hslai.

Otherwise, I would suggest comparing your environment to the configuration examples and templates in the ISE Secure Wired Access Prescriptive Deployment Guide.

Troubleshooting these 802.1x issues often requires looking at debugs on the switch, packet captures on the endpoint, and possibly Event Viewer logs in Windows. If you need help troubleshooting at this level, it would be best to open a case with TAC.


3 Replies

Greg Gibbs
Cisco Employee

These are pretty generic errors and there could be multiple variables involved, so you would need to provide more information (ISE policy, switch config, etc).

It sounds like the endpoint might be failing 802.1x, falling back to MAB, and then hitting your default AuthZ policy which is sending ACCESS_REJECT. When the endpoint receives an ACCESS_REJECT, it has an internal timer that will continue to try authenticating periodically. A common option to mitigate this periodic retry is to create an AuthZ Profile that sends an ACCESS_ACCEPT with a restrictive DACL and use that for your default AuthZ rule.

 

For troubleshooting examples and suggestions, see the following post:

How To Troubleshoot ISE Failed Authentications & Authorizations 
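The retry loop described in this reply (dot1x fails, the port falls back to MAB, the default AuthZ rule returns ACCESS_REJECT, and the supplicant tries again after an internal timer) leaves a recognisable trace in the switch syslog. The script below is an added example, not code from this thread or from Cisco: it parses AUTHMGR/DOT1X/MAB syslog messages, counts how often each client went from authorized to unauthorized, measures how long each outage lasted, and uses the spacing between dot1x restarts as a rough estimate of the supplicant's retry timer. The sample log lines are constructed for the example (made-up MACs, ports and session IDs that mimic the IOS message format), and the year is an assumption because IOS timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample switch syslog (not taken from the thread). Client 0011.2233.4455
# cycles every 20 s: dot1x start -> authorized -> dot1x fail -> MAB fallback -> MAB
# rejected. Client 0011.2233.6677 authorizes once and stays up.
SAMPLE_SYSLOG = """\
Mar  3 10:00:00.000: %AUTHMGR-5-START: Starting 'dot1x' for client (0011.2233.4455) on Interface Gi1/0/1 AuditSessionID 0A0A0A01000000A1
Mar  3 10:00:01.000: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0011.2233.4455) on Interface Gi1/0/1 AuditSessionID 0A0A0A01000000A1
Mar  3 10:00:05.000: %AUTHMGR-5-START: Starting 'dot1x' for client (0011.2233.6677) on Interface Gi1/0/2 AuditSessionID 0A0A0A01000000A2
Mar  3 10:00:06.000: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0011.2233.6677) on Interface Gi1/0/2 AuditSessionID 0A0A0A01000000A2
Mar  3 10:00:10.000: %DOT1X-5-FAIL: Authentication failed for client (0011.2233.4455) on Interface Gi1/0/1 AuditSessionID 0A0A0A01000000A1
Mar  3 10:00:10.200: %AUTHMGR-5-START: Starting 'mab' for client (0011.2233.4455) on Interface Gi1/0/1 AuditSessionID 0A0A0A01000000A1
Mar  3 10:00:12.000: %MAB-5-FAIL: Authentication failed for client (0011.2233.4455) on Interface Gi1/0/1 AuditSessionID 0A0A0A01000000A1
Mar  3 10:00:20.000: %AUTHMGR-5-START: Starting 'dot1x' for client (0011.2233.4455) on Interface Gi1/0/1 AuditSessionID 0A0A0A01000000A1
Mar  3 10:00:21.000: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0011.2233.4455) on Interface Gi1/0/1 AuditSessionID 0A0A0A01000000A1
Mar  3 10:00:30.000: %DOT1X-5-FAIL: Authentication failed for client (0011.2233.4455) on Interface Gi1/0/1 AuditSessionID 0A0A0A01000000A1
Mar  3 10:00:30.200: %AUTHMGR-5-START: Starting 'mab' for client (0011.2233.4455) on Interface Gi1/0/1 AuditSessionID 0A0A0A01000000A1
Mar  3 10:00:32.000: %MAB-5-FAIL: Authentication failed for client (0011.2233.4455) on Interface Gi1/0/1 AuditSessionID 0A0A0A01000000A1
Mar  3 10:00:40.000: %AUTHMGR-5-START: Starting 'dot1x' for client (0011.2233.4455) on Interface Gi1/0/1 AuditSessionID 0A0A0A01000000A1
Mar  3 10:00:41.000: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0011.2233.4455) on Interface Gi1/0/1 AuditSessionID 0A0A0A01000000A1
Mar  3 10:00:50.000: %DOT1X-5-FAIL: Authentication failed for client (0011.2233.4455) on Interface Gi1/0/1 AuditSessionID 0A0A0A01000000A1
Mar  3 10:00:50.200: %AUTHMGR-5-START: Starting 'mab' for client (0011.2233.4455) on Interface Gi1/0/1 AuditSessionID 0A0A0A01000000A1
Mar  3 10:00:52.000: %MAB-5-FAIL: Authentication failed for client (0011.2233.4455) on Interface Gi1/0/1 AuditSessionID 0A0A0A01000000A1
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{1,3})?): "
    r"%(?P<fac>[A-Z0-9]+)-\d-(?P<mn>[A-Z_]+): (?P<msg>.*)$"
)
CLIENT_RE = re.compile(r"client \((?P<mac>[0-9a-fA-F.]+)\) on Interface (?P<iface>\S+)")
METHOD_RE = re.compile(r"Starting '(?P<method>\w+)'")

# Map (facility, mnemonic) to the port state the message implies for that client.
STATE_OF = {
    ("AUTHMGR", "SUCCESS"): "authorized",
    ("AUTHMGR", "FAIL"): "unauthorized",
    ("DOT1X", "FAIL"): "unauthorized",
    ("MAB", "FAIL"): "unauthorized",
    ("AUTHMGR", "START"): "start",
}

def parse_ts(ts: str, year: int = 2024) -> datetime:
    """IOS timestamps carry no year; assume one so timestamps can be subtracted."""
    fmt = "%Y %b %d %H:%M:%S.%f" if "." in ts else "%Y %b %d %H:%M:%S"
    return datetime.strptime(f"{year} {ts}", fmt)

def parse_syslog(text: str) -> dict:
    """Group (timestamp, state, method) events per 'mac@interface', sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        state = STATE_OF.get((m["fac"], m["mn"]))
        c = CLIENT_RE.search(m["msg"])
        if state is None or c is None:
            continue  # unrelated or informational message (e.g. FAILOVER)
        mm = METHOD_RE.search(m["msg"])
        method = mm["method"] if mm else None
        events[f"{c['mac']}@{c['iface']}"].append((parse_ts(m["ts"]), state, method))
    for ev in events.values():
        ev.sort(key=lambda e: e[0])
    return events

def summarise(events: list) -> dict:
    """Count authorized->unauthorized flaps, the length of each outage, and the
    spacing of dot1x restarts (a rough estimate of the supplicant's retry timer)."""
    flaps, dwell, prev, down_since = 0, [], None, None
    for t, state, _ in events:
        if state == "start":
            continue
        if prev == "authorized" and state == "unauthorized":
            flaps += 1
            down_since = t
        elif state == "authorized" and down_since is not None:
            dwell.append((t - down_since).total_seconds())
            down_since = None
        prev = state
    starts = [t for t, s, method in events if s == "start" and method == "dot1x"]
    retry = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    return {"flaps": flaps, "unauthorized_seconds": dwell, "dot1x_retry_seconds": retry}

def find_flapping_clients(text: str, min_flaps: int = 2) -> dict:
    """Return summaries only for clients that flapped at least min_flaps times."""
    return {k: s for k, v in parse_syslog(text).items()
            if (s := summarise(v))["flaps"] >= min_flaps}

if __name__ == "__main__":
    print(find_flapping_clients(SAMPLE_SYSLOG))
```

Feed it the output of the switch's logging buffer or a syslog collector; a client with several flaps, an outage of a few seconds each time and evenly spaced dot1x restarts is the pattern this reply describes, and the retry spacing tells you what the supplicant's timer actually is on your endpoints.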

Hi,

 

Any idea why the endpoint shows authorized (AZ) in the Cisco switch's sh auth br and then shows unauthorized (UZ) for 5-20 sec? Then it shows AZ again (IP ping comes alive again).

I am thinking it could be a Windows 10 or ISE bug.

I even captured the endpoint debug in ISE during these intermittent events, but was not able to find out what the error is.

Also, what's the internal timer that keeps the endpoint going authorized and unauthorized? But the endpoint never showed a session connected in ISE. Only in the Cisco switch does it show Authorized.
