dot1x/mab behaviour with flexauth

bern81
Level 1

Dear all,

we have the following 802.1x config on our 802.1x switchport:

 

dot1x system-auth-control

 

interface FastEthernet0/8
 description Bay_38_A036
 switchport access vlan 238
 switchport mode access
 switchport nonegotiate
 load-interval 30
 authentication event fail action next-method
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer restart 90
 authentication timer reauthenticate 60
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 1
 storm-control broadcast level 5.00
 storm-control action shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable

 

On this port we have win10 endpoint with eap-tls configured.

I produced an error by removing the CA cert that signed the identity certificate of the ISE from this endpoint.

 

When i shut/no shut the interface i see the following behaviour:

 

debug radius authentication

 

MAB starts and after approx 1/2 sec 802.1x starts (I presume the switch receives an EAPoL-Start from the endpoint).

Dot1X fails, and after 20 sec (10 x (1+1)) it tries dot1x again and times out.

But we don't see any failover to MAB as next-method.

SW130_A038#sh authentication sessions int f0/8
            Interface:  FastEthernet0/8
          MAC Address:  Unknown
           IP Address:  Unknown
               Status:  Running
               Domain:  UNKNOWN
       Oper host mode:  single-host
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A000C82000014EAAC2E4252
      Acct Session ID:  0x0001F8EC
               Handle:  0xF40004D8

Runnable methods list:
       Method   State
       mab      Running
       dot1x    Not run

 

and the port stays in this state forever. I don't see any "restart timer" kicking off on the port.

============================================================================

If i modify this cmd:

int f0/8

authentication event fail retry 1 action next-method

and i bounce the port:

MAB starts and after approx 1/2 sec 802.1x starts (I presume the switch receives an EAPoL-Start from the endpoint).

Dot1X fails, and after 20 sec (10 x (1+1)) it tries dot1x again and times out. It then directly fails over to the next method (MAB) and authenticates and authorizes successfully.

 

SW130_A038#sh authentication sessions int f0/8
            Interface:  FastEthernet0/8
          MAC Address:  4c52.620c.3a37
           IP Address:  Unknown
            User-Name:  4C-52-62-0C-3A-37
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  60s (local), Remaining: 12s
       Timeout action:  Reauthenticate
         Idle timeout:  N/A
    Common Session ID:  0A000C82000014ECAC3E4816
      Acct Session ID:  0x0001F906
               Handle:  0xDA0004F3

Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run

 

And it periodically reauthenticates via MAB every 60 sec (timer reauthenticate 60).

 

Is this behaviour normal? And why, in the first config, does it not fail over to the next method?

Am I missing something?

 WS-C2960+24TC-S    15.0(2)SE6            C2960-LANLITEK9-M

 

Please advise what normally should be the correct behavior and if there is something wrong in the configuration/timers.

PS: we are using order MAB Dot1x because at the beginning we will have empty endpoints that will be provisioned via PXE boot.

After the installation is successful, the Win10 machine will have a pre-installed configuration with EAP-TLS and all the required digital certs in the cert store.

 

Many thanks in advance
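To make the two port states above easier to compare across many ports, here is an added example (written for this thread, not Cisco code and not part of the original post) that parses `show authentication sessions interface ...` output and classifies the session. The two sample outputs are copied from the post; the classification rules are assumptions based on the discussion, in particular that a session whose MAC is still Unknown cannot complete MAB, because MAB sends the learned MAC as the RADIUS username.

```python
"""Parse `show authentication sessions interface ...` and classify a port.
Added example for this thread, not a Cisco tool.  Sample outputs are the
ones pasted in the post; the rules below are assumptions from the thread."""
import re

SESSION_STUCK = """\
            Interface:  FastEthernet0/8
          MAC Address:  Unknown
           IP Address:  Unknown
               Status:  Running
               Domain:  UNKNOWN
       Oper host mode:  single-host
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A000C82000014EAAC2E4252
      Acct Session ID:  0x0001F8EC
               Handle:  0xF40004D8

Runnable methods list:
       Method   State
       mab      Running
       dot1x    Not run
"""

SESSION_OK = """\
            Interface:  FastEthernet0/8
          MAC Address:  4c52.620c.3a37
           IP Address:  Unknown
            User-Name:  4C-52-62-0C-3A-37
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  60s (local), Remaining: 12s
       Timeout action:  Reauthenticate
         Idle timeout:  N/A
    Common Session ID:  0A000C82000014ECAC3E4816
      Acct Session ID:  0x0001F906
               Handle:  0xDA0004F3

Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run
"""

# Header lines look like "   Key words:  value"; the key stops at the first colon.
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?):\s+(.*?)\s*$")
# Rows of the "Runnable methods list" table.
METHOD_RE = re.compile(r"^\s*(mab|dot1x|webauth)\s+(.+?)\s*$")


def parse_session(text):
    """Return (fields, methods): header key/values and per-method states."""
    fields, methods, in_methods = {}, {}, False
    for line in text.splitlines():
        if line.strip().startswith("Runnable methods list"):
            in_methods = True
            continue
        if in_methods:
            m = METHOD_RE.match(line)
            if m:
                methods[m.group(1)] = m.group(2)
            continue
        m = KV_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields, methods


def summarize(text):
    """Classify one session and collect the points worth a second look."""
    fields, methods = parse_session(text)
    status = fields.get("Status", "")
    mac = fields.get("MAC Address", "Unknown")
    findings = []
    if status == "Authz Success":
        via = [m for m, st in methods.items() if st.startswith("Authc Success")]
        state = "authorized via " + (via[0] if via else "unknown method")
    elif status == "Running" and mac == "Unknown":
        # Assumption from the thread: with no MAC learned, MAB has nothing to send.
        state = "stuck: no MAC learned, so MAB has no identity to send"
        running = [m for m, st in methods.items() if st == "Running"]
        findings.append("running methods: " + ", ".join(running))
    else:
        state = f"{status or 'unknown'} ({mac})"
    timeout = fields.get("Session timeout", "")
    if "(local)" in timeout:
        findings.append(f"reauth timer comes from the switch, not RADIUS: {timeout}")
    if fields.get("Domain") == "UNKNOWN":
        findings.append("no domain (DATA/VOICE) assigned yet")
    return {"interface": fields.get("Interface", "?"), "mac": mac,
            "state": state, "findings": findings}
```

Feeding the two outputs from the post through `summarize()` gives "stuck" for the first and "authorized via mab" for the second, with the local 60-second reauth timer flagged on the working one.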

1 Accepted Solution

hslai
Cisco Employee

Demystifying RADIUS Server Configurations - Cisco explains about various timers.

Your switch is C2960-LANLITEK9-M, which might have limited support on the features. Please check with the switch platform support teams.

10 Replies

paul
Level 10

Your first test was invalid:

 

SW130_A038#sh authentication sessions int f0/8
            Interface:  FastEthernet0/8
          MAC Address:  Unknown
           IP Address:  Unknown
               Status:  Running
               Domain:  UNKNOWN

 

Nothing happens until the MAC address is learned on the port.  You have to map out the behavior after the MAC address is learned.  I don't ever do "order mab dot1x" as that can have other issues, but if it is working for you and your deployment continue to use it.

howon
Cisco Employee

I would not test a missing certificate as the failed scenario, as the Windows supplicant tends to keep on trying even when the supplicant lacks the certificate. Rather, try to force the supplicant to untrust the ISE certificate instead as the failure trigger. Remove 'authentication timer reauthenticate 60' and 'authentication periodic', as it is too frequent for reauth.

 

authentication periodic is fine, but use "authentication timer reauthenticate server" and set the reauthentication timer in ISE. I usually set my reauth timer to 65,000 seconds in ISE.

Hi Paul,

I lowered the reauthentication timers just for lab purposes.

It is weird to me why it is not learning the MAC and why, when I add retry 1, it starts working.

Hello Hosuk,

 

this is exactly what i did.

I removed the ISE CA cert from the Windows "Trusted Root Certificate" store to make the supplicant untrust the ISE cert.

The issue here is that for some reason MAB is not working unless I add the retry 1 cmd, which makes no sense at all.

Could it be a bug?

Regarding the timers, I lowered them just for lab purposes.

 

Thank you in advance.

hslai
Cisco Employee

It might be specific to your switch platform model and IOS release train. authentication event fail shows that the command default is:

 

Authentication is attempted two times after the initial failed attempt.

If you suspect it a bug, please open a TAC case so that TAC may help recreating it and gather the debugging info from the switch.

Hi Hslai,
Just to clarify, since the switch behaviour is confusing me and I no longer know the correct behaviour:
authentication event fail action next-method
In my config with order MAB Dot1X (with failed Dot1X), what should it do?
If you could name the timers involved, it would be great.

Thank you in advance.

One more question regarding this topic: I have some switches with IOS Version

WS-C2960+24LC-S           15.2(2)E6             C2960-LANLITEK9-M

on the interface level I don't see the "authentication event fail server" command.

Is there any alternative to configure something similar to:

 

 authentication event server dead action authorize vlan 238
 authentication event server alive action reinitialize

 

to put the interface into the critical VLAN in case the ISE nodes are dead?

 

Or do I have to upgrade the IOS?

[Attachment: dooo.PNG]
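The advice earlier in the thread (take the reauthentication timer from the RADIUS server rather than setting it locally) and the question just above about a server-dead action both come down to what is, or is not, present in the port stanza. Here is an added example (written for this thread, not a Cisco tool and not from the post) that audits a Catalyst access-port configuration for those settings. The sample stanza is the one the original poster pasted; the checks and the IOS defaults (tx-period 30, max-reauth-req 2) are assumptions drawn from the replies, and the supplicant timeout is computed the way the poster did, as tx-period x (max-reauth-req + 1).

```python
"""Audit a Catalyst IOS access-port stanza for the 802.1X/MAB settings
discussed in this thread.  Added example, not from the post and not a
Cisco tool; the checks and the default timer values are assumptions."""
import re

# Sample config copied from the original post (the port under discussion).
SAMPLE_CONFIG = """\
dot1x system-auth-control
!
interface FastEthernet0/8
 description Bay_38_A036
 switchport access vlan 238
 switchport mode access
 switchport nonegotiate
 load-interval 30
 authentication event fail action next-method
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer restart 90
 authentication timer reauthenticate 60
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 1
 storm-control broadcast level 5.00
 storm-control action shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
"""

DEFAULT_TX_PERIOD = 30       # assumed IOS default for dot1x timeout tx-period
DEFAULT_MAX_REAUTH_REQ = 2   # assumed IOS default for dot1x max-reauth-req


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} for every `interface` stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None          # "!" or a global command ends the stanza
    return stanzas


def dot1x_supplicant_timeout(cmds):
    """Seconds the switch waits for a supplicant: tx-period * (max-reauth-req + 1)."""
    tx, max_req = DEFAULT_TX_PERIOD, DEFAULT_MAX_REAUTH_REQ
    for c in cmds:
        m = re.match(r"dot1x timeout tx-period (\d+)$", c)
        if m:
            tx = int(m.group(1))
        m = re.match(r"dot1x max-reauth-req (\d+)$", c)
        if m:
            max_req = int(m.group(1))
    return tx * (max_req + 1)


def audit_port(cmds):
    """Return a list of human-readable findings for one port stanza."""
    findings, cmdset = [], set(cmds)
    if "authentication port-control auto" not in cmdset:
        findings.append("port-control is not auto: no 802.1X/MAB enforcement on this port")
    for c in cmds:
        m = re.match(r"authentication timer reauthenticate (\d+)$", c)
        if m:
            findings.append(f"reauth timer set locally to {m.group(1)}s; prefer "
                            "'authentication timer reauthenticate server' and set it in ISE")
    if not any(c.startswith("authentication event server dead action") for c in cmds):
        findings.append("no 'authentication event server dead action' configured: "
                        "no critical-VLAN fallback if every RADIUS server is unreachable")
    if "authentication event fail action next-method" in cmdset:
        findings.append("fail action next-method has no explicit 'retry' count, so the "
                        "platform default number of retries applies before failover")
    order = next((c for c in cmds if c.startswith("authentication order ")), None)
    if order and order.split()[2:] == ["mab", "dot1x"]:
        findings.append("order mab dot1x: MAB runs first; dot1x only takes over via "
                        "EAPoL-Start and 'authentication priority dot1x'")
    findings.append(f"dot1x supplicant timeout = {dot1x_supplicant_timeout(cmds)}s "
                    "(tx-period x (max-reauth-req + 1))")
    return findings


def audit_config(config):
    """Audit every interface stanza in a running-config excerpt."""
    return {name: audit_port(cmds) for name, cmds in parse_interfaces(config).items()}
```

Run `audit_config()` over a `show running-config` excerpt covering all access ports to get a per-port list; on the posted stanza it reports the local 60 s reauth timer, the missing server-dead action, the fail action with no explicit retry count, the MAB-first order, and the 20 s supplicant timeout.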
