dot1x - "clear authentication session" - question and reflections

Hi all,

I'm a little bit concerned/intrigued regarding the command "clear authentication sess".

I'm using it a lot when testing 802.1x on an ISE deployment and hadn't noticed one important thing before. It doesn't trigger EAPoL-START from the switch when MAB was used as a fallback! Is that right? Can someone confirm it?

When the endpoint is authenticated using 802.1x, then "clear auth" triggers EAPoL-START as it should.

When the endpoint is authenticated by MAB, then nothing.

When for some reason the supplicant is not working right on the end client, and we are working on fixing it but it is seen as MAB (for example with CWA), then the only way to make it work is SHUT/NO SHUT of the port.

In my opinion, after clearing the session the switch should send this frame nevertheless, without any implication of whether it is going to authenticate by MAB or 802.1x.

What do you think?

Regards

3 Replies

paul46
Level 1

"In my opinion after clearing the session the switch should send this frame nevertheless without any implication whether it is going to authenticate by MAB or 802.1x"

That's correct. Here is my test and explanation.

Refer to image "Before Clear Session" - enabled ISE on an IP phone. It's authenticated with MAB.

I issued the "Clear Authentication Session Int" command (refer to the second image below) and it started checking for dot1x as per the priority and order prior to MAB. After the default time (60 sec) expired, it successfully re-authenticated my IP phone using MAB.

So you really don't need to SHUT/NO SHUT to re-authenticate MAB endpoints. Hope this answers your questions.

Cheers,

D

Thanks for the interest in my topic :)

Now please change the order (MAB first, then dot1x) and check again.

Unfortunately I don't remember the IOS version from my previous tests; however, I believe there was a change of behaviour in the new versions 15.2.x.

Regards

The order should not affect it as long as you have a valid MAC address in the Cisco ISE database. In fact, it took less time to authenticate my IP phone with MAB preferred, as dot1x had to fail anyway.

Switch version > 15.0 should be fine with ISE. Haven't encountered any issue as yet.
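As an added illustration that is not part of the thread (not paul46's or the original poster's configuration): an access-port configuration of the kind being tested above, showing the dot1x/MAB order and priority, the two timers that decide how long the switch waits for a supplicant before falling back to MAB, and the exec commands used to inspect and clear the session. The interface name, VLAN numbers and the timer values are assumptions; the config shows the dot1x-first order paul46 tested, with a comment on how to switch to the MAB-first order the original poster asked about.

```cisco
! Added example, not from the thread. Interface, VLANs and timer values are assumed.
interface GigabitEthernet1/0/1
 description Test port: IP phone / PC, 802.1X with MAB fallback
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
 ! Try 802.1X first, then MAB (the order tested in the reply above).
 ! Swapping the two keywords on both lines gives the "MAB first" order.
 authentication order dot1x mab
 authentication priority dot1x mab
 ! If 802.1X fails, move on to the next method (MAB) instead of holding the port.
 authentication event fail action next-method
 ! Time before falling back to MAB = (max-reauth-req + 1) x tx-period.
 ! With the values below the switch waits (2 + 1) x 10 s = 30 s for a supplicant
 ! before it tries MAB, instead of the default timers.
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 dot1x pae authenticator
 mab
 spanning-tree portfast
!
! Exec-mode commands for the test (privileged EXEC, not configuration mode):
!   show authentication sessions interface GigabitEthernet1/0/1 details
!   clear authentication sessions interface GigabitEthernet1/0/1
!   show authentication sessions interface GigabitEthernet1/0/1 details
```

Running the two show commands around the clear lets you see the session's method move from MAB to dot1x and, after the configured timeout, back to MAB, which is the behaviour the reply above describes without a SHUT/NO SHUT of the port.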