

Ghost authentication session with 802.1X

Hello !

I have a weird behavior trying to use 802.1X with my Alcatel Phone and my PC.

My computer is connected behind the phone (Alcatel 8058s), and the phone is connected to the switch port. When I disconnect the PC, I still see it in the list of authentication sessions:


SWITCH#show authentication session

Interface MAC Address Method Domain Status Fg Session ID
Gi1/0/13 040e.3cc0.db1d 802.1X DATA Auth 0A0363F900000024004F707D  <-----
Gi1/0/13 487a.5514.b085 mab VOICE Auth 0A0363F900000025005006EC


I thought changing the value of "authentication timer reauthenticate" could fix the issue, but even when disconnected, the PC still gets reauthenticated.


Here is the version of my switch: WS-C2960X-24TS-L 15.2(4)E8


Here is the configuration of the port:

switchport access vlan X
switchport mode access
switchport voice vlan Y
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security
priority-queue out
authentication control-direction in
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 14400
authentication timer restart 10
authentication timer unauthorized 300
authentication violation replace
mab
no snmp trap link-status
mls qos trust cos
macro description cisco-desktop
dot1x pae authenticator
dot1x timeout quiet-period 50
dot1x timeout tx-period 5
dot1x timeout supp-timeout 25
dot1x max-req 3
dot1x max-reauth-req 5
spanning-tree portfast edge
spanning-tree bpduguard enable


Thanks for your answers and help!

Adrian.

Accepted Solution
thomas
Cisco Employee

The phone needs to support either proxy EAPOL-Logoff or CDP 2nd Port Disconnect. Either of these features will tell the switch when the endpoint behind it disconnects so it knows to drop them.

Phone & Collaboration Authentication Capabilities lists the options for some phones but not Alcatel so you'll need to research it for yourself.

Please add what you find in this thread.

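Until the phone signals the disconnect, the only way to spot these stale entries from the switch side is to notice that the session's MAC has stopped being seen on the port. The script below is an added example (not part of this thread and not Cisco code): it parses `show authentication session` rows in the column layout shown above together with `show mac address-table` rows, and flags authorized DATA sessions on phone ports whose MAC the switch has aged out. The sample output is constructed, and it assumes the dynamic MAC entry has already aged out, which on this switch happens some minutes after the PC is unplugged.

```python
import re

# Constructed samples (hypothetical values) in the column layout of the
# thread's "show authentication session" and of "show mac address-table".
# The PC on Gi1/0/13 was unplugged long enough for its dynamic MAC entry to
# age out, but its 802.1X session is still shown as Auth.
AUTH_SESSIONS = """\
Interface MAC Address Method Domain Status Fg Session ID
Gi1/0/13 040e.3cc0.db1d 802.1X DATA Auth 0A0363F900000024004F707D
Gi1/0/13 487a.5514.b085 mab VOICE Auth 0A0363F900000025005006EC
Gi1/0/14 0011.2233.4455 802.1X DATA Auth 0A0363F9000000260050AAAA
"""
MAC_TABLE = """\
Vlan Mac Address Type Ports
 20 487a.5514.b085 DYNAMIC Gi1/0/13
 10 0011.2233.4455 DYNAMIC Gi1/0/14
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
SESSION_RE = re.compile(
    rf"^(?P<intf>\S+)\s+(?P<mac>{MAC})\s+\S+\s+(?P<domain>\S+)\s+(?P<status>\S+)", re.I)
MAC_RE = re.compile(rf"^\s*\d+\s+(?P<mac>{MAC})\s+\S+\s+(?P<intf>\S+)", re.I)

def parse_sessions(text):
    """(interface, mac, domain, status) for each session row; the header is skipped."""
    rows = [SESSION_RE.match(line) for line in text.splitlines()]
    return [(m["intf"], m["mac"].lower(), m["domain"].upper(), m["status"])
            for m in rows if m]

def parse_mac_table(text):
    """Set of (interface, mac) pairs the switch has currently learned."""
    rows = [MAC_RE.match(line) for line in text.splitlines()]
    return {(m["intf"], m["mac"].lower()) for m in rows if m}

def ghost_sessions(sessions_text, mac_text):
    """Authorized DATA sessions behind a phone whose MAC the switch no longer
    sees: the stale entries the thread describes, which persist until the phone
    signals the disconnect or the session is cleared by hand."""
    learned = parse_mac_table(mac_text)
    sessions = parse_sessions(sessions_text)
    voice_ports = {intf for intf, _, dom, _ in sessions if dom == "VOICE"}
    return [(intf, mac) for intf, mac, dom, status in sessions
            if dom == "DATA" and status == "Auth"
            and intf in voice_ports and (intf, mac) not in learned]
```

Feed it the two command outputs collected from a switch and clear only the sessions it reports, instead of bouncing whole ports.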

3 Replies
Marcelo Morais
Advocate

Hi @AdrianDessaigne2301,

It's not recommended to use port-security and dot1x in the same configuration. Could you please remove the port-security commands and try again?


Hope this helps!!!

Hi @Marcelo Morais,

Thanks for your answers. Unfortunately, after removing all port-security configuration from the port, the issue is still there (the PC still shows in the auth session list after disconnecting it).


Here is the new config of the port:

switchport access vlan X
switchport mode access
switchport voice vlan Y
priority-queue out
authentication control-direction in
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 60
authentication timer restart 10
authentication timer unauthorized 300
authentication violation replace
mab
no snmp trap link-status
mls qos trust cos
macro description cisco-desktop
dot1x pae authenticator
dot1x timeout quiet-period 50
dot1x timeout tx-period 5
dot1x timeout supp-timeout 25
dot1x max-req 3
dot1x max-reauth-req 5
spanning-tree portfast edge
spanning-tree bpduguard enable


The only fix I could find is to reset the port or the authentication sessions, but I don't want to leave that manual (+ we do have a lot of switches).


Adrian.

