Solved: Re: Ghost authentication session with 802.1X

AdrianDessaigne2301 · ‎03-01-2021

Hello !

I have a weird behavior trying to use 802.1X with my Alcatel Phone and my PC.

My computer is connected behind the phone (Alcatel 8058s), and the phone is connected to the switch port. When I disconnect the PC, I still see it in the list of authentication sessions :

SWITCH#show authentication session

Interface MAC Address Method Domain Status Fg Session ID
Gi1/0/13 040e.3cc0.db1d 802.1X DATA Auth 0A0363F900000024004F707D <-----
Gi1/0/13 487a.5514.b085 mab VOICE Auth 0A0363F900000025005006EC

I tough changing the value of "authentication timer reauthenticate" could fix the issue, but even when disconnected, the PC still get reauthenticated.

Here is the version of my switch : WS-C2960X-24TS-L 15.2(4)E8

Here is the configuration of the port :

switchport access vlan X
switchport mode access
switchport voice vlan Y
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security
priority-queue out
authentication control-direction in
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 14400
authentication timer restart 10
authentication timer unauthorized 300
authentication violation replace
mab
no snmp trap link-status
mls qos trust cos
macro description cisco-desktop
dot1x pae authenticator
dot1x timeout quiet-period 50
dot1x timeout tx-period 5
dot1x timeout supp-timeout 25
dot1x max-req 3
dot1x max-reauth-req 5
spanning-tree portfast edge
spanning-tree bpduguard enable

Thanks for your answers and help !

Adrian.

thomas · ‎03-13-2021

The phone needs to support either proxy EAPOL-Logoff or CDP 2nd Port Disconnect. Either of these features will tell the switch when the endpoint behind it disconnects so it knows to drop them.

Phone & Collaboration Authentication Capabilities lists the options for some phones but not Alcatel so you'll need to research it for yourself.

Please add what you find in this thread.

View solution in original post

Marcelo Morais · ‎03-01-2021

Hi @AdrianDessaigne2301 ,

it's not recommended to use port-security and dot1x in the same configuration. Could you please remove the port-security commands and try again?

Hope this helps !!!

AdrianDessaigne2301 · ‎03-01-2021

Hi @Marcelo Morais ,

Thanks for your answers. Unfortunatly, after removing all port-security configuration from the port, the issues is still there. (PC still showing in auth session list after disconnecting it).

Here is the new config of the port :

switchport access vlan X
switchport mode access
switchport voice vlan Y
priority-queue out
authentication control-direction in
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 60
authentication timer restart 10
authentication timer unauthorized 300
authentication violation replace
mab
no snmp trap link-status
mls qos trust cos
macro description cisco-desktop
dot1x pae authenticator
dot1x timeout quiet-period 50
dot1x timeout tx-period 5
dot1x timeout supp-timeout 25
dot1x max-req 3
dot1x max-reauth-req 5
spanning-tree portfast edge
spanning-tree bpduguard enable

The only fix I could find is to reset the port or the authentication sessions, but I don't want to leave that manual (+ we do have a lot's of switches).

Adrian.

thomas · ‎03-13-2021

The phone needs to support either proxy EAPOL-Logoff or CDP 2nd Port Disconnect. Either of these features will tell the switch when the endpoint behind it disconnects so it knows to drop them.

Phone & Collaboration Authentication Capabilities lists the options for some phones but not Alcatel so you'll need to research it for yourself.

Please add what you find in this thread.