07-05-2014 10:38 AM - edited 03-10-2019 09:51 PM
Hi,
Host PCs are trying to authenticate with MAB instead of dot1x. after two failed attempts in MAB, then a fallback happening to dot1x.
Priority and order for authentication is dot1x then mab.
So there is a huge failed attempts happening and lot authentication message to server make the CPU utilization high. Kindly throw some idea tp avoid MAB authentication for host PCs (dot1x supplicant )..
Thank you,
07-07-2014 01:26 PM
The config on the switch does not affect the actual PC. It tells the switch what order to attempt to authenticate with. Let's go back to basics, as it's always helpful:
If the switch is configured correctly with 802.1x (.1x for short), and you have correctly put in the command for dot1x mab, and all other configurations on the ports, etc. are correct, then the port will be "closed" except for LEAP/ EAPOL messages.
So, the PC will request access to the network. It will send an EAPOL msg with .1x request. The switch will forward the request msg in an EAPOL packet to the radius server, requesting access. The radius server will look up the request in SACS. If the device is entered correctly, and depending how the SACS is configured, it will poll AD for the correct .1x certificate. If it finds the correct .1x certificate, it will reply with an "you're ok" message. The switch will receive the message, and if ok, will allow normal traffic to flow across the port.
That's a down-and-dirty way to look at .1x.
The key is this: do ALL of your PC's have issues, or is it just one or two of them? If it's just one or two of them, then I'd suggest running the command show dot1x all [details | statistics | summary] You can also do it per port like show dot1x interface xxx. Great for troubleshooting, as well as the logs.
Again, though, if it's just one or two PC's, I'd make sure that the PC's are correctly configured for 802.1x authentication. I've seen that before. The PC was not configured for 802.1x, so the switch thought it was a MAB device, and immediately went to MAB. I'd bet your configuration allows for it to try it several times, then falls back to 802.1x.
Again, if it's one or two, but others are passing, then I'd say to focus on the PCs. Otherwise, confirm that your config on the PC's port is similar to others that are passing.
07-09-2014 01:46 AM
How is your authentication policy looking?
Do you have a condition for wired 802.1x? Ours looks like this:
|
We also have a condition for wired mab:
Then we have profiled all the devices, and only devices that actually do 802.1x are allowed the condition "802.1x" if they fail back to mab - they fail. same vice versa!
So we have 2 different rules, with different profiled devices selected for each. I´m still testing it, but it seems to be working!
you will find the conditions in the conditions/authorization/compound conditions. and they are actually a cisco default condition.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide