
How long does dot1x re-authentication happen after mab fails?

getaway51
Level 2

Hi,

I am seeing in Context Visibility -> Endpoints that the status is Disconnect (grey) with an IP address shown.

However, I am wondering whether I should ignore this ep or add this ep MAC address.

Does "Disconnect (grey) with IP address" show that the ep has previously PASSED authentication?

In the switches, when I do show authentication brief, I noticed UZ (Status: Unauthorized, Domain: UNKNOWN) below for 48992s. Does this (Status: Unauthorized, Domain: UNKNOWN) happen if someone logs out of the domain but leaves the computer ON? I am confused whether this is a failed machine or not.

 

Interface MAC Address AuthC AuthZ Fg Uptime
-----------------------------------------------------------------------------
Gi1/0/42 f430.b913.e245 m:CF d:RN UZ: SA- FA- X 48992s

 

sh auth sessions int gi1/0/23 det
Interface: GigabitEthernet1/0/23
IIF-ID: 0x1CD32D60
MAC Address: f430.b913.e245
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: f430b913e245
Status: Unauthorized
Domain: UNKNOWN
Oper host mode: multi-auth
Oper control dir: in
Session timeout: N/A
Common Session ID: AC1E8B660000000E2BF2E56E
Acct Session ID: Unknown
Handle: 0x00000004
Current Policy: DOT1X
Method status list:
Method State
dot1x Running
mab Stopped

Accepted Solution

Mike.Cifelli
VIP Alumni

Quick overview of 802.1x timers:
Once an interface is UP, the NAD will send an EAP Request-Identity frame. The NAD will then wait for a period of time defined by the 'dot1x timeout tx-period' timer and then send another Request-Identity frame. The number of times the NAD will resend the Request-Identity frame is defined by the 'dot1x max-reauth-req' variable. The time it takes for 802.1X to time out is determined by the following formula:
Timeout = (max-reauth-req + 1) * tx-period

Quick MAB failover timer overview:
Once 802.1X finally times out and the fallback mechanism (AKA mab) was not successful, the NAD waits a period of time defined by the 'authentication timer restart' timer, after which the NAD starts the authentication process over from the beginning.

HTH!

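The timer arithmetic from the accepted answer, worked through in Python as an added example (not code from the thread or from Cisco). It assumes the usual IOS defaults of tx-period 30 s and max-reauth-req 2, an assumed 60 s 'authentication timer restart', and parses the 'show authentication brief' row quoted in the question to estimate how many retry cycles fit in its uptime.

```python
import re

# Assumed values: 30 s tx-period and max-reauth-req 2 are the usual IOS
# defaults; the 60 s restart timer is an assumption for this illustration.
# Check the real values with 'show dot1x interface' / 'show authentication'.
DEFAULT_TX_PERIOD = 30       # dot1x timeout tx-period, seconds
DEFAULT_MAX_REAUTH_REQ = 2   # dot1x max-reauth-req
DEFAULT_RESTART_TIMER = 60   # authentication timer restart, seconds (assumed)


def dot1x_timeout(tx_period=DEFAULT_TX_PERIOD, max_reauth_req=DEFAULT_MAX_REAUTH_REQ):
    """Seconds until 802.1X gives up on a client that never answers
    Request-Identity: Timeout = (max-reauth-req + 1) * tx-period."""
    return (max_reauth_req + 1) * tx_period


def reauth_cycle(tx_period=DEFAULT_TX_PERIOD, max_reauth_req=DEFAULT_MAX_REAUTH_REQ,
                 mab_seconds=0, restart_timer=DEFAULT_RESTART_TIMER):
    """Seconds from one Request-Identity burst to the next when 802.1X times
    out, MAB then fails (mab_seconds = however long that RADIUS exchange took,
    0 treats it as negligible) and the NAD waits 'authentication timer restart'
    before starting over."""
    return dot1x_timeout(tx_period, max_reauth_req) + mab_seconds + restart_timer


_BRIEF_RE = re.compile(
    r"^(?P<intf>\S+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+.*?\b(?P<status>AZ|UZ):.*?\s(?P<uptime>\d+)s$"
)


def parse_brief_row(line):
    """Extract interface, MAC, AuthZ status and uptime (seconds) from one
    'show authentication sessions brief' row like the one in the question."""
    m = _BRIEF_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised row: {line!r}")
    return {
        "interface": m["intf"],
        "mac": m["mac"],
        "authorized": m["status"] == "AZ",
        "uptime_s": int(m["uptime"]),
    }


def retries_so_far(uptime_s, cycle_s):
    """Full dot1x -> MAB -> restart cycles that fit in the session uptime,
    i.e. roughly how often the NAD has re-tried this unauthorized client."""
    return uptime_s // cycle_s


if __name__ == "__main__":
    row = parse_brief_row("Gi1/0/42 f430.b913.e245 m:CF d:RN UZ: SA- FA- X 48992s")
    print(row, "retries so far:", retries_so_far(row["uptime_s"], reauth_cycle()))
```

With the assumed defaults a full cycle is 90 s of 802.1X plus 60 s of restart wait, so a session that has been unauthorized for 48992 s has been retried roughly 326 times.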

3 Replies


hslai
Cisco Employee
...

Does "Disconnect (grey) with IP address" show the ep has previously PASSED authentication?

...

Not necessarily. If the network device knows about the client IP address, it may send that in as part of RADIUS authentication requests, so it is learned by ISE.

PS: Pavan already answered it in your "Context visibility status is disconnected (grey) also showing IP Address" thread.

Hi,

Does "Disconnect (grey) with IP address" show the ep has previously PASSED authentication?

Do you mean to say that with or without an IP address doesn't prove anything,

but Status: Disconnect (grey) means the ep has previously PASSED authentication?


Is the above statement correct?