
NAC Failure | Authentication failed for client - TimeOut

ramirezcyrus
Level 1

Jan 30 17:11:56.881: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (8cae.4cc6.58f6) with reason (Timeout) on Interface Gi2/0/29 AuditSessionID 035A170A000002F1B83067BE Username: anonymous

Jan 30 17:12:41.882: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (8cae.4cc6.58f6) with reason (Timeout) on Interface Gi2/0/29 AuditSessionID 035A170A000002F1B83067BE Username: anonymous

Jan 30 17:13:26.884: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (8cae.4cc6.58f6) with reason (Timeout) on Interface Gi2/0/29 AuditSessionID 035A170A000002F1B83067BE Username: anonymous

Jan 30 17:16:35.380: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (8cae.4cc6.58f6) with reason (Timeout) on Interface Gi2/0/29 AuditSessionID 035A170A000002F1B83067BE Username: anonymous

Jan 30 17:26:56.744: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (8cae.4cc6.58f6) with reason (Timeout) on Interface Gi2/0/29 AuditSessionID 035A170A000002F1B83067BE Username: anonymous

Jan 30 17:27:41.746: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (8cae.4cc6.58f6) with reason (Timeout) on Interface Gi2/0/29 AuditSessionID 035A170A000002F1B83067BE Username: anonymous

Jan 30 17:28:26.748: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (8cae.4cc6.58f6) with reason (Timeout) on Interface Gi2/0/29 AuditSessionID 035A170A000002F1B83067BE Username: anonymous

9 Replies

Timeout: it seems the SW cannot connect to the server

Share 

Show aaa server <<-

Debug aaa authentication <<- 

MHM

ramirezcyrus
Level 1

Port configuration:

interface <port number>

description User-Voice Vlan_Nac-Config

switchport access vlan <vlan id>

switchport mode access

switchport voice vlan <vlan id>

device-tracking attach-policy q-device-tracking

ip access-group IPV4_PRE_AUTH_ACL in

no cdp enable

authentication event fail action next-method

authentication host-mode multi-auth

authentication open

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication timer reauthenticate server

authentication violation restrict

mab

dot1x pae authenticator

dot1x timeout tx-period 15

spanning-tree portfast

authentication event fail action next <<- this is not needed

authentication open <<- this must be removed

Also share the output of the command I shared above

MHM
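The cadence of the failures in the log at the top of the thread can be measured rather than eyeballed. The following is an added example, not code from the thread or from Cisco: it parses `%DOT1X-5-FAIL` lines, groups them per client and port, and counts the gaps that match (max-reauth-req + 1) × tx-period. The `tx-period` of 15 comes from the posted port config; `MAX_REAUTH_REQ = 2` and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

TX_PERIOD = 15      # "dot1x timeout tx-period 15" from the port config in the thread
MAX_REAUTH_REQ = 2  # assumption: not shown in the thread
WINDOW = TX_PERIOD * (MAX_REAUTH_REQ + 1)  # seconds before the switch gives up

# Sample rebuilt from the thread: same message, the seven timestamps posted.
TEMPLATE = ("Jan 30 {t}: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication "
            "failed for client (8cae.4cc6.58f6) with reason (Timeout) on Interface "
            "Gi2/0/29 AuditSessionID 035A170A000002F1B83067BE Username: anonymous")
TIMES = ["17:11:56.881", "17:12:41.882", "17:13:26.884", "17:16:35.380",
         "17:26:56.744", "17:27:41.746", "17:28:26.748"]
SAMPLE = "\n".join(TEMPLATE.format(t=t) for t in TIMES)

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:.]+): %DOT1X-5-FAIL: .*?"
    r"client \((?P<mac>[0-9a-f.]+)\) with reason \((?P<reason>[^)]+)\) "
    r"on Interface (?P<intf>\S+)")

def parse(text):
    """Group failure timestamps by (client MAC, interface, reason)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            # Syslog omits the year; pin one so parsing is unambiguous.
            ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f")
            events[(m["mac"], m["intf"], m["reason"])].append(ts)
    return events

def summarize(text, tolerance=1.0):
    """Per client: failure count, gaps in seconds, gaps matching WINDOW."""
    report = {}
    for key, stamps in parse(text).items():
        stamps.sort()
        gaps = [round((b - a).total_seconds(), 1) for a, b in zip(stamps, stamps[1:])]
        hits = sum(1 for g in gaps if abs(g - WINDOW) <= tolerance)
        report[key] = {"failures": len(stamps), "gaps": gaps, "window_hits": hits}
    return report

if __name__ == "__main__":
    for key, info in summarize(SAMPLE).items():
        print(key, info)
```

On the thread's sample, four of the six gaps between failures are 45 seconds, which equals three tx-periods of 15 seconds.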

The issue seems to be the docking stations. Connecting directly to the laptops and desktops we are able to authenticate within 15 seconds. 

@ramirezcyrus the MAC address in the output appears to be a Plugable Technologies dock? So that dock is failing authentication in ISE and being rejected? Look to enable MAC passthrough https://community.cisco.com/t5/network-access-control/docking-station-best-practice-with-802-1x-authentication-and/td-p/4719031

 

We did think of this but unfortunately, we are not able to complete this task. The laptops do not have this capability. 

 

We are not testing wired autoconfig disabled to see if that can work.

Apologies for my last comment. I meant to say, I want to test to see if, by disabling Wired AutoConfig and keeping only Wireless AutoConfig enabled, I can bypass this issue. Since the BIOS of our laptops does not allow MAC address bypass, I'm at a loss as to what else I can do. This method I'm suggesting does not fulfill our requirement, but it would stop the calls until I can figure out how to resolve this docking station issue. Please advise, thanks.

 

That won't work. Some brain surgeon configured EAP-PEAP for wireless and we are doing EAP-TEAP for wired.... Any suggestions?