re-authentication for Wired Dot1x

parmsing
Cisco Employee

Hi Team,

 

Currently I am working with a customer who has deployed wired dot1x in their environment. As they have some switches which do not support IBNS 2.0, they are going ahead with an IBNS 1.0 implementation at this point.

 

We have FlexAuth implemented for the customer with re-authentication enabled. Here is the interface configuration snippet from the switch.

 

switch(config-if)# switchport access vlan <X>
switch(config-if)# switchport voice vlan <X>
switch(config-if)# switchport mode access
switch(config-if)# authentication event fail retry 0 action next-method
switch(config-if)# dot1x pae authenticator
switch(config-if)# authentication port-control auto
switch(config-if)# spanning-tree portfast
switch(config-if)# authentication control-direction in
switch(config-if)# authentication order mab dot1x
switch(config-if)# authentication priority dot1x mab
switch(config-if)# ip access-group ACL-PRE-AUTH in
switch(config-if)# authentication open   ! used for monitor mode
switch(config-if)# authentication violation restrict
switch(config-if)# dot1x timeout tx-period 10
switch(config-if)# authentication periodic
switch(config-if)# authentication timer reauthenticate server
switch(config-if)# authentication timer inactivity server dynamic
switch(config-if)# authentication host-mode multi-domain
switch(config-if)# mab
switch(config-if)# authentication event server dead action reinitialize vlan CRITICAL_VLAN
switch(config-if)# authentication event server dead action authorize voice
switch(config-if)# authentication event server alive action reinitialize

 

When the reauth timer expires (60 minutes), our dot1x Windows machines are dropping into the default MAB authz policy, which is a known issue. As per the flexible auth document, “if you do perform reauthentication, reauthentication always returns to the first method (MAB).”

 

We can use the Cisco AV pair “termination-action-modifier=1” to instruct the switch to use the last successful method. This does not seem to work with a Catalyst 2960X running Version 15.2(6)E1.

 

Also, I did not find much information on this in Cisco documents, as it is not supported by some devices. We enabled advanced settings for the supplicant, which seems to fix this issue. Below is a screenshot of the group policy config that does seem to fix the issue.

 

<Please refer to the attachment>

 

I would like to ask for your advice: should we suggest the customer proceed with the above supplicant settings (“advanced security settings enabled”), or do we have any other workaround which can force switch re-authentication to use dot1x for dot1x-capable devices?

 

Appreciate your assistance on this,

 

 

Thanks and Regards,

Parm

2 Replies

bern81
Level 1

Hi,

 

I ran into the same nightmare with order mab dot1x and priority dot1x mab, facing intermittent loops, especially if you get authenticated with MAB and then, after a few minutes, the endpoint sends an EAPOL-Start packet.

 

As advice, use order dot1x mab. If you are afraid of DHCP timeout, you can reduce the dot1x tx-period to, let's say, 4 sec; like this, after a maximum of 12 sec it shifts to the next method if the first fails.

 

Also set the reauthenticate timer to a value higher than 60 min.

 

I hope this helped, knowing that this is not exactly your question :)
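To make the behaviour described in the question and in the reply checkable against a running-config, here is an added Python example (not code from either poster, from Cisco, or from any Cisco tool). It parses interface stanzas, flags ports where "authentication order mab dot1x" together with "authentication periodic" will send every reauthentication back to MAB, flags the MAB-then-EAPOL-Start restart the reply describes, and computes the worst-case time before FlexAuth moves from dot1x to the next method from tx-period and max-reauth-req (4 s × 3 attempts = 12 s for the reply's tx-period 4). The sample config, interface names, finding codes and the 60-minute threshold are constructed assumptions; tx-period 30 and max-reauth-req 2 are the IOS defaults.

```python
import re

# Constructed sample running-config (not from the post): Gi1/0/1 mirrors the
# FlexAuth port in the question (order mab dot1x, server-driven reauth,
# monitor mode); Gi1/0/2 applies the reply's advice (order dot1x mab,
# tx-period 4, reauth timer above 60 minutes).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport voice vlan 20
 switchport mode access
 authentication event fail retry 0 action next-method
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication host-mode multi-domain
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 switchport mode access
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 7200
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 4
!
"""

DEFAULT_TX_PERIOD = 30       # IOS default for "dot1x timeout tx-period" (seconds)
DEFAULT_MAX_REAUTH_REQ = 2   # IOS default for "dot1x max-reauth-req"
REAUTH_WARN_SECONDS = 3600   # assumed threshold: the reply suggests going above 60 minutes


def parse_interfaces(config_text):
    """Map each 'interface ...' stanza to its list of stripped sub-commands."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None   # "!" or any other top-level line ends the stanza
    return interfaces


def _int_setting(cmds, pattern, default):
    """Return the integer captured by pattern from the first matching command, else default."""
    for cmd in cmds:
        m = re.fullmatch(pattern, cmd)
        if m:
            return int(m.group(1))
    return default


def dot1x_fallback_seconds(cmds):
    """Worst-case wait before FlexAuth moves past dot1x to the next method:
    the first EAP-Request/Identity plus max-reauth-req retransmissions, one
    tx-period apart. tx-period 4 with the default 2 retries gives 4 * 3 = 12 s."""
    tx_period = _int_setting(cmds, r"dot1x timeout tx-period (\d+)", DEFAULT_TX_PERIOD)
    retries = _int_setting(cmds, r"dot1x max-reauth-req (\d+)", DEFAULT_MAX_REAUTH_REQ)
    return tx_period * (retries + 1)


def audit_interface(cmds):
    """Return finding strings, each prefixed with a short code, for one port."""
    findings = []
    order = next((c.split()[2:] for c in cmds if c.startswith("authentication order ")), [])
    priority = next((c.split()[2:] for c in cmds if c.startswith("authentication priority ")), [])
    periodic = "authentication periodic" in cmds
    timer = next((c.split()[-1] for c in cmds
                  if c.startswith("authentication timer reauthenticate ")), None)

    if order[:1] == ["mab"] and periodic:
        findings.append("REAUTH-TO-MAB: periodic reauthentication restarts with the first "
                        "method (MAB), so dot1x endpoints land in the MAB authz policy")
    if order[:1] == ["mab"] and priority[:1] == ["dot1x"]:
        findings.append("EAPOL-PREEMPT: dot1x has priority over a MAB-authorized session, so a "
                        "later EAPOL-Start restarts authentication with dot1x")
    if "authentication open" in cmds:
        findings.append("MONITOR-MODE: authentication open, failures are not enforced")
    if timer == "server":
        findings.append("REAUTH-TIMER-SERVER: interval comes from the RADIUS Session-Timeout")
    elif timer is not None and timer.isdigit() and int(timer) <= REAUTH_WARN_SECONDS:
        findings.append(f"REAUTH-TIMER-LOW: {timer}s reauth interval is not above 60 minutes")
    if "dot1x" in order:
        findings.append(f"DOT1X-FALLBACK: up to {dot1x_fallback_seconds(cmds)}s before the "
                        "next method is tried when the endpoint has no supplicant")
    return findings


def audit_config(config_text):
    """Audit every interface stanza in a running-config text."""
    return {name: audit_interface(cmds) for name, cmds in parse_interfaces(config_text).items()}


if __name__ == "__main__":
    for name, port_findings in audit_config(SAMPLE_CONFIG).items():
        print(name)
        for finding in port_findings:
            print("  " + finding)
```

Run it against `show running-config` output saved to a file to list the ports that will exhibit the reauth-to-MAB behaviour before changing the order; the fallback figure is what to compare against the DHCP client timeout when choosing a tx-period.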

 

Thanks Mate,

 

Yes, reversing the order is another option, but I was wondering whether changing the advanced settings for dot1x is going to address this issue permanently or temporarily, and if this is suggested by the ISE team.

 

Regards,

Parm