01-26-2016 06:45 PM - edited 03-10-2019 11:25 PM
Hi,
I would like to know what the expected behaviour of the supplicant is if the switch port is not configured for dot1x.
I've seen that PCs (with AnyConnect or the Windows native client) send around 3 EAPOL messages, then ignore dot1x and continue with network access if there is no response from the authenticator.
But some other devices keep sending the EAPOL messages and never get network access.
Is the IEEE standard clear on this?
01-26-2016 08:34 PM
Then that's not an expected behavior. When no response is received, the client sends the request for a fixed number of times. Because no response is received, the client begins sending frames as if the port is in the authorized state.
Can you share "show run interface <interface-id>"?
How many machines / ports are exhibiting this behavior?
~ Jatin
01-27-2016 07:04 AM
Hi Jatin,
The interface configuration of the switch is irrelevant as the switch doesn't participate in dot1x.
However, it looks like this:
int fa0/1
switchport mode access
switchport access vlan 10
spanning-tree portfast
I agree with your comment "the client sends the request for a fixed number of times. Because no response is received, the client begins sending frames as if the port is in the authorized state".
But my problem is that I could not find a reference for this argument.
Could you show me any reference documents?
01-27-2016 07:32 AM
Well, my thought was to verify if you have configured ports in question with high value of tx-period and max-reauth-req even. The combination of tx-period and max-reauth-req is especially important to non-IEEE-802.1X-capable endpoints and you do have non-IEEE-802.1x. The total time it takes for 802.1X to time out is determined by the following formula:
Timeout = (max-reauth-req +1) * tx-period
Switches have default values of tx-period = 30 seconds and max-reauth-req = 2.
Anyways, your switchport config looks good.
Yes, here is a reference document: Ports in Authorized and Unauthorized States
~ Jatin
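To make the two behaviours discussed in this thread concrete, here is an added example (not code from the thread or from Cisco): a toy model of the supplicant that sends a fixed number of EAPOL-Start frames and then either falls back to an authorized state or stays blocked, plus the switch-side timeout formula Jatin quoted above. The supplicant defaults (maxStart = 3, startPeriod = 30 s) are assumed from the IEEE 802.1X-2001 supplicant PAE state machine and are not stated on the page; the switch defaults (tx-period = 30, max-reauth-req = 2) are the ones given in the thread.

```python
"""Toy model of 802.1X supplicant retry behaviour on a non-dot1x switch port.

Added example, not from the forum thread. Timing is simulated, nothing is
sent on the wire.
"""
from dataclasses import dataclass, field
from typing import List

# Assumed supplicant PAE defaults (IEEE 802.1X-2001: maxStart = 3, startPeriod = 30 s).
DEFAULT_MAX_START = 3
DEFAULT_START_PERIOD = 30

# Switch-side defaults quoted in the thread.
DEFAULT_TX_PERIOD = 30
DEFAULT_MAX_REAUTH_REQ = 2


@dataclass
class SupplicantResult:
    eapol_starts_sent: int
    seconds_elapsed: int
    state: str                      # "AUTHENTICATING", "AUTHENTICATED" or "BLOCKED"
    events: List[str] = field(default_factory=list)


def run_supplicant(authenticator_responds: bool,
                   max_start: int = DEFAULT_MAX_START,
                   start_period: int = DEFAULT_START_PERIOD,
                   fallback_when_silent: bool = True) -> SupplicantResult:
    """Simulate the supplicant's CONNECTING state.

    The supplicant sends EAPOL-Start up to max_start times, waiting
    start_period seconds between attempts. If the authenticator answers,
    it moves on to AUTHENTICATING. If it never answers, a standards-style
    supplicant (fallback_when_silent=True) assumes there is no authenticator
    and behaves as AUTHENTICATED, i.e. it just starts using the port. A
    supplicant without that fallback (the printer/phone case from the
    thread) stays BLOCKED and keeps retrying.
    """
    events: List[str] = []
    starts = 0
    elapsed = 0
    while starts < max_start:
        starts += 1
        events.append(f"t={elapsed:>3}s EAPOL-Start #{starts} sent")
        if authenticator_responds:
            events.append(f"t={elapsed:>3}s EAP-Request/Identity received")
            return SupplicantResult(starts, elapsed, "AUTHENTICATING", events)
        elapsed += start_period            # startWhen timer expires, no reply
    if fallback_when_silent:
        events.append(f"t={elapsed:>3}s maxStart reached, assuming no authenticator")
        return SupplicantResult(starts, elapsed, "AUTHENTICATED", events)
    events.append(f"t={elapsed:>3}s maxStart reached, no fallback configured")
    return SupplicantResult(starts, elapsed, "BLOCKED", events)


def authenticator_timeout(tx_period: int = DEFAULT_TX_PERIOD,
                          max_reauth_req: int = DEFAULT_MAX_REAUTH_REQ) -> int:
    """Switch-side time until 802.1X gives up on a silent endpoint
    (formula from the thread): (max-reauth-req + 1) * tx-period."""
    return (max_reauth_req + 1) * tx_period


if __name__ == "__main__":
    for label, kwargs in [("PC-style supplicant, silent port", {}),
                          ("printer-style supplicant, silent port", {"fallback_when_silent": False}),
                          ("dot1x-enabled port", {"authenticator_responds": True})]:
        r = run_supplicant(**{"authenticator_responds": False, **kwargs})
        print(f"{label}: {r.state} after {r.eapol_starts_sent} EAPOL-Start(s), {r.seconds_elapsed}s")
        for e in r.events:
            print("   ", e)
    print("switch-side timeout with defaults:", authenticator_timeout(), "s")
```

With the assumed defaults the PC-style supplicant sends exactly three EAPOL-Starts over 90 seconds and then proceeds, which matches the "around 3 EAPOL messages" the original poster observed; the printer-style device stops in BLOCKED with no DHCP ever attempted. Note that the switch-side formula also yields 90 seconds with its defaults, but it describes the opposite direction (how long a dot1x-enabled port waits for a silent endpoint), so the two numbers coinciding is not a dependency.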
01-31-2016 10:01 AM
Did the document help you to support your theory? ~ Jatin
01-26-2016 08:35 PM
What switches (make and model) are you testing this behavior on?
Thank you for rating helpful posts!
01-27-2016 10:10 AM
I'm afraid the standards are not being followed by some developers of dot1x supplicants. I have also seen devices (Xerox printers) that have no option to fall back from dot1x if there is no reply, and they simply then get no access as they don't issue a DHCP request before dot1x has been completed. I have also seen this on Avaya IP phones. This is usually a configurable option in that specific device, but not something the standard talks about.