Supplicant behaviour if the switch is not configured for dot1x

wkw.domain1
Level 1

Hi,

I would like to know what the expected behaviour of the supplicant is if the switch port is not configured for dot1x.

I've seen that PCs (with AnyConnect or the Windows native client) send around 3 EAPOL messages, then ignore dot1x and continue with network access if there is no response from the authenticator.

But some other devices keep sending the EAPOL messages and never get network access.

Is the IEEE standard clear on this?

6 Replies

Jatin Katyal
Cisco Employee

Then that's not an expected behavior. When no response is received, the client sends the request for a fixed number of times. Because no response is received, the client begins sending frames as if the port is in the authorized state. 

Can you share "show run interface <interface-id>"?

How many machines / ports are exhibiting this behavior?

~ Jatin

Hi Jatin,

The interface configuration of the switch is irrelevant, as the switch doesn't participate in dot1x.

However, it looks like this:

int fa0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast

I agree with your comment "the client sends the request for a fixed number of times. Because no response is received, the client begins sending frames as if the port is in the authorized state".

But my problem is that I could not find a reference for this argument.

Could you show me any reference documents?

Well, my thought was to verify whether you have configured the ports in question with high values of tx-period and max-reauth-req. The combination of tx-period and max-reauth-req is especially important to non-IEEE-802.1X-capable endpoints, and you do have non-IEEE-802.1X endpoints. The total time it takes for 802.1X to time out is determined by the following formula:

Timeout = (max-reauth-req + 1) * tx-period

Switches have default values of tx-period = 30 seconds and max-reauth-req = 2.

Anyway, your switchport config looks good.

Yes, here is a reference document: Ports in Authorized and Unauthorized States

~ Jatin

Did the document help you to support your theory? ~ Jatin

nspasov
Cisco Employee

What switches (make and model) are you testing this behavior on?

Thank you for rating helpful posts!

jan.nielsen
Level 7

I'm afraid the standards are not being followed by some developers of dot1x supplicants. I have also seen devices (Xerox printers) that have no option to fall back from dot1x if there is no reply, and they then simply get no access, as they don't issue a DHCP request before dot1x has completed; I have also seen this on Avaya IP phones. This is usually a configurable option in that specific device, but not something the standard talks about.
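As an added illustration (not code from any poster in this thread), the following Python model shows the two supplicant behaviours described above side by side on a port whose switch is not running dot1x: the PC that sends a fixed number of EAPOL-Starts and then uses the port as if authorized, and the printer-style device that keeps sending EAPOL-Start and never passes traffic. It assumes the IEEE 802.1X supplicant PAE defaults startPeriod = 30 s and maxStart = 3, which the thread does not state; the `fallback` flag is a modelling choice, not a parameter of the standard.

```python
"""Constructed model of a supplicant sending EAPOL-Start on a non-dot1x port.
start_period=30 / max_start=3 are the 802.1X supplicant PAE defaults (assumed)."""
import struct

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group destination MAC
ETH_P_PAE = 0x888E                             # EAPOL ethertype
EAPOL_START = 2                                # EAPOL packet type 2 = EAPOL-Start

def eapol_start_frame(src_mac: bytes, version: int = 2) -> bytes:
    """Ethernet header followed by the 4-byte EAPOL header (version, type, body len 0)."""
    return PAE_GROUP_ADDR + src_mac + struct.pack("!HBBH", ETH_P_PAE, version, EAPOL_START, 0)

def eapol_type(frame: bytes):
    """EAPOL packet type of a frame, or None if the frame is not EAPOL."""
    if len(frame) < 18 or frame[12:14] != struct.pack("!H", ETH_P_PAE):
        return None
    return frame[15]

class Supplicant:
    """Supplicant PAE reduced to the decision the thread discusses.  fallback=True:
    after max_start unanswered Starts, use the port as if authorized (PC behaviour).
    fallback=False: keep sending Starts and never pass traffic (printer behaviour)."""
    def __init__(self, mac: bytes, start_period: int = 30, max_start: int = 3,
                 fallback: bool = True):
        self.mac, self.start_period = mac, start_period
        self.max_start, self.fallback = max_start, fallback
        self.start_count, self.authorized, self.authorized_at = 0, False, None
        self.sent = []  # (time_s, frame): what a capture on the wire would show

    def run(self, duration_s: int) -> bool:
        """Step the startWhen timer with no authenticator replying; return authorized."""
        for t in range(0, duration_s + 1, self.start_period):
            if self.start_count >= self.max_start:   # startWhen expired after maxStart
                if self.fallback:
                    self.authorized, self.authorized_at = True, t
                    return True
                self.start_count = 0                  # non-fallback device starts over
            self.sent.append((t, eapol_start_frame(self.mac)))
            self.start_count += 1
        return self.authorized

def eapol_starts_per_mac(frames) -> dict:
    """Count EAPOL-Start frames per source MAC; a high count with nothing coming
    back is the wire signature of a supplicant stuck on a non-dot1x port."""
    counts = {}
    for f in frames:
        if eapol_type(f) == EAPOL_START:
            src = f[6:12].hex(":")
            counts[src] = counts.get(src, 0) + 1
    return counts
```

Feeding `eapol_starts_per_mac` the EAPOL frames from a span-port capture gives a quick inventory of endpoints that never fall back, which is the practical way to find the devices jan.nielsen describes before they are rolled out to non-dot1x ports.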
