07-24-2018 05:19 AM
Good Day!
I'm using WS-C2960X-48TS-L IOS 15.2(4)
I have 802.1x on my switchports up and running. Some devices successfully pass authentication, some do not.
When they fail 802.1x, the switchport does not fall into the err-disable state.
Jul 24 11:58:29.028: %AUTHMGR-5-START: Starting 'dot1x' for client (0019.99fa.3ebd) on Interface Gi2/0/8 AuditSessionID 0A5F2FF800000216588946FB
Jul 24 12:00:32.111: %DOT1X-5-FAIL: Authentication failed for client (0019.99fa.3ebd) on Interface Gi2/0/8 AuditSessionID 0A5F2FF800000216588946FB
Jul 24 12:00:32.111: %AUTHMGR-7-STOPPING: Stopping 'dot1x' for client 0019.99fa.3ebd on Interface Gi2/0/8 AuditSessionID 0A5F2FF800000216588946FB
Jul 24 12:00:32.111: %AUTHMGR-5-START: Starting 'mab' for client (0019.99fa.3ebd) on Interface Gi2/0/8 AuditSessionID 0A5F2FF800000216588946FB
Jul 24 12:00:38.186: %MAB-5-FAIL: Authentication failed for client (0019.99fa.3ebd) on Interface Gi2/0/8 AuditSessionID 0A5F2FF800000216588946FB
Jul 24 12:00:38.190: %AUTHMGR-7-STOPPING: Stopping 'mab' for client 0019.99fa.3ebd on Interface Gi2/0/8 AuditSessionID 0A5F2FF800000216588946FB
Jul 24 12:00:38.190: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0019.99fa.3ebd) on Interface Gi2/0/8 AuditSessionID 0A5F2FF800000216588946FB
Interface Config:
description DOT1X
switchport access vlan 101
switchport mode access
authentication event fail action next-method
authentication port-control auto
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout quiet-period 3
dot1x timeout server-timeout 3
dot1x timeout tx-period 7
dot1x timeout supp-timeout 3
dot1x max-req 10
dot1x max-reauth-req 10
Thank You in advance!
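An added example, not part of the original post: a small parser that groups the AUTHMGR/DOT1X/MAB syslog lines above by AuditSessionID and reports, per session, which methods were tried, how each ended, and how long the whole sequence took. Run over the log quoted in the post it shows the sequence dot1x FAIL, then mab FAIL, then "Authorization failed or unapplied", i.e. the port ends in the unauthorized state rather than err-disabled. The sample log is embedded as constructed test input (the seven lines from the post); the regexes are my own and assume the standard IOS syslog line layout shown here.

```python
import re
from datetime import datetime

# Constructed sample input: the seven syslog lines quoted in the post.
SAMPLE_LOG = """\
Jul 24 11:58:29.028: %AUTHMGR-5-START: Starting 'dot1x' for client (0019.99fa.3ebd) on Interface Gi2/0/8 AuditSessionID 0A5F2FF800000216588946FB
Jul 24 12:00:32.111: %DOT1X-5-FAIL: Authentication failed for client (0019.99fa.3ebd) on Interface Gi2/0/8 AuditSessionID 0A5F2FF800000216588946FB
Jul 24 12:00:32.111: %AUTHMGR-7-STOPPING: Stopping 'dot1x' for client 0019.99fa.3ebd on Interface Gi2/0/8 AuditSessionID 0A5F2FF800000216588946FB
Jul 24 12:00:32.111: %AUTHMGR-5-START: Starting 'mab' for client (0019.99fa.3ebd) on Interface Gi2/0/8 AuditSessionID 0A5F2FF800000216588946FB
Jul 24 12:00:38.186: %MAB-5-FAIL: Authentication failed for client (0019.99fa.3ebd) on Interface Gi2/0/8 AuditSessionID 0A5F2FF800000216588946FB
Jul 24 12:00:38.190: %AUTHMGR-7-STOPPING: Stopping 'mab' for client 0019.99fa.3ebd on Interface Gi2/0/8 AuditSessionID 0A5F2FF800000216588946FB
Jul 24 12:00:38.190: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0019.99fa.3ebd) on Interface Gi2/0/8 AuditSessionID 0A5F2FF800000216588946FB
"""

# "Mon DD HH:MM:SS.mmm: %FACILITY-SEV-MNEMONIC: message" (assumed IOS layout)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%(?P<facility>[A-Z0-9]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z]+): (?P<msg>.*)$"
)
# The MAC appears with parentheses in START/FAIL lines and without in STOPPING lines.
MAC_RE = re.compile(r"client \(?([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\)?")
IFACE_RE = re.compile(r"Interface (\S+)")
SESSION_RE = re.compile(r"AuditSessionID (\S+)")


def parse_line(line):
    """Return a dict of fields for one syslog line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # Year is absent from the log; strptime defaults it, which is fine for deltas.
    ev["ts"] = datetime.strptime(re.sub(r"\s+", " ", ev["ts"]), "%b %d %H:%M:%S.%f")
    for key, rx in (("mac", MAC_RE), ("interface", IFACE_RE), ("session", SESSION_RE)):
        found = rx.search(ev["msg"])
        ev[key] = found.group(1) if found else None
    return ev


def summarize(log_text):
    """Group events by AuditSessionID and record method outcomes and the final result."""
    sessions = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["session"] is None:
            continue
        s = sessions.setdefault(ev["session"], {
            "interface": ev["interface"], "mac": ev["mac"],
            "first": ev["ts"], "last": ev["ts"],
            "methods": [], "result": "in-progress",
        })
        s["last"] = ev["ts"]
        fac, mn = ev["facility"], ev["mnemonic"]
        if fac in ("DOT1X", "MAB") and mn in ("SUCCESS", "FAIL"):
            s["methods"].append((fac.lower(), mn))      # per-method outcome
        elif fac == "AUTHMGR" and mn == "SUCCESS":
            s["result"] = "authorized"
        elif fac == "AUTHMGR" and mn == "FAIL":
            s["result"] = "unauthorized"                  # port stays up, not err-disabled
    return sessions


def duration_seconds(session):
    """Seconds from the first START to the last event of the session."""
    return (session["last"] - session["first"]).total_seconds()


def explain(session):
    """One-line human summary of a session, e.g. for a monitoring report."""
    chain = " -> ".join(f"{m} {r}" for m, r in session["methods"])
    return (f"{session['interface']} {session['mac']}: {chain} -> {session['result']} "
            f"after {duration_seconds(session):.3f}s")


if __name__ == "__main__":
    for sid, s in summarize(SAMPLE_LOG).items():
        print(sid, explain(s))
```

A failed-authentication session shows up here as "unauthorized", which is exactly what the replies below say is the expected outcome: a rejected or unanswered dot1x/mab attempt does not by itself produce a security violation, so the port never transitions to err-disabled.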
07-24-2018 05:43 AM
Port is not intended to end up in err-disable, this behavior is expected.
You might be referring to the "switchport port-security" command, which is not recommended when enabling dot1x.
Danny
07-24-2018 06:07 AM
Good Day, Danny!
Thank You for your answer!
First of all, switchport port-sec is not an option. And on another switch (WS-C2960G-48TC-L IOS 12.2(5)) all failed ports fall into err-disable, so maybe I'm missing something? I also tried authentication violation shutdown but it didn't help.
07-24-2018 07:55 AM
As I can see from your configuration,
authentication event fail action next-method
it will keep looping if there was no reject response from the AAA server, since you don't have local web auth, correct?
Try to quarantine the port.
Use the below command:
authentication event fail action authorize vlan #
This link is very useful; focus on the part where you don't have local web auth.
For error disable, that's something for switchport security; in dot1x the state machine will just say the port is in the unauthorized state.
I hope this is helpful for you :)
07-25-2018 12:15 AM - edited 07-25-2018 12:17 AM
Good Day!
Thanks for your answer!
1. I removed authentication event fail action next-method and it didn't change anything.
2. The command authentication event fail action authorize vlan # is not working because the host is not failing authorization; I think it is not even responding to EAPOL.
3. The command authentication event no-response action authorize vlan # actually did help, but it's inconvenient to monitor. I mean it's an easier way if you use show int status err to see locked ports.
So there is no way to make ports fall into the err-disable state?
For error disable, that's something for switchport security; in dot1x the state machine will say the port is in the unauthorized state.
For dot1x there is an err-disable state: Gi1/0/39 DOT1X err-disabled security-violation
07-25-2018 04:27 AM
07-25-2018 04:29 AM
Just decide on a "Quarantine" VLAN and base your search on that.
So for example you create a failed VLAN of 666.
Now base your search on that VLAN, and any ports in that VLAN are your failed endpoints.
07-25-2018 12:06 PM
Oh, I understand your point. Now, error disable in this situation can happen, for example, if you have single-host mode but there was another MAC address trying to connect.
The way the current configuration is (flex auth, mab and dot1x), while next-method is configured they will keep looping.
Remember the VLAN must be created on the switch in order to fail into it.
Let me know how it goes, and please let us know whether the example you shared with err-disable has the same configuration or not.
07-26-2018 01:39 AM
Good Day!
Thanks for your answers.
Configuration for port that falls into err-disable:
switchport access vlan 101
switchport mode access
authentication event no-response action authorize vlan 650
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout quiet-period 3
dot1x timeout server-timeout 40
dot1x timeout tx-period 1
dot1x timeout supp-timeout 5
dot1x max-req 7
dot1x max-reauth-req 7
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
The no-response VLAN is working well. If there are no other ideas on how to make non-responsive devices fall into err-disable, I think I'll stick with that. Thank You
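An added example, not from the original thread: since the thread settles on a no-response VLAN (650 in the config above) instead of err-disable, the monitoring question becomes "which ports are in the quarantine VLAN, and which are err-disabled?". The script below parses the tabular output of show interfaces status and answers both in one pass. The sample output is constructed in the layout of that command (port names, VLANs and the Name column values are invented, not a capture from the poster's switch); the regex assumes the usual Port / Name / Status / Vlan / Duplex / Speed / Type columns and that Name may be empty or contain spaces.

```python
import re

# Constructed sample in the layout of "show interfaces status"; values are invented.
SAMPLE_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/1   DOT1X              connected    101        a-full  a-100 10/100/1000BaseTX
Gi1/0/2   DOT1X              connected    650        a-full  a-1000 10/100/1000BaseTX
Gi1/0/3                      notconnect   101        auto    auto  10/100/1000BaseTX
Gi1/0/4   printer room 2     connected    650        a-full  a-100 10/100/1000BaseTX
Gi1/0/39  DOT1X              err-disabled 101        auto    auto  10/100/1000BaseTX
Gi1/0/48  uplink to core     connected    trunk      a-full  a-1000 10/100/1000BaseTX
"""

# Name is matched lazily so it may be empty or contain spaces; Status is anchored
# on the fixed keyword set IOS prints, which keeps the header line from matching.
ROW_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>.*?)\s+"
    r"(?P<status>connected|notconnect|err-disabled|disabled|inactive)\s+"
    r"(?P<vlan>\S+)\s+(?P<duplex>\S+)\s+(?P<speed>\S+)\s+(?P<type>.+)$"
)


def parse_status(text):
    """Return one dict per interface row; non-matching lines (header, blanks) are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({k: v.strip() for k, v in m.groupdict().items()})
    return rows


def audit(text, quarantine_vlan):
    """Ports sitting in the quarantine VLAN and ports in err-disabled state."""
    rows = parse_status(text)
    vlan = str(quarantine_vlan)
    return {
        "quarantined": [r["port"] for r in rows if r["vlan"] == vlan],
        "err_disabled": [r["port"] for r in rows if r["status"] == "err-disabled"],
    }


def report(text, quarantine_vlan):
    """Human-readable lines, one per port that needs attention."""
    result = audit(text, quarantine_vlan)
    lines = [f"{p}: in quarantine VLAN {quarantine_vlan} (no-response)" for p in result["quarantined"]]
    lines += [f"{p}: err-disabled" for p in result["err_disabled"]]
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_STATUS, 650):
        print(line)
```

Feeding it the real output (for example from an SSH session or a syslog-driven job) gives a single list that covers both the VLAN-based quarantine the replies recommend and the err-disabled ports the poster was used to checking with show int status err.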
08-03-2018 12:50 PM
As far as I know, the violation happens on dot1x when, for example, more than one MAC address connects; then it fails into error-disable.
Check security violation.
Now remember you didn't configure host mode, which by default is single and allows only one MAC address. I'm not sure what is happening on the switch whose configuration you shared, but normally, if authentication fails and it is not considered a security violation, the port will be in unauthorized status.