06-08-2022 02:53 AM
Hi all,
I'm trying to configure dot1x authentication in a Catalyst switch (version IOS XE 16.05.01a). The interface config is reported below:
interface GigabitEthernet1/0/46
 switchport access vlan 601
 switchport mode access
 device-tracking attach-policy DeviceTrackingPolicy
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer restart 50
 authentication violation restrict
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 3
end
I want to configure the maximum number of attempts that the switch makes to authenticate the user. Until now the switch sends 2 blocks of messages, each one composed of:
So the total messages sent by the switch are (1 + 3) * 2 = 8.
What I don't get is the factor 2. The switch tries to authenticate the device 2 times. How can I change this parameter to something else (like 3)? In this way the total number of messages would be (1 + 3) * 3 = 12.
Thanks.
06-08-2022 04:30 AM
Hi @Marco__89 ,
please take a look at the following command:
(config-if) authentication event fail retry 2
by default Authentication is attempted two times after the initial failed attempt.
Hope this helps !!!
06-08-2022 04:38 AM
Hi Marcelo, thank you for your reply.
However, the command you are referring to is not supported by my switch version (shown in the figure below).
In fact, when I try to insert the command, the switch doesn't allow me to press enter. I must specify an action, as reported in the figure below.
How can i solve this issue?
06-08-2022 04:47 AM
Hi @Marco__89
please try the following
(config-if)# authentication event fail retry 4 action next-method
Hope this helps !!!
06-08-2022 05:30 AM
I tried inserting your command but it didn't work. It uses the default number of attempts of 2. I report below the packet capture related to the previous config:
So i discovered a strange behaviour which is reported below.
In the previous config I used the following two commands:
authentication order dot1x mab
authentication priority dot1x mab
I started reasoning whether these two were the source of the problem, because the next-method specified was MAB but it was turned off with the "no mab" interface command. So I edited the previous commands into these:
authentication order dot1x
authentication priority dot1x
The current config is:
switchport access vlan 601
switchport mode access
device-tracking attach-policy DeviceTrackingPolicy
authentication event fail retry 4 action next-method
authentication open
authentication order dot1x
authentication priority dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer restart 50
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-reauth-req 3
Now with this config, the switch tries continuously to authenticate the user (not following the 4 attempts configured with your command).
Any other idea?
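The poster above counts EAP-Request/Identity frames in a capture by hand to work out how many attempts the switch made. As an added example (not code from the thread or from Cisco), the script below groups the frames the authenticator sends into attempt blocks using the configured tx-period, so the observed total can be compared with (1 + max-reauth-req) * attempts. The capture records are constructed here; a real one would be exported from tshark, and the inter-block gap equal to the restart timer is an assumption, not documented switch timing.

```python
"""Group EAP-Request/Identity frames from an 802.1X capture into authentication attempts."""
from dataclasses import dataclass


@dataclass
class Frame:
    t: float       # capture timestamp in seconds
    eap_code: int  # 1 = Request (authenticator -> supplicant), 2 = Response
    eap_type: int  # 1 = Identity


def constructed_capture(tx_period=10, max_reauth_req=3, attempts=2, restart=50):
    """Constructed frames, not a real trace: one initial Request/Identity plus
    max_reauth_req retransmissions per attempt, each spaced tx_period apart.
    Assumes the next attempt starts 'restart' seconds after the last retransmission."""
    frames, t = [], 0.0
    for _ in range(attempts):
        for _ in range(1 + max_reauth_req):
            frames.append(Frame(t, eap_code=1, eap_type=1))
            t += tx_period
        t += restart - tx_period  # last frame of block + restart = first frame of next
    return frames


def group_attempts(frames, tx_period, slack=1.5):
    """Return the number of Request/Identity frames in each attempt block.
    Frames closer than slack*tx_period belong to the same attempt (retransmissions);
    a longer gap means the switch gave up on that attempt and started a new one."""
    reqs = sorted((f for f in frames if f.eap_code == 1 and f.eap_type == 1),
                  key=lambda f: f.t)
    blocks = []
    for f in reqs:
        if blocks and f.t - blocks[-1][-1].t <= slack * tx_period:
            blocks[-1].append(f)
        else:
            blocks.append([f])
    return [len(b) for b in blocks]


def expected_total(max_reauth_req, attempts):
    """Frames the thread's formula predicts: (1 + max-reauth-req) * attempts."""
    return (1 + max_reauth_req) * attempts


if __name__ == "__main__":
    cap = constructed_capture()
    per_attempt = group_attempts(cap, tx_period=10)
    print(per_attempt, sum(per_attempt), expected_total(3, len(per_attempt)))
```

If the observed block count from a real export disagrees with the configured retry value, the block sizes tell you whether tx-period/max-reauth-req or the retry count is the parameter actually in effect.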
06-08-2022 06:59 AM
Some points:
1 - auth is OPEN???
2 - then you configure
order dot1x
priority dot1x
and fail next-method? next-method without configuring the Web method makes a LOOP for auth.
If you want to make the SW change to MAB, then only
order dot1x mab
priority dot1x mab
That is, no need for next-method.
06-08-2022 09:19 AM
Hi @Marco__89 ,
try the:
#show switch dot1x interface GigabitEthernet 1/0/46
to check the dot1x info.
Hope this helps !!!