06-24-2022 07:34 AM - edited 06-24-2022 07:37 AM
Hi all,
I'm stuck understanding how the authentication timer and attempts work with 802.1X. I'm using a Catalyst 3850 switch (IOS XE 16.5.1a). The interface config is the following:
interface GigabitEthernet1/0/46
 switchport access vlan 200
 switchport mode access
 device-tracking attach-policy DeviceTrackingPolicy
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
end
and the dot1x PAE configuration is the following:
PAE = AUTHENTICATOR
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 3
MaxReq = 2
TxPeriod = 7
As you can see from the reported figure, the total authentication attempts are 2 (with 3 attempts of re-authentication). Also, the time period between an EAP failure and the next attempt is equal to 60 seconds.
Does anybody know how to configure these 2 types of parameters?
Labels: AAA, Identity Services Engine (ISE)
Accepted Solutions
06-28-2022 10:45 PM
Hi @Marco__89 ,
1st: the changes are:
interface GigabitEthernet1/0/46
 switchport voice vlan 707
 authentication event fail retry 3 action next-method
 authentication timer restart 10
 dot1x timeout quiet-period 18
 dot1x timeout tx-period 1
 spanning-tree portfast
2nd: the switchport voice vlan 707 and spanning-tree portfast commands are not part of the discussion.
3rd:
You change the authentication event fail retry from the default 2 to 3.
You change the authentication timer restart from the default 60 to 10.
You change the dot1x timeout quiet-period from the default 60 to 18.
You change the dot1x timeout tx-period from 7 to 1.
4th: you said "... the Switch sends an EAP failure because he didn't receive any response from the PC ..."
Try to change the dot1x max-eap-req command from the default 2 to another value.
Note: remember that the dot1x max-eap-req command sets the maximum number of times the SW sends an EAP Request/Identity Frame (assuming that NO response is received) to the Client before restarting the Authentication Process.
Hope this helps !!!
06-27-2022 01:11 PM
Hi @Marco__89 ,
please take a look at the following:
(config-if)# dot1x max-reauth-req 3
(config-if)# authentication event fail retry 2
(config-if)# dot1x timeout tx-period 7
(config-if)# dot1x timeout quiet-period 60   (the default)
In this example the SW sends the following Messages to ISE:
1x Authentication Request
3x Reauthentication Message (dot1x max-reauth-req command)
2x Retries (authentication event fail retry command)
So the Total Messages sent by the SW are: (1 + 3) * 2 = 8.
Note: the Quiet Period default value is 60 sec (the time interval that the device remains in a quiet state following a failed Authentication exchange)
Hope this helps !!!
06-28-2022 02:36 AM
Thanks Marcelo for the reply.
I changed the config a bit:
interface GigabitEthernet1/0/46
 switchport access vlan 200
 switchport mode access
 switchport voice vlan 707
 device-tracking attach-policy DeviceTrackingPolicy
 authentication event fail retry 3 action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer restart 10
 authentication timer inactivity server
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 18
 dot1x timeout tx-period 1
 dot1x max-reauth-req 3
 spanning-tree portfast
end
Here I reported the authentication process.
Until packet no. 1498, the PC is trying to connect with its Windows native 802.1X supplicant. ISE (and therefore the switch) sends it an Access-Reject (EAP failure message). At this point the switch sends:
- 1 Access-Request (authentication message)
- 3 Reauthentication Attempt messages
After these 4 messages, the switch sends an EAP failure because it didn't receive any response from the PC. Note that the PC doesn't respond because (this is my hypothesis) its supplicant is in a timeout state and therefore it doesn't respond for a time interval (I cannot find its value either in the Windows configuration or on web forums). After 10 seconds (the value of the restart timer) it begins the process again (sending 4 messages). After that, the switch tries to use MAB and doing so it is able to authenticate the user.
In this case the quiet period timer (which I configured with 18 seconds) isn't being used. Instead the restart timer is used.
Also I configured (as you said) the number of attempts with
authentication event fail retry 3 action next-method
However, as you can see, the switch used 2 attempts to authenticate the PC. Trying also to change this value to 4, 5, 6, the behaviour is the same as reported in the figure.
Can you explain these 2 behaviours to me? Thanks!
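The message count Marcelo works out in his 06-27 reply ((1 + 3) * 2 = 8) and the timeline Marco describes in this post come from the same arithmetic, and the quantity a network defender usually needs from it is how long a device without a working supplicant sits on the port before the switch falls through to MAB. The following Python is an added example written for this thread; it is not code from the thread, from Cisco, or from any of the posters. It models only what the thread states: each dot1x pass sends one EAP Request/Identity frame plus `dot1x max-reauth-req` retransmissions spaced `dot1x timeout tx-period` seconds apart, and the pass times out one tx-period after the last frame. The number of passes before next-method and the wait between passes are plain inputs, because the thread itself shows that how `authentication event fail retry` maps to passes, and whether the quiet-period or the restart timer is applied between them, is something to confirm from a capture on your own platform. The class and function names (`Dot1xTimers`, `timeline`, `frames_sent`, `seconds_to_mab`) are assumptions made for this example.

```python
"""Model of the 802.1X authenticator retry timeline discussed in this thread.

Added example for illustration; not code from the thread or from Cisco.
The configuration values below are taken from the posts; the mapping of
'fail retry' to passes and the choice of inter-pass timer are inputs,
not derived, because the thread shows they need to be confirmed per platform.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Dot1xTimers:
    tx_period: int        # dot1x timeout tx-period, seconds between Request/Identity frames
    max_reauth_req: int   # dot1x max-reauth-req, retransmissions before the pass times out
    passes: int           # dot1x passes before next-method (observed, see the thread)
    inter_pass_wait: int  # seconds between passes (quiet-period or restart timer, whichever applies)


@dataclass
class Event:
    t: int      # seconds since the port came up
    what: str   # human-readable description of what the authenticator does


def timeline(cfg: Dot1xTimers) -> List[Event]:
    """Return the sequence of authenticator events up to the MAB fallback."""
    events: List[Event] = []
    t = 0
    for p in range(1, cfg.passes + 1):
        # One initial EAP Request/Identity plus max_reauth_req retransmissions,
        # tx_period seconds apart; the pass times out tx_period after the last one.
        for i in range(cfg.max_reauth_req + 1):
            label = "EAP Request/Identity" if i == 0 else f"retransmit {i}/{cfg.max_reauth_req}"
            events.append(Event(t, f"pass {p}: {label}"))
            t += cfg.tx_period
        events.append(Event(t, f"pass {p}: dot1x timeout, no supplicant response"))
        if p < cfg.passes:
            t += cfg.inter_pass_wait   # quiet-period or restart timer, per the thread
    events.append(Event(t, "next-method: MAB"))
    return events


def frames_sent(cfg: Dot1xTimers) -> int:
    """Total EAP Request/Identity frames sent before falling through to MAB."""
    return cfg.passes * (cfg.max_reauth_req + 1)


def seconds_to_mab(cfg: Dot1xTimers) -> int:
    """Seconds a device with no responding supplicant waits before MAB is tried."""
    return timeline(cfg)[-1].t


# Constructed inputs taken from the thread's two configurations.
# Marcelo's example: tx-period 7, max-reauth-req 3, 2 passes, quiet-period 60.
EXAMPLE_FROM_REPLY = Dot1xTimers(tx_period=7, max_reauth_req=3, passes=2, inter_pass_wait=60)
# Marco's second config: tx-period 1, max-reauth-req 3, 2 passes observed, restart timer 10.
EXAMPLE_FROM_CAPTURE = Dot1xTimers(tx_period=1, max_reauth_req=3, passes=2, inter_pass_wait=10)

if __name__ == "__main__":
    for name, cfg in (("reply example", EXAMPLE_FROM_REPLY), ("capture config", EXAMPLE_FROM_CAPTURE)):
        print(f"== {name}: {frames_sent(cfg)} frames, MAB after {seconds_to_mab(cfg)} s")
        for ev in timeline(cfg):
            print(f"  t={ev.t:4d}s  {ev.what}")
```

The useful output is the last line of each timeline: with the thread's first parameter set the switch sends 8 frames and a supplicant-less device waits 116 seconds for MAB, while the second set cuts that to 18 seconds. Shortening tx-period is what buys most of that reduction; lowering the inter-pass timer matters only once the per-pass timeout is already small. Run it against your own values before changing a production port template, and compare the result with a capture, since the thread shows the inter-pass timer the switch actually applies is not always the one you expect.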