Unknown behavior of authentication timer and attempts

Marco__89
Level 1

Hi all,

I'm stuck understanding how the authentication timer and attempts work with 802.1X. I'm using a Catalyst 3850 switch (IOS XE 16.5.1a). The interface config is the following:

interface GigabitEthernet1/0/46
 switchport access vlan 200
 switchport mode access
 device-tracking attach-policy DeviceTrackingPolicy
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
end

and the config of dot1x PAE is the following:

PAE                       = AUTHENTICATOR
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 3
MaxReq                    = 2
TxPeriod                  = 7

As you can see from the reported figure, the total authentication attempts are 2 (with 3 attempts of re-authentication). Also, the time period between an EAP failure and the next attempt is equal to 60 seconds.

[Figure: timer.PNG]

Does anybody know how to configure these 2 types of parameters?


1 Accepted Solution

Hi @Marco__89 ,

1st: the changes are:

interface GigabitEthernet1/0/46
switchport voice vlan 707
authentication event fail retry 3 action next-method
authentication timer restart 10
dot1x timeout quiet-period 18
dot1x timeout tx-period 1
spanning-tree portfast

2nd: the switchport voice vlan 707 and spanning-tree portfast commands are not part of the discussion.

3rd:
You change the authentication event fail retry from the default 2 to 3.
You change the authentication timer restart from the default 60 to 10.
You change the dot1x timeout quiet-period from the default 60 to 18.
You change the dot1x timeout tx-period from 7 to 1.

4th: you said " ... the Switch sends an EAP failure because he didn't receive any response from the PC ..."

Try to change the dot1x max-eap-req command from the default 2 to another value.

Note: remember that the dot1x max-eap-req command sets the maximum number of times the SW sends an EAP Request/Identity Frame (assuming that NO response is received) to the Client before restarting the Authentication Process.

Hope this helps!!!

3 Replies

Hi @Marco__89 ,

please take a look at the following:

(config-if)# dot1x max-reauth-req 3
(config-if)# authentication event fail retry 2
(config-if)# dot1x timeout tx-period 7
(config-if)# dot1x timeout quiet-period 60 >> the default

In this example the SW sends the following messages to ISE:
1x Authentication Request
3x Reauthentication Message (dot1x max-reauth-req command)
2x Retries (authentication event fail retry command)
So the Total Messages sent by the SW are: (1 + 3) * 2 = 8.

Note: the Quiet Period default value is 60 sec (the time interval that the device remains in a quiet state following a failed Authentication exchange)

Hope this helps!!!

Thanks Marcelo for the reply.

I changed the config a bit:

interface GigabitEthernet1/0/46
 switchport access vlan 200
 switchport mode access
 switchport voice vlan 707
 device-tracking attach-policy DeviceTrackingPolicy
 authentication event fail retry 3 action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer restart 10
 authentication timer inactivity server
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 18
 dot1x timeout tx-period 1
 dot1x max-reauth-req 3
 spanning-tree portfast
end

Here I reported the authentication process.

Until packet no. 1498, the PC is trying to connect with its Windows native 802.1X supplicant. ISE (and therefore the switch) sends it an Access-Reject (EAP failure message). At this point the switch sends:

  • 1 Access-Request (authentication message)
  • 3 Reauthentication Attempt messages

After these 4 messages, the switch sends an EAP failure because it didn't receive any response from the PC. Note that the PC doesn't respond because (this is my hypothesis) its supplicant is in a timeout state and therefore it doesn't respond for a time interval (I cannot find its value either in the Windows configuration or on web forums). After 10 seconds (value of the restart timer) it begins the process again (sending 4 messages). After that, the switch tries to use MAB and by doing so it is able to authenticate the user.

[Figure: solo.PNG]

In this case the quiet period timer (that I configured with 18 seconds) doesn't get used. Instead the restart timer is used.

Also, I configured (as you said) the number of attempts with

authentication event fail retry 3 action next-method

However, as you can see, the switch used 2 attempts to authenticate the PC. Trying also to change this value to 4, 5, 6, the behaviour is the same as reported in the figure.

Can you explain these 2 behaviors to me? Thanks!
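The arithmetic in Marcelo's first reply ((1 + max-reauth-req) x retries) and the timestamps Marco reads off his captures can be checked against a small model. The following is an added example, not code from the thread, from Cisco or from ISE: it parses the two interface configs posted above for the relevant knobs (filling in defaults: fail retry 2 and restart 60 s as Marcelo states them, tx-period 30 s and max-reauth-req 2 as the IOS defaults), then lays out the EAP Request/Identity frames a silent supplicant would see under a simplified retransmission model. The model is an assumption, not the documented IOS XE state machine: one request plus max-reauth-req retransmissions tx-period apart, a final tx-period of waiting, then restart-timer seconds of pause before the next attempt. The number of attempts is an explicit parameter because the thread's open question is whether it equals `authentication event fail retry` (Marco's capture shows 2 regardless of the setting).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Interface configs copied from the thread (the relevant lines only), kept as
# constructed input strings so the parser can run offline.
ORIGINAL_CONFIG = """
interface GigabitEthernet1/0/46
 switchport access vlan 200
 switchport mode access
 authentication event fail action next-method
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
end
"""

CHANGED_CONFIG = """
interface GigabitEthernet1/0/46
 authentication event fail retry 3 action next-method
 authentication timer restart 10
 dot1x timeout quiet-period 18
 dot1x timeout tx-period 1
 dot1x max-reauth-req 3
end
"""

# Defaults when a command is absent: fail retry 2 and restart 60 s as stated
# in the thread; tx-period 30 s and max-reauth-req 2 are the IOS defaults.
DEFAULTS = {"tx_period": 30, "max_reauth_req": 2, "fail_retry": 2, "restart": 60}

PATTERNS = {
    "tx_period": re.compile(r"^\s*dot1x timeout tx-period (\d+)\s*$"),
    "max_reauth_req": re.compile(r"^\s*dot1x max-reauth-req (\d+)\s*$"),
    "fail_retry": re.compile(r"^\s*authentication event fail retry (\d+)\b"),
    "restart": re.compile(r"^\s*authentication timer restart (\d+)\s*$"),
}


def parse_interface(config: str) -> dict:
    """Pull the timer/attempt knobs out of an interface block, filling defaults."""
    values = dict(DEFAULTS)
    for line in config.splitlines():
        for key, pattern in PATTERNS.items():
            match = pattern.match(line)
            if match:
                values[key] = int(match.group(1))
    return values


@dataclass
class Timeline:
    frames: list          # (seconds since start, label) per EAP Request/Identity
    attempts: int
    next_method_at: int   # seconds until the port falls to the next method (MAB)


def silent_supplicant_timeline(tx_period: int, max_reauth_req: int,
                               restart: int, attempts: int) -> Timeline:
    """Simplified model (an assumption, not the documented IOS XE behaviour):
    per attempt the switch sends one EAP Request/Identity plus max_reauth_req
    retransmissions spaced tx_period apart, waits one more tx_period after the
    last one, declares the attempt failed, and pauses `restart` seconds before
    the next attempt. After the final attempt it moves to the next method."""
    frames = []
    now = 0
    for attempt in range(1, attempts + 1):
        for n in range(max_reauth_req + 1):
            frames.append((now + n * tx_period,
                           f"attempt {attempt}: EAP Request/Identity #{n + 1}"))
        now += (max_reauth_req + 1) * tx_period
        if attempt < attempts:
            now += restart
    return Timeline(frames, attempts, now)


def expected_timeline(config: str, attempts: Optional[int] = None) -> Timeline:
    """Timeline for a config; `attempts` overrides the fail-retry value so the
    reader can plug in what a capture actually shows (2 in this thread)."""
    p = parse_interface(config)
    return silent_supplicant_timeline(p["tx_period"], p["max_reauth_req"],
                                      p["restart"], attempts or p["fail_retry"])


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CONFIG), ("changed", CHANGED_CONFIG)):
        tl = expected_timeline(cfg, attempts=2)  # 2 attempts, as seen in the captures
        print(f"{name}: {len(tl.frames)} identity requests, MAB after {tl.next_method_at} s")
        for t, label in tl.frames:
            print(f"  t={t:4d}s  {label}")
```

Running it with `attempts=2` gives 8 identity requests for both configs, but MAB fallback after 116 s with the original timers versus 18 s with the changed ones; the value of `next_method_at` is the window a host without a working supplicant spends unauthenticated before MAB takes over, which is the number to tune (against how long a real supplicant needs to answer) rather than the frame count alone.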
