06-24-2022 07:34 AM - edited 06-24-2022 07:37 AM
Hi all,
I'm stuck understanding how the authentication timer and attempts work with 802.1X. I'm using a Catalyst 3850 switch (IOS XE 16.5.1a). The interface config is the following:
interface GigabitEthernet1/0/46
 switchport access vlan 200
 switchport mode access
 device-tracking attach-policy DeviceTrackingPolicy
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
end
and the config of the dot1x PAE is the following:
PAE = AUTHENTICATOR
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 3
MaxReq = 2
TxPeriod = 7
As you can see from the reported figure, the total authentication attempts are 2 (with 3 attempts of re-authentication). Also, the time period between an EAP failure and the next attempt is equal to 60 seconds.
Does anybody know how to configure these 2 types of parameters?
06-28-2022 10:45 PM
Hi @Marco__89 ,
1st: the changes are:
interface GigabitEthernet1/0/46
switchport voice vlan 707
authentication event fail retry 3 action next-method
authentication timer restart 10
dot1x timeout quiet-period 18
dot1x timeout tx-period 1
spanning-tree portfast
2nd: the switchport voice vlan 707 and spanning-tree portfast commands are not part of the discussion.
3rd:
You change the authentication event fail retry from the default 2 to 3.
You change the authentication timer restart from the default 60 to 10.
You change the dot1x timeout quiet-period from the default 60 to 18.
You change the dot1x timeout tx-period from 7 to 1.
4th: you said " ... the Switch sends an EAP failure because he didn't receive any response from the PC ..."
Try to change the dot1x max-eap-req command from the default 2 to other value.
Note: remember that the dot1x max-eap-req command sets the maximum number of times the SW sends an EAP Request/Identity Frame (assuming that NO response is received) to the Client before restarting the Authentication Process.
Hope this helps !!!
06-27-2022 01:11 PM
Hi @Marco__89 ,
please take a look at the following:
(config-if)# dot1x max-reauth-req 3
(config-if)# authentication event fail retry 2
(config-if)# dot1x timeout tx-period 7
(config-if)# dot1x timeout quiet-period 60 >> the default
In this example the SW sends the following Messages to ISE:
1x Authentication Request
3x Reauthentication Message (dot1x max-reauth-req command)
2x Retries (authentication event fail retry command)
So the Total Messages sent by the SW are: (1 + 3) * 2 = 8.
Note: the Quiet Period default value is 60 sec (the time interval that the device remains in a quiet state following a failed Authentication exchange).
Hope this helps !!!
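An added example, not code from any post in this thread: it parses an interface config in the form pasted above and applies the counting rule Marcelo gives, (1 + max-reauth-req) * fail-retry, plus the tx-period spacing, so the expected frames and timings can be checked against a capture. The default values for fail retry, quiet-period, restart and max-reauth-req are the ones stated in the thread; the tx-period default of 30 seconds is an assumption.

```python
import re

# Defaults: fail retry 2, quiet-period 60, restart 60 and max-reauth-req 2 are
# stated in the thread; tx-period 30 is an assumed IOS default.
DEFAULTS = {"max_reauth_req": 2, "fail_retry": 2, "tx_period": 30,
            "quiet_period": 60, "restart": 60}

PATTERNS = {
    "max_reauth_req": r"dot1x max-reauth-req (\d+)",
    "fail_retry": r"authentication event fail retry (\d+)",
    "tx_period": r"dot1x timeout tx-period (\d+)",
    "quiet_period": r"dot1x timeout quiet-period (\d+)",
    "restart": r"authentication timer restart (\d+)",
}

def parse_dot1x_timers(config_text):
    """Extract the dot1x/authentication values from an interface config block,
    falling back to the defaults for anything not configured."""
    values = dict(DEFAULTS)
    for key, pat in PATTERNS.items():
        m = re.search(pat, config_text)
        if m:
            values[key] = int(m.group(1))
    return values

def expected_identity_requests(v):
    """EAP Request/Identity frames sent before the port moves to next-method,
    per the (1 + max-reauth-req) * fail-retry rule from the thread."""
    return (1 + v["max_reauth_req"]) * v["fail_retry"]

def identity_request_times(v):
    """Offsets (seconds) of the request and its resends within one attempt
    when the supplicant never answers: one frame every tx-period."""
    return [i * v["tx_period"] for i in range(1 + v["max_reauth_req"])]

# Constructed config in the same form as the thread's second interface config.
CONSTRUCTED_CONFIG = """\
interface GigabitEthernet1/0/46
 authentication event fail retry 3 action next-method
 authentication timer restart 10
 dot1x timeout quiet-period 18
 dot1x timeout tx-period 1
 dot1x max-reauth-req 3
"""

if __name__ == "__main__":
    v = parse_dot1x_timers(CONSTRUCTED_CONFIG)
    print(v, expected_identity_requests(v), identity_request_times(v))
```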
06-28-2022 02:36 AM
Thanks Marcelo for the reply.
I changed the config a bit:
interface GigabitEthernet1/0/46
 switchport access vlan 200
 switchport mode access
 switchport voice vlan 707
 device-tracking attach-policy DeviceTrackingPolicy
 authentication event fail retry 3 action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer restart 10
 authentication timer inactivity server
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 18
 dot1x timeout tx-period 1
 dot1x max-reauth-req 3
 spanning-tree portfast
end
Here I reported the authentication process.
Until packet n. 1498, the PC is trying to connect with its Windows native 802.1X supplicant. ISE (and therefore the switch) sends it an Access-Reject (EAP failure message). At this point the switch sends:
After these 4 messages, the switch sends an EAP failure because it didn't receive any response from the PC. Note that the PC doesn't respond because (this is my hypothesis) its supplicant is in a timeout state and therefore it doesn't respond for a time interval (I can not find its value either in the Windows configuration or on web forums). After 10 seconds (the value of the restart timer) it begins the process again (sending 4 messages). After that, the switch tries to use MAB and in doing so it is able to authenticate the user.
In this case the quiet period timer (which I configured with 18 seconds) isn't being used. Instead the restart timer is used.
Also, I configured (as you said) the number of attempts with
authentication event fail retry 3 action next-method
However, as you can see, the switch used 2 attempts to authenticate the PC. Trying also to change this value to 4, 5, 6, the behaviour is the same as reported in the figure.
Can you explain these 2 behaviors to me? Thanks!