Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
573
Views
15
Helpful
5
Replies

VLAN Toggle issue during 802.1x authentication.

network_geek1979
Level 1
Level 1

‎01-09-2023 03:53 AM

Folks,
We have seen some challenges with 802.1x authentications. The challenge is that authentications work but then during normal operation the 802.1x authentication fails for some reason and the PC goes in the Guest VLAN(or the default VLAN).

We are clueless on why this behavior is being seen. This is seen on Windows/MAC books and even at times on machines which do not have a docking stations.

Our switch port configuration is pretty straightforward. Here is it:

interface GigabitEthernet4/4
 switchport access vlan 3
 switchport mode access
 switchport voice vlan 8
 switchport port-security maximum 8
 switchport port-security aging time 1
 switchport port-security aging type inactivity
 switchport port-security
 ip device tracking probe interval 30
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication timer inactivity 300
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 spanning-tree portfast edge
 spanning-tree bpduguard enable
 spanning-tree guard root
end

VLAN 3 is the production VLAN which the end user must get if the correct user certificate is present.
It works with the correct certificate being presented, but then for whatever reasons during the day toggle between Production VLAN and Guest VLAN keeps happening.

We tried changing the "dot1x timeout tx-period 5" to "dot1x timeout tx-period 10" but this does not help as well.

Any suggestions?



Regards,
N!!

 

5 Replies 5

MHM Cisco World
VIP
VIP

‎01-09-2023 03:59 AM

are you sure that the Radius/Tacacs/ISE server is alive when this happened ?

network_geek1979
Level 1
Level 1
In response to MHM Cisco World

‎01-10-2023 01:15 AM

Yes, we are 100% sure that the radius server is active.

0 Helpful

Rob Ingram
VIP
VIP

‎01-09-2023 04:01 AM

@network_geek1979 port security and dot1x configured on the same interface is not supported nor needed, please remove and retest. Can you provide the output of "show run aaa"

network_geek1979
Level 1
Level 1
In response to Rob Ingram

‎01-10-2023 03:41 AM - edited ‎01-10-2023 03:44 AM

Hi, I have it pasted below. (IP addresses are just changed)

*******************************************************

switch#sh run aaa
!
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius
aaa authorization exec default group tacacs+ none
aaa authorization network default group radius
aaa authorization configuration default group tacacs+
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization config-commands
aaa authorization console
aaa accounting exec default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting dot1x default start-stop group radius
aaa accounting update periodic 5
username admin privilege 15 password 7 009988776655
!
!
!
!
aaa server radius dynamic-author
  client 1.1.1.1 server-key 7 AOAOAOAOAOAO
  client 2.2.2.2 server-key 7 BOBOBOBOBOBO
  client 3.3.3.3 server-key 7 COCOCOCOCOCO
  client 4.4.4.4 server-key 7 DODODODODODO
  client 5.5.5.5 server-key 7 EOEOEOEOEOEO
!
!
radius server server1.mydomain.com
  address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
  key 7 11223344ABCDE445566
!
radius server server2.mydomain.com
  address ipv4 2.2.2.2 auth-port 1812 acct-port 1813
  key 7 11223344ABCDE445566

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server deadtime 10
tacacs server tac01
  address ipv4 8.8.1.1
  key 7 1122334455667788
tacacs server tac02
  address ipv4 9.8.1.1
  key 7 1122334455667788
tacacs-server directed-request
!
aaa group server radius NACGROUP
  server name server1.mydomain.com
  server name server2.mydomain.com
!
!
!
aaa new-model
aaa session-id common
!
!

switch#

0 Helpful

MHM Cisco World
VIP
VIP

‎01-11-2023 11:20 AM

Hi Friend sorry for late reply, 
I build my own model for 802.1x I start this model one half year ago and until now I dont finish it, hope finish it soon. 
anyway 
the first auth assign the client right VLAN, 
the second auth assing wrong VLAN, but why ?
I have theory but I want from you try it in one port and if it success then use it in other port. 
my theory is that you config inactivity time 300, this make SW not authz, now after the client active again the SW start new auth process, the client exchange the right secret and SW forward it to radius server, 
but here the issue,  if the SW when it not authz the port NOT send message to radius to make it know that client is not available then the radius still have client in db. 
what we need 
we need change inactivity to be reauth and make server assign the reauth timeout. 

authentication timer reauthenticate {seconds | server}

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents