wired 802.1x fails after switch reload

andrewswanson
Level 7

Hello

I'm testing wired 802.1x with a WS-C3650-48PD 03.06.05E and ISE 2.1. Switch config uses "new" ibns 2.0. 802.1x is working fine and I'm testing it under different scenarios.

The scenario where I am having an issue is when

  • Windows 7 PC is authenticated successfully - appears under Show access-session
  • switch is reloaded
  • After switch reloads, MAB devices are successfully authenticated against ISE
  • 802.1x devices are not authenticated:
      • %DOT1X-5-FAIL messages appear on console
      • packet capture for pc interface shows no eap packets
      • nothing for 802.1x authentications appears in ISE logs

The only way to get 802.1x working after the reload is to bounce the port.

Port dot1x info is:

PAE = AUTHENTICATOR
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30

Has anyone come across this issue?

Thanks
Andy


5 Replies

andrewswanson
Level 7

I think I may have resolved this. I was missing the following aaa command from the switch configuration:

aaa accounting system default start-stop group <ISE-RADIUS-GROUP-NAME>

From Cisco documentation, this command generates a logoff for 802.1x authenticated clients when a switch reloads.

With this command in place

  • the windows 7 pc is 802.1x authenticated successfully
  • switch reloads
  • when switch boots up, the windows 7 pc authenticates successfully

Cheers
Andy

nspasov
Cisco Employee

You are absolutely correct. The "accounting" commands are a must when deploying dot1x:

802.1x Accounting

The 802.1x standard defines how users are authorized and authenticated for network access but does not keep track of network usage. 802.1x accounting is disabled by default. You can enable 802.1x accounting to monitor this activity on 802.1x-enabled ports:
* User successfully authenticates.
* User logs off.
* Link-down occurs.
* Re-authentication successfully occurs.
* Re-authentication fails.

Good job on solving your own issue! Also, thank you for taking the time to come back and update the thread with a solution!

Now if your issue is resolved, you should mark the thread as "answered" :)

Thanks Neno

Prior to enabling the command:

aaa accounting system default start-stop group <ISE-RADIUS-GROUP-NAME>

I already had the following aaa accounting commands:

aaa accounting update newinfo periodic 2880
aaa accounting identity default start-stop group <ISE-RADIUS-GROUP-NAME>

These worked fine for client accounting but I ran into the issue in the original post when the switch reloaded. Thanks for the reply - I'll mark thread as resolved.

Cheers
Andy

Good deal! I am guessing you also have "aaa accounting dot1x...." ?

Yes I did have "aaa accounting dot1x.." but it got converted to "aaa accounting identity.." when I moved to the ibns 2.0 "new style"

Cheers

Andy
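Putting the thread's commands together, here is an added configuration example (not taken from the original posts or from Cisco documentation) showing the IBNS 2.0 "new style" accounting set Andy ended up with, with the missing system-accounting line beside the session-accounting lines that were already present. The server group name ISE-RADIUS-GROUP and the interface number are assumed placeholders; the RADIUS Accounting-On/Accounting-Off messages mentioned in the comments are the standard RFC 2866 mechanism that system accounting uses to tell the server a NAS has restarted, and the verification commands are the usual IOS ones rather than anything quoted in the thread.

```ios
! Added example (not from the original post or from Cisco docs).
! ISE-RADIUS-GROUP is an assumed placeholder for the RADIUS server group.
aaa new-model
!
! --- Session accounting (already present in the original config) ---
! Start/Stop/Interim records for each authenticated session; the "identity"
! method list is the IBNS 2.0 replacement for the old "aaa accounting dot1x".
aaa accounting identity default start-stop group ISE-RADIUS-GROUP
! Interim updates every 2880 minutes so ISE sees long-lived sessions as alive.
aaa accounting update newinfo periodic 2880
!
! --- System accounting (the line that was missing) ---
! Sends RADIUS Accounting-On at boot and Accounting-Off on reload (RFC 2866
! Acct-Status-Type 7/8), which lets ISE close every session that belonged to
! this switch instead of keeping them as stale, still-authenticated sessions.
aaa accounting system default start-stop group ISE-RADIUS-GROUP
!
! Old-style equivalent (legacy mode only; converted to "identity" when the
! switch is moved to IBNS 2.0 with "authentication convert-to new-style"):
! aaa accounting dot1x default start-stop group ISE-RADIUS-GROUP
!
! --- Verification after a reload (interface number is a placeholder) ---
! show access-session
! show access-session interface GigabitEthernet1/0/1 details
! show aaa servers
! debug radius accounting
```

When checking the fix, confirm on the ISE side that a RADIUS accounting record with Acct-Status-Type Accounting-Off (and then Accounting-On) arrives from the switch's NAS IP around the reload, and that the Windows client's session appears as a fresh authentication in the RADIUS Live Logs afterwards rather than as a continuation of the pre-reload session.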