03-04-2005 11:18 AM - edited 03-10-2019 02:02 PM
I am testing wired 802.1x with the desired behavior of machine auth with user auth. I have a 6509 CatOS 8.3(5) using the dot1x global defaults, 2 laptops (one XP SP1 and one XP SP2), both with AuthMode=1 and SupplicantMode=3 and Windows Update current as of 02mar2005, Active Directory, and ACS SE 3.2 using VLAN assignment. I have tested PC and user in different VLANs and it works fine.
1st observation:
The initial EAP authentication is good. Every hour there is an EAP request with a final result of success in the packet trace. The switch shows connected dot1x-123. The ACS log shows the passed re-authentication. Everything looks good but both laptops lose connectivity 1 hour after the first authorization. If I issue "set port dot1x initialize" or enable/disable the port the process starts over.
2nd observation:
I can connect with Remote Desktop. There are 2 EAP start frames then the port becomes unauthorized about a minute later.
Any ideas?
03-04-2005 03:30 PM
Let me try to transcribe this to confirm what you're saying:
1) 802.1x works fine.
2) You have re-auth turned on.
3) You have re-auth turned on for its default timer (which is one hour).
4) After the first hour, when a re-auth is attempted, it fails or times out (for some reason), even with no change in credential on the supplicant (like cert revocation, etc.).
Is this right?
03-07-2005 03:23 PM
I am using PEAP.
1) - yes, 2) - yes, 3) - yes, 4) - yes, kind of. The ACS logs, the sniffer trace, the switch port status is authorized, the NIC properties show successful authentication and even the correct IP address, but the continuous pings running on the PC stop getting replies.
I reduced the timers to 120 seconds with re-authentication enabled on the port. The re-authentication fails, but after 2 or 3 attempts it passes. It takes about 1.5 minutes to pass. This is on SP2.
03-08-2005 01:39 PM
Would recommend a TAC Case for a close look at this.
03-29-2005 06:32 AM
Jimmie,
Have you found any resolution on the 2nd observation with remote desktop? I am running 6506 CatOS 8.4(2), IAS, with same registry settings as yours and experiencing same thing after user connects via remote desktop.
03-29-2005 09:03 AM
No. I am still waiting on Cisco to address the 1st observation. Does it occur on your 6506 8.4(2)? I see it also in my 6509 with 8.4(2). I find it interesting that it works in my end-of-life 2948G switch 8.2(1)GLX.
The MS supplicant defaults for WIRED are AuthMode=1 and SupplicantMode=2. Remote Desktop works in their default WIRED mode.
At this point I am content controlling machine access until dot1x matures. Cisco ACS has a machine access restriction feature that authorizes the port after a successful User Auth. I have found that if it is enabled, a successful Machine Auth will be unauthorized when logged in with a local account. If it is disabled, the local account is authorized because only MA has occurred.
03-29-2005 02:45 PM
We modified the registry to SupplicantMode=3 to force user authentication to take place following machine authentication. With the default setting of SupplicantMode=2, when machine authentication is successful, any user logged in had network access until re-authentication kicked in. Just tried the setup with a Cat 3550, 12.1(22)EA3, with the same result.
I am not familiar with the machine access restriction feature of ACS; is this the same as network access restriction? If you could point me to a document regarding that feature I would really appreciate it. Thanks.
03-30-2005 06:47 PM
04-21-2005 02:38 AM
Hi Jimmie,
May I ask a question?
We implemented wired 802.1X at my customer site, just like your lab test, but we set up 802.1x on a Cat 2950. Our client users are XP SP2 & Win2K SP4. We met some trouble when running machine plus user authentication. We modified the registry on the client; some users pass machine authentication but fail on user authentication, especially on Win2K. I am not sure if you experienced such a problem?
TKS!
Sam
04-28-2005 04:47 AM
Disable re-auth to ensure this is what's causing your issue. Do you need to re-auth? Regardless, it shouldn't break anyway, so just curious.
Also, what is the error message you're getting for the failed user login attempt(s)?
04-28-2005 06:16 AM
The re-auth problem at 1 hour has been identified. I had port security enabled with the max age timer set to 60 minutes. The default is 0 minutes, or disabled. No problems if the max age timer is the default. Matt is researching whether this is an existing bug.
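Added illustration (not from any post in this thread): the two CatOS settings the post above describes, shown side by side so the interaction is visible. The command syntax is my assumption for CatOS 8.x and should be checked against the command reference for the release in use; the module/port number 3/1 is a placeholder. Note that the port-security age of 60 minutes in the "as tested" block lines up exactly with the default dot1x re-authentication period of 3600 seconds that the thread mentions, which is why the loss of connectivity showed up one hour after the first authorization.

```text
! --- As tested (triggers the 1-hour loss of connectivity) ---
set dot1x system-auth-control enable
set dot1x re-authperiod 3600                 ! global default, 1 hour
set port dot1x 3/1 port-control auto
set port dot1x 3/1 re-authentication enable
set port security 3/1 enable
set port security 3/1 age 60                 ! 60-minute MAC aging, same as re-auth period

! --- Fixed (per the post: leave the age timer at its default of 0 = disabled) ---
set dot1x system-auth-control enable
set dot1x re-authperiod 3600
set port dot1x 3/1 port-control auto
set port dot1x 3/1 re-authentication enable
set port security 3/1 enable
set port security 3/1 age 0                  ! default: aging disabled

! --- Checks after a re-auth cycle ---
show port dot1x 3/1                          ! expect port status "authorized"
show port security 3/1                       ! expect the supplicant MAC still present
set port dot1x 3/1 initialize                ! recovery step used in the thread
```

Use the "as tested" block only to reproduce the symptom in a lab; in production keep the age timer at its default while this behaviour is being investigated, and confirm with the two show commands that both the dot1x state and the secure MAC survive a re-authentication.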
05-13-2005 06:58 AM
The bug has been created: CSCeh86502
05-15-2005 06:06 PM
Just my experience: ACS 3.2 is not stable for implementing both machine & user authentication; my suggestion is to upgrade to ACS 3.3.
08-02-2005 08:09 PM
Hi Jimmie,
We are experiencing the same problem using Remote Desktop with 802.1x. Any findings on your 2nd observation?
08-04-2005 10:37 AM
I hardcoded Machine Auth ONLY to ensure not breaking RD until fixed.
From MS FAQ:
Q.Do Remote Desktop connections work to Windows wireless clients that use 802.1X authentication?
A.Not at this time. All 802.1X-based wireless connections are affected, including those using EAP-TLS or PEAP-MS-CHAP v2. Connections using a static WEP key or WPA-PSK are not affected. Microsoft is investigating this issue.
http://www.microsoft.com/windowsserver2003/techinfo/overview/wififaq.mspx