Wired 802.1x Supplicant log out

muhammadtalha (Level 1)

Hello All, 

I have an issue after deploying wired 802.1x. The Cisco ISE is integrated with Windows AD, and the switch is integrated with ISE as a RADIUS server. The endpoint users log in to their Windows PC using their domain account and they successfully get network connectivity. Everything works fine, but when the user logs out this is when the issue starts. For some reason, the switch keeps logging DOT-1X-FAIL logs every 1 minute.

Is there any way to fix it? I think that for some reason the switch port is trying to reauthenticate with the endpoint?

 

Switch port config:

switchport access vlan x
switchport mode access
switchport voice vlan x
authentication port-control auto
authentication periodic
dot1x pae authenticator
spanning-tree portfast
end

 

Dot1x Info for GigabitEthernet3/0/23
-----------------------------------
PAE = AUTHENTICATOR
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30


@muhammadtalha once the user has logged off, is it the computer itself attempting to authenticate (if the supplicant is configured for both machine and user authentication)? Check the ISE logs to determine the username being sent.

Do you have ISE rules to permit the computer authentication?

Is that all your switchport configuration? There are a lot of commands missing from a standard config - https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

 

I read the endpoint considerations. The commands are missing from my end because I wanted the default timers to be applied, and the default configs are there, like reauth-attempts, TX timeout etc.

Dot1x Info for GigabitEthernet3/0/23
-----------------------------------
PAE = AUTHENTICATOR
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30

Unfortunately, I was not able to find anything related to this issue.

 

@muhammadtalha like both myself and @Aref Alsouqi suggested, it sounds like the computer supplicant is configured to perform both machine and user authentication. So when the user logs off, the machine will be authenticated.

Your ISE live logs will tell you what identity is being sent for authentication and provide an indication of why it is failing; you can then create an Authorisation to permit the traffic.

You can also check the Windows supplicant configuration to confirm what is configured. Example

You can also enable radius/aaa debugs on the switch to see what is going on.


@muhammadtalha wrote:

Everything works fine, but when the user logs out this is when the issue starts. For some reason, the switch keeps logging DOT-1X-FAIL logs every 1 minute.

Do you see those logs when the endpoint is still connected but the user is logged off? Or are you seeing them when the endpoint is disconnected from the network? If it is the latter, you shouldn't see any log generated any longer, and if this is not the case it could potentially be a bug on the switch.

However, if you see those logs only after the user is logged off but the endpoint is still connected physically to the network, then I think that would be caused because your supplicant is configured with machine or user authentication, and it is configured to authenticate via EAP-PEAP (username and password). If this is the case, then once the user logs off, the machine wouldn't be able to authenticate with a username and password, and I think this is why you see those logs on the switch. As @Rob Ingram said, probably the best place to check would be the ISE live logs; you can filter your search with the MAC addresses.

I think to overcome this issue you can move from EAP-PEAP to EAP-TLS authentication; this requires both machines and users to have their own certificates. In this case, when the user is logged in they will use their certificate for the authentication, and when they log off, the machine certificate will be used. Alternatively, you can enable MAB on the switch port and make the machine authenticate via MAB.

As a best practice, in both cases the machines shouldn't have full access to your network, so you might need to configure a dACL allowing only the ports and protocols that should be allowed to the machines, denying anything else. In other words, you should treat the machines in a similar way as when you deploy ISE in low-impact mode.

Thanks for your response.

I just checked the ISE logs and I can see that when the user logs out and the endpoint is connected, it hits the deny policy because I have configured access to only domain users.

The identity in the logs is host/pcname.domain. So, when I added domain computers to the policy along with domain users, and the user logs out of the endpoint, the endpoint is still connected to the network because I have added domain computers to the policy, and I can see in the logs the identity host/pcname.domain allowed.

Only if a non-domain computer connects to my network shall it not get any access.

But still I wanted that when the user logs out, the PC should be cut off from the network. But I do not understand why the PC sends requests with the endpoint name!

 

Hope you can help here!

Also one more thing, the authentication on the computer was user based, but still the endpoint was sending requests with the endpoint name even after the user logs out.
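To confirm from exported ISE live logs which identity each port is actually presenting, here is an added Python example (not code from this thread, Cisco or ISE). It classifies each record by identity type (host/... is machine, anything else is user, as seen in the logs above) and counts, per MAC address, the machine-authentication attempts that followed a successful user login, which is exactly the symptom described. The record layout and sample values are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in a simplified ISE live-log style:
# timestamp,status,identity,mac  (layout assumed for this example only)
SAMPLE_LOG = """\
2024-05-01T08:00:12,Passed,DOMAIN\\jdoe,00:11:22:33:44:55
2024-05-01T08:45:03,Failed,host/pc01.domain.local,00:11:22:33:44:55
2024-05-01T08:46:03,Failed,host/pc01.domain.local,00:11:22:33:44:55
2024-05-01T09:00:00,Passed,DOMAIN\\asmith,66:77:88:99:AA:BB
2024-05-01T09:30:00,Passed,host/pc02.domain.local,66:77:88:99:AA:BB
"""

MACHINE_PREFIX = "host/"  # Windows machine accounts authenticate as host/<name>


def identity_kind(identity):
    """Classify an 802.1X identity as 'machine' or 'user'."""
    return "machine" if identity.startswith(MACHINE_PREFIX) else "user"


def parse_records(text):
    """Parse one comma-separated record per line; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, status, identity, mac = line.split(",", 3)
        records.append({"ts": ts, "status": status, "identity": identity,
                        "mac": mac.strip().lower(), "kind": identity_kind(identity)})
    return records


def machine_auth_after_user(records):
    """Per MAC, count machine-identity attempts (any status) that came after a
    successful user authentication on the same MAC. Non-zero counts mean the
    supplicant is switching to machine authentication at user logoff."""
    seen_user = set()
    counts = defaultdict(int)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["kind"] == "user" and r["status"] == "Passed":
            seen_user.add(r["mac"])
        elif r["kind"] == "machine" and r["mac"] in seen_user:
            counts[r["mac"]] += 1
    return dict(counts)


def failed_machine_auths(records):
    """MACs whose machine-identity attempts were rejected by policy."""
    return sorted({r["mac"] for r in records
                   if r["kind"] == "machine" and r["status"] == "Failed"})


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("machine auth after user login:", machine_auth_after_user(recs))
    print("machine auth denied on:", failed_machine_auths(recs))
```

A MAC that appears in the first result but with all its machine attempts marked Failed is a host whose supplicant fell back to machine authentication and was denied by an authorization policy that only permits domain users.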

 

 

@muhammadtalha it's because your Windows supplicant is configured to use machine and user authentication. When the user logs out, the machine will be authenticated. Reconfigure the supplicant to use user authentication only.

Most organisations do not do user only authentication, they authenticate both the user and computer. With machine authentication configured the device can still have network access to process Windows Group Policy updates at startup and receive Windows Updates etc.

Add this on one port and check:
dot1x max-reauth-req

This makes the SW send reauth for a specific time; after that it stops.
MHM

By default the max-reauth-req is there which has a value of 2 on the ports.

I already added the command, but it cannot be seen because 2 is the default value, and I can see it when I do show dot1x interface.

I will be able to see the command in the configuration if I set the value to any number other than 2.

- max-reauth-req: make it 3 times

- Specify the reauth timeout: make it local or by server (sent via ISE)

MHM

For the machines that are not joined to the domain, you can use MAB with limited access. I wouldn't recommend denying all the traffic from the machines, because they would need to check for OS updates and software updates, renew their IP, and most likely be accessed by your support desk team.