
802.1x Cisco ISE & Cathalyst

Marco Serato
Level 1

Hi

I've got a curious problem with the authentication of 802.1x clients that do not authenticate correctly. In ISE I have selected that every failed authentication should be rejected. But the authentication process starts again and again and does not stop. Here is the log from the switch:

May 30 14:10:27.608 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:27.893 METDST: %DOT1X-5-FAIL: Authentication failed for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:27.893 METDST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0c0c.0c0c.0c01) on Interface 0/1
May 30 14:10:28.270 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:28.404 METDST: %DOT1X-5-FAIL: Authentication failed for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:28.404 METDST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0c0c.0c0c.0c01) on Interface
May 30 14:10:29.118 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:29.361 METDST: %DOT1X-5-FAIL: Authentication failed for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:29.361 METDST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:29.420 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:29.839 METDST: %DOT1X-5-FAIL: Authentication failed for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:29.839 METDST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:30.745 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:30.846 METDST: %DOT1X-5-FAIL: Authentication failed for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:30.846 METDST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:31.794 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:31.928 METDST: %DOT1X-5-FAIL: Authentication failed for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:31.928 METDST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1

I configured that only one authentication is allowed. If the authentication fails, the port should be blocked. But that does not happen.

A successfully authenticated client always triggers two authentications. That is also curious.

Does anybody have an idea how to solve this behavior?

Many thanks, Marco
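One way to pick this pattern out of exported switch syslog, as an added example that is not part of the thread: the script groups %AUTHMGR/%DOT1X messages by client MAC and interface and flags a client that fails repeatedly and whose dot1x session restarts faster than the quiet period (60 s, the value Marco quotes later in the thread). The sample input is the first six lines of the log above, and the year is assumed since IOS does not log it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the first six syslog lines from the post above.
SAMPLE_LOG = """\
May 30 14:10:27.608 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:27.893 METDST: %DOT1X-5-FAIL: Authentication failed for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:28.270 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:28.404 METDST: %DOT1X-5-FAIL: Authentication failed for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:29.118 METDST: %AUTHMGR-5-START: Starting 'dot1x' for client (0c0c.0c0c.0c01) on Interface Fa0/1
May 30 14:10:29.361 METDST: %DOT1X-5-FAIL: Authentication failed for client (0c0c.0c0c.0c01) on Interface Fa0/1
"""
# IOS syslog: timestamp, timezone, %FACILITY-SEV-MNEMONIC, text with (mac) and an optional interface
# (one line in the thread is truncated after "on Interface", so the interface group is optional).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d{3}) \w+: "
    r"%(?P<mnemonic>[A-Z0-9]+-\d-[A-Z]+): .*?\((?P<mac>[0-9a-f.]+)\)"
    r"(?: on Interface (?P<iface>\S+))?"
)

def parse_line(line, year=1970):
    """Return {ts, mnemonic, mac, iface} for a matching line, else None (year is assumed, not logged)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S.%f")
    return {"ts": ts, "mnemonic": m["mnemonic"], "mac": m["mac"], "iface": m["iface"] or "?"}

def detect_auth_loops(log_text, quiet_period=60.0, min_failures=3):
    """Flag (mac, interface) pairs that fail repeatedly and restart dot1x faster than quiet_period."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events[(ev["mac"], ev["iface"])].append(ev)
    findings = []
    for (mac, iface), evs in events.items():
        fails = sum(1 for e in evs if e["mnemonic"] == "DOT1X-5-FAIL")
        starts = [e["ts"] for e in evs if e["mnemonic"] == "AUTHMGR-5-START"]
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]  # time between restarts
        if fails >= min_failures and gaps and min(gaps) < quiet_period:
            findings.append({"mac": mac, "iface": iface, "failures": fails,
                             "restarts": len(starts), "min_restart_gap_s": round(min(gaps), 3)})
    return findings

if __name__ == "__main__":
    for f in detect_auth_loops(SAMPLE_LOG):
        print(f"{f['mac']} on {f['iface']}: {f['failures']} failures, fastest restart {f['min_restart_gap_s']} s")
```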


Jatin Katyal
Cisco Employee

Could you please paste the switch port configuration where the client is connected?

What is the status of CoA on ISE?

Jatin Katyal
- Do rate helpful posts -

~Jatin

Richard Atkin
Level 4

What you want is to adjust the Dot1x quiet-period; this determines how long the client must wait before it can try to authenticate again after a failure.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/Sw8021x.html#wp1036194

Here is the port config:

interface FastEthernet0/1
 switchport mode access
 switchport voice vlan 3
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation protect
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 3
 dot1x max-reauth-req 1
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root

@RikJonAtk: dot1x timeout quiet-period is 60 sec by default. I do not want the client to be able to authenticate again.

@Jatin Katyal: Where can I find the status of CoA?

I'm not sure you can actually do that, Marco? The closest I can think of is to drop them into a Dot1x Failed VLAN which you set up as a blackhole...

You need to configure an auth-fail VLAN:

authentication event fail action authorize vlan vlan-id

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-2mt/sec-ieee-auth-fail-vlan.html

Jatin Katyal
- Do rate helpful posts -

~Jatin

Yes, that is the answer. Thank you both!

I just tested a vulnerability. A simple switch was placed in front of an access port. The port had been authenticated by Client1. Client2 was also connected to the network but has no credentials. The clients have the same MAC address.
Is there a solution for this?

Thanks RikJonAtk!

Marco

Glad to help!

Usually, if the client has no dot1x support, it uses MAB to get access to the network by means of profiling or CWA.

If you configure the default authorization rule to be CWA & Profiling, you won't see any restarted authentications.

You will see this happen again only if the client has dot1x support and dot1x has priority over MAB.
