Computer on dot1x enabled port generates fail in switch syslog when it goes to sleep (3CPL)

dal
Level 3

Hi.

As the title says, I have enabled 802.1x (and MAB) via 3CPL and policies on a switchport, and it works fine.

Until the computer falls asleep.

Then the switchport starts to generate error logs like this:

Jan 22 14:16:34.492: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (13e2.1e14.a20a) on Interface GigabitEthernet1/0/13 AuditSessionID FA64320A00015AFCCD99EA23. Failure reason: Authc fail. Authc failure reason: Cred Fail.

every 60 seconds.

I have found that this happens when the NIC on the computer has the "Allow the computer to turn off this device to save power" option enabled... which is enabled by default on all Windows computers.

And it needs to stay that way to enable WoL.


So how can I get rid of the error messages in the switch?


Thanks.

2 Replies

Damien Miller
VIP Alumni
A logging discriminator would be what I suggest. In my opinion these logs don't provide any value on the switch. When we troubleshoot we look at ISE, or "show auth sessions" to gather the information anyways.

You can do something such as this to stop logging it to the buffer.

logging discriminator AUTHFILT facility drops DOT1X
logging discriminator AUTHFILT facility drops SESSION_MGR
logging buffered discriminator AUTHFILT
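
As an added example (not code from this thread), the off-box counterpart to the discriminator above: instead of discarding the %SESSION_MGR-5-FAIL lines, parse them from a syslog feed and flag clients whose "Cred Fail" repeats at a steady 60-second cadence, the sleeping-NIC pattern dal describes, so that noise can be told apart from a one-off credential failure that might deserve a look. The regex, function names and the sample log (built from the line quoted in the question plus a made-up second client) are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed regex for the %SESSION_MGR-5-FAIL format quoted in the question.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\.\d+: %SESSION_MGR-5-FAIL: .*?"
    r"client \((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) on Interface "
    r"(?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-F]+)\. Failure reason: (?P<reason>[^.]+)\."
    r"(?: Authc failure reason: (?P<authc>[^.]+)\.)?"
)

def parse_fail(line):
    """Return the fields of one SESSION_MGR-5-FAIL line, or None for any other message."""
    m = FAIL_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")  # IOS timestamp has no year
    return rec

def repeating_failures(lines, min_count=3, period=60, tolerance=5):
    """Map (mac, interface) -> count for clients whose Cred Fail recurs every ~period seconds."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_fail(line)
        if rec and rec["authc"] == "Cred Fail":
            events[(rec["mac"], rec["intf"])].append(rec["ts"])
    result = {}
    for key, stamps in events.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_count and all(abs(g - period) <= tolerance for g in gaps):
            result[key] = len(stamps)
    return result

# Constructed sample: the question's line repeated once a minute, plus one isolated
# failure from a made-up client that should NOT be flagged as sleep noise.
TEMPLATE = ("{ts}: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or "
            "unapplied for client ({mac}) on Interface {intf} AuditSessionID {sid}. "
            "Failure reason: Authc fail. Authc failure reason: Cred Fail.")
SAMPLE_LOG = [TEMPLATE.format(ts=f"Jan 22 14:{m}:34.492", mac="13e2.1e14.a20a",
                              intf="GigabitEthernet1/0/13", sid="FA64320A00015AFCCD99EA23")
              for m in (16, 17, 18)]
SAMPLE_LOG.append(TEMPLATE.format(ts="Jan 22 14:20:01.003", mac="0000.0000.0001",
                                  intf="GigabitEthernet1/0/7", sid="FFFFFFFF0000000000000001"))

if __name__ == "__main__":
    print(repeating_failures(SAMPLE_LOG))
```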

andrewswanson
Level 7

Hi


Yes, I see the same problem with WoL enabled devices. I increased the authentication restart for 802.1x fail/no response to 65535 seconds to decrease the amount of messages - see below.


event session-started match-all
 10 class always do-until-failure
  10 authenticate using dot1x retries 3 retry-time 30 priority 10
..
event authentication-failure match-first
..
 5 class DOT1X_FAILED do-until-failure
  10 terminate dot1x
  20 authentication-restart 65535
 10 class DOT1X_NO_RESP do-until-failure
  10 terminate dot1x
  20 authentication-restart 65535
..
event agent-found match-all
 10 class always do-until-failure
  10 terminate mab
  20 authenticate using dot1x retries 3 retry-time 30 priority 10


When I was looking at a PowerShell script to whitelist PXE imaging clients (through the ISE API), I considered using the same script to whitelist WoL PCs (i.e. run the script on PC shutdown to whitelist the PC's MAC, and run the script again on PC boot to remove the PC from the whitelist). It seemed way too complicated, so I dropped that idea. The script used for whitelisting is available here:


https://github.com/AdamGrossTX/PowershellScripts/tree/master/CiscoISE/External%20RESTful%20Service%20(ERS)%20API


hth
Andy