Delay the first dot1x authentication message after a port comes up

Mika J
Level 1

Cisco ISE: 1.2

Switch IOS: 15.0.2.EX4

 

Hello,

I have configured the APs to authenticate with 802.1X via the switch.

When I shut the port on which the AP is connected and then no shut it, the port comes up a few seconds later and the switch sends a dot1x authentication.

I feel that the AP has not finished booting and that's why it fails, because the AP doesn't answer that authentication request.

I was wondering if it's possible to delay the first authentication message the switch sends just after a port comes up?

 

When I use debug commands I see

%DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
%AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
%AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
%AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
%AUTHMGR-5-FAIL: Authorization failed or unapplied for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9

NB: you'll see exhausted all authentication methods because I only configured dot1x on the port (no mab or anything else)

 

Thank you for all answers

4 Replies

Marvin Rhoads
Hall of Fame

In interface configuration mode, the command "dot1x timeout tx-period <seconds>" controls that behavior. The default is 30 seconds and dot1x should wait for 3x the timeout period to fail authentication for that method. You can adjust the timer higher to account for the AP bootup time. Reference.

Normally you would profile the device and allow it to be authenticated via MAB if it is determined to be an AP.
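An added example, not code from either poster: it parses the switch syslog lines quoted in the question, labels each AuditSessionID by whether the supplicant stayed silent ('no-response' followed by NOMOREMETHODS) or was actually rejected, and computes the no-response window from the tx-period named in this reply. The `dot1x max-reauth-req` retransmission count (IOS default 2) is not mentioned on the page and is an assumption here.

```python
import re
from collections import defaultdict

# Constructed sample: the syslog lines quoted in the question above.
SAMPLE_LOG = """\
%DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
%AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
%AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
%AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
%AUTHMGR-5-FAIL: Authorization failed or unapplied for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
"""

# %FACILITY-SEVERITY-MNEMONIC: message ... on Interface X AuditSessionID Y
LINE_RE = re.compile(
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<msg>.*?)"
    r" on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-F]+)$"
)
RESULT_RE = re.compile(r"Authentication result '(?P<result>[^']+)' from '(?P<method>[^']+)'")


def no_response_window(tx_period=30, max_reauth_req=2):
    """Seconds a silent supplicant gets before dot1x reports 'no-response':
    one EAP-Request/Identity plus max_reauth_req retransmissions, tx_period
    apart. Defaults 30 s and 2 (assumed IOS default) give the 90 s, i.e.
    the "3x the timeout period" mentioned in the reply."""
    return tx_period * (max_reauth_req + 1)


def classify_sessions(log_text):
    """Group lines by AuditSessionID and label why each session failed."""
    sessions = defaultdict(lambda: {"intf": None, "results": [], "exhausted": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an authmgr/dot1x line in the expected shape
        s = sessions[m["sid"]]
        s["intf"] = m["intf"]
        r = RESULT_RE.search(m["msg"])
        if r:
            s["results"].append((r["method"], r["result"]))
        if m["mnemonic"] == "AUTHMGR-7-NOMOREMETHODS":
            s["exhausted"] = True
    verdicts = {}
    for sid, s in sessions.items():
        silent = any(res == "no-response" for _, res in s["results"])
        if silent and s["exhausted"]:
            verdicts[sid] = "silent-supplicant"   # no EAP reply, and no fallback method (no MAB)
        elif silent:
            verdicts[sid] = "no-response-failover"  # silent, but another method was tried
        elif s["results"]:
            verdicts[sid] = "rejected"            # supplicant answered and was refused
        else:
            verdicts[sid] = "unknown"
    return verdicts
```

A "silent-supplicant" verdict on a port within the first `no_response_window()` seconds after link-up points at a device still booting rather than bad credentials, which is the case the question describes.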

Hello,

Thank you very much for your answer.

Why do you say that the AP should be authenticated via MAB and profiling instead of dot1x? Why is it better?

Using dot1x seems to work fine for me except what I talked about and also that ISE thinks my AP is a router.

Regards

You're welcome.

The profiling method for Access Points is right out of the Cisco Validated Design for Campus 802.1x Authentication. See the instructions in the linked guide starting on page 95.

On page 99, the guide states: "you need to modify the MAB policy to reject endpoints that fail authentication. This change works with the authorization policies, which permit Cisco IP Phones and access points as the only devices authorized on the network without performing 802.1X authentication"

How do your APs authenticate via 802.1x as they have no supplicant on them and no way for a user to interact with the RADIUS server? 

Hello,

Thank you for your reply. That document is very interesting.

I've just read the chapter regarding the profiling with APs so far and got them working properly the way they showed it.

However, I'm not a big fan of MAB and profiling, because ISE retrieves CDP information collected through SNMP.

- You need CDP (or LLDP) enabled and you might not want that for different reasons (Security, Interoperability...)

- A machine could lie about its identity and pretend through CDP that it's a controller, an AP, a printer and so on.

 

That's why the best option, in my opinion, would be that the AP sends its credentials and ISE accepts or rejects them.

It's possible to do this with the Cisco APs:

http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/99791-eapfast-wlc-rad-config.html

 

I'm wondering why Cisco chooses a different EAP method for each of their devices (EAP-MD5 -> Cisco Phones, EAP-FAST -> AP)

 

So in my humble opinion, the mab/profiling solution is good but not optimal.

 
