06-10-2013 04:51 AM - edited 03-10-2019 08:31 PM
Hello,
I observe undesirable behavior of my Cisco 3560 switches, which keep authentication sessions for devices that are currently not connected to the network.
To be precise, I mean the sessions relating to devices that haven't been successfully authenticated and, as a result, the switch keeps trying to re-authenticate them. The problem shows up when the device is no longer connected to the network, but the switch is still keeping that authentication session (ineffectively trying to authenticate a device that is no longer connected).
For example, on int fa0/37 there are 6 devices connected, while there are 36 current authentication sessions:
SW1#sh clock
16:54:10.793 CEST Fri Jun 7 2013
SW1#sh mac add int Fa0/37
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
82 0012.3fb9.5b3f STATIC Fa0/37
82 28d2.4408.0f31 DYNAMIC Fa0/37
82 28d2.4408.10d9 DYNAMIC Fa0/37
82 28d2.4408.1440 DYNAMIC Fa0/37
82 28d2.4408.39dc DYNAMIC Fa0/37
82 6cf0.4929.4aa8 DYNAMIC Fa0/37
Total Mac Addresses for this criterion: 6
SW1#sh auth sess | i 0/37
Fa0/37 f0de.f15f.3332 N/A DATA Authz Failed 0ACA022A000004751725F612
Fa0/37 28d2.4401.8591 N/A DATA Authz Failed 0ACA022A000005AE9C6AB46B
Fa0/37 0024.1dab.5943 N/A DATA Authz Failed 0ACA022A0000008B630B988D
Fa0/37 0024.1d0b.bd9d dot1x DATA Running 0ACA022A000005867DC8BA06
Fa0/37 28d2.4408.0f31 dot1x DATA Running 0ACA022A000005C2AC8D0728
Fa0/37 f0de.f152.2266 N/A DATA Authz Failed 0ACA022A000000DE8CD63254
Fa0/37 0021.86ff.b4f2 N/A DATA Authz Failed 0ACA022A000005495F07FBBD
Fa0/37 f04d.a251.6135 mab DATA Authz Failed 0ACA022A0000043D0D549EA9
Fa0/37 28d2.4408.1440 dot1x DATA Running 0ACA022A000005C1AC8CD8D3
Fa0/37 0021.ccd8.095c dot1x DATA Running 0ACA022A000004781740E560
Fa0/37 5cf9.dd41.6a35 mab DATA Authz Failed 0ACA022A0000044E11EA7A95
Fa0/37 0012.3fb9.5b3f dot1x DATA Authz Success 0ACA022A0000003924E5D007
Fa0/37 5cf9.dd41.6c06 mab DATA Authz Failed 0ACA022A0000044F11EF1A3B
Fa0/37 0021.cc6e.3db3 dot1x DATA Running 0ACA022A000004A921E704A2
Fa0/37 0021.ccd0.1487 N/A DATA Authz Failed 0ACA022A00000479175405FF
Fa0/37 0021.ccd7.e67f dot1x DATA Running 0ACA022A0000055E6012F3D3
Fa0/37 28d2.4407.209d N/A DATA Authz Failed 0ACA022A0000045012089F38
Fa0/37 0011.4302.d91b N/A DATA Authz Failed 0ACA022A000004A721363771
Fa0/37 28d2.4408.10d9 dot1x DATA Running 0ACA022A000005C0AC8CAB1D
Fa0/37 0013.72ca.549e N/A DATA Authz Failed 0ACA022A0000009F6D129B84
Fa0/37 28d2.4406.28e2 N/A DATA Authz Failed 0ACA022A00000376D9E4E000
Fa0/37 0024.7e10.ef3a N/A DATA Authz Failed 0ACA022A0000003B254891A7
Fa0/37 0026.1823.fa2f dot1x DATA Running 0ACA022A000000D3872D60E0
Fa0/37 3c97.0e83.f722 N/A DATA Authz Failed 0ACA022A000003DFE8AB9EB6
Fa0/37 70f3.9513.c315 dot1x DATA Running 0ACA022A0000050540434445
Fa0/37 6cf0.4929.4aa8 N/A DATA Authz Failed 0ACA022A0000003A24E64567
Fa0/37 001d.7284.4cae dot1x DATA Running 0ACA022A0000008C63D0E95F
Fa0/37 70f3.9513.c420 N/A DATA Authz Failed 0ACA022A00000103B00B97CC
Fa0/37 28d2.4408.39dc dot1x DATA Running 0ACA022A000005C3AC8D33D2
Fa0/37 0013.72b8.ec0b dot1x DATA Running 0ACA022A0000056D695D4C5D
Fa0/37 5cf9.dd41.6c80 mab DATA Authz Failed 0ACA022A000004360D108AA4
Fa0/37 000f.1fe4.6f9f N/A DATA Authz Failed 0ACA022A000000E39161ABC9
Fa0/37 001e.3736.9a6a N/A DATA Authz Failed 0ACA022A000004831C16033E
Fa0/37 0024.7eda.ab58 N/A DATA Authz Failed 0ACA022A0000030ED4955421
Fa0/37 28d2.4402.4bbf N/A DATA Authz Failed 0ACA022A0000005139D52E1E
Fa0/37 0018.8b0c.7882 N/A DATA Authz Failed 0ACA022A000004CC30DD0119
SW1#sh clock
16:54:21.891 CEST Fri Jun 7 2013
SW1#
Only "clear authentication sessions session-id …" executed for a "hanging" session causes its removal:
SW1#clear auth sess sess 0ACA022A000004CC30DD0119
SW1#clear auth sess sess 0ACA022A0000005139D52E1E
SW1#clear auth sess sess 0ACA022A0000030ED4955421
SW1#clear auth sess sess 0ACA022A000004831C16033E
SW1#clear auth sess sess 0ACA022A000000E39161ABC9
SW1#sh auth sess | i 0/37
Fa0/37 f0de.f15f.3332 N/A DATA Authz Failed 0ACA022A000004751725F612
Fa0/37 28d2.4401.8591 N/A DATA Authz Failed 0ACA022A000005AE9C6AB46B
Fa0/37 0024.1dab.5943 N/A DATA Authz Failed 0ACA022A0000008B630B988D
Fa0/37 0024.1d0b.bd9d N/A DATA Authz Failed 0ACA022A000005867DC8BA06
Fa0/37 28d2.4408.0f31 dot1x DATA Running 0ACA022A000005C2AC8D0728
Fa0/37 f0de.f152.2266 N/A DATA Authz Failed 0ACA022A000000DE8CD63254
Fa0/37 0021.86ff.b4f2 N/A DATA Authz Failed 0ACA022A000005495F07FBBD
Fa0/37 f04d.a251.6135 mab DATA Authz Failed 0ACA022A0000043D0D549EA9
Fa0/37 28d2.4408.1440 dot1x DATA Running 0ACA022A000005C1AC8CD8D3
Fa0/37 0021.ccd8.095c dot1x DATA Running 0ACA022A000004781740E560
Fa0/37 5cf9.dd41.6a35 mab DATA Authz Failed 0ACA022A0000044E11EA7A95
Fa0/37 0012.3fb9.5b3f dot1x DATA Authz Success 0ACA022A0000003924E5D007
Fa0/37 5cf9.dd41.6c06 mab DATA Authz Failed 0ACA022A0000044F11EF1A3B
Fa0/37 0021.cc6e.3db3 dot1x DATA Running 0ACA022A000004A921E704A2
Fa0/37 0021.ccd0.1487 dot1x DATA Running 0ACA022A00000479175405FF
Fa0/37 0021.ccd7.e67f dot1x DATA Running 0ACA022A0000055E6012F3D3
Fa0/37 28d2.4407.209d dot1x DATA Running 0ACA022A0000045012089F38
Fa0/37 0011.4302.d91b N/A DATA Authz Failed 0ACA022A000004A721363771
Fa0/37 28d2.4408.10d9 dot1x DATA Running 0ACA022A000005C0AC8CAB1D
Fa0/37 0013.72ca.549e N/A DATA Authz Failed 0ACA022A0000009F6D129B84
Fa0/37 28d2.4406.28e2 dot1x DATA Running 0ACA022A00000376D9E4E000
Fa0/37 0024.7e10.ef3a N/A DATA Authz Failed 0ACA022A0000003B254891A7
Fa0/37 0026.1823.fa2f dot1x DATA Running 0ACA022A000000D3872D60E0
Fa0/37 3c97.0e83.f722 N/A DATA Authz Failed 0ACA022A000003DFE8AB9EB6
Fa0/37 70f3.9513.c315 dot1x DATA Running 0ACA022A0000050540434445
Fa0/37 6cf0.4929.4aa8 N/A DATA Authz Failed 0ACA022A0000003A24E64567
Fa0/37 001d.7284.4cae dot1x DATA Running 0ACA022A0000008C63D0E95F
Fa0/37 70f3.9513.c420 N/A DATA Authz Failed 0ACA022A00000103B00B97CC
Fa0/37 28d2.4408.39dc dot1x DATA Running 0ACA022A000005C3AC8D33D2
Fa0/37 0013.72b8.ec0b dot1x DATA Running 0ACA022A0000056D695D4C5D
Fa0/37 5cf9.dd41.6c80 mab DATA Authz Failed 0ACA022A000004360D108AA4
SW1#sh clock
17:08:54.372 CEST Fri Jun 7 2013
SW1#
SW1#sh ver
Cisco IOS Software, C3560 Software (C3560-IPBASEK9-M), Version 12.2(55)SE7, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Mon 28-Jan-13 10:10 by prod_rel_team
Image text-base: 0x01000000, data-base: 0x02D00000
Could anyone tell me the reason for this switch behavior and what needs to be done to prevent this kind of situation?
I also use Identity Services Engine 1.1.1 and 802.1x authentication. "sh dot1x interface fa0/37 details" is in the attachment.
If you need anything, don’t hesitate to ask me, please.
I would sincerely appreciate your consideration of this matter.
Best regards!
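An added example, written for this page and not posted by anyone in the thread nor part of any Cisco tool, of how to cross-check the two outputs above: it parses the text of "sh mac add int Fa0/37" and "sh auth sess | i 0/37", and lists every authentication session whose MAC the switch is no longer seeing on the port. The sample outputs below are constructed, abbreviated copies of the ones posted above; the full-form "clear authentication sessions session-id" is assumed to be the expanded spelling of the "clear auth sess sess" command used above.

```python
"""Cross-check 'show authentication sessions' against the MAC address table.

A session whose MAC no longer appears in the port's MAC address table is a
candidate for the "hanging" sessions described above.  Absence from the MAC
table only means the switch has not seen a frame from that MAC within the
aging time (300 s by default), so the output is a review list, not proof.
"""
import re
from dataclasses import dataclass

# Constructed sample output, abbreviated from the "sh mac add int Fa0/37" posted above.
MAC_TABLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  82    0012.3fb9.5b3f    STATIC      Fa0/37
  82    28d2.4408.0f31    DYNAMIC     Fa0/37
  82    28d2.4408.10d9    DYNAMIC     Fa0/37
  82    28d2.4408.1440    DYNAMIC     Fa0/37
  82    28d2.4408.39dc    DYNAMIC     Fa0/37
  82    6cf0.4929.4aa8    DYNAMIC     Fa0/37
Total Mac Addresses for this criterion: 6
"""

# Constructed sample output, abbreviated from the "sh auth sess | i 0/37" posted above.
AUTH_SESSIONS_OUTPUT = """\
Fa0/37  f0de.f15f.3332  N/A    DATA  Authz Failed   0ACA022A000004751725F612
Fa0/37  28d2.4408.0f31  dot1x  DATA  Running        0ACA022A000005C2AC8D0728
Fa0/37  f04d.a251.6135  mab    DATA  Authz Failed   0ACA022A0000043D0D549EA9
Fa0/37  28d2.4408.1440  dot1x  DATA  Running        0ACA022A000005C1AC8CD8D3
Fa0/37  0012.3fb9.5b3f  dot1x  DATA  Authz Success  0ACA022A0000003924E5D007
Fa0/37  0021.ccd7.e67f  dot1x  DATA  Running        0ACA022A0000055E6012F3D3
Fa0/37  28d2.4408.10d9  dot1x  DATA  Running        0ACA022A000005C0AC8CAB1D
Fa0/37  6cf0.4929.4aa8  N/A    DATA  Authz Failed   0ACA022A0000003A24E64567
Fa0/37  28d2.4408.39dc  dot1x  DATA  Running        0ACA022A000005C3AC8D33D2
Fa0/37  0018.8b0c.7882  N/A    DATA  Authz Failed   0ACA022A000004CC30DD0119
"""

MAC_RE = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
MAC_TABLE_LINE = re.compile(rf"^\s*(\d+)\s+({MAC_RE})\s+(STATIC|DYNAMIC)\s+(\S+)\s*$")
# The status column may contain a space ("Authz Failed"), so the status is
# matched non-greedily and the line is anchored on the hex session id at the end.
AUTH_LINE = re.compile(
    rf"^\s*(\S+)\s+({MAC_RE})\s+(\S+)\s+(\S+)\s+(.+?)\s+([0-9A-F]{{16,}})\s*$"
)


@dataclass(frozen=True)
class Session:
    interface: str
    mac: str
    method: str   # dot1x, mab, or N/A when no method has succeeded
    domain: str
    status: str   # Running, Authz Success, Authz Failed
    session_id: str


def parse_mac_table(text, port=None):
    """Return the set of MACs the switch has learned, optionally on one port only."""
    macs = set()
    for line in text.splitlines():
        m = MAC_TABLE_LINE.match(line)
        if m and (port is None or m.group(4) == port):
            macs.add(m.group(2).lower())
    return macs


def parse_auth_sessions(text):
    """Parse one Session per matching line of 'show authentication sessions'."""
    sessions = []
    for line in text.splitlines():
        m = AUTH_LINE.match(line)
        if m:
            iface, mac, method, domain, status, sid = m.groups()
            sessions.append(Session(iface, mac.lower(), method, domain, status, sid))
    return sessions


def find_stale_sessions(sessions, learned_macs):
    """Sessions whose MAC has no MAC-table entry: the review list for stale sessions."""
    return [s for s in sessions if s.mac not in learned_macs]


def summarize(stale):
    """Count stale sessions per (method, status) so the pattern is visible at a glance."""
    counts = {}
    for s in stale:
        key = (s.method, s.status)
        counts[key] = counts.get(key, 0) + 1
    return counts


def clear_commands(stale):
    """Full-form IOS commands matching the 'clear auth sess sess <id>' used above."""
    return [f"clear authentication sessions session-id {s.session_id}" for s in stale]


if __name__ == "__main__":
    learned = parse_mac_table(MAC_TABLE_OUTPUT, port="Fa0/37")
    stale = find_stale_sessions(parse_auth_sessions(AUTH_SESSIONS_OUTPUT), learned)
    for s in stale:
        print(f"{s.interface} {s.mac} {s.method:5} {s.status:13} {s.session_id}")
    for (method, status), n in sorted(summarize(stale).items()):
        print(f"{n} stale {method} session(s) in state '{status}'")
    print("\n".join(clear_commands(stale)))
```

To use it on a real switch, paste the two command outputs into the strings (or read them from files) and review the list before clearing anything: a dot1x session in "Running" for a host that is simply quiet will also be listed, because the MAC table only reflects recent frames. The script takes the place of comparing the two listings by eye; it does not change the switch's behaviour, which is a timer question on the switch itself.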
06-15-2013 07:33 AM
The switch doesn't know to flush the session after the Client goes because the other switch you're plugging everything into keeps the interface up... The switch never actually knows the Client has gone, just that it's not communicating any more.
There will be ("should be"!) an automated timer somewhere that flushes these idle sessions. I expect there'll be a specific bit of Dot1x config for this (the re-auth timer, perhaps?), but it could be as simple as the MAC Address-Table Aging-Time?
06-17-2013 03:30 AM
Hello Richard,
Thank you so much for replying.
Actually, all the switches are configured as follows:
interface FastEthernet0/37
switchport access vlan 18
switchport mode access
switchport nonegotiate
switchport voice vlan 24
qos trust dscp
authentication event fail action next-method
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
auto qos voip trust
dot1x pae authenticator
tx-queue 3
priority high
shape percent 33
spanning-tree portfast
service-policy output autoqos-voip-policy
Is there something wrong with the port config?
Looking forward to hearing from you.
Regards!
06-22-2013 01:49 PM
I've said it before, and I'll say it again
In an actual deployment, the last/default authorization rule should permit CWA and/or profiling, so that any unauthenticated MAB user gets a match on this rule, thus not restarting the auth process.
Regarding the idle sessions, you can use the authentication timer inactivity command.
Check http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a3.html#wp1060094