Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3174
Views
0
Helpful
3
Replies

"dot1x critical eapol" block setting

Go to solution
andrewswanson
Level 7
Level 7

‎09-25-2019 02:57 AM - edited ‎02-21-2020 11:10 AM

Hi

 

I'm looking at upgrading a number of WS-C3650-48PD stacks from 03.07.05 to 16.6.6. I'm avoiding Fuji for now in case of any smart licencing issues (many of these switches were purchased as lanbase with ipbase rtus).

 

I've been doing testing with 16.6.6 and the stack ibns2 radius setup. All works well until I reload the switch and run into the bug CSCvc86691 "When 'dot1x critical eapol' is configured, switch sends EAP failure instead of Success".

 

As the switch comes online and brings up the interfaces, radius server is briefly unavailable and the switch responds with "failed authentication" to the connected windows 802.1x clients - the Windows clients will then not attempt eap again for 20 minutes.

 

It appears that "dot1x critical eapol" on 16.6.6 has an additional feature: "dot1x critical eapol block" - this will "Block all EAPoL transaction on Critical Authentication" as opposed to replying with "passed authentication".

 

The "dot1x critical eapol block" resolves my issue when the switch reloads and seems to have no adverse impact on the 802.1x clients (they authenticate as soon as radius is alive). Is anyone using this "block" feature in production? If so, have there been any issues?

 

Thanks
Andy

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to andrewswanson

‎09-25-2019 05:54 AM

Since you are using IBNS 2.0, your device sensor may not work on 16.6.6. There was a bug fixed in 16.9.4 and 16.12.1 related to it.

I would confirm device sensor functionality, but if you are using SNMP Query then you will "work around"it.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
andrewswanson
Level 7
Level 7

‎09-25-2019 03:59 AM

My apologies - 16.6.6 doesn't seem to suffer from the bug CSCvc86691 after all (i've been testing a number of different ios on the switch which led to confusion).

 

"dot1x critical eapol" works as expected. 

 

Cheers

Andy

0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to andrewswanson

‎09-25-2019 05:54 AM

Since you are using IBNS 2.0, your device sensor may not work on 16.6.6. There was a bug fixed in 16.9.4 and 16.12.1 related to it.

I would confirm device sensor functionality, but if you are using SNMP Query then you will "work around"it.
0 Helpful

Go to solution
andrewswanson
Level 7
Level 7
In response to Damien Miller

‎09-25-2019 06:05 AM

Thanks for that - I'll look into device-sensor (snmp-query is used so hopefully that's covered). Hopefully get the bulk of things working - confirmed that vlan-id is sent in access-session authentication requests (used by ISE for profiling), Radius periodic accounting not working but will enable periodic re-authentication to fix that.

Cheers

Andy

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents