Re: Switchport not falls into err-disable after 802.1x fail

TUWATCHER · ‎07-24-2018

Good Day!

I'm using WS-C2960X-48TS-L IOS 15.2(4)

I have 802.1x on my switchports up and running. Some device are successfully pass authentication, some are not.

When they fail 802.1x, switchport not falls into err-disable state.

Jul 24 11:58:29.028: %AUTHMGR-5-START: Starting 'dot1x' for client (0019.99fa.3ebd) on Interface Gi2/0/8 AuditSessionID 0A5F2FF800000216588946FB
Jul 24 12:00:32.111: %DOT1X-5-FAIL: Authentication failed for client (0019.99fa.3ebd) on Interface Gi2/0/8 AuditSessionID 0A5F2FF800000216588946FB
Jul 24 12:00:32.111: %AUTHMGR-7-STOPPING: Stopping 'dot1x' for client 0019.99fa.3ebd on Interface Gi2/0/8 AuditSessionID 0A5F2FF800000216588946FB
Jul 24 12:00:32.111: %AUTHMGR-5-START: Starting 'mab' for client (0019.99fa.3ebd) on Interface Gi2/0/8 AuditSessionID 0A5F2FF800000216588946FB
Jul 24 12:00:38.186: %MAB-5-FAIL: Authentication failed for client (0019.99fa.3ebd) on Interface Gi2/0/8 AuditSessionID 0A5F2FF800000216588946FB
Jul 24 12:00:38.190: %AUTHMGR-7-STOPPING: Stopping 'mab' for client 0019.99fa.3ebd on Interface Gi2/0/8 AuditSessionID 0A5F2FF800000216588946FB
Jul 24 12:00:38.190: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0019.99fa.3ebd) on Interface Gi2/0/8 AuditSessionID 0A5F2FF800000216588946FB

Interface Config:

description DOT1X
switchport access vlan 101
switchport mode access
authentication event fail action next-method
authentication port-control auto
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout quiet-period 3
dot1x timeout server-timeout 3
dot1x timeout tx-period 7
dot1x timeout supp-timeout 3
dot1x max-req 10
dot1x max-reauth-req 10

Thank You in advance!

ldanny · ‎07-24-2018

Port is not intended to end up in err-disable, this behavior is expected.

You might be referring "switchport port-security" command which is not recommended when enabling dot1x.

Danny

TUWATCHER · ‎07-24-2018

Good Day, Danny!

Thank You for your answer!

First of all switchport port-sec is not an option. And on another switch (WS-C2960G-48TC-L IOS 12.2(5)) all failed ports falls to err-disable, maybe I'm missing something? Also tried authentication violation shutdown but it didn't help.

yalbikaw · ‎07-24-2018

as i can see from your configuration,

authentication event fail action next-method

it will keep looping if there was no reject response from the AAA server, since you dont have local web auth correct.

try to quarantine the port

use the below command

authentication event fail authorize vlan #

https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html

this link is very useful focus at the part when you dont have local-web auth.

for error disable its something for switchport security, in dot1x the state machine will say the port is unauthorized state.

i hope this is helpful for you :)

TUWATCHER · ‎07-25-2018

Good Day!

Thanks for your answer!

1. I removed authentication event fail action next-method and it didn't change anyting

2. Command authentication event fail action authorize vlan # is not working because host not failing authorization but even not response to EAPOL I think.

3. Command authentication event no-response action authorize vlan # actually did help but it's inconvenient to monitor. I mean it's more easy way if you are use show int status err to see locked ports.

So there is no way to make ports to fall to err-disable states?

for error disable its something for switchport security, in dot1x the state machine will say the port is unauthorized state.

For dot1x there is err-disable state: Gi1/0/39 DOT1X err-disabled security-violation

ldanny · ‎07-25-2018

You could customize a "Quarantine" Vlan and just search base on that vlan , this way you know those hosts have failed.

ldanny · ‎07-25-2018

Just decide in a "Quarantine" vlan and base your search on that .

So for example you create a failed vlan of 666

Now base your search on that vlan and any ports in that vlan our your failed endpoints

yalbikaw · ‎07-25-2018

oh understand your point, now error disable in this situation can happen for example if you have single host but there was another mac address trying to connect.

the way the current configuration is flex auth, mab and dot1x while next method is configured they will keep looping.

remember the vlan must be created on the switch in order to fail into it.

let me know how it goes and please let us know the example you shared with err-disable has the same configuration or not

TUWATCHER · ‎07-26-2018

Good Day!

Thanks for your answers.

Configuration for port that falls into err-disable:

switchport access vlan 101
switchport mode access
authentication event no-response action authorize vlan 650
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout quiet-period 3
dot1x timeout server-timeout 40
dot1x timeout tx-period 1
dot1x timeout supp-timeout 5
dot1x max-req 7
dot1x max-reauth-req 7
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable

no-response vlan is working well. If there are no other ideas how to make no-responsive devices to fall to err-disable, I think I'll stick with that. Thank You

yalbikaw · ‎08-03-2018

as far i know the violation happened on dot1x when there is for example more than one mac address connect then it fails in error-disable

check security violation

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/swtrafc.html#41018

now remember you didn't configure host mode, which by default is single and allow only one mac address, not sure what is happening on the switch which you shared its configuration but normally if authentication failed is not considered security violation the port will be unauthorized status.