Multiple VMs and IEEE 802.1X multi-auth host-mode

JUANNN (Spotlight)

Hello,

I am doing a lab with a Windows host that runs VMware Workstation and has 3 Linux hosts as VMs. I have configured the switchport on the Cisco device that I am using (C112X) as follows:

[attached image: JUANNN_2-1749274900617.png]

Note that MAB is enabled for 1 of the VMs, which is not 802.1X capable. Then I configured 802.1X on the other 2 VMs and on the Windows host. Authentication was prompted on all 3 hosts as expected and succeeded.

However, for some reason the Cisco device kept reauthenticating the hosts very frequently...

[attached image: JUANNN_1-1749274536511.png]

I do not understand this behaviour... I did not even set authentication periodic, so this does not make sense to me. The problem is that every time this happens, the Windows PC prompts me to sign in again in order to give network access to all hosts.

I am not using any attributes on the FreeRADIUS server, which by the way is hosted on an external device (not on the Windows PC).

Does anyone know about this behaviour? Are my port configurations wrong?

Thanks,

Juan

6 Replies

Jens Albrecht (Level 4)

Hello @JUANNN,

The config on your ports looks good, and there is nothing obvious that could explain this behavior.

Have you done a "show run all" to check whether Cisco has changed any defaults?

It indeed looks as if "authentication periodic" is active for some reason. What software version are you running?

As a workaround you could try the command "authentication timer reauthenticate <seconds>".
The maximum value used to be 65535 seconds, but since 17.5.1 you can increase this timer up to 1073741823 seconds if you like.

HTH!
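As an added example (not the poster's configuration, which is only in the screenshot, and not a known fix for this thread's problem), here is what a multi-auth 802.1X + MAB access port with the reauthentication timer Jens mentions looks like in IOS-XE CLI. The interface name, VLAN, RADIUS address and shared secret are assumptions.

```cisco
! Added example: multi-auth access port with dot1x first, MAB fallback.
! Interface, VLAN, server address and key are placeholders (assumptions).
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
radius server FREERADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
interface GigabitEthernet0/1/0
 switchport mode access
 switchport access vlan 10
 ! one session per MAC address behind the port (Windows host + each VM)
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! Periodic reauthentication is off by default. The reauthenticate timer
 ! is only evaluated when "authentication periodic" is present, so the
 ! workaround needs both lines. "authentication timer reauthenticate server"
 ! would instead let a RADIUS Session-Timeout attribute set the interval.
 authentication periodic
 authentication timer reauthenticate 7200
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

The point of the pair `authentication periodic` / `authentication timer reauthenticate` is to make the switch-side timer the explicit source of reauthentication; with the `server` keyword the interval would come from the RADIUS Access-Accept instead, which is why checking the server's returned attributes matters when reauthentication happens unexpectedly.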

Hello @Jens Albrecht 

Thanks for the reply. I am using Cisco IOS XE Software, Version 17.12.05a, the latest recommended version for ISR 1000. I tried the authentication timer reauthenticate command with authentication periodic set to 7200 seconds, and still have the same issue. This is the output of the show run all command:

[attached image: JUANNN_0-1749289418104.png]

I have been trying to find some answers, but as far as my knowledge goes, I do not see anything...

[attached image: JUANNN_1-1749290395333.png]

All the hosts are using different credentials, ruling out a Simultaneous Use attribute issue....

Hello @JUANNN,

Have you done a debug of the authentication? On the one hand, there is a chance that the switch shows a reason for the reauthentication, and secondly this should confirm that the FreeRADIUS server does indeed not send any additional attributes.

Regards, Jens
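As an added example of the checks Jens suggests (not commands from the thread, and with an assumed interface name), these are the IOS-XE show and debug commands that expose the effective port settings and the reason a session is torn down or reauthenticated. Their output is not reproduced here because it depends on the platform and session state.

```cisco
! Added example: verify the effective (including default) port settings
! and watch session events. Interface name is an assumption.
show running-config all | section interface GigabitEthernet0/1/0
show authentication sessions interface GigabitEthernet0/1/0 details
show dot1x interface GigabitEthernet0/1/0 details
!
! Enable debugs, reproduce one reauthentication, then turn them off.
terminal monitor
debug authentication all
debug dot1x events
debug radius authentication
!
undebug all
```

On the FreeRADIUS side, the attributes to look for in the Access-Accept of the `radiusd -X` debug output are `Session-Timeout` and `Termination-Action`: if the port is configured with `authentication timer reauthenticate server`, those two drive the reauthentication interval from the server rather than from the switch.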

Hello @Jens Albrecht 

I ran FreeRADIUS in debug mode, and I also tried single-host mode (just for the Windows client) and multi-host mode, and I do not have the problem. It is only on multi-auth.

Do you think it can be an issue with the Windows client? The thing with the Linux hosts that run as VMs is that this continuous "reauthentication" is invisible to them, but it prompts me for their reauthentication on the Windows client. That is, I get a Sign in notification 3 times, one for the Windows client itself and the rest for the 2 VMs that support 802.1X, but all 3 notifications on the Windows client. Do you know if this is normal? And the problem is that these sign-in prompts are continuous....

I wonder if it can be an issue with my design then... maybe with ESXi this does not happen... but it does not make sense to me, because the thing with VMware Workstation Pro is that the VMs are bridged to the Windows network adapter.

Jens Albrecht (Level 4)

Hello @JUANNN,

I use a very similar setup from time to time without such problems, so it could indeed be an issue with the Windows client.

The major difference is that I never authenticate my Windows machine, only the VMs that run on VMware Workstation Pro, in bridged mode as well. So I always get the notifications on the VM, as the Windows machine simply does not run 802.1X at all, which also means that I always use multi-auth. No problems with this setup so far.

Regards, Jens

Hello @Jens Albrecht 

Thanks for your responses. I have tried the setup you suggested, and it works as a workaround in multi-auth mode. However, it is funny, because the Cisco device keeps showing the reauthentication messages for the VMs, but since I put the credentials in the /etc/netplan/ensxx file for 802.1X PEAP, I don't get any login messages on the Linux hosts and, even though the issue is still there, when I am working with the VMs it is "invisible". On the Windows client, even if I save the credentials, it keeps prompting for the login.

But what really worries me is that if I add more VMs, it could get to the point where the Cisco device and the AAA server start getting overloaded.

Now, I have seen that the reauthentication occurs every 65 seconds:

[attached image: JUANNN_1-1749326017615.png]

So in your setup, do you use MAB for the Windows client? Because from my understanding, the switchport in multi-auth mode will have to authenticate it as well. Or a Guest VLAN?

I will have to keep troubleshooting this, but thanks for your interest and help!