Re: Dot1x authentication failed logs even though MAB is used

katerina.dardoufa · ‎11-15-2023

Hi all,

I have a situation where I have configured MAB for a specific endpoint. Even though the device authenticates with MAB, we also get the following logs on our switch.

027552: Nov 15 10:12:15.245: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (0001.02e0.9eb1) with reason (No Response from Client) on Interface Gi3/0/43 AuditSessionID 1E021E0A000001DDD1EBC3E4

This happens every one minute, thus filling up the logs. The account session timeout is the 48hours. (Acct update timeout: 172800s (local), Remaining: 172760s).

We have rebooted the end device, we have cleared the session from ISE, we have flapped the switch interface, with no luck. What might be the cause of the logs? ISE reporting shows that the device is authenticated via MAB.I also want to state that this is an SDA implementation.

Thank you in advance,

Katerina

andy!doesnt!like!uucp · ‎11-15-2023

with that logs you definitely have list of auth methods containing dot1x. you can see it with "show authen sess int <INTF> d" in the bottom

balaji.bandi · ‎11-15-2023

we need more information as below :

1. what ISE Version

2. what Swtich model and IOS code running ?

3. how is your port configuration on the device connected ?

4. what is the end device (make and model ?)

Some Switches have bugs reported (so based on the model the bug may be effected to switch)

post - show authentication sessions (check is the authentication success ?)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

katerina.dardoufa · ‎11-15-2023

Hello BB,

1. ISE Version: 3.2.0.542

2. Catalyst: 9300 17.9.4

3. Port configuration - downloaded via DNAC

interface GigabitEthernet3/0/43
switchport mode access
device-tracking attach-policy IPDT_POLICY
ip flow monitor DNAC-FNF input
ip flow monitor DNAC-FNF output
dot1x timeout tx-period 7
dot1x max-reauth-req 3
source template DefaultWiredDot1xClosedAuth
spanning-tree portfast
spanning-tree bpduguard enable
end

4. Workstation is Windows-XP (I have asked the system engineers to have a look and see if the PC is ok).

What interests me is that I have configured MAB for the device, it actually gets authenticated via MAB and works, but it still generates the logs. I could statically configure the port via DNAC and have the device not be authenticated, but I would like to investigate and if I do not find another solution, then revert to static configuration.

Thanks in advance,

Katerina

andy!doesnt!like!uucp · ‎11-16-2023

with "source template DefaultWiredDot1xClosedAuth" command on interface u for sure use both dot1x & mab methods in sequence dot1 & then mab with dot1x restarting every 60 seconds bc of policy dictates so by default. What is your output "sho access-sess int <INTF> d" when device gets authenticated?

katerina.dardoufa · ‎11-16-2023

The device gets authenticated via MAB, as can be seen below:

EN-MK-F0-CR-A8-1#sh access-session interface gi3/0/43 details
Interface: GigabitEthernet3/0/43
IIF-ID: 0x108C2DFB
MAC Address: 0001.02e0.9eb1
IPv6 Address: Unknown
IPv4 Address: x.x.x.x
User-Name: 00-01-02-E0-9E-B1
Device-type: Microsoft-Workstation
Device-name: wks-pc
VRF: CORPORATE_VN
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Acct update timeout: 172800s (local), Remaining: 78579s
Common Session ID: 1E021E0A000001DDD1EBC3E4
Acct Session ID: 0x00000219
Handle: 0x380001d3
Current Policy: PMAP_DefaultWiredDot1xClosedAuth_1X_MAB

Local Policies:

Server Policies:
VN Value: CORPORATE_VN
Vlan Group: Vlan: xxx
SGT Value: yyy

Method status list:
Method State
dot1x Stopped
mab Authc Success

MHM Cisco World · ‎11-15-2023

Do you use Order dot1x mab in your config?

katerina.dardoufa · ‎11-15-2023

Yes, dot1x/mab is used in the configuration. But I would think that if the device got authenticated, it would try to reauthenticate once the timer expires (48hours) and not every minute.

MHM Cisco World · ‎11-15-2023

Share config let me see

katerina.dardoufa · ‎11-16-2023

I am sharing part of the configuration.

template DefaultWiredDot1xClosedAuth
dot1x pae authenticator
dot1x timeout supp-timeout 7
dot1x max-req 3
switchport mode access
switchport voice vlan 2046
mab
access-session host-mode multi-domain
access-session closed
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber PMAP_DefaultWiredDot1xClosedAuth_1X_MAB

policy-map type control subscriber PMAP_DefaultWiredDot1xClosedAuth_1X_MAB
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x retries 2 retry-time 0 priority 10
event authentication-failure match-first
5 class DOT1X_FAILED do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
10 activate service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
20 activate service-template DefaultCriticalVoice_SRV_TEMPLATE
30 authorize
40 pause reauthentication
20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
10 pause reauthentication
20 authorize
30 class DOT1X_NO_RESP do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
40 class MAB_FAILED do-until-failure
10 terminate mab
20 authentication-restart 60
50 class DOT1X_TIMEOUT do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
60 class always do-until-failure
10 terminate dot1x
20 terminate mab
30 authentication-restart 60
event aaa-available match-all
10 class IN_CRITICAL_AUTH_CLOSED_MODE do-until-failure
10 clear-session
20 class NOT_IN_CRITICAL_AUTH_CLOSED_MODE do-until-failure
10 resume reauthentication
event agent-found match-all
10 class always do-until-failure
10 terminate mab
20 authenticate using dot1x retries 2 retry-time 0 priority 10
event inactivity-timeout match-all
10 class always do-until-failure
10 clear-session
event authentication-success match-all
event violation match-all
10 class always do-until-failure
10 restrict
event authorization-failure match-all
10 class AUTHC_SUCCESS-AUTHZ_FAIL do-until-failure
10 authentication-restart 60

EN-MK-F0-CR-A8-1#sh run all | begin 3/0/43
interface GigabitEthernet3/0/43
mvrp timer leave-all 1000
mvrp timer leave 60
mvrp timer join 20
no mvrp timer periodic
no mvrp
switchport
switchport access vlan 1
switchport trunk native vlan tag
switchport trunk allowed vlan all
no switchport autostate exclude
switchport private-vlan trunk encapsulation dot1q
switchport private-vlan trunk native vlan tag
switchport mode access
no switchport nonegotiate
no switchport protected
no switchport block multicast
no switchport block unicast
no switchport vepa enabled
no switchport app-interface
switchport voice vlan 2046
switchport port-security maximum 65535 vlan voice
no switchport port-security mac-address sticky
device-tracking attach-policy IPDT_POLICY vlan all
ip flow monitor DNAC-FNF input
ip flow monitor DNAC-FNF output
no ip arp inspection trust
ip arp inspection limit rate 15 burst interval 1
ip arp inspection limit rate 15
logging event link-status
load-interval 300
carrier-delay 2
no shutdown
power inline port priority low
power inline auto max 30000
power inline static
power inline never
power inline police
no medium p2p
cdp log mismatch duplex
cdp tlv location
cdp tlv server-location
cdp tlv app
ipv6 mld snooping tcn flood
no macsec replay-protection
mpls mtu 9100
mpls mldp
authentication timer unauthorized 0
authentication linksec policy
snmp trap mac-notification change added
snmp trap mac-notification change removed
snmp trap link-status
cts role-based enforcement
dot1x timeout tx-period 7
dot1x max-reauth-req 3
no mka pre-shared-key
mka default-policy
bfd enable
arp arpa
arp timeout 14400
lldp transmit
lldp receive
lldp tlv-select power-management
lldp tlv-select 4-wire-power-management
source template DefaultWiredDot1xClosedAuth
channel-group auto
spanning-tree portfast disable
spanning-tree portfast trunk
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree port-priority 128
spanning-tree cost 0
ethernet oam max-rate 10
ethernet oam min-rate 1
ethernet oam remote-loopback timeout 2
ethernet oam timeout 5
hold-queue 2000 in
hold-queue 40 out
ip igmp snooping tcn flood
no bgp-policy accounting input
no bgp-policy accounting output
no bgp-policy accounting input source
no bgp-policy accounting output source
no bgp-policy source ip-prec-map
no bgp-policy source ip-qos-map
no bgp-policy destination ip-prec-map
no bgp-policy destination ip-qos-map

HTH

andy!doesnt!like!uucp · ‎11-16-2023

i guess u hit this event by getting some eapol packet from windows machine. check the machine events log & wired NIC security settings
event agent-found match-all
10 class always do-until-failure
10 terminate mab
20 authenticate using dot1x retries 2 retry-time 0 priority 10

katerina.dardoufa · ‎11-21-2023

Weirdly enough... the logs stopped all by themselves at some point...

Didn't ever get down to finding the root cause. I will have to wait to see if the problem reappears.

andy!doesnt!like!uucp · ‎11-21-2023

maybe windows admins did something with machine's supplicant :0)

mjbright757 · ‎02-07-2024

I'm experiencing this same issue with various endpoints (printers, ip phones, etc) with a site I just converted to IBNS2.0. I've got the same log messages occurring roughly every 1-3 minutes (it varies) and in 1 day, ISE shows 47,640 hits on my policy set for IBNS2.0 for the ip phones. And that's 1 site with maybe 10-15 phones. My ISE IBNS1.0 policy set that targets my other 120 sites with a total of roughly 4,000 ip phones, shows only 8,192 hits for the day.

My first thought was the event agent-found match-all being triggered, but I've ssh'd into the ip phones and verified device authentication is disabled on them. Checked a handful of the printers and other non Windows machines as well, but 802.1x was disabled on all of them.

I just added the Reauthentication Timer and Radius:Idle-Timeout attributes to my AuthzProfiles for these endpoints and set them to 28800 and 36000 respectfully. This sets the session-timeout on the interface to 8hrs and idle-timeout to 10hrs, which may not be ideal, but so far it seems to have solved the issue as my logs have cleaned up. Will have to wait and see what ISE numbers report tomorrow.