02-11-2022 01:54 AM
Hi folks,
Trying to use radius authentication for mac addresses.
At first it seems OK: at the first plug, the supplicant is correctly authenticated
10-Feb-2022 16:54:28 %SEC-I-SUPPLICANTAUTHORIZED: MAC 24:5e:be:xx:xx:xx is authorized on port gi2/0/14
But if I unplug it and then plug it back in again, the status stays unauthenticated and I can't see any request to the RADIUS server...
Relevant part of the config:
dot1x system-auth-control
dot1x traps authentication failure 802.1x mac
dot1x traps authentication success 802.1x mac
dot1x supplicant traps authentication failure
dot1x supplicant traps authentication success
dot1x mac-auth radius
encrypted dot1x mac-auth password *removed*
encrypted radius-server host 172.16.32.247 key *removed* usage dot1.x
aaa authentication login SSH local
aaa authentication enable SSH enable
aaa authentication login Console local
aaa accounting dot1x start-stop group radius
interface GigabitEthernet2/0/14
dot1x guest-vlan enable
dot1x reauthentication
dot1x timeout reauth-period 300
dot1x authentication mac
dot1x radius-attributes vlan static
dot1x port-control auto
Firmware is up to date, I'm stuck.
02-11-2022 06:49 AM
There's no iPhone involved. Your cases are not clear to me. I use a QNAP and its two NICs (one with a MAC allowed in RADIUS) for my testing.
Behaviour:
qnap plugged in for the first time: authentication OK
qnap unplugged then plugged in again: no authentication, port stays unauthorized without asking anything of the RADIUS server
qnap unplugged and its second NIC (whose MAC is not allowed) plugged in: no "auth refused" message at all, nothing asked of the RADIUS server
qnap plugged into another port, not previously used: auth OK
qnap 2nd NIC plugged into a third port, not previously used: auth refused
02-11-2022 07:03 AM
What I am saying is the SW sends a request to 802.1x in one of three cases:
link down
inactivity "this config is in global mode"
CDP "this supports only iPhone"
When you plug and unplug, does the link go down?
If the link does not go down then the SW will assume that the device on the other side is still connected and doesn't send an auth request to the 802.1x server.
02-11-2022 07:35 AM
Link goes down when I unplug:
Test from the 1st NIC (allowed in RADIUS), plugged in for the first time (at 15:30:53, auth OK), then unplugged (15:32:39 link down), and plugged back in (15:33:03, no auth done):
11-Feb-2022 15:30:53 %LINK-I-Up: gi1/0/21
11-Feb-2022 15:30:54 %SEC-W-PORTUNAUTHORIZED: Port gi1/0/21 is unAuthorized
11-Feb-2022 15:30:58 %STP-W-PORTSTATUS: gi1/0/21: STP status Forwarding
11-Feb-2022 15:30:58 %SEC-I-PORTAUTHORIZED: Port gi1/0/21 is Authorized
11-Feb-2022 15:30:58 %SEC-I-SUPPLICANTAUTHORIZED: MAC 24:5e:be:21:05:b0 is authorized on port gi1/0/21
11-Feb-2022 15:32:29 %LINK-W-Down: gi1/0/21
11-Feb-2022 15:33:03 %LINK-I-Up: gi1/0/21
11-Feb-2022 15:33:03 %SEC-W-PORTUNAUTHORIZED: Port gi1/0/21 is unAuthorized
11-Feb-2022 15:33:07 %STP-W-PORTSTATUS: gi1/0/21: STP status Forwarding
02-11-2022 08:51 AM
This short time is around 24 sec.
You need 30 sec x max-try = around 1.5 to 2 min.
Please do it again with this timing and see the result.
02-11-2022 11:24 AM - edited 02-12-2022 01:32 PM
Did you test again?
Note:-
802.1x + MAB uses one of two models:
1- wait until no reply is received from the client, then start MAB
2- start MAB; if it fails, then start 802.1x
For your case it is model one,
so you must wait some time before MAB starts to work.
This time can be configured or left at the default.
02-14-2022 12:38 AM
Back to business, I'll test it this morning (CEST time zone). But I'm quite sure this won't change anything, since if I first plug in a "refused" MAC and then an accepted one, it works immediately.
02-14-2022 01:01 AM
So... I use a QNAP with its 2 NICs to test. The first NIC's MAC is allowed, the 2nd is not.
First NIC plugged in:
4-Feb-2022 08:32:09 %LINK-I-Up: Vlan 500
14-Feb-2022 08:32:09 %SEC-W-PORTUNAUTHORIZED: Port gi1/0/25 is unAuthorized
14-Feb-2022 08:32:14 %STP-W-PORTSTATUS: gi1/0/25: STP status Forwarding
14-Feb-2022 08:32:14 %LINK-I-Up: Vlan 100
14-Feb-2022 08:32:14 %SEC-I-PORTAUTHORIZED: Port gi1/0/25 is Authorized
14-Feb-2022 08:32:14 %SEC-I-SUPPLICANTAUTHORIZED: MAC 24:5e:be:21:05:b0 is authorized on port gi1/0/25
Then 5 min later, unplugged, and the 2nd NIC plugged in:
14-Feb-2022 08:37:51 %LINK-W-Down: Vlan 100
14-Feb-2022 08:37:51 %LINK-W-Down: Vlan 500
14-Feb-2022 08:37:54 %LINK-I-Up: gi1/0/25
14-Feb-2022 08:37:54 %LINK-I-Up: Vlan 500
14-Feb-2022 08:37:54 %SEC-W-PORTUNAUTHORIZED: Port gi1/0/25 is unAuthorized
14-Feb-2022 08:37:59 %STP-W-PORTSTATUS: gi1/0/25: STP status Forwarding
And I waited 10 min for another message, but nothing, and the port is unauthorized. Well, you could say it's normal since this MAC is not allowed, but I should have seen the "auth refused" message and a request to the RADIUS, but there isn't one.
Then I plug the 1st NIC back in:
14-Feb-2022 08:48:33 %LINK-W-Down: gi1/0/25
14-Feb-2022 08:48:33 %LINK-W-Down: Vlan 500
14-Feb-2022 08:48:35 %LINK-I-Up: gi1/0/25
14-Feb-2022 08:48:35 %LINK-I-Up: Vlan 500
14-Feb-2022 08:48:40 %STP-W-PORTSTATUS: gi1/0/25: STP status Forwarding
Same thing, no request, now for 5 min, port stays unauthorized.
Then just to be sure, plug the first NIC into another port of the switch (never previously used since the last reboot):
14-Feb-2022 08:54:45 %LINK-W-Down: gi1/0/25
14-Feb-2022 08:54:45 %LINK-W-Down: Vlan 500
14-Feb-2022 08:54:47 %LINK-I-Up: gi1/0/27
14-Feb-2022 08:54:47 %LINK-I-Up: Vlan 500
14-Feb-2022 08:54:47 %SEC-W-PORTUNAUTHORIZED: Port gi1/0/27 is unAuthorized
14-Feb-2022 08:54:52 %STP-W-PORTSTATUS: gi1/0/27: STP status Forwarding
14-Feb-2022 08:54:53 %LINK-I-Up: Vlan 100
14-Feb-2022 08:54:53 %SEC-I-PORTAUTHORIZED: Port gi1/0/27 is Authorized
14-Feb-2022 08:54:53 %SEC-I-SUPPLICANTAUTHORIZED: MAC 24:5e:be:21:05:b0 is authorized on port gi1/0/27
And it's now authorized back again. Further testing, 2nd NIC on another switch port, not previously used:
14-Feb-2022 08:57:06 %LINK-I-Up: gi1/0/31
14-Feb-2022 08:57:06 %LINK-I-Up: Vlan 500
14-Feb-2022 08:57:06 %SEC-W-PORTUNAUTHORIZED: Port gi1/0/31 is unAuthorized
14-Feb-2022 08:57:10 %STP-W-PORTSTATUS: gi1/0/31: STP status Forwarding
14-Feb-2022 08:57:11 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 24:5e:be:21:05:b1 was rejected on port gi1/0/31 due to wrong user name or password in Radius server
Again expected behaviour... So I don't think the problem is the timeout.
02-14-2022 01:09 AM - edited 02-14-2022 01:10 AM
A bit more intel:
With the 2nd NIC still plugged in from the latest step of testing:
14-Feb-2022 08:57:11 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 24:5e:be:21:05:b1 was rejected on port gi1/0/31 due to wrong user name or password in Radius server
14-Feb-2022 08:58:11 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 24:5e:be:21:05:b1 was rejected on port gi1/0/31 due to wrong user name or password in Radius server
14-Feb-2022 08:59:13 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 24:5e:be:21:05:b1 was rejected on port gi1/0/31 due to wrong user name or password in Radius server
14-Feb-2022 09:00:13 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 24:5e:be:21:05:b1 was rejected on port gi1/0/31 due to wrong user name or password in Radius server
14-Feb-2022 09:01:14 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 24:5e:be:21:05:b1 was rejected on port gi1/0/31 due to wrong user name or password in Radius server
14-Feb-2022 09:02:15 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 24:5e:be:21:05:b1 was rejected on port gi1/0/31 due to wrong user name or password in Radius server
14-Feb-2022 09:03:17 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 24:5e:be:21:05:b1 was rejected on port gi1/0/31 due to wrong user name or password in Radius server
14-Feb-2022 09:04:21 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 24:5e:be:21:05:b1 was rejected on port gi1/0/31 due to wrong user name or password in Radius server
The switch tries to auth regularly, every 60 sec, which is normal I think (again, that's my first dot1x lab with this CBS350).
What's not normal is the fact that a "once authorized" port won't try to auth again.
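An added example, not code from the thread or from Cisco, that automates the check the poster is doing by hand above: it parses CBS350 syslog lines and flags ports that came up (%LINK-I-Up) but received neither a %SEC-I-SUPPLICANTAUTHORIZED nor a %SEC-W-SUPPLICANTUNAUTHORIZED decision within a window. The log lines are a constructed sample condensed from the ones quoted in the thread; the 120-second window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, condensed from the CBS350 log lines quoted in the thread.
SAMPLE_LOG = """\
14-Feb-2022 08:32:09 %LINK-I-Up: gi1/0/25
14-Feb-2022 08:32:09 %SEC-W-PORTUNAUTHORIZED: Port gi1/0/25 is unAuthorized
14-Feb-2022 08:32:14 %SEC-I-SUPPLICANTAUTHORIZED: MAC 24:5e:be:21:05:b0 is authorized on port gi1/0/25
14-Feb-2022 08:37:51 %LINK-W-Down: gi1/0/25
14-Feb-2022 08:37:54 %LINK-I-Up: gi1/0/25
14-Feb-2022 08:37:54 %SEC-W-PORTUNAUTHORIZED: Port gi1/0/25 is unAuthorized
14-Feb-2022 08:57:06 %LINK-I-Up: gi1/0/31
14-Feb-2022 08:57:06 %SEC-W-PORTUNAUTHORIZED: Port gi1/0/31 is unAuthorized
14-Feb-2022 08:57:11 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 24:5e:be:21:05:b1 was rejected on port gi1/0/31 due to wrong user name or password in Radius server
14-Feb-2022 09:10:00 %LINK-W-Down: gi1/0/31
"""

LINE_RE = re.compile(r"^(\d{1,2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}) %(\S+?): (.*)$")
PORT_RE = re.compile(r"(gi\d+/\d+/\d+)")
DECISIONS = ("SEC-I-SUPPLICANTAUTHORIZED", "SEC-W-SUPPLICANTUNAUTHORIZED")

def parse(text):
    """Yield (timestamp, mnemonic, port) for lines that name a physical port;
    lines about Vlan interfaces carry no gi port and are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")
        port = PORT_RE.search(m.group(3))
        if port:
            yield ts, m.group(2), port.group(1)

def find_silent_ports(text, window_s=120, now=None):
    """Return {port: link-up time} for link-ups that got neither an authorized
    nor a rejected decision within window_s seconds. A link-down closes the
    pending link-up; 'now' defaults to the last timestamp seen in the log."""
    pending, silent, last_ts = {}, {}, None
    for ts, mnemonic, port in parse(text):
        last_ts = ts
        if mnemonic == "LINK-I-Up":
            pending[port] = ts                 # a new auth attempt should follow
        elif mnemonic in DECISIONS:
            pending.pop(port, None)            # the switch did consult RADIUS
        elif mnemonic == "LINK-W-Down":
            up = pending.pop(port, None)
            if up is not None and ts - up > timedelta(seconds=window_s):
                silent[port] = up
    end = now or last_ts
    for port, up in pending.items():           # still up, still no decision
        if end is not None and end - up > timedelta(seconds=window_s):
            silent[port] = up
    return silent
```

On the sample this reports only gi1/0/25 for its second link-up at 08:37:54, the case the thread describes; gi1/0/31 is not reported because the switch logged a rejection for it.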
02-14-2022 01:21 AM
With the working port, does the port get VLAN 100 from the RADIUS server?
What is the guest VLAN here?
02-14-2022 01:35 AM - edited 02-14-2022 01:41 AM
VLAN 100 is indeed assigned by the RADIUS server, and VLAN 500 is the guest VLAN. Here are the relevant parts of the config:
dot1x guest-vlan timeout 30
vlan database
vlan 100,200,300,400,500
dot1x system-auth-control
dot1x traps authentication failure 802.1x mac
dot1x traps authentication success 802.1x mac
dot1x supplicant traps authentication failure
dot1x supplicant traps authentication success
dot1x mac-auth radius
encrypted dot1x mac-auth password *removed*
encrypted radius-server host 172.16.32.247 key *removed* usage dot1.x
aaa accounting dot1x start-stop group radius
interface vlan 100
name Bureaux
!
interface vlan 500
name Public
dot1x guest-vlan
!
interface GigabitEthernet1/0/1
dot1x guest-vlan enable
dot1x reauthentication
dot1x timeout reauth-period 300
dot1x authentication mac
dot1x radius-attributes vlan static
dot1x port-control auto
switchport access vlan 500
Same config for gi1/0/1-47.