802.1x / access-session Client Drops Connectivity

RobertMeany9257
Level 1

I'm working on configuring RADIUS authentication on our network and have run into an issue where, after successfully getting authorized on a port, the supplicant drops about 2 seconds worth of packets every 30 seconds or so.


I have the following debug logging enabled to troubleshoot: 

Radius protocol debugging is on
Radius protocol verbose debugging is on
Radius packet protocol (authentication) debugging is on
Radius packet retransmission debugging is on
Auth Manager:
  Auth Manager errors debugging is on
  Auth Manager events debugging is on
  Auth Manager detailed debugs debugging is on
  Auth Manager sync debugging is on
Policy Manager:
  Policy Manager Actions debugging is on

During the brief outages, no messages are logged from any of these services.


General config commands for dot1x:

ip radius source-interface Vlan200

aaa authentication dot1x default group radius
aaa authorization network default group radius local

dot1x system-auth-control
dot1x logging verbose

identity profile default

service-template webauth-global-inactive
 inactivity-timer 3600
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan
service-template guest-vlan
 description < This service template gets applied to an interface when a client fails to authenticate via dot1x or mab >
 vlan 64
 interface-template guest-vlan-interface-template

class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match result-type aaa-timeout
 match authorization-status authorized
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
!
class-map type control subscriber match-all DOT1X
 match method dot1x
!
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_MEDIUM_PRIO
 match authorizing-method-priority gt 20
!
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all DOT1X_TIMEOUT
 match method dot1x
 match result-type method dot1x method-timeout
!
class-map type control subscriber match-all MAB
 match method mab
!
class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative

policy-map type control subscriber CPS_POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  20 class MAB_FAILED do-until-failure
   10 terminate mab
   20 activate service-template guest-vlan
   30 authorize
  30 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10

template guest-vlan-interface-template
 switchport access vlan 64
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable

interface GigabitEthernet1/0/1
 switchport mode access
 access-session host-mode multi-host
 access-session port-control auto
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy type control subscriber CPS_POLICY


#sho access-session

Interface    MAC Address    Method  Domain  Status Fg Session ID
Gi1/0/1      1860.2484.8868 dot1x   DATA    Auth      0A0BC8640000102666D05C80

Session count = 1

Key to Session Events Blocked Status Flags:

  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  N - Waiting for AAA to come up
  P - Pushed Session
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker

Is there anything anyone can see wrong with this configuration that would be the cause of the packet drops? Suggestions for where to look further?

2 Replies

RobertMeany9257
Level 1

It looks like it may be related to IPDT...

Debugging IPDT, the following messages get logged every time connectivity is lost:


Jan  1 20:52:39.494: sw_host_track-ev:ARP packet received from ARP snooper(Gi1/0/1 10.11.32.74 (1860.2484.8868) VLAN:32)
Jan  1 20:52:39.495: sw_host_track-ev:host_track_notification: Add event for host - (Gi1/0/1 10.11.32.74 (1860.2484.8868) VLAN:32 ID:0 ARP)
Jan  1 20:52:39.495: sw_host_track-ev:Async Wired Add event - (Gi1/0/1 10.11.32.74 (1860.2484.8868) VLAN:32 ID:0 ARP)
Jan  1 20:52:39.495: sw_host_track-ev:MSG = Host Track Add Entry
Jan  1 20:52:39.495: sw_host_track-ev:Add event: 1860.2484.8868, 10.11.32.74, GigabitEthernet1/0/1
Jan  1 20:52:39.495: sw_host_track-ev:Cache entry refreshed (Gi1/0/1 10.11.32.74 (1860.2484.8868) VLAN:32 ID:56 ARP)
Jan  1 20:52:39.495: sw_host_track-ev:Activating host - (Gi1/0/1 10.11.32.74 (1860.2484.8868) VLAN:32 ID:56 ARP)
Jan  1 20:52:39.495: sw_host_track-ev:Starting cache timer: 30 seconds - (Gi1/0/1 10.11.32.74 (1860.2484.8868) VLAN:32 ID:56)
Jan  1 20:52:39.495: sw_host_track-notify:host_track_activate_entry Notify other features: activate -(Gi1/0/1 10.11.32.74 (1860.2484.8868) VLAN:32 ID:56 ARP)

I have the following config command entered on our switches, which is a workaround for our Windows clients, who were dropping their IP address assignments due to IPDT causing the Windows clients to believe they had a duplicate IP address.

Not sure if it is related but I'll try removing it and see what happens...


ip device tracking probe auto-source fallback 0.0.0.1 255.255.255.0 override


... And removing the "ip device tracking probe auto-source fallback 0.0.0.1 255.255.255.0" command seems to have fixed this particular problem. The technical details of why this was causing the problem are beyond me, but it works.

Of course, that means Windows clients can potentially have issues with duplicate IP address detection again...

So, referring back to https://www.cisco.com/c/en/us/support/docs/ip/address-resolution-protocol-arp/118630-technote-ipdt-00.html#anc12, I am going to instead use the "ip device tracking probe delay 10" command on our switches, which does not cause the intermittent connectivity issue, and hope that works for us.
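As an added triage example (not part of the thread and not Cisco's code), the script below parses IPDT debug output of the kind shown above, measures how often the "Starting cache timer" event fires per tracked host, and flags hosts whose timer restarts line up with the roughly 30-second cadence of the reported drops. It also audits a config snippet for the "auto-source fallback" probe command versus the "probe delay" command chosen as the fix. The debug line format is assumed from the lines in the reply; the two additional timer restarts in the sample and the two config snippets are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line format assumed from the IPDT debug lines in the reply above; other IOS
# releases may word the message differently.
TIMER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d\.\d+): sw_host_track-ev:"
    r"Starting cache timer: (?P<secs>\d+) seconds - "
    r"\((?P<intf>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) \((?P<mac>[0-9a-f.]+)\)"
)

# Constructed sample: the first two lines are taken from the reply, the later
# two restarts are constructed 30 s apart to mimic a recurring probe cycle.
SAMPLE_DEBUG = """\
Jan  1 20:52:39.495: sw_host_track-ev:Cache entry refreshed (Gi1/0/1 10.11.32.74 (1860.2484.8868) VLAN:32 ID:56 ARP)
Jan  1 20:52:39.495: sw_host_track-ev:Starting cache timer: 30 seconds - (Gi1/0/1 10.11.32.74 (1860.2484.8868) VLAN:32 ID:56)
Jan  1 20:53:09.512: sw_host_track-ev:Starting cache timer: 30 seconds - (Gi1/0/1 10.11.32.74 (1860.2484.8868) VLAN:32 ID:56)
Jan  1 20:53:39.498: sw_host_track-ev:Starting cache timer: 30 seconds - (Gi1/0/1 10.11.32.74 (1860.2484.8868) VLAN:32 ID:56)
"""

# Constructed config snippets: the "before" state from the thread and the
# "after" state using the command the poster switched to.
BEFORE_CONFIG = """\
ip device tracking probe auto-source fallback 0.0.0.1 255.255.255.0 override
ip radius source-interface Vlan200
"""
AFTER_CONFIG = """\
ip device tracking probe delay 10
ip radius source-interface Vlan200
"""

FALLBACK_RE = re.compile(r"^\s*ip device tracking probe auto-source fallback\b")
DELAY_RE = re.compile(r"^\s*ip device tracking probe delay (\d+)\s*$")


def cache_timer_events(debug_text):
    """Extract each 'Starting cache timer' event as a dict with a parsed timestamp."""
    events = []
    for line in debug_text.splitlines():
        m = TIMER_RE.match(line)
        if not m:
            continue
        # IOS timestamps carry no year; strptime defaults to 1900, which is
        # fine because only differences between timestamps are used.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S.%f")
        events.append({"ts": ts, "intf": m.group("intf"), "ip": m.group("ip"),
                       "mac": m.group("mac"), "secs": int(m.group("secs"))})
    return events


def timer_intervals(events):
    """Seconds between consecutive timer restarts, keyed by (interface, ip)."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[(ev["intf"], ev["ip"])].append(ev["ts"])
    intervals = {}
    for host, stamps in by_host.items():
        stamps.sort()
        intervals[host] = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return intervals


def periodic_hosts(intervals, period=30.0, tolerance=2.0):
    """Hosts whose every restart gap sits within tolerance of the given period."""
    return sorted(host for host, gaps in intervals.items()
                  if gaps and all(abs(g - period) <= tolerance for g in gaps))


def audit_ipdt_config(config_text):
    """Report the probe auto-source fallback line (if any) and the probe delay value."""
    result = {"auto_source_fallback": None, "probe_delay": None}
    for line in config_text.splitlines():
        if FALLBACK_RE.match(line):
            result["auto_source_fallback"] = line.strip()
        m = DELAY_RE.match(line)
        if m:
            result["probe_delay"] = int(m.group(1))
    return result


if __name__ == "__main__":
    gaps = timer_intervals(cache_timer_events(SAMPLE_DEBUG))
    for host, seconds in gaps.items():
        print(host, [round(s, 1) for s in seconds])
    print("hosts on a ~30 s cycle:", periodic_hosts(gaps))
    print("before:", audit_ipdt_config(BEFORE_CONFIG))
    print("after: ", audit_ipdt_config(AFTER_CONFIG))
```

Run it against a pasted "debug ip device tracking" capture to see which tracked hosts are being re-probed on a fixed cycle; a host whose restart interval matches the interval between the observed outages is the one to correlate against the probe configuration.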