dot1x authentication fails after switch reboot

Hi,

I have noticed that in some cases when a switch reboots, dot1x authentication fails. This goes on until I disable authentication on the port. If I enable it after some time, everything works fine. I was thinking of adding all the MAC addresses in ISE, just as a workaround, but clearly this solution is not sustainable.

Is there something I am missing or any changes I need to make on the configuration?

My setup is as follows:

radius server ISE1
 address ipv4 xxxxxxx auth-port 1812 acct-port 1813
 timeout 4
 retransmit 3
 automate-tester username dummy ignore-acct-port probe-on
 key 7 123E175A435B56558E

radius server ISE2
 address ipv4 yyyyyyy auth-port 1812 acct-port 1813
 timeout 4
 retransmit 3
 automate-tester username dummy ignore-acct-port probe-on
 key 7 123E175A435B56558E

aaa group server radius RADIUS_GROUP
 server name ISE1
 server name ISE2
 ip radius source-interface Vlan1

aaa server radius dynamic-author
 client xxxxxxx server-key zzzzzzzzz
 client yyyyyyy server-key zzzzzzzzz

radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria time 10 tries 3

#aaa commands
aaa authentication dot1x default group RADIUS_GROUP
aaa authorization network default group RADIUS_GROUP
aaa authorization auth-proxy default group RADIUS_GROUP
aaa accounting auth-proxy default start-stop group RADIUS_GROUP
aaa accounting dot1x default start-stop group RADIUS_GROUP
aaa accounting update newinfo periodic 2880

#enable dot1x
dot1x system-auth-control
dot1x logging verbose

# interface configuration
interface GigabitEthernet1/0/x
 switchport mode access
 switchport port-security violation restrict
 switchport port-security aging time 120
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 500
 authentication event fail action next-method
 authentication event server dead action authorize vlan 1
 authentication event server alive action reinitialize
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server dynamic
 authentication violation restrict
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout quiet-period 10
 dot1x timeout tx-period 7
 dot1x timeout supp-timeout 2
 dot1x max-req 1
 spanning-tree portfast
 ip verify source

Thanks!

2 Replies

Hello,

Tough one, as this could be caused by timing issues, or even port security. Not sure what you have already tried, but this is what I would do:

There used to be the command 'dot1x reauthentication deferred', which temporarily disables reauthentication when the switch reboots; not sure if that command is (still) available on your platform.

If that does not help, change the following timers:

radius-server dead-criteria time 30 tries 3
dot1x timeout tx-period 15
dot1x max-req 5
dot1x timeout supp-timeout 5

I (obviously) don't know if changing these values interferes with your security policy. You might want to change them one by one, in order to check if changing any of those makes a difference.

Hope that helps...

Hello Georg,

Thank you for the suggestions, and I am sorry that it took so long for me to reply. The command "dot1x reauthentication deferred" is not supported on the platform, but I removed the command "authentication event server dead action authorize vlan x" from the interface config. I have a feeling that the switch comes up way before the router when there is a power outage; the end devices are put into vlan x when the RADIUS server is down, so I chose not to reauthenticate them when the server was again responsive. I think this solved the issue.
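Added example, not code from the thread or from Cisco: a small Python audit that reads an IOS running-config and reports the two things discussed here, the 'server dead action authorize vlan' fallback that the original poster removed (paired with 'server alive action reinitialize') and the dot1x/RADIUS timers Georg suggested raising. The thresholds are the reply's suggested values, used as assumptions for a heuristic check rather than vendor guidance, and the sample config is constructed to mirror the stanza in the question.

```python
import re
# Thresholds are the values suggested in the reply above, used as audit heuristics (assumption).
SUGGESTED = {"tx-period": 15, "supp-timeout": 5, "max-req": 5}
DEAD_CRITERIA_TIME = 30

def parse_interfaces(config):
    """Map interface name -> its sub-command lines; a stanza ends at '!' or a blank line."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif not line or line == "!":
            current = None
        elif current is not None:
            interfaces[current].append(line)
    return interfaces

def audit(config):
    """Return (scope, finding) tuples for the settings discussed in the thread."""
    findings = []
    dead = re.search(r"radius-server dead-criteria time (\d+)", config)
    if dead and int(dead.group(1)) < DEAD_CRITERIA_TIME:
        findings.append(("global", f"dead-criteria time {dead.group(1)} < {DEAD_CRITERIA_TIME}"))
    for name, lines in parse_interfaces(config).items():
        # The pairing the original poster resolved by removing the 'server dead' line.
        dead_auth = any(l.startswith("authentication event server dead action authorize") for l in lines)
        reinit = any(l.startswith("authentication event server alive action reinitialize") for l in lines)
        if dead_auth and reinit:
            findings.append((name, "server-dead authorize VLAN combined with reinitialize on server alive"))
        for l in lines:
            m = re.match(r"dot1x (?:timeout )?(tx-period|supp-timeout|max-req) (\d+)$", l)
            if m and int(m.group(2)) < SUGGESTED[m.group(1)]:
                findings.append((name, f"{m.group(1)} {m.group(2)} < {SUGGESTED[m.group(1)]}"))
    return findings

# Constructed sample modelled on the stanza in the question; not taken from a real device.
SAMPLE_CONFIG = """\
radius-server dead-criteria time 10 tries 3
interface GigabitEthernet1/0/1
 authentication event server dead action authorize vlan 1
 authentication event server alive action reinitialize
 dot1x timeout tx-period 7
 dot1x timeout supp-timeout 2
 dot1x max-req 1
!
interface GigabitEthernet1/0/2
 dot1x timeout tx-period 15
"""
```

Running `audit(SAMPLE_CONFIG)` on the sample reports the global dead-criteria timer plus four findings on GigabitEthernet1/0/1 and nothing on GigabitEthernet1/0/2, whose only timer already meets the suggested value.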