01-21-2019 11:47 PM - edited 03-08-2019 05:06 PM
Hi Guys,
Is "authentication periodic" command a prerequisite for dot1x authentication?
We are currently testing dot1x authentication for LAN. The laptops and desktops are authenticated using dot1x, while IP phones and other devices are authenticated using MAB. In the process, we found out that some of the desktops whose connections are sourced from IP phones got unauthorized, even though at the beginning those desktops got authorized.
When I see the logs in ISE, somehow the desktop just would not use dot1x as the authentication method. It keeps using MAB as the authentication method. The notification on the user's workstation is "authentication failed". I tried to remove the "authentication periodic" command and restart the port, but it won't go away. Somehow unplugging the cable and plugging it back into the desktop works. I do not know what the difference is here.
Below is my configuration:
GLOBAL CONFIG
aaa group server radius ISE
server name ISE1
server name ISE2
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting update newinfo periodic 2880
aaa server radius dynamic-author
client ISE1_IP server-key mykey
client ISE2_IP server-key mykey
device-tracking policy TRACKING
no protocol udp
tracking enable
dot1x system-auth-control
dot1x critical eapol
ip access-list extended ACL-DEFAULT
permit udp any any eq domain
permit udp any eq bootpc any eq bootps
deny ip any any
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
INTERFACE CONFIG
interface Te2/0/19
switchport access vlan User
switchport mode access
switchport voice vlan Telephony
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security aging time 1
switchport port-security
device-tracking attach-policy TRACKING
ip access-group ACL-DEFAULT in
authentication control-direction in
authentication event fail action next-method
authentication event server dead action reinitialize vlan User
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication port-control auto
authentication violation restrict
authentication periodic
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
end
Below is an example of the log:
Jan 22 14:40:11.024 XYZ: %SESSION_MGR-5-FAIL:Switch 1 R0/0: smd: Authorization failed or unapplied for client (Desktop_MAC) on Interface TenGigabitEthernet2/0/19 AuditSessionID 0A98200600001658747533E7
Any idea what's going on?
Thank you.
01-22-2019 02:07 AM
I'm missing some port config commands, especially
authentication order dot1x mab
authentication priority dot1x mab
Please compare with this sample config.
interface FastEthernet0
description Secure Access Edge with 802.1X & MAB
switchport mode access
switchport access vlan 10
switchport trunk native vlan 10
switchport voice vlan 100
no ip address
authentication control-direction in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 10
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
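As an added illustration (not code from either post), here is a small Python check that parses interface stanzas out of running-config text and reports which of the commands the reply lists (order, priority, server-driven reauthentication timer) are absent from each 802.1X/MAB port. The sample stanza is constructed from the question's port config, and the parser assumes a stanza ends at "!" or "end".

```python
import re

# Constructed sample: the authentication-relevant lines of the port from the
# question, embedded so the check runs offline.
QUESTION_STANZA = """\
interface Te2/0/19
 switchport mode access
 authentication control-direction in
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 authentication periodic
 mab
 dot1x pae authenticator
!
"""

# Commands the reply says an 802.1X + MAB edge port should carry.
REQUIRED = (
    "authentication order dot1x mab",
    "authentication priority dot1x mab",
    "authentication timer reauthenticate server",
)

def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Return {interface name: [normalised lines]}; a stanza ends at '!' or 'end'."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = " ".join(raw.split())          # drop indentation and double spaces
        if re.match(r"interface \S+$", line):
            current = line.split(" ", 1)[1]
            stanzas[current] = []
        elif line in ("!", "end"):
            current = None
        elif current is not None and line:
            stanzas[current].append(line)
    return stanzas

def missing_commands(stanza: list[str]) -> list[str]:
    """Commands from REQUIRED that do not appear verbatim in the stanza."""
    present = set(stanza)
    return [cmd for cmd in REQUIRED if cmd not in present]

def audit(config: str) -> dict[str, list[str]]:
    """Map every port that runs dot1x or MAB to the recommended commands it lacks."""
    return {name: missing_commands(lines)
            for name, lines in parse_interfaces(config).items()
            if "dot1x pae authenticator" in lines or "mab" in lines}
```

Running audit() over the question's stanza lists all three commands as missing; adding them to the stanza yields an empty list for that port, and interfaces without dot1x or mab are not reported.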