Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1157
Views
0
Helpful
5
Replies

dot1x client authentication every 10 minutes?

Chris.Mes
Level 1
Level 1

‎06-08-2022 09:46 PM

Hello,
we have an ISE 2.7.0.356 and Cisco switch WS-C3560X-48P.
A few clients are authenticating every 10 minutes, first they fail, then succeed.
They alway loose the connection for some time.
This is how the switch-log looks like (this client is authenticated by its MAC-address configured in the ISE. But other client with same issue is authenticated by certificate).

Any suggestions?
Thanks.
Jun 9 03:49:07.574: %DOT1X-5-FAIL: Authentication failed for client (4b6c.91e0.5937) on Interface Gi0/19 AuditSessionID 0A64010200000BD52C9ADB8B
Jun 9 03:49:09.075: %DOT1X-5-FAIL: Authentication failed for client (4b6c.91e0.5937) on Interface Gi0/19 AuditSessionID 0A64010200000BD62CA412D7
Jun 9 03:49:10.678: %DOT1X-5-FAIL: Authentication failed for client (4b6c.91e0.5937) on Interface Gi0/19 AuditSessionID 0A64010200000BD62CA412D7
Jun 9 03:50:26.411: %DOT1X-5-FAIL: Authentication failed for client (4b6c.91e0.5937) on Interface Gi0/19 AuditSessionID 0A64010200000BD62CA412D7
Jun 9 03:59:11.451: %DOT1X-5-FAIL: Authentication failed for client (4b6c.91e0.5937) on Interface Gi0/19 AuditSessionID 0A64010200000BD62CA412D7
Jun 9 03:59:12.869: %DOT1X-5-FAIL: Authentication failed for client (4b6c.91e0.5937) on Interface Gi0/19 AuditSessionID 0A64010200000BD82CAD492F
Jun 9 03:59:14.261: %DOT1X-5-FAIL: Authentication failed for client (4b6c.91e0.5937) on Interface Gi0/19 AuditSessionID 0A64010200000BD82CAD492F
Jun 9 04:00:30.380: %DOT1X-5-FAIL: Authentication failed for client (4b6c.91e0.5937) on Interface Gi0/19 AuditSessionID 0A64010200000BD82CAD492F
Jun 9 04:09:14.910: %DOT1X-5-FAIL: Authentication failed for client (4b6c.91e0.5937) on Interface Gi0/19 AuditSessionID 0A64010200000BD82CAD492F
Jun 9 04:09:16.328: %DOT1X-5-FAIL: Authentication failed for client (4b6c.91e0.5937) on Interface Gi0/19 AuditSessionID 0A64010200000BDC2CB67DDC
Jun 9 04:09:17.830: %DOT1X-5-FAIL: Authentication failed for client (4b6c.91e0.5937) on Interface Gi0/19 AuditSessionID 0A64010200000BDC2CB67DDC
Jun 9 04:10:33.748: %DOT1X-5-FAIL: Authentication failed for client (4b6c.91e0.5937) on Interface Gi0/19 AuditSessionID 0A64010200000BDC2CB67DDC
Jun 9 04:19:18.124: %DOT1X-5-FAIL: Authentication failed for client (4b6c.91e0.5937) on Interface Gi0/19 AuditSessionID 0A64010200000BDC2CB67DDC
Jun 9 04:19:19.744: %DOT1X-5-FAIL: Authentication failed for client (4b6c.91e0.5937) on Interface Gi0/19 AuditSessionID 0A64010200000BDD2CBFB30F
Jun 9 04:19:21.254: %DOT1X-5-FAIL: Authentication failed for client (4b6c.91e0.5937) on Interface Gi0/19 AuditSessionID 0A64010200000BDD2CBFB30F
Jun 9 04:20:37.776: %DOT1X-5-FAIL: Authentication failed for client (4b6c.91e0.5937) on Interface Gi0/19 AuditSessionID 0A64010200000BDD2CBFB30F

Labels:
0 Helpful
5 Replies 5

Jitendra Kumar
Spotlight
Spotlight

‎06-08-2022 09:56 PM - edited ‎06-08-2022 10:05 PM

edited:-

 

could you please look into the dACL.

 

i see " AuditSessionID"  has been resolved in below discussion 

https://community.cisco.com/t5/network-access-control/ise-first-authorization-sucess-and-then-fail-mab/td-p/2099621

 

hope it will help you..

 

Thanks,

Jitendra

 

 

Thanks,
Jitendra
0 Helpful

reccon
Level 1
Level 1

‎06-08-2022 10:15 PM

Hi

 

Can you post the configuration of Interface Gi0/19.

Have you checked the live log of this client on the ise server at the time the authentication fails?

 

0 Helpful

Chris.Mes
Level 1
Level 1

‎06-09-2022 12:42 AM

This is the interface config:
!
interface GigabitEthernet0/19
switchport access vlan 111
switchport mode access
switchport voice vlan 244
authentication host-mode multi-domain
authentication order dot1x mab
authentication port-control auto
mab
mls qos trust dscp
no macro auto processing
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast edge
end

0 Helpful

Chris.Mes
Level 1
Level 1

‎06-09-2022 04:06 AM

When changing the order
authentication order mab dot1x
the client keeps connected to network.
It seems when it does dot1x, it tries dot1x 3 times and then waits another 75-80 seconds until it is connected again.
So the client is down for approx. 90 seconds every 10 minutes.
But I still have no idea, why this reauthentication takes place so often?
20220609_ISE.jpg

0 Helpful

Jitendra Kumar
Spotlight
Spotlight
In response to Chris.Mes

‎06-09-2022 04:55 AM

 

can see dot1x and MAB simultaneously making the closed mode issue .

seems requiring the attach device to the dot1x authentication-the switch will not initiate unless mab.---try this

 

Thanks,

Jitendra

Thanks,
Jitendra
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card