Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
63
Views
0
Helpful
1
Replies

DOT1X Not Authenticating On Client Restarts

IES Sys Admin
Level 1
Level 1

‎06-26-2025 12:40 PM - edited ‎06-26-2025 12:48 PM

I have DOT1X set up on our C9300 access ports with a MAB backup. The network policy is to authenticate with the computer name and the certificate. If I turn the computer on I get the following error:

DOT1X-5 FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (MACADDRESS) with reason (Timeout) on Interface Gi1/0/1 AuditSessionID 13200000000F0000003315ADE30389 Username: host/MONITOR1.DOMAIN.NET

When looking for the authentication session details it says the following:

Interface: GigabitEthernet1/0/1
IIF-ID: 0x1C44F0A1
MAC Address: <computer mac address>
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: <computer mac address>
Status: Unauthorized
Domain: UNKNOWN
Oper Host Mode: single-host
Oper Control Dir: both
Session timeout: N/A
Common Session ID: 1F030000400000206FADE9032934
Current Policy: DOT1x

Method Status List:
Method         State
dot1x          Stopped
mab            Authc Failed

If login to the computer I have to go to the network connections windows and it tells me I need to Sign In. It then authenticates. Why is it doing this? Here is one of the port configurations and the are all the same.

switchport access vlan 74
switchport mode access
switchport block unicast
ip arp inspection trust
authentication periodic
authentication timer reauthenticate server
access-session host-mode single-host
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-req 3
dot1x max-reauth-req 3
dot1x timeout auth-period 60
storm-control broadcast level bps 62m
storm-control unicast level bps1
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
service-policy type control subscriber DOT1x_CHECK

 This is Service-Policy

policy-map type control subscriber DOT1x
 event session-started match-all
  10 class always do-all
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event violation match-all
  10 class always do-all
   10 restrict
 event authentication-failure match-all
  10 class AAA-DOWN do-all
   10 terminate dot1x
   20 terminate mab
  20 class DOT1X-FAILED do-all
  10 authenticate using mab
 event inactivity-timeout match-all
  10 class always do-all
   10 unauthorize
   20 clear-session
 event agent-found match-all
  10 class always do-all
   10 authenticate using dot1x
Labels:
0 Helpful
1 Reply 1

marce1000
Hall of Fame
Hall of Fame

‎06-26-2025 11:10 PM

 

 - @IES Sys Admin    Check logs on the authentication server(s) ,for this authentication (RADIUS, ISE...)

  M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful
Customers Also Viewed These Support Documents