09-13-2017 01:53 AM - edited 03-08-2019 12:00 PM
Hi Community,
I'm preparing a config for an 802.1X deployment and have encountered a problem. I'm using IBNS 2.0 syntax like below and am trying to make "dot1x timeout tx-period" lower, from 30 to 10 seconds. Unfortunately, after a switch reload the command "dot1x timeout tx-period" is missing from the running-config but is present in the startup-config. Because of that the switch sends an EAPOL frame every 30 sec, which is too long for me. Is there any way to accomplish my goal with IBNS 2.0?
Switch 2960X with IOS 15.2(2)E6:
Before reload:
running-config:
interface GigabitEthernet1/0/1
switchport access vlan 110
dot1x timeout tx-period 10
source template ISE
startup-config:
interface GigabitEthernet1/0/1
switchport access vlan 110
dot1x timeout tx-period 10
source template ISE
After reload:
running-config:
interface GigabitEthernet1/0/1
switchport access vlan 110
dot1x timeout tx-period 10 <- command is missing
source template ISE
startup-config:
interface GigabitEthernet1/0/1
switchport access vlan 110
dot1x timeout tx-period 10
source template ISE
Config:
dot1x system-auth-control
dot1x logging verbose
dot1x critical eapol
!
!
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
voice vlan
service-template CRITICAL
access-group ACL_CRITICAL
voice vlan
service-template CRITICAL_ACCESS
access-group ACL_CRITICAL
service-template CRITICAL_VOICE
voice vlan
!
class-map type control subscriber match-all AAA_DOWN
match result-type aaa-timeout
!
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
match result-type aaa-timeout
match authorization-status authorized
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
match result-type aaa-timeout
match authorization-status unauthorized
!
class-map type control subscriber match-all DOT1X_FAILED
match method dot1x
match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_NO_RESP
match method dot1x
match result-type method dot1x agent-not-found
!
class-map type control subscriber match-any IN_CRITICAL_AUTH
match activated-service-template CRITICAL_ACCESS
match activated-service-template CRITICAL_VOICE
!
class-map type control subscriber match-all MAB_FAILED
match method mab
match result-type method mab authoritative
!
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
match activated-service-template CRITICAL_ACCESS
match activated-service-template CRITICAL_VOICE
!
policy-map type control subscriber POLICY_DOT1X_MAB5
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x priority 10
20 authenticate using mab priority 20
event authentication-failure match-first
5 class DOT1X_FAILED do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
10 activate service-template CRITICAL_ACCESS
20 activate service-template CRITICAL_VOICE
50 authorize
60 pause reauthentication
20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
10 pause reauthentication
20 authorize
30 class DOT1X_NO_RESP do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
40 class MAB_FAILED do-until-failure
10 terminate mab
20 authentication-restart 60
50 class always do-until-failure
10 terminate dot1x
20 terminate mab
30 authentication-restart 60
event agent-found match-all
10 class always do-until-failure
10 terminate mab
20 authenticate using dot1x priority 10
event aaa-available match-all
20 class NOT_IN_CRITICAL_AUTH do-until-failure
10 resume reauthentication
!
template ISE
dot1x pae authenticator
spanning-tree portfast
spanning-tree bpduguard enable
switchport mode access
source template IP_PHONE_INTERFACE_TEMPLATE
mab
access-session closed
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber POLICY_DOT1X_MAB5
!
interface GigabitEthernet1/0/1
switchport access vlan 110
dot1x timeout tx-period 10
source template ISE
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
!
radius server RADIUS_ISE02
address ipv4 IP_1 auth-port 1645 acct-port 1646
automate-tester username RADIUS-TEST probe-on
key 7 ***
!
radius server RADIUS_ISE01
address ipv4 IP_2 auth-port 1645 acct-port 1646
automate-tester username RADIUS-TEST probe-on
key 7 ***
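The symptom above is a startup-config versus running-config mismatch on one interface. An added example, not part of the original post: a small config-drift check that parses plain IOS interface stanzas from both configs and reports every sub-command an interface had in startup-config but lost in running-config after the reload. The two configs embedded below are constructed from the before/after snippets in the post (the second interface and the one-space indentation are assumptions for the sake of a self-contained sample); the function and variable names are this example's own.

```python
"""Config-drift check: which per-interface commands from startup-config
did not survive into running-config after a reload?

Added example, not from the original thread. The two configs below are
constructed from the before/after snippets in the post; the parser handles
plain IOS-style interface stanzas (one-space indented lines under
'interface ...').
"""
from __future__ import annotations

import re
from typing import Dict, List, Optional

# Constructed sample: startup-config as shown in the post (Gi1/0/2 is an
# assumed second port with no timer override, to show a clean interface).
STARTUP_CONFIG = """\
!
interface GigabitEthernet1/0/1
 switchport access vlan 110
 dot1x timeout tx-period 10
 source template ISE
!
interface GigabitEthernet1/0/2
 switchport access vlan 110
 source template ISE
!
"""

# Constructed sample: running-config after reload, where the tx-period line
# on Gi1/0/1 is gone (the symptom described in the post).
RUNNING_CONFIG = """\
!
interface GigabitEthernet1/0/1
 switchport access vlan 110
 source template ISE
!
interface GigabitEthernet1/0/2
 switchport access vlan 110
 source template ISE
!
"""

_IFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface_name: [sub-commands]} for each interface stanza.

    A stanza ends at the first non-indented line (e.g. '!' or the next
    top-level command). Sub-command order is preserved.
    """
    stanzas: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        m = _IFACE_RE.match(raw)
        if m:
            current = m.group(1)
            stanzas[current] = []
            continue
        if current is None:
            continue
        if raw.startswith(" ") and raw.strip():
            stanzas[current].append(raw.strip())
        else:
            current = None  # stanza ended
    return stanzas


def missing_after_reload(startup: str, running: str) -> Dict[str, List[str]]:
    """Commands present under an interface in startup but absent in running."""
    start_ifs = parse_interfaces(startup)
    run_ifs = parse_interfaces(running)
    drift: Dict[str, List[str]] = {}
    for name, cmds in start_ifs.items():
        present = set(run_ifs.get(name, []))
        lost = [c for c in cmds if c not in present]
        if lost:
            drift[name] = lost
    return drift


def has_dot1x_timer_drift(drift: Dict[str, List[str]]) -> bool:
    """True if any interface lost a 'dot1x timeout ...' line."""
    return any(c.startswith("dot1x timeout")
               for cmds in drift.values() for c in cmds)


if __name__ == "__main__":
    d = missing_after_reload(STARTUP_CONFIG, RUNNING_CONFIG)
    for iface, cmds in sorted(d.items()):
        for c in cmds:
            print(f"{iface}: lost '{c}'")
    print("dot1x timer drift:", has_dot1x_timer_drift(d))
```

In practice you would feed it the output of `show startup-config` and `show running-config` collected after the reload; a non-empty result for any port is the signal that the timer override did not survive and that the reauth behaviour on that port is not what the startup-config says it is.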
09-13-2017 03:22 AM
Try adding the command to your source template ISE.
09-13-2017 03:26 AM
Hi chyps,
thank you for the quick response. Unfortunately there is no such command under template
c2960x(config)#template ISE
c2960x(config-template)#dot
c2960x(config-template)#dot1x ?
pae Set 802.1x interface pae type
c2960x(config-template)#
09-13-2017 10:26 AM
This appears to be an issue specific either to IBNS 2.0 or to 15.2(2)E6 on the 2960X. So, I am moving your question to Switching.
09-19-2017 01:43 AM
Team,
is the command dot1x timeout tx-period deprecated now? Is there any plan to implement it with interface template feature? Or maybe there is other, better way to send dot1x frames from Catalyst switch in shorter interval?
03-13-2019 08:30 AM
Hi,
I don't know if I am right or not, so I hope one of the experts can reply.
Do we still need the dot1x timeout tx-period command when using IBNS 2.0?
As far as I know from reading the docs, one of the benefits of IBNS 2.0 is concurrent FlexAuth, which means that when the session is started both dot1x and MAB are tried in parallel with priority to dot1x, so there is no need anymore for the fallback sequence.
I hope someone will clarify this.
BTW, I tried this command on my C2960L switch and I can see it in the CLI.
10-29-2021 04:31 AM
Hi,
I know this is a very old post, but I recently ran into the same problem with my 2960X switches.
I think maybe the problem is the order in which the config is loaded onto the interface.
When testing on a defaulted interface, I am not able to post "dot1x timeout tx-period 10" or any dot1x command before I have enabled my "source template DOT1X-port".
My workaround for this 'little problem' is to use the EEM (Embedded Event Manager) to paste the startup-config back into the running-config just after restart of the switch.
It may be a bit crude, but it works, and a wise man once told me: "If it's stupid but it works, it's not stupid."
Anyway, here is the command set I use to make it work on my setup.
The username is a must since we use TACACS to authorize commands.
event manager session cli username "prime-admin"
event manager applet PUSH_START_RUN
event syslog pattern "SYS-5-RESTART"
action 2.0 cli command "enable"
action 2.1 cli command "copy start run" pattern "running-config"
action 2.2 cli command "running-config"
action 2.3 cli command "wr me"
I hope it may help someone in the same situation.
Janne K.