IBNS 2.0 missing "dot1x timeout tx-period" after switch reload

Bob Goal
Level 1

Hi Community,

I'm preparing a config for an 802.1x deployment and encountered a problem. I'm using IBNS 2.0 syntax like below and am trying to make "dot1x timeout tx-period" lower, from 30 to 10 seconds. Unfortunately, after a switch reload the command "dot1x timeout tx-period" is missing in the running-config but is present in the startup-config. Because of that the switch sends an EAPOL frame every 30 sec, which is too long for me. Is there any way to accomplish my goal with IBNS 2.0?

Switch 2960X with IOS 15.2(2)E6:

Before reload:

running-config:
interface GigabitEthernet1/0/1
 switchport access vlan 110
 dot1x timeout tx-period 10
 source template ISE

startup-config:
interface GigabitEthernet1/0/1
 switchport access vlan 110
 dot1x timeout tx-period 10
 source template ISE

After reload:

running-config:
interface GigabitEthernet1/0/1
 switchport access vlan 110
 dot1x timeout tx-period 10   <- command is missing
 source template ISE

startup-config:
interface GigabitEthernet1/0/1
 switchport access vlan 110
 dot1x timeout tx-period 10
 source template ISE

Config:

dot1x system-auth-control
dot1x logging verbose
dot1x critical eapol
!
!
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan
service-template CRITICAL
 access-group ACL_CRITICAL
 voice vlan
service-template CRITICAL_ACCESS
 access-group ACL_CRITICAL
service-template CRITICAL_VOICE
 voice vlan
!
class-map type control subscriber match-all AAA_DOWN
 match result-type aaa-timeout
!
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match result-type aaa-timeout
 match authorization-status authorized
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
!
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
!
class-map type control subscriber match-any IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_ACCESS
 match activated-service-template CRITICAL_VOICE
!
class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative
!
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_ACCESS
 match activated-service-template CRITICAL_VOICE
!
policy-map type control subscriber POLICY_DOT1X_MAB5
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL_ACCESS
   20 activate service-template CRITICAL_VOICE
   50 authorize
   60 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  50 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
 event aaa-available match-all
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
!
template ISE
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport mode access
 source template IP_PHONE_INTERFACE_TEMPLATE
 mab
 access-session closed
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber POLICY_DOT1X_MAB5
!
interface GigabitEthernet1/0/1
 switchport access vlan 110
 dot1x timeout tx-period 10
 source template ISE
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
!
radius server RADIUS_ISE02
 address ipv4 IP_1 auth-port 1645 acct-port 1646
 automate-tester username RADIUS-TEST probe-on
 key 7 ***
!
radius server RADIUS_ISE01
 address ipv4 IP_2 auth-port 1645 acct-port 1646
 automate-tester username RADIUS-TEST probe-on
 key 7 ***

6 Replies

Craig Hyps
Level 10

Try adding the command to your source template ISE.

Hi chyps,

thank you for the quick response. Unfortunately there is no such command under the template:

c2960x(config)#template ISE
c2960x(config-template)#dot
c2960x(config-template)#dot1x ?
  pae  Set 802.1x interface pae type
c2960x(config-template)#

hslai
Cisco Employee

This appears to be an issue specific to IBNS 2.0 and 15.2(2)E6 on 2960X, so I am moving your question to Switching.

Bob Goal
Level 1

Team,

is the command dot1x timeout tx-period deprecated now? Is there any plan to implement it with the interface template feature? Or maybe there is another, better way to send dot1x frames from a Catalyst switch at a shorter interval?

Hi,

I don't know if I am right or not, so I hope one of the experts can reply.

Do we still need the dot1x timeout tx-period command when using IBNS 2.0?

As far as I know from reading the docs, one of the benefits of IBNS 2.0 is concurrent FlexAuth, which means that when the session is started both dot1x and MAB are tried in parallel, with priority to dot1x, so there is no need anymore for the fallback sequence.

I hope someone will clarify this.

BTW, I tried this command on my C2960L switch and I can see it in the CLI.

Janne K.
Level 1

Hi,

I know this is a very old post, but I recently ran into the same problem with my 2960X switches.

I think maybe the problem is the order in which the config is loaded into the interface.
When testing on a default interface I am not able to post the "dot1x timeout tx-period 10" or any dot1x command before I have enabled my "source template DOT1X-port".

My workaround for this 'little problem' is to use the EEM (Embedded Event Manager) to paste the startup-config back into the running-config just after restart of the switch.
It may be a bit crude, but it works, and a wise man once told me: "If it's stupid but it works, it's not stupid."

Anyway, here is the command set I use to make it work on my setup.
The username is a must since we use TACACS to authorize commands.

! Run the applet's CLI actions as this user so TACACS command authorization passes
event manager session cli username "prime-admin"
event manager applet PUSH_START_RUN
 ! Fire once the switch reports it has finished restarting
 event syslog pattern "SYS-5-RESTART"
 action 2.0 cli command "enable"
 ! Merge startup-config onto running-config; "pattern" waits for the destination-filename prompt
 action 2.1 cli command "copy start run" pattern "running-config"
 ! Answer the prompt, then save so the merged config is what the box boots with next time
 action 2.2 cli command "running-config"
 action 2.3 cli command "wr me"

I hope it may help someone in the same situation.

Janne K.
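Both the symptom Bob describes (a command present in startup-config but gone from running-config after reload) and the EEM re-apply Janne uses are worth verifying rather than assuming, since a silently dropped tx-period means the port is not behaving the way the saved config says. The following is an added example, not code from this thread: a small Python check that parses the two configs per interface and reports sub-commands that exist in startup but not in running. The sample configs are constructed from the stanzas above (Gi1/0/2 is made up), and the `prefix` argument is my own addition; it generalizes beyond dot1x, as an empty prefix checks every sub-command.

```python
# Constructed sample: startup-config and post-reload running-config stanzas,
# modelled on the thread (Gi1/0/2 is an invented second port for contrast).
STARTUP_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 110
 dot1x timeout tx-period 10
 source template ISE
!
interface GigabitEthernet1/0/2
 switchport access vlan 110
 source template ISE
!
"""

RUNNING_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 110
 source template ISE
!
interface GigabitEthernet1/0/2
 switchport access vlan 110
 source template ISE
!
"""


def interface_stanzas(config):
    """Map interface name -> set of its indented sub-commands (IOS style)."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = set()
        elif current is not None and line.startswith(" "):
            stanzas[current].add(line.strip())
        else:
            current = None  # '!' or any top-level command closes the stanza
    return stanzas


def dropped_commands(startup, running, prefix="dot1x "):
    """Return {interface: [cmds]} for commands in startup but absent from running."""
    s, r = interface_stanzas(startup), interface_stanzas(running)
    missing = {}
    for intf, cmds in s.items():
        lost = sorted(c for c in cmds
                      if c.startswith(prefix) and c not in r.get(intf, set()))
        if lost:
            missing[intf] = lost
    return missing


if __name__ == "__main__":
    for intf, cmds in dropped_commands(STARTUP_CONFIG, RUNNING_CONFIG).items():
        print(f"{intf}: lost after reload -> {', '.join(cmds)}")
```

Feed it the text of `show startup-config` and `show running-config` captured after the reload (or after the EEM applet has run); any interface it lists still does not have the tx-period setting in effect.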
