12-11-2019 03:32 PM - edited 12-11-2019 03:36 PM
We have been having this issue for quite some time now, and I finally have time to actually pose the question here as I cannot come up with anything searching.
On all of our 3750x's and some (if not all) of our 3650's, we have some port types that have dot1x and MAB auth for daisy-chained PCs and IP phones.
My syslog gets flooded with massive amounts of DOT1X and MAB auth failures and I think we have narrowed it down to being caused when a user has a laptop docked, but the screen is locked and they are not actively logged onto it.
The biggest problem is that the switches seem to be trying to re-authenticate on the same devices every 30 seconds indefinitely, which causes the situation in the attached image. This doesn't seem to be IOS specific as we have seen this behavior on various levels of code.
Port Config:
description daisy_com
switchport access vlan [VLAN MASKED]
switchport mode access
switchport nonegotiate
switchport voice vlan [VLAN MASKED]
authentication host-mode multi-domain
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 120
authentication violation replace
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 3
storm-control broadcast level pps 500
storm-control multicast level pps 500
storm-control action trap
macro description port-uservoip
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 10
end
Is there something glaringly obvious that I am missing here? Any help is appreciated. Thanks!
EDIT: Looks like my screenshot may not have uploaded properly. Here is the text:
2019-12-11 17:14:09 Local7.Notice [switch name masked] 163375: Dec 11 18:14:08.045 EST: %MAB-5-FAIL: Authentication failed for client ([masked].e5c7) on Interface Gi2/0/16 AuditSessionID 0A29401E00000FDA046F4F74
2019-12-11 17:14:09 Local7.Notice [switch name masked] 163374: Dec 11 18:14:08.014 EST: %DOT1X-5-FAIL: Authentication failed for client ([masked].e5c7) on Interface Gi2/0/16 AuditSessionID 0A29401E00000FDA046F4F74
2019-12-11 17:12:59 Local7.Notice [switch name masked] 163373: Dec 11 18:12:58.006 EST: %MAB-5-FAIL: Authentication failed for client ([masked].e5c7) on Interface Gi2/0/16 AuditSessionID 0A29401E00000FDA046F4F74
2019-12-11 17:12:59 Local7.Notice [switch name masked] 163372: Dec 11 18:12:57.978 EST: %DOT1X-5-FAIL: Authentication failed for client ([masked].e5c7) on Interface Gi2/0/16 AuditSessionID 0A29401E00000FDA046F4F74
2019-12-11 17:11:49 Local7.Notice [switch name masked] 163371: Dec 11 18:11:47.957 EST: %MAB-5-FAIL: Authentication failed for client ([masked].e5c7) on Interface Gi2/0/16 AuditSessionID 0A29401E00000FDA046F4F74
2019-12-11 17:11:49 Local7.Notice [switch name masked] 163370: Dec 11 18:11:47.927 EST: %DOT1X-5-FAIL: Authentication failed for client ([masked].e5c7) on Interface Gi2/0/16 AuditSessionID 0A29401E00000FDA046F4F74
2019-12-11 17:10:39 Local7.Notice [switch name masked] 163369: Dec 11 18:10:37.910 EST: %MAB-5-FAIL: Authentication failed for client ([masked].e5c7) on Interface Gi2/0/16 AuditSessionID 0A29401E00000FDA046F4F74
2019-12-11 17:10:39 Local7.Notice [switch name masked] 163368: Dec 11 18:10:37.884 EST: %DOT1X-5-FAIL: Authentication failed for client ([masked].e5c7) on Interface Gi2/0/16 AuditSessionID 0A29401E00000FDA046F4F74
2019-12-11 17:09:29 Local7.Notice [switch name masked] 163367: Dec 11 18:09:27.872 EST: %MAB-5-FAIL: Authentication failed for client ([masked].e5c7) on Interface Gi2/0/16 AuditSessionID 0A29401E00000FDA046F4F74
2019-12-11 17:09:29 Local7.Notice [switch name masked] 163366: Dec 11 18:09:27.848 EST: %DOT1X-5-FAIL: Authentication failed for client ([masked].e5c7) on Interface Gi2/0/16 AuditSessionID 0A29401E00000FDA046F4F74
2019-12-11 17:08:19 Local7.Notice [switch name masked] 163365: Dec 11 18:08:17.831 EST: %MAB-5-FAIL: Authentication failed for client ([masked].e5c7) on Interface Gi2/0/16 AuditSessionID 0A29401E00000FDA046F4F74
2019-12-11 17:08:19 Local7.Notice [switch name masked] 163364: Dec 11 18:08:17.807 EST: %DOT1X-5-FAIL: Authentication failed for client ([masked].e5c7) on Interface Gi2/0/16 AuditSessionID 0A29401E00000FDA046F4F74
2019-12-11 17:07:09 Local7.Notice [switch name masked] 163363: Dec 11 18:07:07.799 EST: %MAB-5-FAIL: Authentication failed for client ([masked].e5c7) on Interface Gi2/0/16 AuditSessionID 0A29401E00000FDA046F4F74
2019-12-11 17:07:09 Local7.Notice [switch name masked] 163362: Dec 11 18:07:07.766 EST: %DOT1X-5-FAIL: Authentication failed for client ([masked].e5c7) on Interface Gi2/0/16 AuditSessionID 0A29401E00000FDA046F4F74
2019-12-11 17:05:59 Local7.Notice [switch name masked] 163361: Dec 11 18:05:57.745 EST: %MAB-5-FAIL: Authentication failed for client ([masked].e5c7) on Interface Gi2/0/16 AuditSessionID 0A29401E00000FDA046F4F74
2019-12-11 17:05:59 Local7.Notice [switch name masked] 163360: Dec 11 18:05:57.718 EST: %DOT1X-5-FAIL: Authentication failed for client ([masked].e5c7) on Interface Gi2/0/16 AuditSessionID 0A29401E00000FDA046F4F74
2019-12-11 17:04:48 Local7.Notice [switch name masked] 163359: Dec 11 18:04:47.698 EST: %MAB-5-FAIL: Authentication failed for client ([masked].e5c7) on Interface Gi2/0/16 AuditSessionID 0A29401E00000FDA046F4F74
2019-12-11 17:04:48 Local7.Notice [switch name masked] 163358: Dec 11 18:04:47.674 EST: %DOT1X-5-FAIL: Authentication failed for client ([masked].e5c7) on Interface Gi2/0/16 AuditSessionID 0A29401E00000FDA046F4F74
2019-12-11 17:03:38 Local7.Notice [switch name masked] 163357: Dec 11 18:03:37.654 EST: %MAB-5-FAIL: Authentication failed for client ([masked].e5c7) on Interface Gi2/0/16 AuditSessionID 0A29401E00000FDA046F4F74
2019-12-11 17:03:38 Local7.Notice [switch name masked] 163356: Dec 11 18:03:37.625 EST: %DOT1X-5-FAIL: Authentication failed for client ([masked].e5c7) on Interface Gi2/0/16 AuditSessionID 0A29401E00000FDA046F4F74
2019-12-11 17:02:28 Local7.Notice [switch name masked] 163355: Dec 11 18:02:27.610 EST: %MAB-5-FAIL: Authentication failed for client ([masked].e5c7) on Interface Gi2/0/16 AuditSessionID 0A29401E00000FDA046F4F74
2019-12-11 17:02:28 Local7.Notice [switch name masked] 163354: Dec 11 18:02:27.588 EST: %DOT1X-5-FAIL: Authentication failed for client ([masked].e5c7) on Interface Gi2/0/16 AuditSessionID 0A29401E00000FDA046F4F74
2019-12-11 17:01:18 Local7.Notice [switch name masked] 163353: Dec 11 18:01:17.568 EST: %MAB-5-FAIL: Authentication failed for client ([masked].e5c7) on Interface Gi2/0/16 AuditSessionID 0A29401E00000FDA046F4F74
2019-12-11 17:01:18 Local7.Notice [switch name masked] 163352: Dec 11 18:01:17.545 EST: %DOT1X-5-FAIL: Authentication failed for client ([masked].e5c7) on Interface Gi2/0/16 AuditSessionID 0A29401E00000FDA046F4F74
2019-12-11 17:00:08 Local7.Notice [switch name masked] 163351: Dec 11 18:00:07.522 EST: %MAB-5-FAIL: Authentication failed for client ([masked].e5c7) on Interface Gi2/0/16 AuditSessionID 0A29401E00000FDA046F4F74
2019-12-11 17:00:08 Local7.Notice [switch name masked] 163350: Dec 11 18:00:07.495 EST: %DOT1X-5-FAIL: Authentication failed for client ([masked].e5c7) on Interface Gi2/0/16 AuditSessionID 0A29401E00000FDA046F4F74
2019-12-11 16:58:58 Local7.Notice [switch name masked] 163349: Dec 11 17:58:57.481 EST: %MAB-5-FAIL: Authentication failed for client ([masked].e5c7) on Interface Gi2/0/16 AuditSessionID 0A29401E00000FDA046F4F74
01-31-2020 10:21 AM
If the frequent authentication attempts are what's bothering you, read this document:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-a3.html
Specifically the following command:
authentication timer restart
If what's bothering you is your RADIUS logs, there are solutions in place for ISE (and possibly others). For ISE have a look at collection filters.
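A way to quantify the retry loop seen in the syslog excerpt, as an added example that is not part of the original thread: it groups %DOT1X-5-FAIL and %MAB-5-FAIL lines by port and client, collapses each DOT1X+MAB pair into one cycle, and reports clients that fail at a regular interval, which is the figure to compare against the configured restart timer. The sample lines, switch name, MAC addresses and session IDs are constructed, and the thresholds are assumptions to tune.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?"
    r"%(?P<method>DOT1X|MAB)-5-FAIL: Authentication failed for client "
    r"\((?P<mac>[^)]+)\) on Interface (?P<intf>\S+) AuditSessionID (?P<sid>\S+)")

def _line(ts, method, mac, intf):
    # Builds one constructed syslog line in the format shown in the thread.
    return (f"2019-12-11 {ts} Local7.Notice sw1 1: Dec 11 {ts}.000 EST: "
            f"%{method}-5-FAIL: Authentication failed for client ({mac}) "
            f"on Interface {intf} AuditSessionID CONSTRUCTED-{intf}")

# Constructed input: one client looping every 70 s, one failing only once.
SAMPLE = "\n".join(
    [_line(t, m, "0000.0000.e5c7", "Gi2/0/16")
     for t in ("17:00:08", "17:01:18", "17:02:28", "17:03:38", "17:04:48")
     for m in ("DOT1X", "MAB")]
    + [_line("17:02:00", m, "0000.0000.aaaa", "Gi2/0/20") for m in ("DOT1X", "MAB")])

def retry_loops(text, min_cycles=4, burst=5, jitter=3):
    """Return {(interface, mac): stats} for clients stuck in a regular fail loop."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events[(m["intf"], m["mac"])].append((ts, m["method"], m["sid"]))
    findings = {}
    for key, evs in events.items():
        evs.sort()
        cycles = [evs[0][0]]  # failures within `burst` seconds count as one cycle
        for ts, _, _ in evs[1:]:
            if (ts - cycles[-1]).total_seconds() > burst:
                cycles.append(ts)
        gaps = [(b - a).total_seconds() for a, b in zip(cycles, cycles[1:])]
        if len(cycles) >= min_cycles and max(gaps) - min(gaps) <= jitter:
            findings[key] = {"cycles": len(cycles), "interval_s": median(gaps),
                             "methods": sorted({e[1] for e in evs}),
                             "sessions": len({e[2] for e in evs})}
    return findings

if __name__ == "__main__":
    for (intf, mac), stats in retry_loops(SAMPLE).items():
        print(intf, mac, stats)
```

A single session ID across every cycle, as in the excerpt, indicates the switch is retrying one session rather than seeing new link events.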
02-01-2020 03:48 AM