"Authentication Periodic" Command on Dot1x

fdharmawan · ‎01-22-2019

Hi Guys,

Is "authentication periodic" command a prerequisite for dot1x authentication?

We are currently testing dot1x authentication for LAN. The laptops and desktops are authenticated using dot1x, while IP phones and other devices are authenticated using MAB. In the process, we found out that some of the desktops whose connection are sourced from IP phone got unauthorized, even though at the beginning those desktops got authorized.

When I see the logs in ISE, somehow the desktop just would not use dot1x as authentication method. It keeps using MAB as authentication method. The notification on the user's workstation is "authentication failed". I tried to remove the "authentication periodic" command and restart the port but it won't go away. Somehow unplug and plug the cable back to the desktop works. I do not know what is the difference here.

Below is my configuration

GLOBAL CONFIG

aaa group server radius ISE
server name ISE1
server name ISE2
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting update newinfo periodic 2880

aaa server radius dynamic-author
client ISE1_IP server-key mykey
client ISE2_IP server-key mykey
device-tracking policy TRACKING
no protocol udp
tracking enable

dot1x system-auth-control
dot1x critical eapol

ip access-list extended ACL-DEFAULT
permit udp any any eq domain
permit udp any eq bootpc any eq bootps
deny ip any any

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3

INTERFACE CONFIG

interface Te2/0/19
switchport access vlan User
switchport mode access
switchport voice vlan Telephony
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security aging time 1
switchport port-security
device-tracking attach-policy TRACKING
ip access-group ACL-DEFAULT in
authentication control-direction in
authentication event fail action next-method
authentication event server dead action reinitialize vlan User
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication port-control auto
authentication violation restrict
authentication periodic
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
end

Below is the example of the log

Jan 22 14:40:11.024 XYZ: %SESSION_MGR-5-FAIL:Switch 1 R0/0: smd: Authorization failed or unapplied for client (Desktop_MAC) on Interface TenGigabitEthernet2/0/19 AuditSessionID 0A98200600001658747533E7

Any idea what's going on?

Thank you.

Georg Pauwen · ‎01-22-2019

Hello.

'authentication periodic' is used for reauthentication (in conjunction with the 'authentication timer reauthenticate' command), so it should not affect the actual initial dot1x authentication.

That said, try and change:

authentication host-mode multi-auth

to:

authentication host-mode multi-domain

or

authentication host-mode multi-host

fdharmawan · ‎01-22-2019

Hi Georg,

I tried multi-host before but it did not work for my environment. Will try multi-domain.

Just wondering why the device got authenticated at the first place but got unauthenticated somewhere along the road. Even the authentication method was changed from dot1x to MAB.

Georg Pauwen · ‎01-22-2019

Hello,

there is always a chance that this could be a bug. What platform and IOS do you have (sh ver) ?

fdharmawan · ‎01-22-2019

Hi Georg,

My current IOS is 16.3.5b

Georg Pauwen · ‎01-22-2019

What is your platform (e.g. 3850) ? Are you using Cisco IP Phones, or are these third party phones ?

fdharmawan · ‎01-22-2019

Hi Georg,

I'm using 3850 and 7861 Cisco IP phones

Mark Malone · ‎01-22-2019

Hi just to add to try to stop it going to MAB try below

authentication order dot1x
authentication priority dot1x

fdharmawan · ‎01-22-2019

Hi Mark,

I need the MAB since some computers are connected via IP phone, not directly to switch. Though I tried using "authentication order dot1x mab", but both method failed. Below is the output of the log.

Jan 22 16:11:42.544 XYZ: %DOT1X-5-FAIL:Switch 1 R0/0: smd: Authentication failed for client (PC_MAC) on Interface Te2/0/19 AuditSessionID 0A98200600001658747533E7
Jan 22 16:11:42.567 XYZ: %SESSION_MGR-5-FAIL:Switch 1 R0/0: smd: Authorization failed or unapplied for client (PC_MAC) on Interface TenGigabitEthernet2/0/19 AuditSessionID 0A98200600001658747533E7

Cheers.

Mark Malone · ‎01-22-2019

ok cool cos i actually use MAB so here as a comparison is a working example of my ISE port setup , ive had no issues with drop offs etc
were running ios-xe too, 3.6.7b 3ks and 3.8.6 4ks

interface GigabitEthernet1/5/12
description Voice and Data
switchport access vlan xxx
switchport mode access
switchport voice vlan xxxxx
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security aging time 1
switchport port-security aging type inactivity
switchport port-security
ip access-group PERMIT-ANY in
authentication control-direction in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 166
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
authentication violation restrict
mab
auto qos trust
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
spanning-tree bpduguard enable
service-policy input AutoQos-4.0-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
ip dhcp snooping limit rate 7

#show auth sessions interface g1/5/12 de | i mab
mab Authc Success

fdharmawan · ‎01-22-2019

Hi Mark,

Thank you for the input. Will try the priority and order method and post the feedback here.

Cheers.

BrianPersaud · ‎09-23-2019

Hi I am having the exact issue. Did you find a resolution for this?

Thanks

fdharmawan · ‎09-24-2019

Hi Brian,

Can you specify what is your problem?

randms2610 · ‎01-22-2019

I think what @fdharmawan wants here is to authenticate desktop using dot1x but authenticate the ip phone using mab.

And from what i understand, some desktop are connected to the switch with the ip phone inline...please confirm if this correct

that aside, so you already apply the command authentication order dot1x mab but the desktop that was previously passed the dot1x auth somehow then tries to authenticate again using mab and failed. Have you tried to reverse the authentication order?