Dot1x reauthentication happens every 90 seconds

Unanswered Question
May 5th, 2007

Hi,

We activated dot1x authentication on a WS-C3560-24PS port (IOS 12.2(25) -several subversions) for the authentication of an IpTel. After the successful authentication we see in the ACS logs (and with a dot1x debug) that this client is reauthenticated every 90 seconds, despite the fact that we configured the reauth-period very high. Even if we disable the reauthentication on this port, the reauthentication continues every 90 seconds.

Does anyone knows how we can stop this ?

Thanks in advance,

Philippe

**********

hsatriu29#sh running int fa0/6

interface FastEthernet0/6

switchport access vlan 234

switchport mode access

switchport voice vlan 851

switchport port-security maximum 3

switchport port-security

switchport port-security aging time 1

switchport port-security aging type inactivity

dot1x pae authenticator

dot1x port-control auto

dot1x host-mode multi-host

dot1x timeout reauth-period 43200

dot1x timeout ratelimit-period 1200

dot1x reauthentication

spanning-tree portfast

end

hsatriu29#sh deb

dot1x:

Dot1x events debugging is on

hsatriu29#sh dot1x int fa0/6 det

Dot1x Info for FastEthernet0/6

-----------------------------------

PAE = AUTHENTICATOR

PortControl = AUTO

ControlDirection = Both

HostMode = MULTI_HOST

ReAuthentication = Enabled

QuietPeriod = 60

ServerTimeout = 30

SuppTimeout = 30

ReAuthPeriod = 43200 (Locally configured)

ReAuthMax = 2

MaxReq = 2

TxPeriod = 30

RateLimitPeriod = 1200

Dot1x Authenticator Client List

-------------------------------

Supplicant = 0080.9f60.83f0

Auth SM State = AUTHENTICATED

Auth BEND SM Stat = IDLE

Port Status = AUTHORIZED

ReAuthPeriod = 43200

ReAuthAction = Reauthenticate

TimeToNextReauth = 43157

Authentication Method = Dot1x

Authorized By = Authentication Server

Vlan Policy = N/A

May 5 19:07:38: dot1x-ev:dot1x_exec_reauth_client: Reauthenticating Authenticat

or instance on FastEthernet0/16

May 5 19:07:38: dot1x-ev:Sending create new context event to EAP for 0080.9f60.

83f0

....

May 5 19:09:08: dot1x-ev:dot1x_exec_reauth_client: Reauthenticating Authenticat

or instance on FastEthernet0/16

May 5 19:09:08: dot1x-ev:Sending create new context event to EAP for 0080.9f60.

83f

May 5 19:10:38: dot1x-ev:dot1x_exec_reauth_client: Reauthenticating Authenticat

or instance on FastEthernet0/16

May 5 19:10:38: dot1x-ev:Sending create new context event to EAP for 0080.9f60.

83f0

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
smalkeric Thu, 05/10/2007 - 11:28

the reauthentication time can be modified on the AP by using the command "dot1x reauth-period", which will set a re authentication period for the wireless client.

On the other hand the command "dot11 holdoff-time" specify the hold-off time for EAP and MAC authentication. This will affect both authentications,.

lni1 Sat, 05/12/2007 - 09:48

I'm afraid I don't understand your answer. We don't use at all Wireless AP's in this case. We only have a fixed IpPhone directly connected to a switchport ...

lni1 Sun, 07/08/2007 - 09:42

Hello again,

In the meantime we found out that the port-security aging of the mac-address of the IpTel in the native vlan seems to be the trigger for the dot1x reauthentication. This can be checked easily by running a "deb dot1x ev" and a "deb port-sec" at the same time. Moreover if you change the "switchport port-security aging time" you'll see that the dot1x reauthentication period changes also.

As a temporally solution we have set the "switchport port-security aging time" to a high value in order to reduce the number of dot1x reauthentications. We also are investigating the IOS release 12.2.37. It seems that Cisco has changed quite a lot in the dot1x part of this new release ....

Philippe

jafrazie Sun, 07/08/2007 - 12:17

Can I ask what you're attempting to solve with configuring psec along with 802.1X?

This is expected behavior based on the configuration, but isn't typically recommended (due to what you've experienced).

1X is typically a superset of psec anyway.

Let me know more when you get a chance,

bvj197222 Tue, 11/08/2011 - 02:30

Hello,

so 802.1x and port-security configured together for a port is not recommended? In a doc for IOS 12.2.44 I found this;

"A security violation occurs if an additional host is learned on the port. The action taken depends on which feature (802.1X or port security) detects the security violation:

- if port security detects the violation, the action is to shutdown or restrict the port (the action is configurable).

- If 802.1X detects the violation, the action is to err-disable the port.

As far as I know we run single mode. That means that there's no point activating both 802.1x and port-security on one port, as 802.1x default only allows one host pr port unless multi-host mode is activated?

Actions

This Discussion