Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3124
Views
0
Helpful
5
Replies

Dot1x reauthentication happens every 90 seconds

lni1
Level 1
Level 1

‎05-05-2007 09:43 AM - edited ‎03-10-2019 03:08 PM

Hi,

We activated dot1x authentication on a WS-C3560-24PS port (IOS 12.2(25) -several subversions) for the authentication of an IpTel. After the successful authentication we see in the ACS logs (and with a dot1x debug) that this client is reauthenticated every 90 seconds, despite the fact that we configured the reauth-period very high. Even if we disable the reauthentication on this port, the reauthentication continues every 90 seconds.

Does anyone knows how we can stop this ?

Thanks in advance,

Philippe

**********

hsatriu29#sh running int fa0/6

interface FastEthernet0/6

switchport access vlan 234

switchport mode access

switchport voice vlan 851

switchport port-security maximum 3

switchport port-security

switchport port-security aging time 1

switchport port-security aging type inactivity

dot1x pae authenticator

dot1x port-control auto

dot1x host-mode multi-host

dot1x timeout reauth-period 43200

dot1x timeout ratelimit-period 1200

dot1x reauthentication

spanning-tree portfast

end

hsatriu29#sh deb

dot1x:

Dot1x events debugging is on

hsatriu29#sh dot1x int fa0/6 det

Dot1x Info for FastEthernet0/6

-----------------------------------

PAE = AUTHENTICATOR

PortControl = AUTO

ControlDirection = Both

HostMode = MULTI_HOST

ReAuthentication = Enabled

QuietPeriod = 60

ServerTimeout = 30

SuppTimeout = 30

ReAuthPeriod = 43200 (Locally configured)

ReAuthMax = 2

MaxReq = 2

TxPeriod = 30

RateLimitPeriod = 1200

Dot1x Authenticator Client List

-------------------------------

Supplicant = 0080.9f60.83f0

Auth SM State = AUTHENTICATED

Auth BEND SM Stat = IDLE

Port Status = AUTHORIZED

ReAuthPeriod = 43200

ReAuthAction = Reauthenticate

TimeToNextReauth = 43157

Authentication Method = Dot1x

Authorized By = Authentication Server

Vlan Policy = N/A

May 5 19:07:38: dot1x-ev:dot1x_exec_reauth_client: Reauthenticating Authenticat

or instance on FastEthernet0/16

May 5 19:07:38: dot1x-ev:Sending create new context event to EAP for 0080.9f60.

83f0

....

May 5 19:09:08: dot1x-ev:dot1x_exec_reauth_client: Reauthenticating Authenticat

or instance on FastEthernet0/16

May 5 19:09:08: dot1x-ev:Sending create new context event to EAP for 0080.9f60.

83f

May 5 19:10:38: dot1x-ev:dot1x_exec_reauth_client: Reauthenticating Authenticat

or instance on FastEthernet0/16

May 5 19:10:38: dot1x-ev:Sending create new context event to EAP for 0080.9f60.

83f0

Labels:
0 Helpful
5 Replies 5

smalkeric
Level 6
Level 6

‎05-10-2007 11:28 AM

the reauthentication time can be modified on the AP by using the command "dot1x reauth-period", which will set a re authentication period for the wireless client.

On the other hand the command "dot11 holdoff-time" specify the hold-off time for EAP and MAC authentication. This will affect both authentications,.

0 Helpful

lni1
Level 1
Level 1
In response to smalkeric

‎05-12-2007 09:48 AM

I'm afraid I don't understand your answer. We don't use at all Wireless AP's in this case. We only have a fixed IpPhone directly connected to a switchport ...

0 Helpful

lni1
Level 1
Level 1
In response to lni1

‎07-08-2007 09:42 AM

Hello again,

In the meantime we found out that the port-security aging of the mac-address of the IpTel in the native vlan seems to be the trigger for the dot1x reauthentication. This can be checked easily by running a "deb dot1x ev" and a "deb port-sec" at the same time. Moreover if you change the "switchport port-security aging time" you'll see that the dot1x reauthentication period changes also.

As a temporally solution we have set the "switchport port-security aging time" to a high value in order to reduce the number of dot1x reauthentications. We also are investigating the IOS release 12.2.37. It seems that Cisco has changed quite a lot in the dot1x part of this new release ....

Philippe

0 Helpful

jafrazie
Cisco Employee
Cisco Employee
In response to lni1

‎07-08-2007 12:17 PM

Can I ask what you're attempting to solve with configuring psec along with 802.1X?

This is expected behavior based on the configuration, but isn't typically recommended (due to what you've experienced).

1X is typically a superset of psec anyway.

Let me know more when you get a chance,

0 Helpful

bvj197222
Level 1
Level 1
In response to jafrazie

‎11-08-2011 02:30 AM

Hello,

so 802.1x and port-security configured together for a port is not recommended? In a doc for IOS 12.2.44 I found this;

"A security violation occurs if an additional host is learned on the port. The action taken depends on which feature (802.1X or port security) detects the security violation:

- if port security detects the violation, the action is to shutdown or restrict the port (the action is configurable).

- If 802.1X detects the violation, the action is to err-disable the port.

As far as I know we run single mode. That means that there's no point activating both 802.1x and port-security on one port, as 802.1x default only allows one host pr port unless multi-host mode is activated?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents