05-05-2007 09:43 AM - edited 03-10-2019 03:08 PM
Hi,
We activated dot1x authentication on a WS-C3560-24PS port (IOS 12.2(25) -several subversions) for the authentication of an IpTel. After the successful authentication we see in the ACS logs (and with a dot1x debug) that this client is reauthenticated every 90 seconds, despite the fact that we configured the reauth-period very high. Even if we disable the reauthentication on this port, the reauthentication continues every 90 seconds.
Does anyone know how we can stop this?
Thanks in advance,
Philippe
**********
hsatriu29#sh running int fa0/6
interface FastEthernet0/6
switchport access vlan 234
switchport mode access
switchport voice vlan 851
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-host
dot1x timeout reauth-period 43200
dot1x timeout ratelimit-period 1200
dot1x reauthentication
spanning-tree portfast
end
hsatriu29#sh deb
dot1x:
Dot1x events debugging is on
hsatriu29#sh dot1x int fa0/6 det
Dot1x Info for FastEthernet0/6
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = MULTI_HOST
ReAuthentication = Enabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 43200 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 1200
Dot1x Authenticator Client List
-------------------------------
Supplicant = 0080.9f60.83f0
Auth SM State = AUTHENTICATED
Auth BEND SM Stat = IDLE
Port Status = AUTHORIZED
ReAuthPeriod = 43200
ReAuthAction = Reauthenticate
TimeToNextReauth = 43157
Authentication Method = Dot1x
Authorized By = Authentication Server
Vlan Policy = N/A
May 5 19:07:38: dot1x-ev:dot1x_exec_reauth_client: Reauthenticating Authenticator instance on FastEthernet0/16
May 5 19:07:38: dot1x-ev:Sending create new context event to EAP for 0080.9f60.83f0
....
May 5 19:09:08: dot1x-ev:dot1x_exec_reauth_client: Reauthenticating Authenticator instance on FastEthernet0/16
May 5 19:09:08: dot1x-ev:Sending create new context event to EAP for 0080.9f60.83f
May 5 19:10:38: dot1x-ev:dot1x_exec_reauth_client: Reauthenticating Authenticator instance on FastEthernet0/16
May 5 19:10:38: dot1x-ev:Sending create new context event to EAP for 0080.9f60.83f0
05-10-2007 11:28 AM
The reauthentication time can be modified on the AP by using the command "dot1x reauth-period", which will set a reauthentication period for the wireless client.
On the other hand, the command "dot11 holdoff-time" specifies the hold-off time for EAP and MAC authentication. This will affect both authentications.
05-12-2007 09:48 AM
I'm afraid I don't understand your answer. We don't use Wireless APs at all in this case. We only have a fixed IpPhone directly connected to a switchport ...
07-08-2007 09:42 AM
Hello again,
In the meantime we found out that the port-security aging of the MAC address of the IpTel in the native VLAN seems to be the trigger for the dot1x reauthentication. This can be checked easily by running a "deb dot1x ev" and a "deb port-sec" at the same time. Moreover, if you change the "switchport port-security aging time" you'll see that the dot1x reauthentication period changes as well.
As a temporary solution we have set the "switchport port-security aging time" to a high value in order to reduce the number of dot1x reauthentications. We are also investigating IOS release 12.2.37. It seems that Cisco has changed quite a lot in the dot1x part of this new release ....
Philippe
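To turn the symptom described above into a check rather than eyeballing debug output, here is an added Python example (my code, not from the thread or from Cisco) that parses the "deb dot1x ev" trigger lines quoted earlier, computes the interval between reauthentications per port, and flags it when it is far below the configured reauth-period and within range of the port-security aging time. The sample log, the year, the thresholds and the function names are my assumptions.

```python
import re
from datetime import datetime

# Constructed sample (assumption): the three reauth trigger lines quoted in the
# thread, re-joined onto single lines, plus one EAP line that the parser ignores.
SAMPLE_LOG = """\
May 5 19:07:38: dot1x-ev:dot1x_exec_reauth_client: Reauthenticating Authenticator instance on FastEthernet0/16
May 5 19:07:38: dot1x-ev:Sending create new context event to EAP for 0080.9f60.83f0
May 5 19:09:08: dot1x-ev:dot1x_exec_reauth_client: Reauthenticating Authenticator instance on FastEthernet0/16
May 5 19:10:38: dot1x-ev:dot1x_exec_reauth_client: Reauthenticating Authenticator instance on FastEthernet0/16
"""

REAUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}): dot1x-ev:dot1x_exec_reauth_client: "
    r"Reauthenticating Authenticator instance on (?P<port>\S+)$"
)

def parse_reauth_events(log_text, year=2007):
    """Return {port: [datetime, ...]} of reauth events in log order (year is assumed)."""
    events = {}
    for line in log_text.splitlines():
        m = REAUTH_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.setdefault(m["port"], []).append(ts)
    return events

def reauth_intervals(timestamps):
    """Seconds elapsed between consecutive reauths of one port."""
    return [int((b - a).total_seconds()) for a, b in zip(timestamps, timestamps[1:])]

def check_reauth_rate(log_text, reauth_period_s, psec_aging_min=None):
    """Per port: shortest observed interval, whether it is far below the configured
    dot1x reauth-period, and (heuristic) whether it tracks port-security aging."""
    findings = {}
    for port, stamps in parse_reauth_events(log_text).items():
        intervals = reauth_intervals(stamps)
        if not intervals:
            continue
        observed = min(intervals)
        anomalous = observed < reauth_period_s // 2       # threshold is an assumption
        note = "ok"
        if anomalous:
            note = "reauth interval far below configured reauth-period"
            # In the thread 1 min aging gave ~90 s reauths: flag when within 2x of aging.
            if psec_aging_min is not None and observed <= 2 * psec_aging_min * 60:
                note += "; tracks port-security aging time, compare with 'deb port-sec'"
        findings[port] = {"observed_s": observed, "anomalous": anomalous, "note": note}
    return findings
```

Run it against the switch's logged debug output with the ReAuthPeriod and aging time from "sh dot1x int ... det" and the running config; a hit means the reauth storm comes from the aging timer, not from the dot1x timers.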
07-08-2007 12:17 PM
Can I ask what you're attempting to solve with configuring psec along with 802.1X?
This is expected behavior based on the configuration, but isn't typically recommended (due to what you've experienced).
1X is typically a superset of psec anyway.
Let me know more when you get a chance,
11-08-2011 02:30 AM
Hello,
so 802.1x and port-security configured together on a port is not recommended? In a doc for IOS 12.2.44 I found this:
"A security violation occurs if an additional host is learned on the port. The action taken depends on which feature (802.1X or port security) detects the security violation:
- If port security detects the violation, the action is to shut down or restrict the port (the action is configurable).
- If 802.1X detects the violation, the action is to err-disable the port."
As far as I know we run single mode. That means that there's no point activating both 802.1x and port-security on one port, as 802.1x by default only allows one host per port unless multi-host mode is activated?