
Dot1x NAC reauthentication issue

cheaseung
Level 1

Hi,

I set up a test lab with the NAC Dot1x framework, and I am facing an issue whereby the port keeps repeatedly triggering reauthentication, although the next reauthentication is not yet reached. I tried configuring re-authperiod to use local rather than the RADIUS server, or even disabling reauthentication, but the result is still the same.

My lab is using a Cat3560, even upgraded with the latest IOS version c3560-advipservicesk9-mz.122-40.SE, but it is still the same.

When I run show dot1x interface detail, I notice the next re-auth is still a lot of seconds away, but all of a sudden the port just reauthenticated, whereby the CAT detail shows status reauthenticating.

CAT version 2.1.103.o with supplicant bundle.

I even tried to modify the ctad.ini SQTimer, and all this makes no difference.

thx

5 Replies 5

jafrazie
Cisco Employee

Can you verify the source of your unexpected re-auth?

If it's the supplicant, you'll see an EAPOL-Start on the wire to initiate it (or maybe an EAPOL-Logoff, but unlikely).

If it's the switch, you'll see an EAPOL-Id-Request frame on the wire from the switch to the supplicant to initiate it.

Thanks,

Hi jafrazie,

I didn't see an EAPOL-Start or EAPOL-Logoff request in the debug dot1x packet output.

In debug dot1x all, it shows:

.Sep 15 12:16:43: dot1x-ev:dot1x_exec_reauth_client: Reauthenticating Authenticator instance on GigabitEthernet0/41

.Sep 15 12:16:43: dot1x-sm:Posting REAUTHENTICATE on Client=31CC01C

.Sep 15 12:16:43: dot1x_auth Gi0/41: during state auth_authenticated, got event 18(reAuthenticate)

.Sep 15 12:16:43: @@@ dot1x_auth Gi0/41: auth_authenticated -> auth_restart

.Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_authenticated_exit called

.Sep 15 12:16:43: dot1x-sm:dot1x_auth_stop_reauth_timer called for 000b.db1b.9eac

.Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_restart_enter called

.Sep 15 12:16:43: dot1x-ev:Sending create new context event to EAP for 000b.db1b.9eac

.Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_authenticated_restart_action called

.Sep 15 12:16:43: dot1x-sm:Posting !EAP_RESTART on Client=31CC01C

.Sep 15 12:16:43: dot1x_auth Gi0/41: during state auth_restart, got event 6(no_eapRestart)

.Sep 15 12:16:43: @@@ dot1x_auth Gi0/41: auth_restart -> auth_connecting

.Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_connecting_enter called

.Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_restart_connecting_action called

.Sep 15 12:16:43: dot1x-packet:Received an EAP request packet from EAP for mac 000b.db1b.9eac

.Sep 15 12:16:43: dot1x-sm:Posting RX_REQ on Client=31CC01C

.Sep 15 12:16:43: dot1x_auth Gi0/41: during state auth_connecting, got event 11(eapReq_no_reAuthMax)

.Sep 15 12:16:43: @@@ dot1x_auth Gi0/41: auth_connecting -> auth_authenticating

.Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_authenticating_enter called

.Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_connecting_authenticating_action called

.Sep 15 12:16:43: dot1x-sm:Posting AUTH_START on Client=31CC01C

It is the switch itself that generates the re-auth.

What could cause this?

Could it be something wrong with my config? I did try without NAC, just purely dot1x authentication with original WinXP SP2, and it is still the same.

thx,

LIMCS

Your psec configuration is most likely tripping a re-auth on you every minute. You could set the aging criteria to inactivity, or ..

I would humbly recommend disabling psec in this scenario. 1X itself will limit the port to only a single MAC anyway, and there's no such thing as aging for it really .. after all, that's why you might want re-auth to begin with.

Hope this helps,
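
Added example, not part of the original thread and not Cisco tooling: a Python check that pulls the switch-initiated re-auth events out of `debug dot1x all` output and reports intervals shorter than the configured re-auth period. The timestamps in the sample are constructed, the 3600-second period is an assumed value, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the thread's "Reauthenticating Authenticator instance"
# line repeated with made-up timestamps; other debug lines are ignored.
SAMPLE_LOG = """\
.Sep 15 12:14:43: dot1x-ev:dot1x_exec_reauth_client: Reauthenticating Authenticator instance on GigabitEthernet0/41
.Sep 15 12:14:43: dot1x-sm:Posting REAUTHENTICATE on Client=31CC01C
.Sep 15 12:15:43: dot1x-ev:dot1x_exec_reauth_client: Reauthenticating Authenticator instance on GigabitEthernet0/41
.Sep 15 12:16:43: dot1x-ev:dot1x_exec_reauth_client: Reauthenticating Authenticator instance on GigabitEthernet0/41
.Sep 15 12:16:43: dot1x_auth Gi0/41: during state auth_authenticated, got event 18(reAuthenticate)
"""

REAUTH = re.compile(
    r"^[.*]?(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}): dot1x-ev:dot1x_exec_reauth_client: "
    r"Reauthenticating Authenticator instance on (?P<intf>\S+)"
)

def reauth_times(log_text):
    """Return {interface: [datetime, ...]} for switch-initiated re-auth events."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = REAUTH.match(line.strip())
        if m:
            # The debug timestamp has no year; 2000 is an arbitrary placeholder.
            ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
            events[m["intf"]].append(ts)
    return dict(events)

def early_reauths(log_text, reauth_period_s):
    """Return {interface: [interval_s, ...]} for re-auths that fired before the period."""
    findings = {}
    for intf, times in reauth_times(log_text).items():
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        early = [g for g in gaps if g < reauth_period_s]
        if early:
            findings[intf] = early
    return findings

if __name__ == "__main__":
    # 3600 s is an assumed re-auth period; use the value from your own config.
    for intf, gaps in early_reauths(SAMPLE_LOG, 3600).items():
        print(f"{intf}: re-auth after {gaps} s, configured period 3600 s")
```

A steady interval far below the re-auth period, such as the 60 seconds in the constructed sample, points at a timer other than the dot1x re-auth timer, which is the pattern the reply above attributes to port-security aging.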

Hey jafrazie,

Thanks a lot, you are so great.

Thank you, man. I solved my issue )))
