802.1x Bug in Switch IOS ??

Answered Question
Dec 21st, 2007

Seems to me IOS does not work as the documentation states when handling dot1x authentication. I believe the latest 12.2 IOS should not reauthenticate a client if the MAC address has not changed (with dot1x reauth disabled, of course). However, I have tested this and it seems the switch always sends EAPOL even if I use the same PC on the same port. Is this a bug?

jafrazie (Cisco Employee) Fri, 12/21/2007 - 08:32

Could I see the config on the port?


Is this a switch-initiated re-auth, or a client-initiated re-auth?


I gather you're not expecting the re-auth, right?

armonk_netdesk Fri, 12/21/2007 - 09:40

Here is the port config:

    interface FastEthernet2/5
     switchport access vlan 135
     switchport mode access
     logging event link-status
     dot1x pae authenticator
     dot1x port-control auto
     dot1x control-direction in
     dot1x auth-fail vlan 444
     dot1x guest-vlan 176
     spanning-tree portfast

Looks like the switch wants to reauth after the client goes into sleep mode.

jafrazie (Cisco Employee) Fri, 12/21/2007 - 09:44

OK, thanks for the info.


The switch probably wants to re-auth after the client goes into sleep mode because the link is bouncing on your port (and probably comes back up) when you put it to sleep.


So, it's not a "re-auth". From the switch perspective, it's as if you unplugged the cable, then plugged it back in. Except that when you plug it back in, of course, the machine is asleep, so it won't answer the requests from the switch.


This is exactly why you need the following command though:

    dot1x control-direction in


So you can send a WoL frame from the network to wake the machine back up if you need to. If the port never went down, or a supplicant never sends an EAPOL-Logoff to the switch, the port would remain authorized, so you wouldn't need the command to begin with.


Hope this info helps, but it seems like expected behavior unless I'm missing something,



armonk_netdesk Fri, 12/21/2007 - 10:11

You are exactly right. Just annoying that the client gets moved to the Guest VLAN when it goes into sleep mode.


In the dot1x IOS document it says a MAC history is kept on the port. What would this be for if not to keep the same client authenticated?

Correct Answer
jafrazie (Cisco Employee) Fri, 12/21/2007 - 10:27

There's nothing that can be done about this. I'm not even sure what "MAC history" means, but if the port goes down, it's cleared anyway.


Now, I may have a workaround for you here: MAC-Auth-Bypass (MAB). MAB authenticates machines that cannot speak 1X by their MAC address. If it fails and you also have the Guest-VLAN turned on, the port will go into the Guest-VLAN anyway (to support backward compatibility). From a processing perspective, MAB is attempted after 1X, but before the Guest-VLAN (which just authorizes a port blindly).


What this means for your scenario here is that if you enable MAB, you can put a machine to sleep (which will bounce the port). 802.1X will time out (since your machine is asleep). Then, MAB will kick in and initiate. However, it will be hung there until the device sends traffic, and if it's asleep it won't be sending any. This way, the port doesn't go into the Guest-VLAN when going to sleep, and you can wake the machine up from whatever VLAN is configured natively on the port.


Hope this helps,



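The workaround from the answer above, written out as an added port configuration (editor's example, not posted in the thread): armonk_netdesk's FastEthernet2/5 config with MAB enabled. The global AAA/RADIUS setup is assumed to already exist, and the RADIUS address is a placeholder.

```ios
! Added example: the FastEthernet2/5 port from this thread with MAB enabled.
! Assumes the global dot1x/AAA setup is already in place, along the lines of:
!   aaa new-model
!   aaa authentication dot1x default group radius
!   dot1x system-auth-control
!   radius-server host 192.0.2.10 key <shared-secret>   (placeholder address)
! MAB sends the client MAC as username and password, so the RADIUS server must
! have that MAC registered. A MAC address can be cloned, so a MAB-authorized
! host deserves less trust (and a tighter VLAN/ACL) than an 802.1X-authenticated one.
interface FastEthernet2/5
 switchport access vlan 135
 switchport mode access
 logging event link-status
 dot1x pae authenticator
 dot1x port-control auto
 ! Keep egress open while unauthorized so a WoL frame can reach a sleeping host.
 dot1x control-direction in
 dot1x auth-fail vlan 444
 dot1x guest-vlan 176
 ! Order of attempts on link-up: 802.1X, then MAB, then guest VLAN.
 ! A sleeping host sends no frames, so MAB never completes and the port
 ! stays out of the guest VLAN instead of being blindly authorized into it.
 dot1x mac-auth-bypass
 spanning-tree portfast
```

After the change, `show dot1x interface FastEthernet2/5 details` shows whether MAB is enabled on the port and which method (1X or MAB) authorized the current session.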
armonk_netdesk Fri, 12/21/2007 - 12:40

Thanks for the work-around - that's awesome. We were going to enable MAB for our printers anyway.


Thanks again!
