12-21-2007 08:16 AM - edited 03-09-2019 07:42 PM
Seems to me IOS does not work as the documentation states when handling dot1x authentication. I believe the latest 12.2 IOS should not reauthenticate a client if the MAC address has not changed (with dot1x reauth disabled, of course). However, I have tested this and it seems the switch always sends EAPOL even if I use the same PC on the same port. Is this a bug?
12-21-2007 08:32 AM
Could I see the config on the port?
Is this a switch-initiated re-auth, or a client-initiated re-auth?
I gather you're not expecting the re-auth, right?
12-21-2007 09:40 AM
Here is the port config....
interface FastEthernet2/5
switchport access vlan 135
switchport mode access
logging event link-status
dot1x pae authenticator
dot1x port-control auto
dot1x control-direction in
dot1x auth-fail vlan 444
dot1x guest-vlan 176
spanning-tree portfast
Looks like the switch wants to reauth after the client goes into sleep mode.
12-21-2007 09:44 AM
OK, thanks for the info.
The switch probably wants to re-auth after the client goes into sleep mode because link is bouncing on your port (and probably comes back up) when you put it to sleep.
So, it's not a "re-auth". From the switch perspective, it's as if you unplugged the cable, then plugged it back in. Except that when you plug it back in, of course, the machine is asleep, so it won't answer the requests from the switch.
This is exactly why you need the following command though:
dot1x control-direction in
So you can send a WoL frame from the network to wake the machine back up if you need to. If the port never went down, or the supplicant never sent an EAPOL-Logoff to the switch, the port would remain authorized, so you wouldn't need the command to begin with.
Hope this info helps, but it seems like expected behavior unless I'm missing something,
12-21-2007 10:11 AM
You are exactly right. Just annoying that the client gets moved to the Guest VLAN when it goes into sleep mode.
In the dot1x IOS document it says a MAC history is kept on the port. What would this be for if not to keep the same client authenticated?
12-21-2007 10:27 AM
There's nothing that can be done about this. I'm not even sure what "MAC history" means, but if the port goes down, it's cleared anyway.
Now, I may have a workaround for you here: MAC-Auth-Bypass (MAB). MAB authenticates machines that cannot speak 1X by their MAC address. If it fails and you also have the Guest-VLAN turned on, the port will go into the Guest-VLAN anyway (to support backward compatibility). From a processing perspective, MAB is attempted after 1X, but before the Guest-VLAN (which just authorizes a port blindly).
What this means for your scenario here is that if you enable MAB, you can put a machine to sleep (which will bounce the port). 802.1X will time out (since your machine is asleep). Then, MAB will kick in and initiate. However, it will be hung there until the device sends traffic, and if it's asleep it won't be sending any. This way, the port doesn't go into the Guest-VLAN when going to sleep, and you can wake the machine up from whatever VLAN is configured natively on the port.
Hope this helps,
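The port configuration from earlier in the thread with the workaround applied, as an added example rather than anything posted in the thread. It assumes IOS 12.2 syntax for the interface-level MAB command and keeps the original VLAN numbers; the RADIUS server, the MAC entries it holds and the interface name are the thread's, not verified here.

```cisco
interface FastEthernet2/5
 switchport access vlan 135
 switchport mode access
 logging event link-status
 dot1x pae authenticator
 dot1x port-control auto
 ! allow WoL frames out of the port while it is unauthorized
 dot1x control-direction in
 ! added: after 802.1X times out, try the host's MAC address against RADIUS
 ! before the port would otherwise fall through to the guest VLAN.
 ! MAB cannot start until the host sends a frame, so a sleeping PC stays on
 ! VLAN 135 instead of being moved to VLAN 176.
 dot1x mac-auth-bypass
 dot1x auth-fail vlan 444
 dot1x guest-vlan 176
 spanning-tree portfast
```

After a link bounce, `show dot1x interface FastEthernet2/5 details` shows the port still unauthorized and waiting for MAB rather than authorized into the guest VLAN; that is the state the workaround relies on. Two caveats a practitioner should weigh: the authorization still happens when the PC wakes and sends its first frame, so whether it lands in VLAN 135 or the guest VLAN then depends on whether RADIUS knows that MAC, and a MAC address is trivially spoofable, so any MAC you add to RADIUS for MAB authorizes anything on the wire that presents it.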
12-21-2007 12:40 PM
Thanks for the work-around - that's awesome. We were going to enable MAB for our printers anyway.
Thanks again!