802.1x Bug in Switch IOS ??

armonk_netdesk
Level 1

Seems to me IOS does not work as documentation states when handling dot1x authentication. I believe the latest 12.2 IOS should not reauthenticate a client if the MAC address has not changed (with dot1x reauth disabled of course). However I have tested this and it seems the switch always sends EAPOL even if I use same PC on the same port. Is this a bug?


6 Replies

jafrazie
Cisco Employee

Could I see the config on the port?

Is this a switch-initiated re-auth, or a client-initiated re-auth?

I gather you're not expecting the re-auth, right?

Here is the port config....

interface FastEthernet2/5
 switchport access vlan 135
 switchport mode access
 logging event link-status
 dot1x pae authenticator
 dot1x port-control auto
 dot1x control-direction in
 dot1x auth-fail vlan 444
 dot1x guest-vlan 176
 spanning-tree portfast

Looks like the switch wants to reauth after the client goes into sleep mode.

OK, thanks for the info.

The switch probably wants to re-auth after the client goes into sleep mode b/c link is bouncing on your port (and probably comes back up) when you put it to sleep.

So, it's not a "re-auth". From the switch perspective, it's as if you unplugged the cable, then plugged it back in. Except that when you plug it back in, of course, the machine is asleep, so it won't answer the requests from the switch.

This is exactly why you need the following command though:

dot1x control-direction in

So you can send a WoL frame from the network to wake the machine back up if you need to. If the port never went down, or a supplicant never sends an EAPOL-Logoff to the switch, the port would remain authorized, so you wouldn't need the command to begin with.

Hope this info helps, but it seems like expected behavior unless I'm missing something,

You are exactly right. Just annoying that the client gets moved to Guest Vlan when it goes into sleep mode.

In the dot1x IOS document it says a MAC history is kept on the port. What would this be for if not to keep the same client authenticated?

There's nothing that can be done about this. I'm not even sure what "MAC history" means, but if the port goes down, it's cleared anyway.

Now, I may have a workaround for you here. MAC-Auth-Bypass (MAB). MAB authenticates machines that cannot speak 1X by their MAC address. If it fails and you also have the Guest-VLAN turned on, the port will go into the Guest-VLAN anyway (to support backward compatibility). From a processing perspective, MAB is attempted after 1X, but before the Guest-VLAN (which just authorizes a port blindly).

What this means for your scenario here is that if you enable MAB, you can put a machine to sleep (which will bounce the port). 802.1X will time out (since your machine is asleep). Then, MAB will kick in and initiate. However, it will be hung there until the device sends traffic, and if it's asleep it won't be sending any. This way, the port doesn't go into the Guest-VLAN when going to sleep, and you can wake the machine up from whatever VLAN is configured natively on the port.

Hope this helps,
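As an added illustration (not part of the original thread), here is the port config from above shown before and after the MAB workaround described in this answer. It assumes global AAA/RADIUS and dot1x system-auth-control are already configured on the switch and that the RADIUS server holds the client's MAC address as a MAB user; the "!" lines are explanatory comments only.

```ios
! Added example, not from the thread. Assumes global AAA/RADIUS and
! "dot1x system-auth-control" are already in place, and that the RADIUS
! server knows the client's MAC address as a MAB user.
!
! BEFORE: host sleeps -> link bounces -> 802.1X times out (no supplicant
! answers) -> no MAB configured -> port is authorized straight into the
! guest VLAN (176). The host wakes up in the wrong VLAN.
interface FastEthernet2/5
 switchport access vlan 135
 switchport mode access
 logging event link-status
 dot1x pae authenticator
 dot1x port-control auto
 dot1x control-direction in
 dot1x auth-fail vlan 444
 dot1x guest-vlan 176
 spanning-tree portfast
!
! AFTER: MAB runs after the 802.1X timeout and before the guest VLAN.
! A sleeping host sends no frames, so MAB has no source MAC to look up and
! the port stays parked (unauthorized) on the native access VLAN (135)
! instead of falling into 176. Because control-direction is "in", the
! switch still forwards traffic *to* the host, so a WoL frame gets through.
! A host that does send frames but whose MAC fails MAB still ends up in
! the guest VLAN, as described in the answer.
interface FastEthernet2/5
 switchport access vlan 135
 switchport mode access
 logging event link-status
 dot1x pae authenticator
 dot1x port-control auto
 dot1x control-direction in
 dot1x mac-auth-bypass
 dot1x auth-fail vlan 444
 dot1x guest-vlan 176
 spanning-tree portfast
```

After applying the change, show dot1x interface FastEthernet2/5 lets you confirm that the port is sitting unauthorized on VLAN 135 while the host is asleep rather than authorized in the guest VLAN.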

Thanks for the work-around - that's awesome. We were going to enable MAB for our printers anyway.

Thanks again!
