15616 Views, 10 Helpful, 7 Replies

802.1x / Radius: Can't reject a user!

Difan Zhao
Level 5

Good afternoon,

I have been struggling with this problem for a while. Basically my Radius server (Linux based Freeradius, not Cisco ACS) sends a Reject packet but the switch (WS-3750-24PS) somehow OVERWRITES the result and authorizes the port!! The following is the debug on the switch:

*Mar  1 00:02:49.877: %LINK-3-UPDOWN: Interface FastEthernet1/0/5, changed state to up

*Mar  1 00:02:50.884: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/5, changed state to up

IDF.100#

*Mar  1 00:02:54.063: %DOT1X-5-FAIL: Authentication failed for client (0014.22fd.dd98) on Interface Fa1/0/5 AuditSessionID AC11FE640000000400028FD9

IDF.100#

*Mar  1 00:02:54.063: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0014.22fd.dd98) on Interface Fa1/0/5 AuditSessionID AC11FE640000000400028FD9

... (repeated another 2 times)

*Mar  1 00:02:57.117: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0014.22fd.dd98) on Interface Fa1/0/5 AuditSessionID AC11FE640000000400028FD9

*Mar  1 00:02:57.117: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (0014.22fd.dd98) on Interface Fa1/0/5 AuditSessionID AC11FE640000000400028FD9

I also captured the packets and I will attach it here as well.

I do know that it hadn't finished a full EAP cycle (I am using PEAP for Win XP clients) and was rejected a little bit earlier. However, based on RFC 3579 the switch should reject the request upon receiving a Reject:

"Reception of a RADIUS Access-Reject packet MUST result in the NAS denying access to the authenticating peer" (Section 2.1 on page 5)

I have also tried firmware 12.2(50) and 12.2(52) and I am currently running the newest 12.2(53) but they behave the same...

Any ideas why it would do that and will there be a fix?

Thank you!


Difan

Accepted Solution

I also had "%DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client"  messages and initially couldn't find what was going on and why this client wouldn't connect or authenticated properly...


But then I figured out that the client with the same MAC was also registered on another switchport that was configured with a "switchport port-security mac-address sticky".

As the device got connected on a 'sticky' port, the MAC address was registered and kept in config and AAA doesn't want to authenticate it again as the MAC is already in the MAC-table. 


>> sh mac address-table | incl <MAC>

see if the MAC is already registered on another port.


7 Replies

KaneGota5
Level 1

Hi zhaodifan

I have installed freeradius on my test box running Gentoo, and I have a Cisco 2960 switch on which I have 802.1x and radius enabled. Bear in mind I am still in the testing phase, using a Win XP SP3 PC as the client.


The idea behind this is that the client will be a "server running any type of OS", then the switch (12.2(53)) and the freeradius server. First the server will be allocated to a specific port (I enabled port security by MAC) and then the switch will be the intermediary between the server and free radius.

My question is how will the server initiate the authentication automatically? Is there some Cisco software I have to install on the server, or a 3rd party package (software)?

Please help if you can; I see you already have an almost similar setup to mine.

I work in a Security Banking environment and we have a PCI project i am part of.

Kane,

If you are using MAC address to authenticate the clients (or your servers), there is nothing you need to install. You need to configure your switch to use the MAC address of the client to authenticate the device. It's called "MAC authentication bypass".

In this case the client will not respond to normal EAP packets (since it doesn't support it) and after a timeout, the switch sends an Access-Request to the radius server with the MAC as BOTH the username and password.

Here is a howto if you are using Freeradius. http://wiki.freeradius.org/Mac-Auth

The configuration on the switch looks like:

interface FastEthernet1/0/1
switchport access vlan 10
switchport mode access
switchport voice vlan 20
authentication event fail action authorize vlan 1
authentication event no-response action authorize vlan 100
authentication host-mode multi-domain
authentication port-control auto
authentication violation protect
mab
dot1x pae authenticator
dot1x timeout tx-period 5
dot1x timeout supp-timeout 5
spanning-tree portfast
end
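The MAB behaviour described above (switch sends one Access-Request with the client's MAC as both User-Name and User-Password) is easy to get wrong on the RADIUS side because different NAS platforms format the MAC differently. The following is an added example, not code from this thread or from FreeRADIUS: a small Python decision function that normalizes the MAC formats a server might receive (Cisco dotted, colon or dash separated, bare hex), checks that User-Name and User-Password agree, cross-checks Calling-Station-Id when present, and only then consults an allowlist. The allowlist contents and the VLAN numbers are constructed for the example.

```python
import re

# Constructed MAB allowlist (hypothetical values): canonical MAC -> VLAN to assign.
# Storing one canonical form means the lookup does not depend on how the NAS
# formatted the address.
MAB_ALLOWLIST = {
    "0014.22fd.dd98": 10,
    "0016.cbaa.0fcb": 9,
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Accept Cisco dotted (0014.22fd.dd98), colon/dash separated, or bare
    12-hex-digit forms and return the canonical Cisco dotted lowercase form.
    Returns None when the string is not a MAC address at all."""
    hexdigits = re.sub(r"[.:\-]", "", raw.strip().lower())
    if not _HEX12.match(hexdigits):
        return None
    return ".".join(hexdigits[i:i + 4] for i in (0, 4, 8))


def mab_authorize(request):
    """Decide on a MAB Access-Request.

    `request` is a dict of RADIUS attributes as the switch sends them
    (User-Name and User-Password both carry the MAC).  Returns
    ("Access-Accept", vlan) or ("Access-Reject", reason)."""
    user = normalize_mac(request.get("User-Name", ""))
    pw = normalize_mac(request.get("User-Password", ""))
    if user is None:
        # Not a MAB request (or a malformed one): never fall through to accept.
        return ("Access-Reject", "User-Name is not a MAC address (not a MAB request)")
    if user != pw:
        return ("Access-Reject", "User-Password does not match User-Name")
    calling = request.get("Calling-Station-Id")
    if calling is not None and normalize_mac(calling) != user:
        # The NAS-reported source MAC should agree with the claimed identity.
        return ("Access-Reject", "Calling-Station-Id disagrees with User-Name")
    vlan = MAB_ALLOWLIST.get(user)
    if vlan is None:
        return ("Access-Reject", "MAC not in MAB allowlist")
    return ("Access-Accept", vlan)


if __name__ == "__main__":
    # Constructed request shaped like a Cisco MAB Access-Request.
    req = {"User-Name": "001422fddd98", "User-Password": "001422fddd98",
           "Calling-Station-Id": "00-14-22-FD-DD-98"}
    print(mab_authorize(req))
```

Keep in mind that MAB is identification, not authentication: anyone who can spoof a listed MAC gets the same result, so the allowlist should be limited to devices that genuinely cannot run a supplicant, and the switch-side `authentication event no-response` fallback VLAN should carry only what those devices need.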

Hi

The commands you gave me I used, but the interface is shut down soon after invoking them.

I have been doing some in-depth studying on AAA radius and there is mention of a method list.

Can you help me with defining an AAA method list for RADIUS authentication? Also, will this method list be the same for Accounting and Authorization? From the research I have done I view a method list as functioning the same way as an access-list; am I correct in doing so?

To define a method list, is it just giving the list a name, say "radmethlist" for example? And how do I view the contents of the list? What command do I issue to view the method list created?

Please assist as I am lost on where I made an error in the configs. I have attached a *.txt file with the commands I used for AAA config after general switch setup.

moomoomoo17
Level 1
Hi zhaodifan, Cisco Guys,

I can confirm the bug; we have the following switch and port config:

Switch Ports Model              SW Version            SW Image                
------ ----- -----              ----------            ----------              
*    1 52    WS-C3560G-48PS     12.2(53)SE2           C3560-IPSERVICESK9-M

interface GigabitEthernet0/39
switchport mode access
authentication event server dead action authorize vlan 9
authentication event no-response action authorize vlan 9
authentication event server alive action reinitialize
authentication port-control auto
authentication periodic
authentication timer reauthenticate 10
dot1x pae authenticator
dot1x timeout tx-period 5
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
end


So, if dot1x is not supported by the client, or the radius server is down, the client should be put in vlan 9!

But sometimes this happens:

Aug 31 12:23:20 172.16.0.24 183428: Aug 31 10:23:20.472: %DOT1X-5-SUCCESS: Authentication successful for client (0016.cbaa.0fcb) on Interface Gi0/39 AuditSessionID AC1000180000276A14BBFD2E
Aug 31 12:23:22 172.16.0.24 183430: Aug 31 10:23:21.496: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0016.cbaa.0fcb) on Interface Gi0/39 AuditSessionID AC1000180000276A14BBFD2E
Aug 31 12:23:51 172.16.0.24 183431: Aug 31 10:23:51.133: %DOT1X-5-FAIL: Authentication failed for client (0016.cbaa.0fcb) on Interface Gi0/39 AuditSessionID AC1000180000276A14BBFD2E
Aug 31 12:23:53 172.16.0.24 183433: Aug 31 10:23:52.164: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0016.cbaa.0fcb) on Interface Gi0/39 AuditSessionID AC1000180000276A14BBFD2E
Aug 31 12:23:53 172.16.0.24 183434: Aug 31 10:23:52.164: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (0016.cbaa.0fcb) on Interface Gi0/39 AuditSessionID AC1000180000276A14BBFD2E

This "Override" results in the client being put in the vlan it was in before the "Authentication failed", and even worse:

It stays there forever! No reauthentication takes place after the "Override" whatsoever.

What does %DOT1X-5-RESULT_OVERRIDE mean? How and why is it triggered?!

Cisco, take this seriously!
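Both log excerpts in this thread (the 3750 console output in the original post and the syslog-relayed 3560G lines above) show the same sequence: %DOT1X-5-FAIL for a session, then %AUTHMGR-5-SUCCESS and %DOT1X-5-RESULT_OVERRIDE for the same AuditSessionID. A reject that the switch silently turns into an authorization is exactly the kind of event a defender wants surfaced rather than discovered later. The following is an added example, not code from the thread: a Python parser for these IOS messages and a detector that flags every session whose most recent dot1x result was FAIL but which was nonetheless authorized with an override. The sample log is constructed from the lines posted in this thread; the message-format regex is an assumption based on those lines.

```python
import re

# Constructed sample, modelled on the two log excerpts in this thread: one
# from the 3750 console (no syslog prefix), one relayed via syslog (prefix).
SAMPLE_LOG = """\
*Mar  1 00:02:49.877: %LINK-3-UPDOWN: Interface FastEthernet1/0/5, changed state to up
*Mar  1 00:02:54.063: %DOT1X-5-FAIL: Authentication failed for client (0014.22fd.dd98) on Interface Fa1/0/5 AuditSessionID AC11FE640000000400028FD9
*Mar  1 00:02:54.063: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0014.22fd.dd98) on Interface Fa1/0/5 AuditSessionID AC11FE640000000400028FD9
*Mar  1 00:02:57.117: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0014.22fd.dd98) on Interface Fa1/0/5 AuditSessionID AC11FE640000000400028FD9
*Mar  1 00:02:57.117: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (0014.22fd.dd98) on Interface Fa1/0/5 AuditSessionID AC11FE640000000400028FD9
Aug 31 12:23:20 172.16.0.24 183428: Aug 31 10:23:20.472: %DOT1X-5-SUCCESS: Authentication successful for client (0016.cbaa.0fcb) on Interface Gi0/39 AuditSessionID AC1000180000276A14BBFD2E
Aug 31 12:23:22 172.16.0.24 183430: Aug 31 10:23:21.496: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0016.cbaa.0fcb) on Interface Gi0/39 AuditSessionID AC1000180000276A14BBFD2E
Aug 31 12:23:51 172.16.0.24 183431: Aug 31 10:23:51.133: %DOT1X-5-FAIL: Authentication failed for client (0016.cbaa.0fcb) on Interface Gi0/39 AuditSessionID AC1000180000276A14BBFD2E
Aug 31 12:23:53 172.16.0.24 183433: Aug 31 10:23:52.164: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0016.cbaa.0fcb) on Interface Gi0/39 AuditSessionID AC1000180000276A14BBFD2E
Aug 31 12:23:53 172.16.0.24 183434: Aug 31 10:23:52.164: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (0016.cbaa.0fcb) on Interface Gi0/39 AuditSessionID AC1000180000276A14BBFD2E
"""

# Matches the %FACILITY-SEVERITY-MNEMONIC and the client/interface/session
# fields of the DOT1X and AUTHMGR messages shown above (assumed format).
LINE_RE = re.compile(
    r"%(?P<msg>[A-Z0-9]+-\d-[A-Z_]+):.*?client \((?P<mac>[0-9a-f.]+)\) "
    r"on Interface (?P<iface>\S+) AuditSessionID (?P<sid>[0-9A-Fa-f]+)"
)


def parse_line(line):
    """Return a dict with msg/mac/iface/sid for a dot1x/authmgr client line,
    or None for lines without a client and session (e.g. LINK-3-UPDOWN)."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def find_overridden_rejects(log_text):
    """Return one finding per session whose most recent dot1x result was FAIL
    and which the switch then authorized anyway (AUTHMGR-5-SUCCESS followed
    by DOT1X-5-RESULT_OVERRIDE).  Findings are ordered as they occur."""
    last_dot1x = {}    # session id -> "FAIL" or "SUCCESS"
    authorized = set()  # sessions with an AUTHMGR-5-SUCCESS after the last FAIL
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        sid, msg = ev["sid"], ev["msg"]
        if msg == "DOT1X-5-FAIL":
            last_dot1x[sid] = "FAIL"
            authorized.discard(sid)   # a fail invalidates earlier authorization
        elif msg == "DOT1X-5-SUCCESS":
            last_dot1x[sid] = "SUCCESS"
        elif msg == "AUTHMGR-5-SUCCESS":
            authorized.add(sid)
        elif msg == "DOT1X-5-RESULT_OVERRIDE":
            if last_dot1x.get(sid) == "FAIL" and sid in authorized:
                findings.append({"sid": sid, "mac": ev["mac"], "iface": ev["iface"]})
    return findings


if __name__ == "__main__":
    for f in find_overridden_rejects(SAMPLE_LOG):
        print("override after reject: session %(sid)s client %(mac)s on %(iface)s" % f)
```

Each finding is a port to go and look at. Run against the constructed sample it reports both sessions from this thread. The first thing to check on a flagged port, per the accepted solution here, is whether the same MAC is already held by port-security on another interface (sh mac address-table | incl <MAC>); the other triggers mentioned later in the thread are an ACL name or VLAN in the RADIUS reply that is not defined on the switch.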


IT-Servicedesk, Thanks for contributing.

Even though I am not in the Cisco IOS platform team, I've seen "%DOT1X-5-RESULT_OVERRIDE" often enough. It means that it is not meeting the local configuration. You found one of the triggers. The ones I often encounter are that the ACL name (e.g. REDIRECT ACL) does not match any defined in the switch configuration, or the VLAN passed down from ISE is not defined.

Encountered this hair-pulling challenge, only to find out after reading this that a redirect ACL was not properly configured on the switch.
