Critical Authentication VLAN

Answered Question
Jul 10th, 2012
Hello


I have got a problem with the critical authentication VLAN. The connection to the RADIUS server works. If I cut the connection to the server, the Cisco Catalyst moves all new hosts into the critical VLAN.

When the RADIUS server is reachable again, the hosts remain in the critical VLAN for 20 minutes. Why is this so?


Another problem is that, despite "dot1x critical eapol", the switch sends no EAP-Success to the supplicant. The connection manager shows the connection as failed, although it works.

What can that be?



Here are some commands:


(global)
authentication critical recovery delay 2000
dot1x critical eapol
radius-server dead-criteria time 10 tries 3

interface FastEthernet0/1
 switchport mode access
 authentication event server dead action authorize vlan 3000
 authentication event server alive action reinitialize
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout quiet-period 3
 dot1x timeout tx-period




Thanks for the help.


Marco

Tarik Admani Tue, 07/10/2012 - 09:36

Marco,


What version of code and switch are you running this on?


Thanks,

Tarik Admani

Tarik Admani Tue, 07/10/2012 - 12:42

As far as the delay goes, I don't see why it would take 20 minutes before the authentication event is triggered. Can you run a debug radius authentication to capture this event, both when the client gets placed in the critical VLAN and when the RADIUS server is initialized? Also, what are you doing to simulate the server-dead scenario? Are you dropping the port or using an ACL?


Also what client/supplicant are you running on the end station?


Thanks,

Tarik Admani

Marco Serato Tue, 07/10/2012 - 13:27

I can make a trace. I have already analysed the trace. There are no abnormal activities. If the RADIUS server is not available, the port moves all newly authenticated hosts into the critical VLAN. So far everything is normal.

While the port is in the critical VLAN there is no traffic, only STP. And 20 minutes later the switch sends an Access-Request to the RADIUS server, and the RADIUS server authenticates the clients again and moves them into a client VLAN.

I use Windows 7 as the client system.

I think there is a timer, and when the timer expires, the switch sends an authentication request again.

Marco Serato Thu, 07/12/2012 - 06:56

The problem is solved. I used the command that makes the switch generate requests to the RADIUS server: radius-server host test username xyz.


Thanks for help.

Correct Answer
marco.merlo Thu, 09/13/2012 - 09:37

AFAIK the Windows supplicant's default behaviour is to not process any access request from the switch for 20 minutes after getting an explicit Access-Reject. See KB957931 on the MS site: support.microsoft.com/kb/957931. Maybe this applies even when a supplicant request has timed out because of an unresponsive RADIUS server, but I am not sure.

Correct Answer
Tarik Admani Thu, 09/13/2012 - 11:55

Marco,


Good find, I completely forgot to take the RADIUS server dead criteria into play. Here are some settings which you can use to speed up the time if you don't want to use the probe method:


http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/15.0_2_se/configuration/guide/sw8021x.html


It says the default is set to 0; can you verify whether this was set to 20 (radius-server deadtime)?


thanks,



Tarik Admani
*Please rate helpful posts*

Marco Serato Fri, 09/14/2012 - 00:43

Thanks for your answers.

The hotfix has no effect, and the radius-server deadtime is 0.

But I think it can be the right answer for other people.


Thanks.
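
The pieces discussed in this thread (dead-criteria, deadtime, the automated tester Marco enabled, and the critical VLAN actions on the port) fit together as in the following configuration. This is an added example, not Marco's running configuration or anything from the linked Cisco guide; the server address, shared key, probe username, VLAN numbers, idle-time, deadtime and tx-period values are placeholders chosen for illustration.

```cisco
! Added example configuration (not Marco's running config). Server address,
! shared key, probe username and VLAN numbers are placeholders.
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
! Automated tester: the switch periodically sends an Access-Request for
! "probe-user" on its own, so a dead server is detected (and its return
! noticed) without waiting for a real supplicant to authenticate.
! idle-time is in minutes; the default is 60, so a short value bounds how
! long the switch can stay unaware of the server's true state.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 test username probe-user idle-time 5 key EXAMPLE-KEY
!
! Mark the server dead after no reply for 10 seconds across 3 retries, then
! skip it for 5 minutes (deadtime is in minutes; 0 disables skipping).
radius-server dead-criteria time 10 tries 3
radius-server deadtime 5
!
! Critical authentication: wait 2000 ms after the server is seen alive
! before re-initializing critical ports, and send EAPOL-Success to the
! supplicant when a port is authorized into the critical VLAN.
authentication critical recovery delay 2000
dot1x critical eapol
!
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 authentication event server dead action authorize vlan 3000
 authentication event server alive action reinitialize
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout quiet-period 3
 dot1x timeout tx-period 5
```

Two practical notes. First, the probe account does not need to succeed: any answer from the server, Access-Accept or Access-Reject, counts as the server being alive, so either create a harmless account for "probe-user" or expect periodic reject entries in the RADIUS server's log. Second, check what the switch actually believes about the server with `show aaa servers` (state UP or DEAD and the time in that state) and the port with `show authentication sessions interface FastEthernet0/1`; if a server never transitions back to UP while no real clients are authenticating, the tester is not running and the alive action will not fire.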
