802.1x accounting does not reflect correct port status
I've just discovered an issue when trying to use the MSFT supplicant with Cisco 802.1x accounting. This makes 802.1x accounting completely unusable.
1. The MSFT supplicant does not send EAPOL-Logoff messages and there's no way to enable this (btw, the Aegis client does not send it either, except when disabling the interface).
2. I am doing machine authentication along with domain authentication.
3. Windows XP SP2 is used with EAP registry hacks applied.
4. PEAP/MS-CHAPv2 method is used.
Now when the computer is started, it is logged into 802.1x with the 'host/machine' account and a RADIUS Accounting Start is sent by the switch. That's fine.
When a user logs on with their 'domain\user' identity, an EAPOL-Start is sent from the host, triggering a new EAP message exchange, and the user is authenticated correctly. However, the switch sends Interim Accounting still using the 'host/machine' credentials, which is obviously wrong.
Even more bizarre accounting happens when the user subsequently logs off from the machine. The EAPOL-Start is sent from the host, triggering a new authentication process for the 'host/machine' identity, and the host is authenticated ok. The accounting being sent is:
- first Accounting Stop for 'host/machine' User-Name
- then strange Interim Accounting with most attributes empty or missing
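
A way to flag the three symptoms described in the post from the RADIUS server side, as an added example that is not part of the original post. The event tuples, the port name `Fa0/1`, the session ID and the idea of correlating accounting with the last accepted authentication per port are assumptions made for illustration; the sample data is constructed.

```python
# Constructed events (not a real capture): (time, kind, port, attrs).
# kind "auth" = successful authentication for that NAS port,
# kind "acct" = an Accounting-Request from the switch.
EVENTS = [
    (1, "auth", "Fa0/1", {"User-Name": "host/machine"}),
    (2, "acct", "Fa0/1", {"Acct-Status-Type": "Start",
                          "Acct-Session-Id": "0001", "User-Name": "host/machine"}),
    (3, "auth", "Fa0/1", {"User-Name": "domain\\user"}),
    (4, "acct", "Fa0/1", {"Acct-Status-Type": "Interim-Update",
                          "Acct-Session-Id": "0001", "User-Name": "host/machine"}),
    (5, "auth", "Fa0/1", {"User-Name": "host/machine"}),
    (6, "acct", "Fa0/1", {"Acct-Status-Type": "Stop",
                          "Acct-Session-Id": "0001", "User-Name": "host/machine"}),
    (7, "acct", "Fa0/1", {"Acct-Status-Type": "Interim-Update",
                          "Acct-Session-Id": "0001"}),
]

REQUIRED = ("User-Name", "Acct-Session-Id")  # minimum needed to attribute a record


def audit(events):
    """Return (time, port, finding) tuples for inconsistent accounting records."""
    last_auth = {}  # port -> identity of the most recent successful authentication
    closed = set()  # (port, session id) pairs that already received a Stop
    findings = []
    for t, kind, port, attrs in sorted(events, key=lambda e: e[0]):
        if kind == "auth":
            last_auth[port] = attrs["User-Name"]
            continue
        status = attrs.get("Acct-Status-Type")
        user = attrs.get("User-Name")
        sid = attrs.get("Acct-Session-Id")
        missing = [a for a in REQUIRED if not attrs.get(a)]
        if missing:
            findings.append((t, port, "missing " + ",".join(missing)))
        if status == "Interim-Update" and (port, sid) in closed:
            findings.append((t, port, "interim after stop"))
        # A Stop may legitimately close the previous identity's session.
        if status != "Stop" and user and last_auth.get(port) not in (None, user):
            findings.append((t, port, "identity mismatch: acct=%s auth=%s"
                             % (user, last_auth[port])))
        if status == "Stop":
            closed.add((port, sid))
    return findings


if __name__ == "__main__":
    for finding in audit(EVENTS):
        print(finding)
```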