Cisco Support Community

802.1x multiple sessions with same LOGIN+MAC on single-host port

We have 802.1x with a RADIUS server.
A C2960 is configured to allow only one device per port, with no MAC bypass and no critical auth.

From time to time a user seems to get multiple authentications on a single port with a single MAC address.

So we get several sessions on the port with the same login and MAC (but different session IDs).
The command "dot1x re-auth int" doesn't clear those sessions. Neither does "force-unauthorized" or "shut/no shut". The only thing that helps is rebooting the switch.

This happens with different users.

Anybody seen this issue?

IOS 12.2(46)SE

2 REPLIES

802.1x multiple sessions with same LOGIN+MAC on single-host port

Could you please post your config and also "show authentication session" and "show dot1x detail"?

802.1x multiple sessions with same LOGIN+MAC on single-host port

Sure. I tried to keep it short.

Config for 802.1x-aaa:

!
aaa new-model
!
!
aaa group server radius default
  server X.X.X.X auth-port 12345 acct-port 12346
!
aaa authentication login default group radius enable
aaa authentication dot1x default group radius
aaa authorization exec default group radius if-authenticated
aaa authorization network default local group radius
aaa authorization reverse-access default group radius
aaa accounting suppress null-username
aaa accounting update periodic 1
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting system default start-stop group radius
!
!
aaa session-id common
!
dot1x system-auth-control
!
!
!
interface FastEthernet0/48
 switchport access vlan 1398
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode shutdown
 spanning-tree portfast
 spanning-tree link-type point-to-point
!
!
radius-server attribute 44 include-in-access-req
radius-server attribute 44 extend-with-addr
radius-server attribute 188 format non-standard
radius-server attribute 218 mandatory
radius-server attribute 32 include-in-accounting-req format %i %h %d
radius-server attribute 55 include-in-acct-req
radius-server attribute list att
 attribute 30-31,44
!
radius-server host X.X.X.X auth-port 12345 acct-port 12346 key keykeykey
radius-server vsa send accounting
!

sh dot1x int fa 0/48 det

Dot1x Info for FastEthernet0/48
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
Violation Mode            = SHUTDOWN
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0

Dot1x Authenticator Client List Empty

Port Status               = UNAUTHORIZED

And right now, while the port is UNAUTHORIZED, we have 2 sessions as follows:

sh aaa user all

--------------------------------------------------
Unique id 34974 is currently in use.
Accounting:
  log=0x208241
  Events recorded :
    CALL START
    ATTR REPLACE
    NET UP
    INTERIM START
    VPDN NET UP
  update method(s) :
    PERIODIC
  update interval = 60
  Outstanding Stop Records : 0
  Dynamic attribute list:
    0244DC34 0 00000001 connect-progress(44) 4 Auth Open
    0244DC48 0 00000001 pre-session-time(272) 4 0(0)
    0244DC5C 0 00000001 elapsed_time(339) 4 4828941(49AF0D)
    0244DC70 0 00000001 input-giga-words(111) 4 2(2)
    0244DC84 0 00000001 output-giga-words(250) 4 8(8)
    024A8C10 0 00000001 bytes_in(112) 4 119041621(7186E55)
    024A8C24 0 00000001 bytes_out(252) 4 3588031221(D5DD02F5)
    024A8C38 0 00000001 pre-bytes-in(268) 4 7373(1CCD)
    024A8C4C 0 00000001 pre-bytes-out(269) 4 8204(200C)
    024A8C60 0 00000001 paks_in(113) 4 45940138(2BCFDAA)
    024A8CB0 0 00000001 paks_out(253) 4 46979788(2CCDACC)
    024A8CC4 0 00000001 pre-paks-in(270) 4 68(44)
    024A8CD8 0 00000001 pre-paks-out(271) 4 61(3D)
  No data for type EXEC
  No data for type CONN
  NET: Username=(n/a)
    Session Id=000088AD Unique Id=0000889E
    Start Sent=0 Stop Only=N
    stop_has_been_sent=N
    Method List=0
    Attribute list:
      024CAA00 0 00000001 session-id(336) 4 34989(88AD)
      024CAA14 0 00000001 start_time(342) 4 Jan 23 2012 16:22:08
--------
  No data for type CMD
  No data for type SYSTEM
  No data for type RM CALL
  No data for type RM VPDN
  No data for type AUTH PROXY
  8: Username=157102
    Session Id=000088AD Unique Id=0000889E
    Start Sent=1 Stop Only=N
    stop_has_been_sent=N
    Method List=226B3E4 : Name = default
    Attribute list:
      0244DB94 0 00000001 session-id(336) 4 34989(88AD)
      0244DBA8 0 00000001 start_time(342) 4 Jan 23 2012 16:22:08
      0244DBBC 0 00000009 audit-session-id(599) 24 0AC5010200001C45A5C67429
--------
  No data for type IPSEC-TUNNEL
  No data for type RESOURCE
  No data for type 11
  No data for type 12
  No data for type CALL
  No data for type VPDN-TUNNEL
  No data for type VPDN-TUNNEL-LINK
Debg: No data available
Radi: 2032FD8
Interface:
  TTY Num = -1
  Stop Received = 0
  Byte/Packet Counts till Call Start:
    Start Bytes In = 993512241     Start Bytes Out = 3867828098
    Start Paks  In = 23586320      Start Paks  Out = 28511581
  Byte/Packet Counts till Service Up:
    Pre Bytes In = 993519614     Pre Bytes Out = 3867836302
    Pre Paks  In = 23586388      Pre Paks  Out = 28511642
  Cumulative Byte/Packet Counts :
    Bytes In = 1112561235    Bytes Out = 3160900227
    Paks  In = 69526526      Paks  Out = 75491430
  StartTime = 16:22:08 GMT+5 Jan 23 2012
  AuthenTime = 16:22:08 GMT+5 Jan 23 2012
  Component = DOT1X
Authen: service=8021X type=EAP method=RADIUS
Kerb: No data available
Meth: No data available
PreA: No data available
General:
  Unique Id = 0000889E
  Session Id = 000088AD
  Attribute List:
    024A8C10 0 00000001 port-type(174) 4 Ethernet
    024A8C24 0 00000009 interface(170) 16 FastEthernet0/48
    024A8C38 0 00000009 dnis(50) 17 00-18-B9-F5-5B-30
    024A8C4C 0 00000009 clid(37) 17 48-5B-39-EA-26-7C
PerU: No data available

--------------------------------------------------
Unique id 34976 is currently in use.
Accounting:
  log=0x10000208241
  Events recorded :
    CALL START
    ATTR REPLACE
    NET UP
    INTERIM START
    VPDN NET UP
    SESSION INFO
  update method(s) :
    PERIODIC
  update interval = 60
  Outstanding Stop Records : 0
  Dynamic attribute list:
    024CAA00 0 00000001 connect-progress(44) 4 Auth Open
    024CAA14 0 00000001 pre-session-time(272) 4 2(2)
    024CAA28 0 00000001 elapsed_time(339) 4 4828961(49AF21)
    024CAA3C 0 00000001 input-giga-words(111) 4 2(2)
    024CAA50 0 00000001 output-giga-words(250) 4 8(8)
    024CAAA0 0 00000001 bytes_in(112) 4 119021816(71820F8)
    024CAAB4 0 00000001 bytes_out(252) 4 3588011179(D5DCB4AB)
    024CAAC8 0 00000001 pre-bytes-in(268) 4 6219(184B)
    024CAADC 0 00000001 pre-bytes-out(269) 4 7005(1B5D)
    024CAAF0 0 00000001 paks_in(113) 4 45939933(2BCFCDD)
    0244DB94 0 00000001 paks_out(253) 4 46979618(2CCDA22)
    0244DBA8 0 00000001 pre-paks-in(270) 4 59(3B)
    0244DBBC 0 00000001 pre-paks-out(271) 4 51(33)
  No data for type EXEC
  No data for type CONN
  NET: Username=(n/a)
    Session Id=000088AF Unique Id=000088A0
    Start Sent=0 Stop Only=N
    stop_has_been_sent=N
    Method List=0
    Attribute list:
      024A8C10 0 00000001 session-id(336) 4 34991(88AF)
      024A8C24 0 00000001 start_time(342) 4 Jan 23 2012 16:22:18
--------
  No data for type CMD
  No data for type SYSTEM
  No data for type RM CALL
  No data for type RM VPDN
  No data for type AUTH PROXY
  8: Username=157102
    Session Id=000088AF Unique Id=000088A0
    Start Sent=1 Stop Only=N
    stop_has_been_sent=N
    Method List=226B3E4 : Name = default
    Attribute list:
      024CAA00 0 00000001 session-id(336) 4 34991(88AF)
      024CAA14 0 00000001 start_time(342) 4 Jan 23 2012 16:22:18
      024CAA28 0 00000009 audit-session-id(599) 24 0AC5010200001C49A5C6990F
--------
  No data for type IPSEC-TUNNEL
  No data for type RESOURCE
  No data for type 11
  No data for type 12
  No data for type CALL
  No data for type VPDN-TUNNEL
  No data for type VPDN-TUNNEL-LINK
Debg: No data available
Radi: 2032F58
Interface:
  TTY Num = -1
  Stop Received = 0
  Byte/Packet Counts till Call Start:
    Start Bytes In = 993533200     Start Bytes Out = 3867849339
    Start Paks  In = 23586534      Start Paks  Out = 28511761
  Byte/Packet Counts till Service Up:
    Pre Bytes In = 993539419     Pre Bytes Out = 3867856344
    Pre Paks  In = 23586593      Pre Paks  Out = 28511812
  Cumulative Byte/Packet Counts :
    Bytes In = 1112561235    Bytes Out = 3160900227
    Paks  In = 69526526      Paks  Out = 75491430
  StartTime = 16:22:18 GMT+5 Jan 23 2012
  AuthenTime = 16:22:19 GMT+5 Jan 23 2012
  Component = DOT1X
Authen: service=8021X type=EAP method=RADIUS
Kerb: No data available
Meth: No data available
PreA: No data available
General:
  Unique Id = 000088A0
  Session Id = 000088AF
  Attribute List:
    0244DB94 0 00000001 port-type(174) 4 Ethernet
    0244DBA8 0 00000009 interface(170) 16 FastEthernet0/48
    0244DBBC 0 00000009 dnis(50) 17 00-18-B9-F5-5B-30
    0244DBD0 0 00000009 clid(37) 17 48-5B-39-EA-26-7C
PerU: No data available

--------------------------------------------------

PS. I have no "show authentication" command.
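An added example, not code from the thread: a small Python parser that reads records in the shape of the "show aaa user all" output above (the sample input below is constructed from that output, trimmed to the lines the parser needs), groups them by interface, calling-station MAC (clid) and username, and flags any port that holds more than one session id for the same MAC and user, which is the stale-session condition this post describes. It lets an operator poll this output periodically and alert instead of discovering the duplicates by hand.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the "show aaa user all" output above,
# cut down to the lines the parser needs.
SAMPLE = """\
--------------------------------------------------
  NET: Username=(n/a)
  8: Username=157102
    Session Id=000088AD Unique Id=0000889E
    024A8C24 0 00000009 interface(170) 16 FastEthernet0/48
    024A8C4C 0 00000009 clid(37) 17 48-5B-39-EA-26-7C
--------------------------------------------------
  8: Username=157102
    Session Id=000088AF Unique Id=000088A0
    0244DBA8 0 00000009 interface(170) 16 FastEthernet0/48
    0244DBD0 0 00000009 clid(37) 17 48-5B-39-EA-26-7C
--------------------------------------------------
"""

# Field extractors; the Username line is the numbered per-type entry
# ("8: Username=..."), not the "NET: Username=(n/a)" placeholder.
FIELDS = {
    "user": re.compile(r"^\s*\d+: Username=(\S+)", re.M),
    "session_id": re.compile(r"Session Id=([0-9A-Fa-f]+)"),
    "interface": re.compile(r"interface\(170\) \d+ (\S+)"),
    "mac": re.compile(r"clid\(37\) \d+ (\S+)"),
}
SEP = re.compile(r"^-{20,}$", re.M)

def parse_sessions(text):
    """One dict per AAA session record; records sit between dashed separators."""
    sessions = []
    for chunk in SEP.split(text):
        if "Session Id=" not in chunk:
            continue
        rec = {}
        for name, rx in FIELDS.items():
            hit = rx.search(chunk)
            rec[name] = hit.group(1) if hit else None
        sessions.append(rec)
    return sessions

def find_duplicates(sessions):
    """Return (interface, mac, user) groups holding more than one session id."""
    groups = defaultdict(set)
    for s in sessions:
        if s["interface"] and s["mac"] and s["session_id"]:
            groups[(s["interface"], s["mac"], s["user"])].add(s["session_id"])
    return {key: sorted(sids) for key, sids in groups.items() if len(sids) > 1}
```

Feeding the real command output into parse_sessions works the same way, since the parser only looks at the separator, Username, Session Id, interface and clid lines.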
