New Member

ACS Failed Authentication - Confusing

I am having some confusion currently while looking into devices that fail authentication through the ACS.  When looking at the reporting tool for the ACS I see a device (Dell laptop) show up on the same switch port with around 900 failed authentication attempts per day.  I follow that up with a check on the MAC address table for that switch.  I see devices connected (through a hub), but not the one that is failing.  On the switch port there is the hub, 2 Dell laptops (but not the one getting logged in the ACS) and a VTC unit.

To add to the confusion, only the VTC unit shows an IP on the ARP table of the firewall.  Not sure where to go from here.

1 ACCEPTED SOLUTION

Accepted Solutions

ACS Failed Authentication - Confusing

Robert,

I missed your question before; the answer is yes, when authentication fails the client is not entered in the MAC address table, since that would allow traffic to be forwarded. Dot1x (MAB) is an L2 authentication framework which doesn't allow the MAC address to be learned until we see the access-accept from the RADIUS server.

So if the client authentication is expected to fail then everything is ok as far as your deployment goes and the behavior of the switch.

Tarik Admani
*Please rate helpful posts*
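A check for the behaviour Tarik describes, added here as an example and not part of the thread: correlate "show authentication sessions" with "show mac address-table" for the port, so that a failed MAB session absent from the MAC table is reported as expected while any other mismatch is flagged. The two outputs below are constructed sample text modelled on the 12.2(55)SE format, not Robert's attachment.

```python
import re

# Constructed sample "show authentication sessions interface Gi1/0/12" output
# for a multi-auth MAB port (trimmed to the fields used here; not real device output).
SESSIONS = """\
            Interface:  GigabitEthernet1/0/12
          MAC Address:  0011.2233.4455
               Status:  Authz Success
          Vlan Policy:  200
Runnable methods list:
       Method   State
       mab      Authc Success

            Interface:  GigabitEthernet1/0/12
          MAC Address:  00aa.bbcc.ddee
               Status:  Authz Failed
          Vlan Policy:  N/A
Runnable methods list:
       Method   State
       mab      Authc Failed
"""

# Constructed sample "show mac address-table interface Gi1/0/12" output.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 200    0011.2233.4455    DYNAMIC     Gi1/0/12
"""

def parse_sessions(text):
    """Return {mac: (status, vlan_policy)}; one block per session in multi-auth mode."""
    sessions = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        mac = re.search(r"MAC Address:\s+(\S+)", block)
        status = re.search(r"^\s*Status:\s+(.+)$", block, re.M)
        vlan = re.search(r"Vlan Policy:\s+(\S+)", block)
        if mac and status:
            sessions[mac.group(1)] = (status.group(1).strip(), vlan.group(1) if vlan else "N/A")
    return sessions

def parse_mac_table(text):
    """Return {mac: vlan} for every learned entry (header and rule lines do not match)."""
    pat = r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\w+"
    return {m.group(2): m.group(1) for m in re.finditer(pat, text, re.M | re.I)}

def correlate(sessions, mac_table):
    """A failed session with no MAC entry is the normal dot1x/MAB outcome; anything else is flagged."""
    report = {}
    for mac, (status, vlan) in sessions.items():
        learned = mac in mac_table
        if status == "Authz Failed":
            report[mac] = "expected-unlearned" if not learned else "anomaly-learned-but-failed"
        else:
            report[mac] = "ok" if learned and mac_table[mac] == vlan else "anomaly-success-not-learned"
    for mac in mac_table.keys() - sessions.keys():
        report[mac] = "anomaly-learned-without-session"
    return report
```

Run `correlate(parse_sessions(SESSIONS), parse_mac_table(MAC_TABLE))` against the real outputs for the port to see which of Robert's five sessions is the unlearned failed MAB one.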

10 REPLIES

ACS Failed Authentication - Confusing

Robert,

Can you post the port configuration? If you are running newer code you may be running authentication host mode single. Try running the command "authentication host-mode multi-auth"

Here is some reference material when it comes to the different host modes:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/50sg/configuration/guide/dot1x.html#wp1240475

Thanks,

Tarik Admani
*Please rate helpful posts*

New Member

ACS Failed Authentication - Confusing

Port configuration:

interface GigabitEthernet1/0/12
     switchport access vlan 2
     switchport mode access
     authentication control-direction in
     authentication host-mode multi-auth
     authentication port-control auto
     mab

Will look at the reference material also, thanks.

ACS Failed Authentication - Confusing

Robert,

What is the failure reason? Also, are you using dynamic vlan assignment?

Can you post the "show authentication sessions interface gig 1/0/12"

thanks,

Tarik Admani
*Please rate helpful posts*

New Member

Re: ACS Failed Authentication - Confusing

Output attached with MAC table for that port (no paste option?).

5 sessions on the interface, only 4 MACs show on the address table.  Does the failed MAB session not get shown on the table?

We do use dynamic vlan assignment.

Re: ACS Failed Authentication - Confusing

Robert,

Are you on vlan 2 or vlan 200? Are you using dynamic vlan assignment?

Thanks,

Tarik Admani
*Please rate helpful posts*

New Member

Re: ACS Failed Authentication - Confusing

The ports are set up in vlan 2; on passing authentication they get moved over to vlan 200.

ACS Failed Authentication - Confusing

Robert,

What version of code and model of switch are you running?

Thanks,

Tarik Admani
*Please rate helpful posts*

New Member

ACS Failed Authentication - Confusing

It's a 2960S switch running 12.2(55)SE5.

New Member

ACS Failed Authentication - Confusing

That's what I needed to know, thanks.  It's disappointing though...
