auth-fail vlan won't support re-authentication

bert.lefevre
Level 1

We're using ACS 1113 Appliance with ACS version 4.1.4.13. Via the RADIUS attributes, clients are re-authenticated every 16 hours. The machine cache is set to 12 hours. This means that, if the user doesn't log off within 16 hours, he will be denied network access because of Machine Access Restriction (which is normal).

The problem is, at this point, the SSC client keeps trying and trying to authenticate. It never stops trying until the user logs off or reboots (sometimes this can take days to weeks, e.g. on vacation). This results in a log entry every 4 seconds (because of the timeout tx-period setting) for every user that is in the MAR. Now you can imagine that, in an environment with 4000 users, the logs become unusable because of the enormous amount of (unnecessary) failed-attempt entries.

I've tried the following dot1x attributes on the switchport but they don't seem to work:

dot1x max-req 3

dot1x max-reauth-req 3

I was hoping they would stop the authentication attempts after 3 unsuccessful tries, but it doesn't help.

Then I thought I found a solution: the auth-fail vlan. Then we have only 3 logs before the port falls into auth-fail, which is much better.

But, once he is in the auth-fail vlan, he never gets out! I thought that, if the user logs off, the network connection is closed, so at that point the machine authentication would be triggered. But he just stays in the auth-fail vlan until rebooted or the cable is removed. Isn't there any way to trigger the authentication when the user is logged off?

2 Replies

aghaznavi
Level 5

Check if the "Default connection timeout" and "Default Association Timeout" values are configured properly in the client policy. Also check for the "max start" value in the connection settings for 802.1x. http://www.cisco.com/en/US/docs/wireless/wlan_adapter/secure_client/5.1/administration/guide/C2_SetupSSC.html#wp1056892

jafrazie
Cisco Employee

The only way out of the Auth-Fail-VLAN is an EAPOL-Logoff frame, or a link down, or a locally configured re-authentication on the port.

Hope this helps,

Either way, you could look into using EEM as a means to shut the port down hard after X number of failures are realized, and to leave the port down for a certain time before it's brought back up.
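The third way out that jafrazie names, a re-authentication timer configured on the switch port itself, is the one that addresses the original question without waiting for an EAPOL-Logoff or a link down. The port configuration below is an added example, not taken from the thread or from any Cisco document: it shows the auth-fail VLAN with a bounded number of failures and a local re-authentication period, in the 12.2-era `dot1x` command syntax that matches an ACS 4.1 deployment. The interface name, VLAN numbers and timer values are assumptions chosen for illustration.

```text
! Added example: edge port with auth-fail VLAN and switch-driven re-authentication.
! Interface, VLAN ids and timers are assumed values, not from the thread.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 dot1x port-control auto
 ! Failed EAP exchanges allowed before the port is moved into the auth-fail VLAN.
 ! Three failures gives the "only 3 logs" behaviour described in the question.
 dot1x auth-fail max-attempts 3
 ! Restricted VLAN for hosts that failed; assumed VLAN 999, isolated from production.
 dot1x auth-fail vlan 999
 ! Locally configured re-authentication: the switch itself starts a new EAP
 ! exchange when the period expires, also while the port sits in the auth-fail VLAN.
 ! Once the user has logged off, the supplicant answers with the machine
 ! credential and the port leaves VLAN 999 on the next successful pass.
 dot1x reauthentication
 dot1x timeout reauth-period 900
 ! Spacing of retried EAP-Request/Identity frames while the supplicant is silent
 ! (the question's 4-second log interval comes from a much shorter value here).
 dot1x timeout tx-period 30
```

Two caveats: a local `reauth-period` replaces the 16-hour Session-Timeout the thread currently pushes from RADIUS, so pick a value with that in mind (keeping `dot1x timeout reauth-period server` keeps the RADIUS value, but then the 16-hour wait also applies inside the auth-fail VLAN). And while the user is still logged on, every expiry produces up to `max-attempts` further failure entries before the port falls back into VLAN 999, so the logging volume is bounded per period rather than eliminated. The port state can be checked with `show dot1x interface GigabitEthernet1/0/1 details`, which reports whether the port is currently in the auth-fail VLAN and how much of the re-authentication period remains.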
