Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8534
Views
0
Helpful
8
Replies

Critical Authentication VLAN

Go to solution
Marco Serato
Level 1
Level 1

‎07-10-2012 06:28 AM - edited ‎03-10-2019 07:17 PM

Hello

I have got a problem with the critical authentication vlan. The connection to the radius-server works. If I cut the connection to the server, then moves the cisco cathalyst all new hosts in the critical vlan.

When the radius-server is reachable again, the hosts will remain for 20 minutes in the critical VLAN. Why is this so?

And another problem is that despite the switch "dot1x critical EAPOL" sends no eap-success to the supplicant. The connection manager shows the compound to have failed, although it works.

What can that be?

Her some commands:

(global)

authentication critical recovery delay 2000

dot1x critical eapol

radius-server dead-criteria time 10 tries 3

interface FastEthernet0/1

switchport mode access

authentication event server dead action authorize vlan 3000

authentication event server alive action reinitialize

authentication port-control auto

  dot1x pae authenticator

dot1x timeout quiet-period 3

dot1x timeout tx-period

Thanks for the help.

Marco

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
marco.merlo
Level 1
Level 1
In response to Tarik Admani

‎09-13-2012 09:37 AM

Afaik windows supplicant default behaviour is to not process any access request from the switch during  20 minutes after getting an explicit access-reject. See kb957931 on ms site support.microsoft.com/kb/957931. May be this applies even when a supplicant request has got timed-out because of an un-responsive radius server, but I am not sure.

View solution in original post

0 Helpful

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni
In response to marco.merlo

‎09-13-2012 11:55 AM

Marco,

Good find, I completely forgot to take the radius server dead criteria into play. Here are some settings which you can use to speed up the time if you dont want to use the probe method:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/15.0_2_se/configuration/guide/sw8021x.html

It says the default is set to 0, can you verify to see if this was set to 20 (radius-server deadtime)?

thanks,

Tarik Admani
*Please rate helpful posts*

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni

‎07-10-2012 09:36 AM

Marco,

What version of code  and switch are you running this on?

Thanks,

Tarik Admani

0 Helpful

Go to solution
Marco Serato
Level 1
Level 1
In response to Tarik Admani

‎07-10-2012 10:02 AM

I use IOS 12.2.(55)SE1.

0 Helpful

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni
In response to Marco Serato

‎07-10-2012 12:42 PM

As far as the delay I dont see why it would take 20 minutes before the authentication even is triggered. Can you run a debug radius authentication to capture this event. Both when the client gets placed in the critical vlan and then when the radius server is initiailized. Also what are you doing to simulate the server dead scenario? Are you dropping the port or using an ACL?

Also what client/supplicant are you running on the end station?

Thanks,

Tarik Admani

0 Helpful

Go to solution
Marco Serato
Level 1
Level 1
In response to Tarik Admani

‎07-10-2012 01:27 PM

I can make a trace. I have already analyse the trace. There is no abnormal activities. If the radius is not available, the port moves all new authenticated hosts in the critical vlan. So far everything is normal.

While the port is in the critical vlan, there is no traffic, only stp. And 20 minutes later the switch sends an access-request to the radius. And the radius authenticate the client again and move them in a client-vlan.

I use Windows 7 as client system.

I think there is a timer. And if the timer exceeded, the switch sends an authentication again.

0 Helpful

Go to solution
Marco Serato
Level 1
Level 1
In response to Marco Serato

‎07-12-2012 06:56 AM

The problem is solved. I used the command, that the switch generate requests for the radius: radius-server host test username xyz.

Thanks for help.

0 Helpful

Go to solution
marco.merlo
Level 1
Level 1
In response to Tarik Admani

‎09-13-2012 09:37 AM

Afaik windows supplicant default behaviour is to not process any access request from the switch during  20 minutes after getting an explicit access-reject. See kb957931 on ms site support.microsoft.com/kb/957931. May be this applies even when a supplicant request has got timed-out because of an un-responsive radius server, but I am not sure.

0 Helpful

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni
In response to marco.merlo

‎09-13-2012 11:55 AM

Marco,

Good find, I completely forgot to take the radius server dead criteria into play. Here are some settings which you can use to speed up the time if you dont want to use the probe method:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/15.0_2_se/configuration/guide/sw8021x.html

It says the default is set to 0, can you verify to see if this was set to 20 (radius-server deadtime)?

thanks,

Tarik Admani
*Please rate helpful posts*

0 Helpful

Go to solution
Marco Serato
Level 1
Level 1

‎09-14-2012 12:43 AM

Thanks for your answers.

The hotfix does not bring an effect. And the radius-server deadtime = 0.

But I think it can be the right answer for other people.

Thanks.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents