dot1x AAA fail policy and related timers

As per the AAA fail policy, or Inaccessible Authentication Bypass, switches detect AAA server unreachability and allow access to the hosts on critical ports. Cisco documentation says one can configure 'radius-server dead-criteria' and 'radius-server deadtime' to decide when a RADIUS server is considered unreachable. However, my observation is different.

Timeouts under the radius server host configuration take priority over the dead-criteria. If this is expected, I believe the documentation should be corrected, or at the least mention this. If not, I would like to understand how the following timers affect the AAA fail policy functionality. The documentation doesn't seem to be very clear on this.

1) radius server ABC
      timeout t1
      retransmit n1

2) radius-server dead-criteria time t2 tries n2

3) port specific -
      dot1x timeout server-timeout t3

For my testing I used

t1 = 60s, n1 = 5
t2 = 3s, n2 = 3
t3 = 100s

I understand these timers aren't ideal, but just to understand the effect of each clearly I used slightly wide-ranging timers. With the RADIUS server unreachable all along, from the time the first RADIUS Access-Request was sent, it took

- 23s to detect RADIUS being down - %RADIUS-4-RADIUS_DEAD: RADIUS server 10.240.165.39:1645,1646 is not responding.
- 118s to decide the authentication result

Also, a result of 'timeout' (see the debugs below; I expected 'server dead' and thereby the AAA fail policy being applied) suggests there is some other timer which got reset, causing AuthMgr to 'declare' the result. I'm not able to find what that timer is, and these timeout values don't quite add up.

*Mar  1 00:20:39.844: %SYS-5-CONFIG_I: Configured from console by test on vty0 (149.77.160.208)
*Mar  1 00:20:41.094: dot1x-packet(Fa0/9): queuing an EAPOL pkt on Auth Q
*Mar  1 00:20:41.094: EAPOL pak dump Tx
*Mar  1 00:20:41.094: EAPOL Version: 0x3  type: 0x0  length: 0x0005
*Mar  1 00:20:41.094: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
*Mar  1 00:20:41.094: dot1x-packet(Fa0/9): EAPOL packet sent to client 0x46000006 (0000.0000.0000)
*Mar  1 00:20:41.094: dot1x-packet(Fa0/9): Received an EAPOL frame
*Mar  1 00:20:41.102: %AUTHMGR-5-START: Starting 'dot1x' for client (0023.ae71.2d0b) on Interface Fa0/9 AuditSessionID 0AF0A173000000060012F006
*Mar  1 00:20:41.102: EAPOL pak dump Tx
*Mar  1 00:20:41.102: EAPOL Version: 0x3  type: 0x0  length: 0x0005
*Mar  1 00:20:41.102: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
*Mar  1 00:20:41.102: dot1x-packet(Fa0/9): EAPOL packet sent to client 0x46000006 (0023.ae71.2d0b)
*Mar  1 00:20:41.119: dot1x-packet(Fa0/9): Queuing an EAPOL pkt on Authenticator Q
*Mar  1 00:20:41.119: dot1x-packet(Fa0/9): Received an EAPOL frame
*Mar  1 00:20:41.119: dot1x-packet(Fa0/9): Received an EAP packet
*Mar  1 00:20:41.119: EAPOL pak dump rx
*Mar  1 00:20:41.119: EAPOL Version: 0x1  type: 0x0  length: 0x001F
*Mar  1 00:20:41.119: dot1x-packet(Fa0/9): Received an EAP packet from 0023.ae71.2d0b
*Mar  1 00:20:41.119: RADIUS/ENCODE(00000015):Orig. component type = Dot1X
*Mar  1 00:20:41.119: RADIUS(00000015): Config NAS IP: 0.0.0.0
*Mar  1 00:20:41.119: RADIUS(00000015): Config NAS IPv6: ::
*Mar  1 00:20:41.119: RADIUS/ENCODE: Best Local IP-Address 10.240.161.115 for Radius-Server 10.240.165.39
*Mar  1 00:20:41.119: RADIUS(00000015): Send Access-Request to 10.240.165.39:1645 id 1645/29, len 268
*Mar  1 00:20:41.119: RADIUS(00000015): Sending a IPv4 Radius Packet
*Mar  1 00:20:41.119: RADIUS(00000015): Started 60 sec timeout
*Mar  1 00:20:41.119: dot1x-packet(Fa0/9): Queuing an EAPOL pkt on Authenticator Q
*Mar  1 00:20:41.119: dot1x-packet(Fa0/9): Received an EAPOL frame
*Mar  1 00:20:41.119: dot1x-packet(Fa0/9): Received an EAP packet
*Mar  1 00:20:41.119: EAPOL pak dump rx
*Mar  1 00:20:41.119: EAPOL Version: 0x1  type: 0x0  length: 0x001F
*Mar  1 00:20:41.119: dot1x-packet(Fa0/9): Received an EAP packet from 0023.ae71.2d0b
*Mar  1 00:20:41.329: %LINK-3-UPDOWN: Interface FastEthernet0/9, changed state to up
*Mar  1 00:20:42.336: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/9, changed state to up
*Mar  1 00:20:59.113: dot1x-packet(Fa0/9): queuing an EAPOL pkt on Auth Q
*Mar  1 00:20:59.113: dot1x-packet(Fa0/9): Received an EAPOL frame
*Mar  1 00:20:59.113: dot1x-packet(Fa0/9): Received an EAPOL-Start packet
*Mar  1 00:20:59.113: EAPOL pak dump rx
*Mar  1 00:20:59.113: EAPOL Version: 0x1  type: 0x1  length: 0x0000
*Mar  1 00:20:59.121: EAPOL pak dump Tx
*Mar  1 00:20:59.121: EAPOL Version: 0x3  type: 0x0  length: 0x0005
*Mar  1 00:20:59.121: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
*Mar  1 00:20:59.121: dot1x-packet(Fa0/9): EAPOL packet sent to client 0x46000006 (0023.ae71.2d0b)
*Mar  1 00:20:59.138: dot1x-packet(Fa0/9): Queuing an EAPOL pkt on Authenticator Q
*Mar  1 00:20:59.138: dot1x-packet(Fa0/9): Received an EAPOL frame
*Mar  1 00:20:59.138: dot1x-packet(Fa0/9): Received an EAP packet
*Mar  1 00:20:59.138: EAPOL pak dump rx
*Mar  1 00:20:59.138: EAPOL Version: 0x1  type: 0x0  length: 0x001F
*Mar  1 00:20:59.138: dot1x-packet(Fa0/9): Received an EAP packet from 0023.ae71.2d0b
*Mar  1 00:20:59.138: RADIUS/ENCODE(00000015):Orig. component type = Dot1X
*Mar  1 00:20:59.138: RADIUS(00000015): Config NAS IP: 0.0.0.0
*Mar  1 00:20:59.138: RADIUS(00000015): Config NAS IPv6: ::
*Mar  1 00:20:59.146: RADIUS/ENCODE: Best Local IP-Address 10.240.161.115 for Radius-Server 10.240.165.39
*Mar  1 00:20:59.146: RADIUS(00000015): Send Access-Request to 10.240.165.39:1645 id 1645/30, len 268
*Mar  1 00:20:59.146: RADIUS(00000015): Sending a IPv4 Radius Packet
*Mar  1 00:20:59.146: RADIUS(00000015): Started 60 sec timeout
*Mar  1 00:21:04.414: RADIUS(00000014): Request timed out
*Mar  1 00:21:04.414: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.240.165.39:1645,1646 is not responding.
*Mar  1 00:21:04.414: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.240.165.39:1645,1646 is being marked alive.
*Mar  1 00:21:04.414: RADIUS: Retransmit to (10.240.165.39:1645,1646) for id 1645/27
*Mar  1 00:21:04.414: RADIUS(00000014): Started 60 sec timeout
*Mar  1 00:21:19.615: RADIUS(00000014): Request timed out
*Mar  1 00:21:19.615: RADIUS: Retransmit to (10.240.165.39:1645,1646) for id 1645/28
*Mar  1 00:21:19.615: RADIUS(00000014): Started 60 sec timeout
*Mar  1 00:21:34.135: RADIUS(00000015): Request timed out
*Mar  1 00:21:34.135: RADIUS: Retransmit to (10.240.165.39:1645,1646) for id 1645/29
*Mar  1 00:21:34.135: RADIUS(00000015): Started 60 sec timeout
*Mar  1 00:21:51.911: RADIUS(00000015): Request timed out
*Mar  1 00:21:51.911: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.240.165.39:1645,1646 is not responding.
*Mar  1 00:21:51.911: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.240.165.39:1645,1646 is being marked alive.
*Mar  1 00:21:51.911: RADIUS: Retransmit to (10.240.165.39:1645,1646) for id 1645/30
*Mar  1 00:21:51.911: RADIUS(00000015): Started 60 sec timeout
*Mar  1 00:21:58.831: RADIUS(00000014): Request timed out
*Mar  1 00:21:58.831: RADIUS: Retransmit to (10.240.165.39:1645,1646) for id 1645/27
*Mar  1 00:21:58.831: RADIUS(00000014): Started 60 sec timeout
*Mar  1 00:22:16.347: RADIUS(00000014): Request timed out
*Mar  1 00:22:16.347: RADIUS: Retransmit to (10.240.165.39:1645,1646) for id 1645/28
*Mar  1 00:22:16.347: RADIUS(00000014): Started 60 sec timeout
*Mar  1 00:22:27.227: RADIUS(00000015): Request timed out
*Mar  1 00:22:27.227: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.240.165.39:1645,1646 is not responding.
*Mar  1 00:22:27.227: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.240.165.39:1645,1646 is being marked alive.
*Mar  1 00:22:27.227: RADIUS: Retransmit to (10.240.165.39:1645,1646) for id 1645/29
*Mar  1 00:22:27.227: RADIUS(00000015): Started 60 sec timeout
*Mar  1 00:22:39.139: %DOT1X-5-FAIL: Authentication failed for client (0023.ae71.2d0b) on Interface Fa0/9 AuditSessionID 0AF0A173000000060012F006
*Mar  1 00:22:39.139: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (0023.ae71.2d0b) on Interface Fa0/9 AuditSessionID 0AF0A173000000060012F006
*Mar  1 00:22:39.139: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (0023.ae71.2d0b) on Interface Fa0/9 AuditSessionID 0AF0A173000000060012F006

Thanks,

Vijay
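The following Python script is an added example, not part of Vijay's post or of any Cisco tool. It parses IOS debug lines of the form shown above, measures the time from the first Access-Request to the first %RADIUS-4-RADIUS_DEAD and to the AuthMgr result, and lists the observed gap between successive transmissions of each RADIUS id, so the figures can be compared with the configured 'timeout', 'dead-criteria' and 'server-timeout' values. SAMPLE_DEBUG is a trimmed copy of the post's own debug lines (timestamps unchanged); the POST_CFG dictionary and its key names are the example's own way of holding the post's test values; the timestamp handling assumes the capture does not cross a month boundary.

```python
"""Timing check over IOS dot1x/RADIUS debugs (added example, not from the post)."""
import re

# Constructed sample: a subset of the debug lines quoted in the post above,
# timestamps unchanged, trimmed to the RADIUS and AuthMgr lines that carry timing.
SAMPLE_DEBUG = """\
*Mar  1 00:20:41.119: RADIUS(00000015): Send Access-Request to 10.240.165.39:1645 id 1645/29, len 268
*Mar  1 00:20:59.146: RADIUS(00000015): Send Access-Request to 10.240.165.39:1645 id 1645/30, len 268
*Mar  1 00:21:04.414: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.240.165.39:1645,1646 is not responding.
*Mar  1 00:21:04.414: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.240.165.39:1645,1646 is being marked alive.
*Mar  1 00:21:04.414: RADIUS: Retransmit to (10.240.165.39:1645,1646) for id 1645/27
*Mar  1 00:21:19.615: RADIUS: Retransmit to (10.240.165.39:1645,1646) for id 1645/28
*Mar  1 00:21:34.135: RADIUS: Retransmit to (10.240.165.39:1645,1646) for id 1645/29
*Mar  1 00:21:51.911: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.240.165.39:1645,1646 is not responding.
*Mar  1 00:21:51.911: RADIUS: Retransmit to (10.240.165.39:1645,1646) for id 1645/30
*Mar  1 00:21:58.831: RADIUS: Retransmit to (10.240.165.39:1645,1646) for id 1645/27
*Mar  1 00:22:16.347: RADIUS: Retransmit to (10.240.165.39:1645,1646) for id 1645/28
*Mar  1 00:22:27.227: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.240.165.39:1645,1646 is not responding.
*Mar  1 00:22:27.227: RADIUS: Retransmit to (10.240.165.39:1645,1646) for id 1645/29
*Mar  1 00:22:39.139: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (0023.ae71.2d0b) on Interface Fa0/9 AuditSessionID 0AF0A173000000060012F006
"""

# The post's test values, in seconds (key names are this example's own).
POST_CFG = {"timeout": 60, "retransmit": 5, "dead_time": 3, "dead_tries": 3,
            "server_timeout": 100}

_TS = re.compile(r"^\*?(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) "
                 r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.(?P<ms>\d{3}): ?(?P<msg>.*)$")
_RADIUS_ID = re.compile(r"\bid (\d+/\d+)")
_RESULT = re.compile(r"%AUTHMGR-7-RESULT: Authentication result '([^']+)'")


def parse_debug(text):
    """Return [(ms, message)] per timestamped line; ms counts from the start of
    the month (assumption: the capture stays within one month)."""
    events = []
    for line in text.splitlines():
        m = _TS.match(line.strip())
        if not m:
            continue  # wrapped continuation or non-debug line
        ms = (((int(m["day"]) * 24 + int(m["h"])) * 60 + int(m["m"])) * 60
              + int(m["s"])) * 1000 + int(m["ms"])
        events.append((ms, m["msg"]))
    return events


def analyze(events, cfg):
    """Measure observed timers relative to the first Access-Request (integer ms)."""
    first_req = None
    dead = []                 # timestamps of %RADIUS-4-RADIUS_DEAD
    result = result_ms = None
    tx_by_id = {}             # RADIUS id -> timestamps of every transmission
    for ms, msg in events:
        if "Send Access-Request" in msg or "Retransmit to" in msg:
            rid = _RADIUS_ID.search(msg)
            if rid:
                tx_by_id.setdefault(rid.group(1), []).append(ms)
            if first_req is None and "Send Access-Request" in msg:
                first_req = ms
        elif "%RADIUS-4-RADIUS_DEAD" in msg:
            dead.append(ms)
        else:
            r = _RESULT.search(msg)
            if r:
                result, result_ms = r.group(1), ms
    if first_req is None:
        raise ValueError("no Access-Request found in capture")
    gaps = {rid: [b - a for a, b in zip(ts, ts[1:])] for rid, ts in tx_by_id.items()}
    timeout_ms = cfg["timeout"] * 1000
    return {
        "ms_to_first_dead": dead[0] - first_req if dead else None,
        "dead_count": len(dead),
        "result": result,
        "ms_to_result": result_ms - first_req if result_ms is not None else None,
        "tx_per_id": {rid: len(ts) for rid, ts in tx_by_id.items()},
        "retransmit_gaps_ms": gaps,
        # ids retransmitted sooner than the configured per-request timeout
        "ids_retransmitted_early": sorted(
            rid for rid, g in gaps.items() if any(x < timeout_ms for x in g)),
    }


def _fmt(ms):
    return "n/a" if ms is None else f"{ms / 1000:.3f} s"


def report(a, cfg):
    lines = [
        f"first %RADIUS-4-RADIUS_DEAD: {_fmt(a['ms_to_first_dead'])} after first "
        f"Access-Request (dead-criteria time {cfg['dead_time']} s, tries "
        f"{cfg['dead_tries']}; logged {a['dead_count']} times)",
        f"AuthMgr result '{a['result']}': {_fmt(a['ms_to_result'])} "
        f"(dot1x server-timeout {cfg['server_timeout']} s)",
    ]
    for rid in sorted(a["tx_per_id"]):
        g = ", ".join(f"{x / 1000:.1f}" for x in a["retransmit_gaps_ms"][rid]) or "-"
        lines.append(f"id {rid}: {a['tx_per_id'][rid]} transmission(s), gaps {g} s "
                     f"(configured timeout {cfg['timeout']} s)")
    if a["ids_retransmitted_early"]:
        lines.append("retransmitted before the configured timeout: "
                     + ", ".join(a["ids_retransmitted_early"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(analyze(parse_debug(SAMPLE_DEBUG), POST_CFG), POST_CFG))
```

Run as-is it reproduces the 23 s and 118 s figures from the post on the sample, and shows each RADIUS id being retransmitted after roughly 53 to 57 s rather than the configured 60 s. To check a live capture, paste the output of 'debug radius' and 'debug dot1x packets' into SAMPLE_DEBUG (or read it from a file) and adjust POST_CFG to the switch's configuration.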

1 REPLY

FWIW, I used c3560-ipbasek9-mz.150-1.SE1.bin for testing
