dot1x re-authenticate & dot1x initialize

admin_2
Level 3

Hi,

I'm trying dot1x with critical authentication plus MAC authentication bypass on a Cat2960 with SEE2.

Its configuration is the following:

aaa new-model
aaa authentication login cisco local
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
dot1x system-auth-control
dot1x critical eapol
!
interface GigabitEthernet0/11
 switchport access vlan 101
 switchport mode access
 dot1x mac-auth-bypass
 dot1x critical
 dot1x critical recovery action reinitialize
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout tx-period 1
 dot1x max-reauth-req 1
 spanning-tree portfast
!
radius-server dead-criteria time 5
radius-server attribute 32 include-in-access-req format %h
no radius-server attribute nas-port
radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 test username TEST idle-time 1
radius-server source-ports 1645-1646
radius-server key Cisco(%$%
radius-server vsa send accounting
!

When the RADIUS server is down after a client has been authenticated and the two commands dot1x re-authenticate int and dot1x initialize int are issued, the port does not change to the critical-auth state with the dot1x re-authenticate command; it remains authorized by the server.

Is this result correct?

CCO says,

Using IEEE 802.1x Authentication with Inaccessible Authentication Bypass

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2960/12225see/scg/sw8021x.htm#wp1194433

If the port is already authorized and re-authentication occurs, the switch puts the critical port in the critical-authentication state in the current VLAN, which might be the one previously assigned by the RADIUS server.

Please give me any help.

Thanks,

2 Replies

Not applicable

Here is a debug on dot1x re-authenticate:

C2960#sh dot1x int g0/11 d
Dot1x Info for GigabitEthernet0/11
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 1
MaxReq = 2
TxPeriod = 1
RateLimitPeriod = 0
Mac-Auth-Bypass = Enabled
Critical-Auth = Enabled
Critical Recovery Action = Reinitialize

Dot1x Authenticator Client List
-------------------------------
Supplicant = 0000.3926.0384
Auth SM State = AUTHENTICATED
Auth BEND SM Stat = IDLE
Port Status = AUTHORIZED
Authentication Method = MAB
Authorized By = Authentication Server
Vlan Policy = N/A

C2960#dot1x re
C2960#dot1x re-authenticate int g0/11
C2960#
Aug 8 00:47:42: dot1x-ev:dot1x_exec_reauth_interface: Reauthenticating Authenticator instances on GigabitEthernet0/11
Aug 8 00:47:42: dot1x-ev:Sending create new context event to EAP for 0000.3926.0384
Aug 8 00:47:43: dot1x-ev:Received an EAP Fail on GigabitEthernet0/11 for mac 0000.3926.0384
Aug 8 00:47:43: dot1x-ev:No reply attributes received from AAA for 0000.3926.0384
Aug 8 00:47:43: dot1x-ev:dot1x_critical_authc_fail: Critical Auth enabled, retaining existing authorization on port GigabitEthernet0/11
Aug 8 00:47:43: dot1x-ev:dot1x_switch_addr_add: Host access entry already exists for 0000.3926.0384 101
Aug 8 00:47:43: dot1x-ev:dot1x_switch_addr_add: Added MAC 0000.3926.0384 to vlan 101 on interface GigabitEthernet0/11
Aug 8 00:47:43: dot1x-ev:Received successful Authz complete for 0000.3926.0384
Aug 8 00:47:43: dot1x-ev:GigabitEthernet0/11:Sending EAPOL packet to group PAE address
Aug 8 00:47:43: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on GigabitEthernet0/11.
Aug 8 00:47:43: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on GigabitEthernet0/11
C2960#
C2960#sh dot1x int g0/11 d
Dot1x Info for GigabitEthernet0/11
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 1
MaxReq = 2
TxPeriod = 1
RateLimitPeriod = 0
Mac-Auth-Bypass = Enabled
Critical-Auth = Enabled
Critical Recovery Action = Reinitialize

Dot1x Authenticator Client List
-------------------------------
Supplicant = 0000.3926.0384
Auth SM State = AUTHENTICATED
Auth BEND SM Stat = IDLE
Port Status = AUTHORIZED
Authentication Method = MAB
Authorized By = Authentication Server
Vlan Policy = N/A

C2960#

Not applicable

Debug on dot1x initialize:

C2960#dot1x initialize int g0/11
Aug 8 00:50:00: dot1x-ev:dot1x_exec_init_interface: Initializing Authenticator instances on GigabitEthernet0/11
Aug 8 00:50:00: dot1x-ev:dot1x_switch_port_unauthorized: Unauthorizing interface GigabitEthernet0/11
Aug 8 00:50:00: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Gi0/11
Aug 8 00:50:00: dot1x-ev:vlan 101 vp is removed on the interface GigabitEthernet0/11
Aug 8 00:50:00: dot1x-ev:dot1x_switch_addr_remove: Removed MAC 0000.3926.0384 from vlan 101 on interface GigabitEthernet0/11
Aug 8 00:50:00: dot1x-ev:dot1x_vlan_assign_client_deleted on interface GigabitEthernet0/11
Aug 8 00:50:00: dot1x-ev:Sending create new context event to EAP for 0000.0000.0000
Aug 8 00:50:00: dot1x-ev:Created a client entry for the supplicant 0000.0000.0000
Aug 8 00:50:00: dot1x-ev:Created a default authenticator instance on GigabitEthernet0/11
Aug 8 00:50:01: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11, changed state to down
Aug 8 00:50:01: dot1x-ev:Received an EAP Fail on GigabitEthernet0/11 for mac 0000.0000.0000
Aug 8 00:50:01: dot1x-ev:No reply attributes received from AAA for 0000.0000.0000
Aug 8 00:50:01: dot1x-ev:dot1x_critical_authc_fail: Critical Auth enabled, authenticating port GigabitEthernet0/11
Aug 8 00:50:01: dot1x-ev:dot1x_switch_critical_vlan_policy: No Critical Auth VLAN defined for port GigabitEthernet0/11
Aug 8 00:50:01: dot1x-ev:Updating feature config
Aug 8 00:50:01: dot1x-ev:dot1x_critical_modify_host_mode: Critical Auth feature overriding host_mode on port GigabitEthernet0/11, forcing to DOT1X_MULTI_HOST
Aug 8 00:50:01: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Gi0/11
Aug 8 00:50:01: dot1x-ev:vlan 101 vp is added on the interface GigabitEthernet0/11
Aug 8 00:50:01: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Gi0/11
Aug 8 00:50:01: dot1x-ev:dot1x_critical_modify_host_mode: Critical Auth feature overriding host_mode on port GigabitEthernet0/11, forcing to DOT1X_MULTI_HOST
Aug 8 00:50:01: dot1x-ev:dot1x_critical_modify_host_mode: Critical Auth feature overriding host_mode on port GigabitEthernet0/11, forcing to DOT1X_MULTI_HOST
Aug 8 00:50:01: dot1x-ev:dot1x_switch_port_authorized: set dot1x ask handler on interface GigabitEthernet0/11
Aug 8 00:50:01: dot1x-ev:Received successful Authz complete for 0000.0000.0000
Aug 8 00:50:01: dot1x-ev:GigabitEthernet0/11:Sending EAPOL packet to group PAE address
Aug 8 00:50:01: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on GigabitEthernet0/11.
Aug 8 00:50:01: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on GigabitEthernet0/11
Aug 8 00:50:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11, changed state to up
C2960#
C2960#
C2960#sh dot1x int g0/11 d
Dot1x Info for GigabitEthernet0/11
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 1
MaxReq = 2
TxPeriod = 1
RateLimitPeriod = 0
Mac-Auth-Bypass = Enabled
Critical-Auth = Enabled
Critical Recovery Action = Reinitialize

Dot1x Authenticator Client List Empty

Port Status = AUTHORIZED
Authorized By = Critical-Auth
Operational HostMode = MULTI_HOST
Vlan Policy = N/A
C2960#
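The two debugs in this thread show the distinction the question turns on: after dot1x re-authenticate the port keeps its existing server authorization (dot1x_critical_authc_fail: "retaining existing authorization"), while after dot1x initialize the port is torn down and comes back authorized by Critical-Auth, with the configured SINGLE_HOST mode forced to MULTI_HOST and no supplicant bound. A port in that second state is forwarding without any server decision, so an operator will want to find such ports and the moments they entered that state. The following is an added example, not code from this thread or from Cisco: a small Python parser over the `show dot1x interface ... details` and `debug dot1x events` output quoted above. It flags ports whose `Authorized By` is `Critical-Auth` and extracts the `dot1x_critical_authc_fail` decisions from the debug lines. It assumes the field names and debug message wording exactly as printed by the 2960 in this thread; other releases may format them differently, and the sample inputs are constructed from the thread's own output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the "sh dot1x int g0/11 d" snapshots quoted in the
# thread after "dot1x re-authenticate" and after "dot1x initialize", trimmed.
SHOW_AFTER_REAUTH = """\
Dot1x Info for GigabitEthernet0/11
-----------------------------------
HostMode = SINGLE_HOST
Critical-Auth = Enabled
Critical Recovery Action = Reinitialize
Dot1x Authenticator Client List
-------------------------------
Supplicant = 0000.3926.0384
Port Status = AUTHORIZED
Authentication Method = MAB
Authorized By = Authentication Server
"""
SHOW_AFTER_INIT = """\
Dot1x Info for GigabitEthernet0/11
-----------------------------------
HostMode = SINGLE_HOST
Critical-Auth = Enabled
Critical Recovery Action = Reinitialize
Dot1x Authenticator Client List Empty
Port Status = AUTHORIZED
Authorized By = Critical-Auth
Operational HostMode = MULTI_HOST
"""
# Constructed sample input: debug lines from the thread, the two
# dot1x_critical_authc_fail decisions plus one unrelated event.
DEBUG_LINES = [
    "Aug 8 00:47:43: dot1x-ev:dot1x_critical_authc_fail: Critical Auth enabled, "
    "retaining existing authorization on port GigabitEthernet0/11",
    "Aug 8 00:50:01: dot1x-ev:Received an EAP Fail on GigabitEthernet0/11 for mac 0000.0000.0000",
    "Aug 8 00:50:01: dot1x-ev:dot1x_critical_authc_fail: Critical Auth enabled, "
    "authenticating port GigabitEthernet0/11",
]

IFACE_RE = re.compile(r"^Dot1x Info for (\S+)")
# "Key = Value"; the lazy key keeps multi-word keys such as "Operational HostMode" whole.
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 _-]*?)\s*=\s*(.*?)\s*$")
CRITICAL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}): dot1x-ev:dot1x_critical_authc_fail: "
    r"Critical Auth enabled, (?P<action>retaining existing authorization on|authenticating) "
    r"port (?P<iface>\S+)"
)

@dataclass
class PortState:
    interface: str
    port_status: Optional[str]
    authorized_by: Optional[str]
    auth_method: Optional[str]
    supplicant: Optional[str]
    configured_host_mode: Optional[str]
    operational_host_mode: Optional[str]

    @property
    def fail_open(self) -> bool:
        """Forwarding with no server decision: the state to inventory and alert on."""
        return self.port_status == "AUTHORIZED" and self.authorized_by == "Critical-Auth"

def parse_show_dot1x(text: str) -> PortState:
    """Parse one 'show dot1x interface <if> details' block into a PortState."""
    fields, interface = {}, "unknown"
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            interface = m.group(1)
        elif m := KV_RE.match(line):
            fields[m.group(1)] = m.group(2)
    return PortState(
        interface=interface,
        port_status=fields.get("Port Status"),
        authorized_by=fields.get("Authorized By"),
        auth_method=fields.get("Authentication Method"),
        supplicant=fields.get("Supplicant"),
        configured_host_mode=fields.get("HostMode"),
        operational_host_mode=fields.get("Operational HostMode"),
    )

def critical_auth_events(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, interface, kind) for each critical-auth decision in
    'debug dot1x events' output; kind is 'retained' or 'entered'."""
    events = []
    for line in lines:
        if m := CRITICAL_RE.match(line):
            kind = "retained" if m.group("action").startswith("retaining") else "entered"
            events.append((m.group("ts"), m.group("iface"), kind))
    return events

if __name__ == "__main__":
    for snapshot in (SHOW_AFTER_REAUTH, SHOW_AFTER_INIT):
        s = parse_show_dot1x(snapshot)
        print(s.interface, "FAIL-OPEN" if s.fail_open else "server-authorized", s.operational_host_mode)
    for ts, iface, kind in critical_auth_events(DEBUG_LINES):
        print(ts, iface, "critical-auth", kind)
```

Run against the snapshots, the first port reports server-authorized (MAB, supplicant 0000.3926.0384) and the second reports FAIL-OPEN with operational host mode MULTI_HOST; the debug scan yields one "retained" and one "entered" decision for GigabitEthernet0/11. Fed periodic `show dot1x interface details` captures, the `fail_open` check gives a simple inventory of ports living on Inaccessible Authentication Bypass rather than on a RADIUS decision.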