dot1x re-authenticate & dot1x initialize

Hi,

I'm trying dot1x with critical authentication plus MAC authentication bypass on a Cat2960 with SEE2.

Its configuration is the following:

aaa new-model
aaa authentication login cisco local
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
dot1x system-auth-control
dot1x critical eapol
!
interface GigabitEthernet0/11
 switchport access vlan 101
 switchport mode access
 dot1x mac-auth-bypass
 dot1x critical
 dot1x critical recovery action reinitialize
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout tx-period 1
 dot1x max-reauth-req 1
 spanning-tree portfast
!
radius-server dead-criteria time 5
radius-server attribute 32 include-in-access-req format %h
no radius-server attribute nas-port
radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 test username TEST idle-time 1
radius-server source-ports 1645-1646
radius-server key Cisco(%$%
radius-server vsa send accounting
!

When the RADIUS server is down after a client is authenticated and the two commands dot1x re-authenticate int and dot1x initialize int are issued, it does not change to the critical auth state, remaining authorized by the server with the dot1x re-authenticate command.

Is this result correct?

CCO says:

Using IEEE 802.1x Authentication with Inaccessible Authentication Bypass
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2960/12225see/scg/sw8021x.htm#wp1194433

If the port is already authorized and re-authentication occurs, the switch puts the critical port in the critical-authentication state in the current VLAN, which might be the one previously assigned by the RADIUS server.

Please give me any help.

Thanks,

2 REPLIES
Anonymous

Re: dot1x re-authenticate & dot1x initialize

Here is a debug on dot1x re-authenticate:

C2960#sh dot1x int g0/11 d
Dot1x Info for GigabitEthernet0/11
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 1
MaxReq = 2
TxPeriod = 1
RateLimitPeriod = 0
Mac-Auth-Bypass = Enabled
Critical-Auth = Enabled
Critical Recovery Action = Reinitialize

Dot1x Authenticator Client List
-------------------------------
Supplicant = 0000.3926.0384
Auth SM State = AUTHENTICATED
Auth BEND SM Stat = IDLE
Port Status = AUTHORIZED
Authentication Method = MAB
Authorized By = Authentication Server
Vlan Policy = N/A

C2960#dot1x re
C2960#dot1x re-authenticate int g0/11
C2960#
Aug 8 00:47:42: dot1x-ev:dot1x_exec_reauth_interface: Reauthenticating Authenticator instances on GigabitEthernet0/11
Aug 8 00:47:42: dot1x-ev:Sending create new context event to EAP for 0000.3926.0384
Aug 8 00:47:43: dot1x-ev:Received an EAP Fail on GigabitEthernet0/11 for mac 0000.3926.0384
Aug 8 00:47:43: dot1x-ev:No reply attributes received from AAA for 0000.3926.0384
Aug 8 00:47:43: dot1x-ev:dot1x_critical_authc_fail: Critical Auth enabled, retaining existing authorization on port GigabitEthernet0/11
Aug 8 00:47:43: dot1x-ev:dot1x_switch_addr_add: Host access entry already exists for 0000.3926.0384 101
Aug 8 00:47:43: dot1x-ev:dot1x_switch_addr_add: Added MAC 0000.3926.0384 to vlan 101 on interface GigabitEthernet0/11
Aug 8 00:47:43: dot1x-ev:Received successful Authz complete for 0000.3926.0384
Aug 8 00:47:43: dot1x-ev:GigabitEthernet0/11:Sending EAPOL packet to group PAE address
Aug 8 00:47:43: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on GigabitEthernet0/11.
Aug 8 00:47:43: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on GigabitEthernet0/11
C2960#

C2960#sh dot1x int g0/11 d
Dot1x Info for GigabitEthernet0/11
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 1
MaxReq = 2
TxPeriod = 1
RateLimitPeriod = 0
Mac-Auth-Bypass = Enabled
Critical-Auth = Enabled
Critical Recovery Action = Reinitialize

Dot1x Authenticator Client List
-------------------------------
Supplicant = 0000.3926.0384
Auth SM State = AUTHENTICATED
Auth BEND SM Stat = IDLE
Port Status = AUTHORIZED
Authentication Method = MAB
Authorized By = Authentication Server
Vlan Policy = N/A

C2960#

Anonymous

Re: dot1x re-authenticate & dot1x initialize

Debug on dot1x initialize:

C2960#dot1x initialize int g0/11
Aug 8 00:50:00: dot1x-ev:dot1x_exec_init_interface: Initializing Authenticator instances on GigabitEthernet0/11
Aug 8 00:50:00: dot1x-ev:dot1x_switch_port_unauthorized: Unauthorizing interface GigabitEthernet0/11
Aug 8 00:50:00: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Gi0/11
Aug 8 00:50:00: dot1x-ev:vlan 101 vp is removed on the interface GigabitEthernet0/11
Aug 8 00:50:00: dot1x-ev:dot1x_switch_addr_remove: Removed MAC 0000.3926.0384 from vlan 101 on interface GigabitEthernet0/11
Aug 8 00:50:00: dot1x-ev:dot1x_vlan_assign_client_deleted on interface GigabitEthernet0/11
Aug 8 00:50:00: dot1x-ev:Sending create new context event to EAP for 0000.0000.0000
Aug 8 00:50:00: dot1x-ev:Created a client entry for the supplicant 0000.0000.0000
Aug 8 00:50:00: dot1x-ev:Created a default authenticator instance on GigabitEthernet0/11
Aug 8 00:50:01: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11, changed state to down
Aug 8 00:50:01: dot1x-ev:Received an EAP Fail on GigabitEthernet0/11 for mac 0000.0000.0000
Aug 8 00:50:01: dot1x-ev:No reply attributes received from AAA for 0000.0000.0000
Aug 8 00:50:01: dot1x-ev:dot1x_critical_authc_fail: Critical Auth enabled, authenticating port GigabitEthernet0/11
Aug 8 00:50:01: dot1x-ev:dot1x_switch_critical_vlan_policy: No Critical Auth VLAN defined for port GigabitEthernet0/11
Aug 8 00:50:01: dot1x-ev:Updating feature config
Aug 8 00:50:01: dot1x-ev:dot1x_critical_modify_host_mode: Critical Auth feature overriding host_mode on port GigabitEthernet0/11, forcing to DOT1X_MULTI_HOST
Aug 8 00:50:01: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Gi0/11
Aug 8 00:50:01: dot1x-ev:vlan 101 vp is added on the interface GigabitEthernet0/11
Aug 8 00:50:01: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Gi0/11
Aug 8 00:50:01: dot1x-ev:dot1x_critical_modify_host_mode: Critical Auth feature overriding host_mode on port GigabitEthernet0/11, forcing to DOT1X_MULTI_HOST
Aug 8 00:50:01: dot1x-ev:dot1x_critical_modify_host_mode: Critical Auth feature overriding host_mode on port GigabitEthernet0/11, forcing to DOT1X_MULTI_HOST
Aug 8 00:50:01: dot1x-ev:dot1x_switch_port_authorized: set dot1x ask handler on interface GigabitEthernet0/11
Aug 8 00:50:01: dot1x-ev:Received successful Authz complete for 0000.0000.0000
Aug 8 00:50:01: dot1x-ev:GigabitEthernet0/11:Sending EAPOL packet to group PAE address
Aug 8 00:50:01: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on GigabitEthernet0/11.
Aug 8 00:50:01: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on GigabitEthernet0/11
Aug 8 00:50:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11, changed state to up
C2960#
C2960#

C2960#sh dot1x int g0/11 d
Dot1x Info for GigabitEthernet0/11
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 1
MaxReq = 2
TxPeriod = 1
RateLimitPeriod = 0
Mac-Auth-Bypass = Enabled
Critical-Auth = Enabled
Critical Recovery Action = Reinitialize

Dot1x Authenticator Client List Empty
Port Status = AUTHORIZED
Authorized By = Critical-Auth
Operational HostMode = MULTI_HOST
Vlan Policy = N/A

C2960#
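As an added example (not part of this thread or of Cisco's own tooling), a small Python helper that parses the "show dot1x interface detail" output and the dot1x-ev debug lines quoted in the two replies, so a monitoring job can tell a port authorized by the RADIUS server apart from one that is open only by Critical-Auth (where the operational host mode has also been widened to MULTI_HOST). The sample text is abridged from the replies and the function names are constructed here.

```python
import re

# Constructed samples, abridged from the two "show dot1x interface detail"
# outputs in the replies above (after re-authenticate, then after initialize).
SHOW_AFTER_REAUTH = """Dot1x Info for GigabitEthernet0/11
Port Status = AUTHORIZED
Authentication Method = MAB
Authorized By = Authentication Server
"""
SHOW_AFTER_INIT = """Dot1x Info for GigabitEthernet0/11
Dot1x Authenticator Client List Empty
Port Status = AUTHORIZED
Authorized By = Critical-Auth
Operational HostMode = MULTI_HOST
"""
# Constructed sample of the dot1x-ev debug lines quoted in the replies.
DEBUG = """Aug 8 00:47:43: dot1x-ev:dot1x_critical_authc_fail: Critical Auth enabled, retaining existing authorization on port GigabitEthernet0/11
Aug 8 00:50:01: dot1x-ev:dot1x_critical_authc_fail: Critical Auth enabled, authenticating port GigabitEthernet0/11
Aug 8 00:50:01: dot1x-ev:dot1x_critical_modify_host_mode: Critical Auth feature overriding host_mode on port GigabitEthernet0/11, forcing to DOT1X_MULTI_HOST
"""

def parse_show_dot1x(text):
    """Turn one interface's 'Key = Value' output into a dict (plus 'Interface')."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"Dot1x Info for (\S+)", line)
        if m:
            fields["Interface"] = m.group(1)
            continue
        m = re.match(r"\s*([A-Za-z][\w -]*?)\s*=\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def port_state(fields):
    """'server' = authorized by RADIUS; 'critical' = open only because RADIUS
    was unreachable (check Operational HostMode too); otherwise 'closed'."""
    if fields.get("Port Status") != "AUTHORIZED":
        return "closed"
    if fields.get("Authorized By") == "Critical-Auth":
        return "critical"
    return "server"

def critical_events(debug_text):
    """Extract (timestamp, port, handler) from dot1x_critical_* debug lines,
    so a syslog pipeline can alert when a port enters critical auth."""
    pat = re.compile(r"^(\S+ +\d+ [\d:]+): dot1x-ev:(dot1x_critical_\w+): "
                     r".*?port (\S+?)(?:,|$)")
    return [(m.group(1), m.group(3), m.group(2))
            for m in map(pat.match, debug_text.splitlines()) if m]
```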
