MAB doesn't re-authenticate after reboot

Joris Deprouw
Level 1

Hi all,

We have configured MAB on the access ports of our switches. When the port is authenticated, the switch puts it in VLAN 10; otherwise the port goes into VLAN 20, the guest VLAN.

 switchport mode access
 switchport nonegotiate
 switchport port-security maximum 5
 switchport port-security
 switchport port-security violation restrict
 load-interval 30
 authentication event fail action authorize vlan 20
 authentication event server dead action authorize vlan 10
 authentication event no-response action authorize vlan 20
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout quiet-period 3
 dot1x timeout tx-period 3
 dot1x max-req 1
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action shutdown
 storm-control action trap
 no cdp enable
 no cdp tlv server-location
 no cdp tlv app
 spanning-tree portfast

Everything works fine until the switch reboots. After the switch comes back up, the ports stay in the guest vlan.

Only after running the command "clear authentication sessions" are the machines behind the ports re-authenticated.

I have tried to configure an event manager applet, but after the reload this doesn't help.

event manager applet onboot
 event timer cron cron-entry "@reboot"
 action 1.10 wait 120
 action 2.10 cli command "enable"
 action 2.20 cli command "clear authentication session "
 action 6.10 syslog msg "cleared auth sessions"
!

Is there anything wrong with our port configuration? And why is the EEM applet not working like it should?

All suggestions are welcome. 

Thanks,

Best Regards,

Joris
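The applet in the post is a boot-time workaround, not a fix. Below is an editor-added version (not from the original post) that triggers on an EEM countdown timer instead of a cron entry. IOS EEM's `event timer cron` expects the five-field cron string (minute hour day-of-month month day-of-week); `@reboot` is a Vixie cron shorthand and I am not aware of IOS accepting it, so the applet may never register a usable trigger. A countdown timer fires once, a fixed number of seconds after the applet is registered, which after a reload is when the startup-config is parsed. The IOS command is `clear authentication sessions` (plural, no trailing space). The applet name and the 180-second delay are assumptions; the delay has to exceed the time the uplink and the RADIUS server take to become reachable after the reload, otherwise MAB times out again and the ports land back in VLAN 20.

```cisco
! Editor-added example, not from the original post.
! Fires once, 180 s after the applet is registered (i.e. after the
! startup-config is parsed on reload). The delay is an assumption:
! it must be longer than uplink convergence plus RADIUS reachability.
event manager applet mab-reauth-after-reload
 event timer countdown time 180
 action 1.00 cli command "enable"
 ! Plural "sessions", no trailing space. This clears EVERY session on
 ! the switch, including good ones, so it belongs in a one-shot boot
 ! hook only, never in a periodic timer.
 action 1.10 cli command "clear authentication sessions"
 action 1.20 syslog msg "mab-reauth-after-reload: cleared all authentication sessions so MAB re-runs"
```

Check that the trigger actually registered with `show event manager policy registered`; if the applet is listed with a countdown event, the remaining question is only whether 180 s is long enough on your hardware. Keep in mind this masks the underlying problem (ports come up and MAB times out before RADIUS is reachable) rather than fixing it.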
4 Replies

hdussa
Level 1

Hi Joris,

First of all, you should not mix 802.1X and port security.

Remove the lines:

 switchport port-security maximum 5
 switchport port-security
 switchport port-security violation restrict

Periodic reauthentication with MAB does not work. As long as the interface is up, the session remains. So why reauthentication?

How long is your timeout for the RADIUS-Server?

The problem is that if you reboot the switch, the management interface is down while the ports are already up. By adjusting the timer you can solve this issue. I think... trial and error.

"radius-server timeout xxx"

Hope it helps

Horst

Hello Horst,

Thanks for your feedback. I have removed the port-security lines.

The radius-server timeout is set to 10. I'll test some different settings.

I hope I can remove the event manager applet as well.

Best Regards,

Joris

Hello Horst,

I tried different settings for the radius-server timeout, but nothing seems to work.

When I reboot the switch the port stays in vlan 20.

When I remove the line "authentication event no-response action authorize vlan 20", the switch puts the port in vlan 1.

After a clear auth sessions, both ports are put in vlan 10.

So my guess is that the issue is related to the RADIUS server not giving any response after a reboot. Are there other parameters I can set to retry the MAB after a reload?

Thanks,

Joris

hdussa
Level 1

Hi Joris,

Try this line: authentication event server alive action reinitialize
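As an editor-added example (not from the thread), here are the pieces that have to be in place for that line to do anything. `authentication event server alive action reinitialize` only acts on ports that were authorized by the `server dead` action, and the switch only marks a RADIUS server dead when dead-criteria and deadtime are configured. Without them, a request that times out right after the reload is just a no-response event: the port is authorized into VLAN 20 and nothing ever triggers a retry, which matches what was observed. The RADIUS server address and shared secret, the interface name and the exact timer values are assumptions; the VLAN numbers and the order/priority lines come from the thread. Note what `server dead action authorize vlan 10` means in security terms: while RADIUS is unreachable, any device plugged into such a port is placed in the production VLAN with no authentication at all (fail-open). That is an availability trade-off you may accept on purpose; if not, point the critical action at a restricted VLAN instead and keep the reinitialize so the ports are re-evaluated once the server is back.

```cisco
! Editor-added example, not from the thread. Server address, secret,
! interface name and timer values are assumptions.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
radius server ISE-1
 address ipv4 10.1.1.5 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
!
! Mark the server dead after 3 unanswered attempts within 10 s, and keep
! it marked dead for 15 minutes. Without these two lines the "server dead"
! port action below never fires, and a timeout is treated as "no-response".
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
radius-server timeout 10
radius-server retransmit 2
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport nonegotiate
 ! No port-security here: it is not combined with 802.1X/MAB on this port.
 authentication event fail action authorize vlan 20
 authentication event no-response action authorize vlan 20
 ! Fail-open: ports that come up while RADIUS is marked dead get the
 ! production VLAN with no authentication. Use a restricted VLAN here if
 ! that is not acceptable.
 authentication event server dead action authorize vlan 10
 ! When the server is marked alive again, restart authentication on every
 ! port that was authorized by the server-dead action, so MAB actually runs.
 authentication event server alive action reinitialize
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 3
 dot1x max-req 1
 spanning-tree portfast
```

To verify, reload and watch `show aaa servers` (the server should go to DEAD while the uplink is still converging and back to UP afterwards) and `show authentication sessions interface GigabitEthernet1/0/1 details`: the port should first show the critical/VLAN 10 authorization and then, after the reinitialize, a normal MAB session authorized by the server. Expect a burst of RADIUS requests when many ports reinitialize at once; that is the price of the retry and is worth sizing the server for.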
