MAB doesn't re-authenticate after reboot

Hi all,

We have configured MAB on the access-ports of our switches. When the port is authenticated the switch puts it in vlan 10, otherwise the port goes into vlan 20, the guest vlan.

 switchport mode access
 switchport nonegotiate
 switchport port-security maximum 5
 switchport port-security
 switchport port-security violation restrict
 load-interval 30
 authentication event fail action authorize vlan 20
 authentication event server dead action authorize vlan 10
 authentication event no-response action authorize vlan 20
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout quiet-period 3
 dot1x timeout tx-period 3
 dot1x max-req 1
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action shutdown
 storm-control action trap
 no cdp enable
 no cdp tlv server-location
 no cdp tlv app
 spanning-tree portfast

Everything works fine until the switch reboots. After the switch comes back up, the ports stay in the guest vlan.

Only after running the command "clear authentication sessions", the machines behind the ports are re-authenticated.

I have tried to configure an event manager applet, but after the reload this doesn't help.

event manager applet onboot
 event timer cron cron-entry "@reboot"
 action 1.10 wait 120
 action 2.10 cli command "enable"
 action 2.20 cli command "clear authentication session "
 action 6.10 syslog msg "cleared auth sessions"
!

Is there anything wrong with our port-configuration? And why is the EM applet not working like it should?

All suggestions are welcome. 

Thanks,

Best Regards,

Joris

4 REPLIES

Hi Joris,

first of all, you should not mix 802.1X and port security.

Remove the lines:

 switchport port-security maximum 5
 switchport port-security
 switchport port-security violation restrict

Reauthentication periodic with MAB does not work. As long as the interface is up the session remains. So why reauthentication?

How long is your timeout for the RADIUS-Server?

The problem is that if you reboot the switch, the management interface is down while the ports are already up. By adjusting the timer you can solve this issue. I think... trial and error.

"radius-server timeout xxx"

Hope it helps

Horst


Hello Horst,

Thanks for your feedback. I have removed the port-security lines.

The radius-server timeout is set to 10. I'll test some different settings.

I hope I can remove the event manager applet as well.

Best Regards,

Joris


Hello Horst,

I tried different settings for the radius-server timeout, but nothing seems to work.

When I reboot the switch the port stays in vlan 20.

When I remove the line "authentication event no-response action authorize vlan 20", the switch puts the port in vlan 1.

After a clear auth sessions, both ports are put in vlan 10.

So my guess is that the issue is related to the radius server not giving any response after a reboot. Are there other parameters I can set to retry the MAB after a reload?

Thanks,

Joris


Hi Joris,

try this line: authentication event server alive action reinitialize
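For reference, this is what the port and RADIUS configuration looks like once the suggestions in this thread are combined: port security removed, and the server-dead / server-alive events wired together so that ports authorized while the RADIUS server is unreachable at boot are reinitialized once it answers again. This is an added example, not Joris's running config; the interface name and the dead-criteria and deadtime values are assumptions to be tuned per site.

```cisco
! Global RADIUS reachability tracking (assumed values, not from the thread).
! Without dead-criteria the switch never declares the server dead, so the
! "server dead" and "server alive" events on the port never fire.
radius-server dead-criteria time 10 tries 3
radius-server deadtime 5
radius-server timeout 10
!
! Assumed interface name; apply the same block to every MAB access port.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport nonegotiate
 ! port-security lines removed: they conflict with 802.1X/MAB session handling
 load-interval 30
 ! Known MAC but RADIUS reject -> guest vlan
 authentication event fail action authorize vlan 20
 ! RADIUS declared dead -> keep access working
 authentication event server dead action authorize vlan 10
 ! RADIUS back -> tear down the fallback sessions and re-run MAB
 authentication event server alive action reinitialize
 ! No EAPOL and no MAB answer -> guest vlan
 authentication event no-response action authorize vlan 20
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 3
 dot1x timeout tx-period 3
 dot1x max-req 1
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action shutdown
 storm-control action trap
 no cdp enable
 spanning-tree portfast
!
! Verify after a reload: the port should show the MAB session and vlan 10
! once the server is reachable, with no manual "clear authentication sessions".
! show authentication sessions interface GigabitEthernet1/0/1
! show aaa servers
```

If the port still lands in the guest vlan after a reload, check with "show aaa servers" whether the server was ever marked dead; if it was not, the alive event has nothing to react to and the dead-criteria values need to be shortened.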
