
802.1x re-auth is not initiated by switch when timer expires

valinev
Cisco Employee

Hi everyone,

Can you please advise if this is an expected behaviour or something weird is happening?

The customer has a 3750 with 15.0(2)SE8. He defines the reauth timer via RADIUS, and it works fine if the auth order is dot1x + MAB (the priority is dot1x + MAB as well). But if he changes the order to a more traditional MAB + dot1x (the priority is still dot1x + MAB), then after the reauth timer expires he does not see the switch initiate EAP authentication. Without this EAPOL Identity Request from the switch, the client does not do any EAP authentication either and ends up being authorised via MAB. It looks like buggy behaviour to me.

Accepted Solution

Aaron Woland
Cisco Employee

Hi,

Please take a look at the compatibility guide. 15.0(2) is not a recommended version. We HIGHLY recommend that you follow the compatibility guide. Our team (the ISE team) spends tremendous resources testing and making these recommendations.

Cisco Identity Services Engine Network Component Compatibility, Release 2.0 - Cisco

Outside of the compatibility guide, I would recommend you open a TAC Case.

-Aaron

Replies

vibobrov
Cisco Employee

You're probably missing the termination-action-modifier=1 AVPair in your AuthZ profile. This forces the switch to re-authenticate using the same method by which the endpoint originally authenticated.

If this is not specified, the switch will go in the order specified by the authentication order command.

This is not that well documented. You can find it at the very bottom of this document: Flexible Authentication Order, Priority, and Failed Authentication - Cisco
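To make the behaviour described in the thread concrete, the following is an added example, not configuration taken from either reply and not tested on the customer's 3750 / 15.0(2)SE8: the switch-side flexible-authentication settings from the question (MAB first in the order, dot1x first in the priority, re-auth interval taken from RADIUS), alongside the attributes an ISE authorization profile would return in the Access-Accept so that the switch re-authenticates with the method the endpoint originally used. The interface name, the 3600-second timer and the profile name are assumptions.

```text
! --- Switch side (IOS): MAB tried first, dot1x wins if both succeed ---
! (interface name assumed)
interface GigabitEthernet1/0/10
 switchport mode access
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 ! re-authenticate periodically, with the interval supplied by RADIUS
 ! (Session-Timeout) rather than a locally configured value
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator

! --- ISE side: Advanced Attributes of the authorization profile ---
! (profile name and 3600-second value assumed)
! Authorization profile "Reauth-Same-Method":
Radius:Session-Timeout    = 3600
Radius:Termination-Action = RADIUS-Request
Cisco:cisco-av-pair       = termination-action-modifier=1
```

Without the cisco-av-pair line, the switch restarts the session from the top of its `authentication order` list when Session-Timeout expires, which with `mab dot1x` means a fresh MAB request and no EAPOL Identity Request; with `dot1x mab` the same profile appears to work only because dot1x happens to be first anyway. After the timer expires, `show authentication sessions interface GigabitEthernet1/0/10` on the switch shows which method the re-authenticated session ended up on, so the difference between the two profiles can be confirmed on the box rather than inferred from ISE live logs. If the attribute is present and the switch still does not re-run dot1x, the compatibility-guide and TAC advice in the accepted answer applies.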