Topo
ClearPass acts as the RADIUS server. Users perform 802.1X EAP authentication and phones perform MAC authentication. The PC starts 802.1X authentication normally, but the Windows client triggers 802.1X authentication again and again.
This is the dot1x configuration of the switch port:
interface GigabitEthernet1/0/4
 port link-type trunk
 port trunk permit vlan 1 21
 poe enable
 dot1x
 undo dot1x handshake
 dot1x mandatory-domain dot1x-auth
 mac-authentication
 mac-authentication domain mac-auth
In Windows, the status of the wired network adapter keeps alternating: it shows "trying to authenticate", then the domain name, then "trying to authenticate" again, and so on. From the dot1x debugging logs:
*Sep 5 09:26:32:298 2023 SW1-H3C-CPD DOT1X/7/EVENT: Notify User Authenticated: UserMAC=901b-0eb8-34f9, VLANID=1, Interface=4.
*Sep 5 09:26:32:299 2023 SW1-H3C-CPD DOT1X/7/EVENT: Sent authorization request: UserMAC=901b-0eb8-34f9, VLANID=1, Interface=GigabitEthernet1/0/4.
*Sep 5 09:26:32:306 2023 SW1-H3C-CPD DOT1X/7/EVENT: AAA processed authorization request: Result= Success, UserMAC=901b-0eb8-34f9, VLANID=1, Interface=GigabitEthernet1/0/4.
*Sep 5 09:26:32:310 2023 SW1-H3C-CPD DOT1X/7/EVENT: Authorization VLAN ID is 1: UserMAC=901b-0eb8-34f9, VLANID=1, Interface=GigabitEthernet1/0/4.
*Sep 5 09:26:32:320 2023 SW1-H3C-CPD DOT1X/7/EVENT: Deleted unicast-trigger quiet MAC: UserMAC=901b-0eb8-34f9, Interface=4.
*Sep 5 09:26:32:335 2023 SW1-H3C-CPD DOT1X/7/EVENT: Sent accounting-start request: UserMAC=901b-0eb8-34f9, VLANID=1, Interface=GigabitEthernet1/0/4.
*Sep 5 09:26:32:352 2023 SW1-H3C-CPD DOT1X/7/EVENT: Received accounting-start response with code 0: UserMAC=901b-0eb8-34f9, VLANID=1, Interface=GigabitEthernet1/0/4.
*Sep 5 09:26:32:372 2023 SW1-H3C-CPD DOT1X/7/EVENT: Interface GigabitEthernet1/0/4 received Set the port authorization status to authorized event.
The user has been authenticated successfully and the port is in authorized status, but soon the EAP log lines are printed again:
*Sep 5 09:26:39:026 2023 SW1-H3C-CPD DOT1X/7/EVENT: EAP-Request/Identity packet multicasting timed out on GigabitEthernet1/0/4.
*Sep 5 09:26:39:027 2023 SW1-H3C-CPD DOT1X/7/EVENT: Multicasted EAP-Request/Identity packets on interface GigabitEthernet1/0/4.
*Sep 5 09:26:39:046 2023 SW1-H3C-CPD DOT1X/7/PACKET:
*Sep 5 09:26:46:684 2023 SW1-H3C-CPD DOT1X/7/EVENT: PAE is in Disconnect state: UserMAC=901b-0eb8-34f9, VLANID=1, Interface=GigabitEthernet1/0/4.
*Sep 5 09:26:46:684 2023 SW1-H3C-CPD DOT1X/7/EVENT: BE is in Initialize state: UserMAC=901b-0eb8-34f9, VLANID=1, Interface=GigabitEthernet1/0/4.
*Sep 5 09:26:46:684 2023 SW1-H3C-CPD DOT1X/7/EVENT: PAE is in Restart state: UserMAC=901b-0eb8-34f9, VLANID=1, Interface=GigabitEthernet1/0/4.
*Sep 5 09:26:46:685 2023 SW1-H3C-CPD DOT1X/7/EVENT: BE is in Idle state: UserMAC=901b-0eb8-34f9, VLANID=1, Interface=GigabitEthernet1/0/4.
*Sep 5 09:26:46:685 2023 SW1-H3C-CPD DOT1X/7/EVENT: PAE is in Connecting state: UserMAC=901b-0eb8-34f9, VLANID=1, Interface=GigabitEthernet1/0/4.
*Sep 5 09:26:46:685 2023 SW1-H3C-CPD DOT1X/7/EVENT: PAE is in Authenticating state: UserMAC=901b-0eb8-34f9, VLANID=1, Interface=GigabitEthernet1/0/4.
*Sep 5 09:26:46:685 2023 SW1-H3C-CPD DOT1X/7/EVENT: BE is in Request state: UserMAC=901b-0eb8-34f9, VLANID=1, Interface=GigabitEthernet1/0/4.
*Sep 5 09:26:46:685 2023 SW1-H3C-CPD DOT1X/7/EVENT: Sending EAP packet: Identifier=1, type=1.
We noticed that the switch triggered EAP authentication on the interface again by multicasting EAP-Request/Identity packets, and the whole process starts over:
*Sep 5 09:26:39:026 2023 SW1-H3C-CPD DOT1X/7/EVENT: EAP-Request/Identity packet multicasting timed out on GigabitEthernet1/0/4.
The multicast trigger feature enables the device to act as the initiator. The device periodically multicasts EAP-Request/Identity packets out of a port to detect 802.1X clients and trigger authentication. By default, the 802.1X multicast trigger feature is enabled.
Use the undo dot1x multicast-trigger command in interface view to disable the 802.1X multicast trigger feature.
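To make this pattern easy to spot in a longer debugging capture, here is an added example (not from the original post and not H3C code) that parses DOT1X/7/EVENT lines and flags a port on which the switch multicasts EAP-Request/Identity or the PAE restarts shortly after the port was already authorized. The embedded log sample is constructed from the lines quoted above; the 60-second window is an assumed threshold.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the H3C DOT1X/7/EVENT debugging lines quoted in the post.
SAMPLE_LOG = """\
*Sep 5 09:26:32:298 2023 SW1-H3C-CPD DOT1X/7/EVENT: Notify User Authenticated: UserMAC=901b-0eb8-34f9, VLANID=1, Interface=4.
*Sep 5 09:26:32:372 2023 SW1-H3C-CPD DOT1X/7/EVENT: Interface GigabitEthernet1/0/4 received Set the port authorization status to authorized event.
*Sep 5 09:26:39:026 2023 SW1-H3C-CPD DOT1X/7/EVENT: EAP-Request/Identity packet multicasting timed out on GigabitEthernet1/0/4.
*Sep 5 09:26:39:027 2023 SW1-H3C-CPD DOT1X/7/EVENT: Multicasted EAP-Request/Identity packets on interface GigabitEthernet1/0/4.
*Sep 5 09:26:46:684 2023 SW1-H3C-CPD DOT1X/7/EVENT: PAE is in Disconnect state: UserMAC=901b-0eb8-34f9, VLANID=1, Interface=GigabitEthernet1/0/4.
*Sep 5 09:26:46:684 2023 SW1-H3C-CPD DOT1X/7/EVENT: PAE is in Restart state: UserMAC=901b-0eb8-34f9, VLANID=1, Interface=GigabitEthernet1/0/4.
*Sep 5 09:26:46:685 2023 SW1-H3C-CPD DOT1X/7/EVENT: PAE is in Authenticating state: UserMAC=901b-0eb8-34f9, VLANID=1, Interface=GigabitEthernet1/0/4.
"""

# "*Sep 5 09:26:32:298 2023 HOST MODULE: message" - the fourth time field is milliseconds.
LINE_RE = re.compile(
    r"^\*(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}):(?P<ms>\d{3})\s+(?P<year>\d{4})\s+"
    r"(?P<host>\S+)\s+(?P<module>DOT1X/\d/\w+):\s*(?P<msg>.*)$"
)
# Only the full interface name is keyed on; the short "Interface=4." form is ignored.
IFACE_RE = re.compile(r"(GigabitEthernet[\d/]+)")
MAC_RE = re.compile(r"UserMAC=([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})")


def parse_line(line):
    """Return a dict with timestamp, module, message, interface and MAC, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(
        f"{m['mon']} {m['day']} {m['year']} {m['h']}:{m['m']}:{m['s']}.{m['ms']}",
        "%b %d %Y %H:%M:%S.%f",
    )
    msg = m["msg"]
    iface = IFACE_RE.search(msg)
    mac = MAC_RE.search(msg)
    return {
        "ts": ts,
        "module": m["module"],
        "msg": msg,
        "iface": iface.group(1) if iface else None,
        "mac": mac.group(1) if mac else None,
    }


def find_retrigger_loops(log_text, window_s=60.0):
    """Flag events where the switch re-initiated EAP (multicast trigger or PAE
    Restart) within window_s seconds after it had already authorized the port."""
    authorized_at = {}  # interface -> timestamp of the last 'authorized' event
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["iface"] is None:
            continue
        msg, iface = ev["msg"], ev["iface"]
        if "Set the port authorization status to authorized" in msg:
            authorized_at[iface] = ev["ts"]
            continue
        reason = None
        if msg.startswith("Multicasted EAP-Request/Identity packets"):
            reason = "multicast-trigger"
        elif "PAE is in Restart state" in msg:
            reason = "pae-restart"
        if reason and iface in authorized_at:
            delta = (ev["ts"] - authorized_at[iface]).total_seconds()
            if 0 <= delta <= window_s:
                findings.append({
                    "iface": iface,
                    "mac": ev["mac"],
                    "reason": reason,
                    "seconds_after_authorized": round(delta, 3),
                })
    return findings


if __name__ == "__main__":
    for f in find_retrigger_loops(SAMPLE_LOG):
        print(f)
```

Run it against the output of the switch's dot1x debugging (after `terminal monitor` / `terminal debugging`) saved to a file; a port that keeps appearing with both a multicast-trigger and a pae-restart finding a few seconds after authorization is exhibiting exactly the loop described in this post.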
When the built-in Windows 802.1X client is used, disable multicast triggering and the online handshake in interface view. Configure as follows:
[SW] interface GigabitEthernet1/0/4
[SW-GigabitEthernet1/0/4] undo dot1x multicast-trigger
[SW-GigabitEthernet1/0/4] undo dot1x handshake