how to prevent excessive port authentication attempts

Userlevel 3

is it possible to limit the number of authentication attempts per switch port?
Customer had a buggy device which changed its MAC address several times per second. They recognised more than 10.000 authentication attempts within one day just from that device.

This excessive authentication session seemed to influence the whole switch, which is a C5G. Also, other devices were not able to work trouble-free. Voice calls in particular suffered from disruptions.

Also, the load on the NAC increased and its licenses ran out of limit just because of this one defective device.

Is there a way / workaround to prevent such incidents?

Furthermore I'd like to raise a feature request: Could you implement a feature to throttle authentication attempts to a configurable number per minute?

I think such an issue could also be used for a DoS attack against a switch and the NAC / RADIUS infrastructure.

Kind regards

3 replies

Userlevel 2
I'm not sure that the switch is what is generating the authentication requests. The authentication requests generally originate from the supplicant, so you might want to check your end systems for misconfiguration or malfunction.

As far as the switch goes, you can configure the interval at which the end systems re-authenticate. Should be something like this:

set dot1x auth-controlled portcontrol reauthperiod [value]

Make sure it's not set to something ridiculously low. The value is measured in seconds and can range from 0 to 655535. Mind you, I'm typing this from memory, and the command syntax may not be 100% correct. Use ? liberally.

If it was me, I'd run a packet capture to figure out exactly what is generating the authentication requests. JMHO.

Good luck.

Userlevel 3

It happens because of a defective client device. Because MAC auth is enabled, the switch starts an authentication request every time it recognizes a new MAC address. In this case this happens several times per second, which leads to a denial of service.

Userlevel 5

Hello Christoph,

Consider MAC lock for this item. In addition to forced wait intervals, limiting the number of valid FDB entries (= users) on a port to the first 2 or even the first 10 learned would avoid the described DoS effect.
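The thread describes two symptoms of a defective client behind a MAC-auth port: an authentication rate of many attempts per second, and a stream of new MAC addresses on one port. The script below is an added example (not from this thread, the switch vendor, or the NAC product) that shows how a defender could spot both conditions in authentication logs before the switch or RADIUS infrastructure is affected: it applies the per-port rate limit the original poster asked for as a feature, and the "first N learned addresses" limit suggested in the last reply, as detection rules. The log line format (`<timestamp> port=<port> mac=<mac> result=<result>`), the port names, the MAC addresses and the thresholds are all constructed for the example; a real deployment would adapt `LINE_RE` to the switch's or NAC's actual syslog format.

```python
"""Flag switch ports with excessive authentication attempts or too many
distinct MAC addresses, from syslog-style authentication records.

Added example; the log format and all sample values below are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log: port ge.1.5 carries a device whose MAC changes on
# every attempt; port ge.1.7 carries a normal phone re-authenticating later.
SAMPLE_LOG = """\
2024-03-01 10:00:00 port=ge.1.5 mac=00:11:22:33:44:01 result=reject
2024-03-01 10:00:00 port=ge.1.5 mac=00:11:22:33:44:02 result=reject
2024-03-01 10:00:01 port=ge.1.5 mac=00:11:22:33:44:03 result=reject
2024-03-01 10:00:01 port=ge.1.5 mac=00:11:22:33:44:04 result=reject
2024-03-01 10:00:02 port=ge.1.5 mac=00:11:22:33:44:05 result=reject
2024-03-01 10:00:02 port=ge.1.5 mac=00:11:22:33:44:06 result=reject
2024-03-01 10:00:03 port=ge.1.7 mac=aa:bb:cc:dd:ee:ff result=accept
2024-03-01 10:05:00 port=ge.1.7 mac=aa:bb:cc:dd:ee:ff result=accept
"""

# Assumed line layout; adjust to the real syslog format of the switch or NAC.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"port=(?P<port>\S+) "
    r"mac=(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) "
    r"result=(?P<result>\w+)$"
)


def parse_line(line):
    """Return (timestamp, port, mac) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["port"], m["mac"].lower()


class PortAuthMonitor:
    """Sliding-window attempt counter plus distinct-MAC counter per port."""

    def __init__(self, max_attempts, window_seconds, max_macs):
        self.max_attempts = max_attempts
        self.window = timedelta(seconds=window_seconds)
        self.max_macs = max_macs
        self.attempts = defaultdict(deque)   # port -> timestamps in window
        self.macs = defaultdict(set)         # port -> MACs seen on the port
        self.flags = defaultdict(set)        # port -> {"rate", "mac_count"}

    def observe(self, ts, port, mac):
        window = self.attempts[port]
        window.append(ts)
        # Drop attempts that fell out of the window (assumes time order).
        cutoff = ts - self.window
        while window and window[0] < cutoff:
            window.popleft()
        self.macs[port].add(mac)
        # Rule 1: more attempts per window than a sane supplicant produces.
        if len(window) > self.max_attempts:
            self.flags[port].add("rate")
        # Rule 2: more distinct MACs than the port should ever learn.
        if len(self.macs[port]) > self.max_macs:
            self.flags[port].add("mac_count")

    def report(self):
        return {
            port: {
                "attempts_in_window": len(self.attempts[port]),
                "distinct_macs": len(self.macs[port]),
                "flags": set(self.flags[port]),
            }
            for port in self.attempts
        }


def analyse_auth_log(log_text, max_attempts=5, window_seconds=60, max_macs=2):
    """Run the monitor over a log text and return the per-port report."""
    monitor = PortAuthMonitor(max_attempts, window_seconds, max_macs)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines in other formats rather than aborting
        monitor.observe(*parsed)
    return monitor.report()


if __name__ == "__main__":
    for port, info in sorted(analyse_auth_log(SAMPLE_LOG).items()):
        state = "FLAGGED " + ",".join(sorted(info["flags"])) if info["flags"] else "ok"
        print(f"{port}: {info['attempts_in_window']} attempts/window, "
              f"{info['distinct_macs']} MACs -> {state}")
```

With the constructed sample, port ge.1.5 is flagged on both rules after a few seconds, while ge.1.7 stays clean because its second attempt lies outside the 60-second window and reuses the same MAC. The thresholds mirror the controls discussed in the thread: `max_attempts` per `window_seconds` is the rate limit requested as a feature, and `max_macs` is the "first N learned addresses" limit; the report can feed an alert or a ticket to disable the port before the NAC license pool is exhausted.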