how to prevent excessive port authentication attempts

  • Problem
  • Updated 3 years ago
  • Solved
Hello,

Is it possible to limit the number of authentication attempts per switch port?
The customer had a buggy device which changed its MAC address several times per second. They recognised more than 10,000 authentication attempts within one day just from that device.

This excessive authentication session seemed to influence the whole switch, which is a C5G. Other devices were also not able to work trouble-free; voice calls especially suffered from disruptions.

Also, the load on the NAC increased and its licences ran out of limit just because of this one defective device.

Is there a way / workaround to prevent such incidents?

Furthermore I'd like to raise a feature request: Could you implement a feature to throttle authentication attempts to a configurable number per minute?

I think such an issue could also be used for a DoS attack against a switch and the NAC / RADIUS infrastructure.

Kind regards
Christoph
Christoph

Posted 3 years ago
Marcus Florido
I'm not sure that the switch is what is generating the authentication requests. The authentication requests generally originate from the supplicant, so you might want to check your end systems for misconfiguration or malfunction.

As far as the switch goes, you can configure the interval at which the end systems re-authenticate. It should be something like this:

set dot1x auth-controlled portcontrol reauthperiod [value]

Make sure it's not set to something ridiculously low. The value is measured in seconds and can range from 0 to 655535. Mind you, I'm typing this from memory, and the command syntax may not be 100% correct. Use ? liberally.

If it were me, I'd run a packet capture to figure out exactly what is generating the authentication requests. JMHO.

Good luck.
Christoph
It happens because of a defective client device. Because MAC auth is enabled, the switch starts an authentication request every time it recognizes a new MAC address. In this case this happens several times per second, which leads to a denial of service.
Mike D, Alum
Hello Christoph,

Consider MAC lock for this item. In addition to forced wait intervals, limiting the number of valid FDB entries (= users) on a port to the first 2 or even the first 10 learned would avoid the described DoS effect.

Regards,
Mike
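Added illustration for the two points raised in this thread (Christoph's description of one port generating a new MAC-auth request several times per second, and Mike's per-port MAC limit). This is example code written for this page, not Extreme Networks tooling or anything the posters provided. The syslog line layout, the `macauth:` message text, the switch name and the port names are all constructed assumptions; real switch and NAC logs will differ and the regular expression has to be adapted to them. The script parses constructed log lines, reports ports whose peak attempt rate within a window exceeds a threshold (the alert a NAC or SIEM would want on the described flood), and models what a first-N-MACs-only port limit does to the same event stream.

```python
"""Spot MAC-authentication floods per switch port and model a per-port MAC limit.

Added example for this thread; the log format below is constructed and
hypothetical, not a real switch or NAC message format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines: port ge.1.5 carries a device whose MAC
# changes on every attempt (12 attempts in 12 seconds); port ge.1.7 is normal.
SAMPLE_LOG = "\n".join(
    [
        f"2019-03-12 10:00:{sec:02d} switch1 macauth: port ge.1.5 "
        f"mac 00:11:22:33:44:{sec:02x} authentication request"
        for sec in range(12)
    ]
    + [
        "2019-03-12 10:00:03 switch1 macauth: port ge.1.7 "
        "mac aa:bb:cc:dd:ee:01 authentication request"
    ]
)

# Hypothetical message layout; adjust to the real syslog format of your switch.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ macauth: "
    r"port (?P<port>\S+) mac (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"authentication request$"
)


def parse_auth_events(text):
    """Return a list of (timestamp, port, mac) for every matching line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated syslog traffic is ignored
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group("port"), m.group("mac").lower()))
    return events


def max_attempts_in_window(timestamps, window):
    """Largest number of attempts that fall inside any span of length `window`."""
    stamps = sorted(timestamps)
    best, left = 0, 0
    for right, ts in enumerate(stamps):
        while ts - stamps[left] > window:  # slide the left edge forward
            left += 1
        best = max(best, right - left + 1)
    return best


def find_flooding_ports(events, window_seconds=60, threshold=10):
    """Map each port whose peak attempt rate exceeds `threshold` to that peak."""
    by_port = defaultdict(list)
    for ts, port, _mac in events:
        by_port[port].append(ts)
    window = timedelta(seconds=window_seconds)
    return {
        port: peak
        for port, stamps in by_port.items()
        if (peak := max_attempts_in_window(stamps, window)) > threshold
    }


def simulate_mac_lock(events, max_macs=2):
    """Model a port that only admits the first `max_macs` learned MAC addresses.

    Returns {port: {"allowed": n, "dropped": n}}; attempts from a MAC beyond the
    limit are counted as dropped and never reach the RADIUS/NAC backend.
    """
    learned = defaultdict(list)
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for _ts, port, mac in sorted(events):
        if mac in learned[port]:
            stats[port]["allowed"] += 1
        elif len(learned[port]) < max_macs:
            learned[port].append(mac)
            stats[port]["allowed"] += 1
        else:
            stats[port]["dropped"] += 1
    return dict(stats)


if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_LOG)
    for port, peak in find_flooding_ports(evs).items():
        print(f"ALERT {port}: {peak} auth attempts within 60 s")
    for port, s in simulate_mac_lock(evs).items():
        print(f"{port}: {s['allowed']} allowed, {s['dropped']} dropped with MAC lock")
```

The threshold of 10 attempts per 60 seconds is only a starting point for a tuning exercise: a healthy port re-authenticates at most once per reauthperiod, so anything in the tens per minute points at a flapping device or a flood. The MAC-lock model shows why Mike's suggestion helps the NAC as well as the switch: with the limit in place the backend only sees the first two requests from the defective device instead of every MAC change.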