This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 

how to prevent excessive port authentication attempts

how to prevent excessive port authentication attempts

Christoph
Contributor

ā€Ž08-14-2015 07:22 AM

Hello,

is it possible to limit the number of authentication attempts per switch port?
Customer had a buggy device which changed it's MAC address several times per second. They recognised more than 10.000 authentication attempts within one day just from that device.

This excessive authentication session seemed to influence the whole switch, which is a C5G. Also, other devices where not to able to work trouble-free. Especially voice calls suffer from disruptions.

Also the load of the NAC increased and it licenses run out of limit just because this one defective device.

Is there a way / workaround to prevent such incidents?

Furthermore I'd like to raise a feature request: Could you implement a feature to throttle authentication attempts to a configurable number per minute?

I think such an issue could also be used for a DoS attack against a switch an the NAC / RADIUS infrastructure.

Kind regards
Christoph

0 Kudos
3 REPLIES 3

Mike_D
Extreme Employee

ā€Ž08-20-2015 03:18 PM


Hello Christoph,

Consider mac lock for this item. In addition to forced wait intervals, limiting the number of valid fdb entries(=users) on a port to the first 2 or even the first 10 learned would avoid the described DOS effect.

Regards,
Mike

0 Kudos

Christoph
Contributor

ā€Ž08-15-2015 06:11 AM

It happens because of a defective client device. Because macauth it enabled the switch starts authentication request every time it recognizes an new mac address. In this case this happens several times per second which leads to a denail of service.
0 Kudos

Marcus_Florido
New Contributor

ā€Ž08-15-2015 01:08 AM

I'm not sure that the switch is what is generating the authentication requests. The authentication requests generally originate from the supplicant, so you might want to check your end systems for misconfiguration or malfunction.

As far as the switch goes, you can configure the interval at which the end systems re-authenticate. Should be something like this:

set dot1x auth-controlled portcontrol reauthperiod [value]

Make sure it's not set to something ridiculously low. The value is measured in seconds and can range from 0 to 655535. Mind you, I'm typing this from memory, and the command syntax may not be 100% correct. Use ? liberally.

If it was me, I'd run a packet capture to figure out exactly what is generating the authentication requests. JMHO.

Good luck.
0 Kudos
GTM-P2G8KFN