
802.1x clients transition to MAC auth and back again, every hour?


Anonymous
Not applicable

Hi There,

Hoping someone can help me explain the behaviour below and say either if it is normal or a means to correct it.

It seems that every hour a re-authentication of 802.1x is triggered, that process initially introduces a MAC auth that temporarily hits the default catch all rule that we have yet to flip into a deny rule.

After that it then re-authenticates correctly using EAP-TLS until the next hour?

 


 

Many thanks in advance

13 REPLIES

Zdeněk_Pala
Extreme Employee

Only one session is applied. The default behavior is that MACauth is not applied if 802.1x is applied.

Are you sure there is a macauth authorization applied during the Dot1x reauth?

Regards Zdeněk Pala

Anonymous
Not applicable

Wonder if the answer is in this thread where Zdenek mentions IMHO.

https://community.extremenetworks.com/extrememanagement-230297/802-1x-rejected-then-being-approved-v...

Possibly it is just the end-system going through its steps of re-auth which will include a MAC auth and I’m required to add a rule that will deny it for some reason.

Maybe when the default catch all rule is moved to deny this will help?

Maybe it doesn’t matter?

I imagine there would be a slight drop in service at that time as the policy roles shift?

Thanks

Anonymous
Not applicable

Hi Brian,

Thanks for answering.

Yes, it is wired and both MAC and 802.1x are set to re-auth at 3600 seconds, which I expected would explain the 1 hour, and the cycle it goes for that configuration could be natural? 

It doesn’t seem efficient or possibly correct switching between authentication methods and temporarily, albeit briefly, moving to a catchall rule because of it.

The port has both a PC that is .1x capable and a phone that isn’t, hence both.

If that catch all rule was a deny / reject rule I’m not sure what the result would be?

Thanks.

Brian_Anderson1
Contributor

Is this wired? If so, do you have reauth settings set up on your ports for every hour?
