cancel
Showing results for 
Search instead for 
Did you mean: 

802.1x clients transition to MAC auth and back again, every hour?

802.1x clients transition to MAC auth and back again, every hour?

Anonymous
Not applicable

Hi There,

Hoping someone can help me explain the behaviour below and say either if it is normal or a means to correct it.

It seems that every hour a re-authentication of 802.1x is triggered, that process initially introduces a MAC auth that temporarily hits the default catch all rule that we have yet to flip into a deny rule.

After that it then re-authenticates correctly using EAP-TLS until the next hour?

 

2bd96e42b65345fb8b814ff78508ced5_9780cd70-5406-4c5d-a8ef-a55dad8793eb.png

 

Many thanks in advance

13 REPLIES 13

Anonymous
Not applicable

Great, Thanks Z.

Zdeněk_Pala
Extreme Employee

Hi Martin.

yes, I agree with your statements/summarization.

cheers

Regards Zdeněk Pala

Anonymous
Not applicable

Thanks Z,

So I think I have translated this to being the fact that netlogin is showing both a 802.1x and MAC auth for the same device, with obviously 802.1x is taking precedence.

The re-auth for both auth types is set to 3600 seconds.

The end-system events is probably showing the audit logs of these going through re-authentication for each authentication type, 1 hour apart, there being a 19 minute difference between the two.

Whats probably happening is the time between a MAC re-auth and then a 802.1x re-auth (19 minutes) is showing up in the aduit as a MAC Auth, but the reality is the switch always remains authenticated using 802.1x.

Do you think that sums it up?

Cheers

 

Zdeněk_Pala
Extreme Employee

Hi Martin.

you can see the 802.1X takes the precedence = Session applied : true

OneView → Control → End-Systems: In the top table there should be the “actual state” = you see dot1x authentication, IP, ….

If you select the end-system then in the bottom you see end-system events and Health Results = there you see also not active sessions and “audit” of what happens = IP resolution, hostname detection, re-authentications…

 

 

Regards Zdeněk Pala
GTM-P2G8KFN