
802.1x clients transition to MAC auth and back again, every hour?


Anonymous
Not applicable

Hi There,

Hoping someone can help me explain the behaviour below and say either if it is normal or a means to correct it.

It seems that every hour a re-authentication of 802.1x is triggered, that process initially introduces a MAC auth that temporarily hits the default catch all rule that we have yet to flip into a deny rule.

After that it then re-authenticates correctly using EAP-TLS until the next hour?

 


 

Many thanks in advance

13 REPLIES

Anonymous
Not applicable

Great, Thanks Z.

Zdeněk_Pala
Extreme Employee

Hi Martin.

yes, I agree with your statements/summarization.

cheers

Regards Zdeněk Pala

Anonymous
Not applicable

Thanks Z,

So I think I have translated this to being the fact that netlogin is showing both an 802.1x and MAC auth for the same device, with 802.1x obviously taking precedence.

The re-auth for both auth types is set to 3600 seconds.

The end-system events are probably showing the audit logs of these going through re-authentication for each authentication type, 1 hour apart, there being a 19 minute difference between the two.

What's probably happening is the time between a MAC re-auth and then an 802.1x re-auth (19 minutes) is showing up in the audit as a MAC Auth, but the reality is the switch always remains authenticated using 802.1x.

Do you think that sums it up?

Cheers

 

Zdeněk_Pala
Extreme Employee

Hi Martin.

you can see the 802.1X takes the precedence = Session applied : true

OneView → Control → End-Systems: In the top table there should be the “actual state” = you see dot1x authentication, IP, ….

If you select the end-system then in the bottom you see end-system events and Health Results = there you see also not active sessions and “audit” of what happens = IP resolution, hostname detection, re-authentications…

 

 

Regards Zdeněk Pala
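
The distinction drawn in this thread, between a MAC auth entry that is only an audit record and the session that is actually applied, can be checked across many end-systems before the catch-all rule is changed. The following is an added example, not part of the original posts and not an Extreme tool: the event tuple layout, the rule names and the `session applied` flag per event are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime

CATCH_ALL = "Default Catch All"  # assumed name of the catch-all rule

# Constructed events: (timestamp, MAC, auth type, matched rule, session applied)
EVENTS = [
    ("2024-01-10 09:00:00", "00:11:22:33:44:55", "802.1X", "Corp-EAP-TLS", True),
    ("2024-01-10 09:41:00", "00:11:22:33:44:55", "MAC", CATCH_ALL, False),
    ("2024-01-10 10:00:00", "00:11:22:33:44:55", "802.1X", "Corp-EAP-TLS", True),
    ("2024-01-10 10:41:00", "00:11:22:33:44:55", "MAC", CATCH_ALL, False),
    ("2024-01-10 09:05:00", "66:77:88:99:AA:BB", "MAC", CATCH_ALL, True),
    ("2024-01-10 10:05:00", "66:77:88:99:AA:BB", "MAC", CATCH_ALL, True),
]

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def reauth_intervals(events):
    """Seconds between consecutive events of the same auth type, per MAC."""
    seen = defaultdict(list)
    for ts, mac, auth, _rule, _applied in sorted(events):
        seen[(mac, auth)].append(_ts(ts))
    return {key: [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
            for key, times in seen.items()}

def classify(events, catch_all=CATCH_ALL):
    """Label every MAC that hit the catch-all rule at least once."""
    by_mac = defaultdict(list)
    for event in events:
        by_mac[event[1]].append(event)
    result = {}
    for mac, evs in by_mac.items():
        hits = [e for e in evs if e[3] == catch_all]
        if not hits:
            continue
        if any(e[4] for e in hits):
            # The catch-all result is the session in force for this device.
            result[mac] = "applied-session-is-catch-all"
        elif any(e[2] == "802.1X" and e[4] for e in evs):
            # Catch-all hit was recorded, but 802.1X holds the applied session.
            result[mac] = "audit-only (802.1X session applied)"
        else:
            result[mac] = "unresolved"
    return result

if __name__ == "__main__":
    for mac, label in classify(EVENTS).items():
        print(mac, label)
    print(reauth_intervals(EVENTS))
```
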