This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 

802.1x clients transition to MAC auth and back again, every hour?

802.1x clients transition to MAC auth and back again, every hour?

Anonymous
Not applicable

ā€Ž06-25-2020 03:47 PM

Hi There,

Hoping someone can help me explain the behaviour below and say either if it is normal or a means to correct it.

It seems that every hour a re-authentication of 802.1x is triggered, that process initially introduces a MAC auth that temporarily hits the default catch all rule that we have yet to flip into a deny rule.

After that it then re-authenticates correctly using EAP-TLS until the next hour?

 

2bd96e42b65345fb8b814ff78508ced5_9780cd70-5406-4c5d-a8ef-a55dad8793eb.png

 

Many thanks in advance

0 Kudos
13 REPLIES 13

Zdeněk_Pala
Extreme Employee

ā€Ž06-29-2020 03:53 PM

Only one session is applied. The default behavior is that MACauth is not applied if 802.1x is applied.

Are you sure there is a macauth authorization applied during the Dot1x reauth?

Regards Zdeněk Pala
0 Kudos

Anonymous
Not applicable

ā€Ž06-25-2020 09:50 PM

Wonder if the answer is in this thread where Zdenek mentions IMHO.

https://community.extremenetworks.com/extrememanagement-230297/802-1x-rejected-then-being-approved-v...

Possibly it is just the end-system going through its steps of re-auth which will include a MAC auth and Iā€™m required to add a rule that will deny it for some reason.

Maybe when the default catch all rule is moved to deny this will help?

Maybe it doesnā€™t matter?

I imagine there would be a slight drop in service at that time as the policy roles shift?

Thanks

0 Kudos

Anonymous
Not applicable

ā€Ž06-25-2020 09:38 PM

Hi Brian,

Thanks for answering.

Yes, it is wired and both MAC and 802.1x are set to re-auth at 3600 seconds, which I expected would explain the 1 hour, and the cycle it goes for that configuration could be natural? 

It doesnā€™t seem efficient or possibly correct switching between authentication methods and temporarily , albeit briefly, move to a catchall rule because of it.

The port has both a PC that is .1x capable and a phone that isnā€™t, hence both.

If that catch all rule was a deny / reject rule Iā€™m not sure what the result would be?

Thanks.

0 Kudos

Brian_Anderson1
Contributor

ā€Ž06-25-2020 07:51 PM

Is this wired?  If so, do you have reauth settings setup on your ports for every hour?

0 Kudos
GTM-P2G8KFN