
After disconnecting a DOT1X authenticated client behind a phone, MAC authentication session stays active in both EXOS and XMC

Symptoms
  • When a dot1x-authenticated user/client behind the phone is disconnected, the dot1x session is closed correctly, but the MAC authentication session for that user stays active on both the EXOS switch and XMC.
X440G2 [1:3] <--- to ---> [LAN PORT] IP PHONE [PC PORT] <--- to ---> CLIENT
Environment
  • EXOS
  • Netlogin
  • Policy
  • XMC - NAC
  • 802.1x & MAC Authentication
Cause
  • The EXOS switch sends an Accounting Start message for MAC authentication once dot1x authentication is unsuccessful.
  • This happens because the link (port 1:3) does not go down when the client is disconnected. The dot1x session stops, but as long as the FDB entry for the PC is present on port 1:3, that MAC address stays authenticated.
* Slot-1 Stack.43 # show fdb port 1:3
Mac                     Vlan       Age  Flags           Port / Virtual Port List
--------------------------------------------------------------------------------
00:1a:e8:00:88:04    Default(0001) 0029 nd m     v     1:3
54:ee:75:10:55:f3    Default(0001) 0029 nd m     v     1:3
Logs:
* Slot-1 Stack.54 # show log
11/06/2018 09:59:38.74 <Info:AAA.RADIUS.RecvRspns> Received an Accounting Start Response (packet length 20, destination UDP port 32769, id 82) from accounting server #1 for 54-EE-75-10-55-F3(userName '54EE751055F3') on port 1:3.
11/06/2018 09:59:38.74 <Info:AAA.RADIUS.RecvRspns> Received an Accounting Stop Response (packet length 20, destination UDP port 32769, id 81) from accounting server #1 for 54-EE-75-10-55-F3(userName 'training-ws23\training') on port 1:3.
11/06/2018 09:59:38.74 <Info:AAA.RADIUS.ApiReq> Accounting start for 54-EE-75-10-55-F3(username '54EE751055F3') on port 1:3.
11/06/2018 09:59:38.74 <Info:AAA.RADIUS.ApiReq> Accounting stop for 54-EE-75-10-55-F3(username 'training-ws23\training') on port 1:3
  • Therefore, an active MAC authentication session will be displayed both in EXOS and XMC.
* Slot-1 Stack.52 # show netlogin session
Multiple authentication session entries
---------------------------------------

Port            : 1:3         Station address   : 00:1a:e8:00:88:04             
Auth status     : success     Last attempt      : Tue Nov  6 09:55:08 2018      
Agent type      : mac         Session applied   : true
Server type     : radius      VLAN-Tunnel-Attr  : None
Policy index    : 0           Policy name       : No Policy applied
Session timeout : 0           Session duration  : 0:07:29                       
Idle timeout    : 300         Idle time         : 0:00:00                       
Termination time: Not Terminated


Port            : 1:3         Station address   : 54:ee:75:10:55:f3             
Auth status     : success     Last attempt      : Tue Nov  6 09:55:08 2018      
Agent type      : mac         Session applied   : true
Server type     : radius      VLAN-Tunnel-Attr  : None
Policy index    : 0           Policy name       : No Policy applied
Session timeout : 0           Session duration  : 0:07:29                       
Idle timeout    : 300         Idle time         : 0:00:00                       
Termination time: Not Terminated

Resolution
  • This is expected behaviour in EXOS.
  • By EXOS design, policy mode requires accounting to be aware of the protocol preference order. It therefore sends an Accounting Stop when the highest-preferred protocol is unauthenticated and an Accounting Start for the next preferred protocol.
  • In this scenario, since MAC authentication is also enabled on port 1:3, when the dot1x user is unauthenticated, EXOS sends an Accounting Stop message for dot1x and then an Accounting Start message for the next preferred protocol, which is MAC, for the same user.
  • Alternatively, you can disable MAC authentication on that port to avoid this behaviour.
# disable netlogin ports <port no> mac 
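
The stop/start pair described above can be located in a saved `show log` capture. The following Python sketch is an added example, not Extreme Networks code: it pairs a dot1x Accounting stop with a MAC-authentication Accounting start for the same station and port. The function names, the two-second matching window and the third sample line are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# First two lines are from the article's log excerpt; the third is constructed.
SAMPLE_LOG = r"""
11/06/2018 09:59:38.74 <Info:AAA.RADIUS.ApiReq> Accounting start for 54-EE-75-10-55-F3(username '54EE751055F3') on port 1:3.
11/06/2018 09:59:38.74 <Info:AAA.RADIUS.ApiReq> Accounting stop for 54-EE-75-10-55-F3(username 'training-ws23\training') on port 1:3
11/06/2018 10:02:11.10 <Info:AAA.RADIUS.ApiReq> Accounting stop for 00-11-22-33-44-55(username 'lab\alice') on port 1:7
"""

API_REQ = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{2}) <Info:AAA\.RADIUS\.ApiReq> "
    r"Accounting (?P<kind>start|stop) for (?P<mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})"
    r"\(user[Nn]ame '(?P<user>[^']*)'\) on port (?P<port>[\d:]+)"
)

def parse(log_text):
    """Yield one dict per AAA.RADIUS.ApiReq accounting line."""
    for line in log_text.splitlines():
        m = API_REQ.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%m/%d/%Y %H:%M:%S.%f")
        ev["mac"] = ev["mac"].upper()
        # MAC authentication uses the station MAC without separators as the username.
        ev["is_mac_auth"] = ev["user"].upper() == ev["mac"].replace("-", "")
        yield ev

def find_fallbacks(log_text, window=timedelta(seconds=2)):
    """Return (port, mac, dot1x_user) for each dot1x stop paired with a MAC-auth start."""
    events = list(parse(log_text))
    stops = [e for e in events if e["kind"] == "stop" and not e["is_mac_auth"]]
    starts = [e for e in events if e["kind"] == "start" and e["is_mac_auth"]]
    hits = []
    for stop in stops:
        for start in starts:
            same_station = (start["mac"], start["port"]) == (stop["mac"], stop["port"])
            # abs(): both lines share a timestamp and may appear in either order.
            if same_station and abs(start["ts"] - stop["ts"]) <= window:
                hits.append((stop["port"], stop["mac"], stop["user"]))
                break
    return hits

if __name__ == "__main__":
    for port, mac, user in find_fallbacks(SAMPLE_LOG):
        print(f"port {port}: {mac} fell back to MAC auth after dot1x stop for {user}")
```

Stations it reports are the ones to look for in `show netlogin session` with agent type `mac`.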