Client Auth Question

Started by deanwebb, April 01, 2016, 02:46:05 PM

deanwebb

Is it normal for a wireless endpoint (a Win7 box) to complete an 802.1X authentication process roughly once every 20 seconds? I'm seeing that on multiple devices in one of our locations.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

SimonV

Do all those clients have the same type of NIC? Could be driver-related. If you do a debug client <mac> on the WLC you might see what's causing the re-authentication.

deanwebb

Could be... they are Intel cards. Lucky me, only our outsourcing partner has access to the WLC at this time...

wintermute000

That's interesting. As someone who is supposed to be doing their CWNA at some stage (pukes again)... who defines the reauth time in 802.1X? Is it up to the specific EAP mechanism? Is it the wild west?

deanwebb

My understanding is that it's supposed to be less frequent than every 20 dang seconds. I know that the re-auth runs in the background on the client and triggers after moving to a new AP or after a certain amount of time on the original AP.

This is not to be confused with the re-auth attempts that fire when the first auth fails. By default, there are two re-auth attempts allowed after a failed auth, each 30 seconds apart. So, if a guy has a crappy card/supplicant/cert, then it's 90 seconds of limbo before 802.1X will release him to another network with a COA. That can be after the DHCP request times out, though, so it takes some tricky work to take care of that on the wired network. On the wireless, DHCP goes on out to the client before the auth, so he's OK.
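The thread never settles on a way to put a number on the behaviour deanwebb describes in the first post, or to tell the periodic re-auth discussed above apart from the retry-after-failure case. The following is an added example (editor's illustration, not code from the forum, from Cisco or from any vendor) that measures the re-auth cadence per client from the RADIUS server's log, which is usually reachable even when, as in the thread, someone else holds the WLC. It parses FreeRADIUS-style `Auth:` log lines, groups successful logins by Calling-Station-Id (the client MAC), computes the gap between consecutive successes and flags clients whose median gap is well below any sane session timeout. The sample log lines, MACs, hostnames, NAS name and timestamps are constructed, and the 60-second threshold and three-auth minimum are assumptions to tune against the Session-Timeout your policy server actually returns.

```python
"""Measure how often each wireless client re-authenticates, from RADIUS logs.

Added illustration for this thread, not code from the forum or any vendor:
it parses FreeRADIUS-style "Auth:" log lines, groups successful logins by
Calling-Station-Id (the client MAC) and reports clients whose median interval
between successes is suspiciously short. All sample data below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines in the FreeRADIUS radius.log layout. The MACs,
# hostnames, NAS name and times are made up for illustration only.
# laptop1 re-auths every 20 s, laptop2 hourly, laptop3 only fails EAP-TLS.
SAMPLE_LOG = """\
Fri Apr  1 14:40:00 2016 : Auth: (1) Login OK: [host/laptop1.corp.example] (from client wlc01 port 13 cli 00-11-22-33-44-55)
Fri Apr  1 14:40:05 2016 : Auth: (2) Login OK: [host/laptop2.corp.example] (from client wlc01 port 13 cli 00-11-22-33-44-66)
Fri Apr  1 14:40:20 2016 : Auth: (3) Login OK: [host/laptop1.corp.example] (from client wlc01 port 13 cli 00-11-22-33-44-55)
Fri Apr  1 14:40:40 2016 : Auth: (4) Login OK: [host/laptop1.corp.example] (from client wlc01 port 13 cli 00-11-22-33-44-55)
Fri Apr  1 14:41:00 2016 : Auth: (5) Login OK: [host/laptop1.corp.example] (from client wlc01 port 13 cli 00-11-22-33-44-55)
Fri Apr  1 14:41:20 2016 : Auth: (6) Login OK: [host/laptop1.corp.example] (from client wlc01 port 13 cli 00-11-22-33-44-55)
Fri Apr  1 14:42:00 2016 : Auth: (7) Login incorrect (eap_tls: certificate validation failed): [host/laptop3.corp.example] (from client wlc01 port 13 cli 00-11-22-33-44-77)
Fri Apr  1 14:42:30 2016 : Auth: (8) Login incorrect (eap_tls: certificate validation failed): [host/laptop3.corp.example] (from client wlc01 port 13 cli 00-11-22-33-44-77)
Fri Apr  1 15:40:05 2016 : Auth: (9) Login OK: [host/laptop2.corp.example] (from client wlc01 port 13 cli 00-11-22-33-44-66)
Fri Apr  1 16:40:05 2016 : Auth: (10) Login OK: [host/laptop2.corp.example] (from client wlc01 port 13 cli 00-11-22-33-44-66)
"""

# Timestamp, optional "(N)" request number, result, and the "cli <mac>" field.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : Auth: "
    r"(?:\(\d+\) )?(?P<result>Login OK|Login incorrect).*?"
    r"cli (?P<mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})"
)


def successful_auths(log_text):
    """Return {mac: [datetime, ...]} of successful logins, in log order."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("result") != "Login OK":
            continue  # failures and unrelated lines are not re-auths
        # Collapse the padded day ("Apr  1") before parsing.
        stamp = " ".join(m.group("ts").split())
        ts = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
        events[m.group("mac").lower()].append(ts)
    return events


def reauth_intervals(events):
    """Seconds between consecutive successful auths, per MAC."""
    return {
        mac: [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        for mac, ts in events.items()
        if len(ts) > 1
    }


def flag_reauth_storms(log_text, threshold_s=60.0, min_auths=3):
    """MACs whose median gap between successful auths is below threshold_s.

    min_auths avoids flagging a client that merely roamed once. Both defaults
    are assumptions: set threshold_s well below the Session-Timeout you hand out.
    """
    events = successful_auths(log_text)
    flagged = {}
    for mac, gaps in reauth_intervals(events).items():
        if len(events[mac]) >= min_auths and median(gaps) < threshold_s:
            flagged[mac] = median(gaps)
    return flagged


if __name__ == "__main__":
    for mac, gap in sorted(flag_reauth_storms(SAMPLE_LOG).items()):
        print(f"{mac}: median {gap:.0f} s between successful 802.1X auths")
```

On the sample data only the 20-second client is reported; the hourly client and the one that only fails EAP-TLS are not, which is the distinction deanwebb draws between periodic re-auth and the retries that follow a failed auth. Run it over the real radius.log and compare the reported median against the Session-Timeout (RADIUS attribute 27) the policy server returns, or the WLAN session timeout on the controller, since one of those normally sets the periodic re-auth interval; a gap far shorter than that points at the supplicant or driver rather than at the timer.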