Since 802.1X device are renewing lease every hour

RaphaelL
Kind of a big deal
Kind of a big deal

Since 802.1X device are renewing lease every hour

Hi , 

 

This is a fairly complex issue.  We are running the 14.39 firmware with MX65(W) and MX68. We activated the 802.1X / MAB auth ( hybrid ) and since that activation every device is renewing it's DHCP lease every single hour ( 1 hour 16-18 secs )

 

This is annoying because it is flooding our logs and the lease we are giving to our devices are 24h ( should renew at 12h ) This is affecting all our 2k teleworker.  Devices that are authenticated via MAB do not renew every hour. Cisco IP phones ( multiple models , also do not renew but are reauthing every hour ).

 

In Cisco ISE we don't see anything suspicious and everything is working fine on our MS. MX is a different story. See the logs below :

 

As anyone seen this issue ?

 

8021x_Meraki.png

16 Replies 16
PhilipDAth
Kind of a big deal
Kind of a big deal

I have only done this using Microsoft NPS.  And that is not normal behaviour.

 

You're not using COA or anything like that to re-authorise the device on the ISE side?

Aaron_Wilson
A model citizen

I'm curious how you have .1x auth on a MX68. My MX68W does not have .1x/MAB auth on the ports, neither in 14.x or 15.x firmware....

PhilipDAth
Kind of a big deal
Kind of a big deal

Sorry I didn't read this closely enough.   The MX68 does not support wired dot1x yet. 

ali_abbass85
Getting noticed

802.1x on MX68 will be available in future stable releases, we are testing this in our lab with Beta firmware.
RaphaelL
Kind of a big deal
Kind of a big deal

Thank you , but I'm well aware of the situation of the MX68 , the log below is exactly the same for all our MX65(W) , should have mentioned it. 

CptnCrnch
Kind of a big deal
Kind of a big deal

Sounds like the switch is forcing the MX to reuthenticate every hour, afterwards it will renew its IP. In this case, it‘s more of a switch „issue“.
RaphaelL
Kind of a big deal
Kind of a big deal

There is no switch in the situation  the devices are directly plugged into the MX.   Device -> MX -> ISE.   In that case the MX is the Authenticator. 

CptnCrnch
Kind of a big deal
Kind of a big deal

Sorry, seems I‘ve gotten this wrong. But even then: is there any reauthentication time set on the MX for dot1x / MAB?
RaphaelL
Kind of a big deal
Kind of a big deal

No worries !

 

That is part of the issue , there is 0 settings for MAB / 802.1X on the MX  ( except de radius port and server ) and I can't find any documentation from Meraki. I think I will have to open a support ticket about this one and post the result here.

ali_abbass85
Getting noticed

Hi @RaphaelL 

Kindly post what you get from Support, we are interested in this too.

RaphaelL
Kind of a big deal
Kind of a big deal

This is what I got from support  :

 

After gathering the data and discussing this with our Engineering team we've determined that this is the expected behavior for MX devices using 802.1X based authentication. The current reauthentication timer on the MX is set at 3600s / 1hr, and I've confirmed that unfortunately at this time we are unable to change that value at all, so this is all working as expected in this situation from what we can see.

 

I'm still worried about the DHCP renew at every reauth. I don't think that is a expected behavior...

RaphaelL
Kind of a big deal
Kind of a big deal

Well ,

 

Support was able to reproduce the same issue in their lab. But it is only affecting Windows OS... 

 

"I was able to get a Windows 10 client setup in my lab and in that case I am now seeing the client perform a DHCP Renew every time it reauthenticates via .1x, exactly like we're seeing in your client sites. So in this case it appears that the DHCP transaction after a .1x reauth is expected for Windows 10 clients at least. "

 

Has anyone experienced this issue  ? Anyway to fix it ( parameters in windows or something ) ?

RaphaelL
Kind of a big deal
Kind of a big deal

Hey there , bumping my old thread. 

 

Has anyone got any issues so far with the reauth timer ( 1h ) and their Cisco IP Phones ?

 

Every hour or so we keep having a ' UCM disconnected / is down' sort of message on the phones and it looks to be happening during the reauth.

 

Thanks !

RaphaelL
Kind of a big deal
Kind of a big deal

Hi ,

 

Even with MX 14.53 and Win 20H2 we are still seeing Windows PC renewing their lease at every reauth on MX ( only on MX once again ... ) 

 

Has anyone tested with Win11 ? We don't have Win11 devices yet.

 

Thanks , 

Ktparry85
New here

Hi,

 

did this every get reoslved?

 

Thanks

RaphaelL
Kind of a big deal
Kind of a big deal

No. 

 

There is a static re-auth time of 3600s on MXs , when a Windows station does a 802.1X re-auth it goes to the DHCP renewal process. There is nothing to fix here,  just a odd behavior.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels