
Since 802.1X device are renewing lease every hour

Getting noticed


Hi,

This is a fairly complex issue. We are running the 14.39 firmware with MX65(W) and MX68. We activated the 802.1X / MAB auth (hybrid) and since that activation every device is renewing its DHCP lease every single hour (1 hour 16-18 secs).

This is annoying because it is flooding our logs and the leases we are giving to our devices are 24h (should renew at 12h). This is affecting all our 2k teleworkers. Devices that are authenticated via MAB do not renew every hour. Cisco IP phones (multiple models) also do not renew but are reauthing every hour.

In Cisco ISE we don't see anything suspicious and everything is working fine on our MS. MX is a different story. See the logs below:

Has anyone seen this issue?

 

8021x_Meraki.png

12 REPLIES 12
Kind of a big deal

Re: Since 802.1X device are renewing lease every hour

I have only done this using Microsoft NPS.  And that is not normal behaviour.

 

You're not using COA or anything like that to re-authorise the device on the ISE side?

Building a reputation

Re: Since 802.1X device are renewing lease every hour

I'm curious how you have .1x auth on an MX68. My MX68W does not have .1x/MAB auth on the ports, neither in 14.x nor 15.x firmware....

Kind of a big deal

Re: Since 802.1X device are renewing lease every hour

Sorry I didn't read this closely enough.   The MX68 does not support wired dot1x yet. 

Getting noticed

Re: Since 802.1X device are renewing lease every hour

802.1x on MX68 will be available in future stable releases, we are testing this in our lab with Beta firmware.
Getting noticed

Re: Since 802.1X device are renewing lease every hour

Thank you, but I'm well aware of the situation of the MX68; the log below is exactly the same for all our MX65(W), should have mentioned it.

Building a reputation

Re: Since 802.1X device are renewing lease every hour

Sounds like the switch is forcing the MX to reauthenticate every hour, afterwards it will renew its IP. In this case, it's more of a switch "issue".
Getting noticed

Re: Since 802.1X device are renewing lease every hour

There is no switch in the situation; the devices are directly plugged into the MX. Device -> MX -> ISE. In that case the MX is the Authenticator.

Building a reputation

Re: Since 802.1X device are renewing lease every hour

Sorry, seems I've gotten this wrong. But even then: is there any reauthentication time set on the MX for dot1x / MAB?
Getting noticed

Re: Since 802.1X device are renewing lease every hour

No worries!

That is part of the issue, there are 0 settings for MAB / 802.1X on the MX (except the RADIUS port and server) and I can't find any documentation from Meraki. I think I will have to open a support ticket about this one and post the result here.

Getting noticed

Re: Since 802.1X device are renewing lease every hour

Hi @RaphaelL 

Kindly post what you get from Support, we are interested in this too.

Getting noticed

Re: Since 802.1X device are renewing lease every hour

This is what I got from support:

After gathering the data and discussing this with our Engineering team we've determined that this is the expected behavior for MX devices using 802.1X based authentication. The current reauthentication timer on the MX is set at 3600s / 1hr, and I've confirmed that unfortunately at this time we are unable to change that value at all, so this is all working as expected in this situation from what we can see.

I'm still worried about the DHCP renew at every reauth. I don't think that is an expected behavior...

Getting noticed

Re: Since 802.1X device are renewing lease every hour

Well,

Support was able to reproduce the same issue in their lab. But it is only affecting Windows OS...

"I was able to get a Windows 10 client setup in my lab and in that case I am now seeing the client perform a DHCP Renew every time it reauthenticates via .1x, exactly like we're seeing in your client sites. So in this case it appears that the DHCP transaction after a .1x reauth is expected for Windows 10 clients at least."

Has anyone experienced this issue? Any way to fix it (parameters in Windows or something)?
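
Added example, not part of the thread and not Meraki or Cisco tooling: a small Python classifier that separates clients whose DHCP renewals track the 3600 s reauthentication timer from clients that only reauthenticate or that renew at half-lease. The event tuple layout, the 60 s tolerance and the sample data are assumptions constructed for illustration; real events would have to be exported from the MX event log and ISE into this shape.

```python
from collections import defaultdict
from statistics import median

REAUTH_TIMER = 3600   # seconds; MX 802.1X reauthentication timer quoted from support
TOLERANCE = 60        # seconds of slack (assumption; thread reports 1 h 16-18 s)

# Constructed sample events: (epoch_seconds, mac, kind). MACs are from the
# documentation range; the tuple layout is an assumption, not a Meraki log format.
SAMPLE_EVENTS = [
    # Windows 802.1X client: DHCP renew right after every reauth
    (0, "00:00:5e:00:53:01", "reauth"), (2, "00:00:5e:00:53:01", "dhcp"),
    (3617, "00:00:5e:00:53:01", "reauth"), (3619, "00:00:5e:00:53:01", "dhcp"),
    (7234, "00:00:5e:00:53:01", "reauth"), (7236, "00:00:5e:00:53:01", "dhcp"),
    # IP phone: reauths hourly, renews at half of the 24 h lease
    (0, "00:00:5e:00:53:02", "reauth"), (5, "00:00:5e:00:53:02", "dhcp"),
    (3600, "00:00:5e:00:53:02", "reauth"), (7200, "00:00:5e:00:53:02", "reauth"),
    (43205, "00:00:5e:00:53:02", "dhcp"),
    # MAB device: renews at half-lease, no reauth events logged (constructed)
    (10, "00:00:5e:00:53:03", "dhcp"), (43210, "00:00:5e:00:53:03", "dhcp"),
]

def classify_clients(events):
    """Return {mac: verdict} describing how DHCP renewals relate to reauths."""
    by_mac = defaultdict(lambda: {"dhcp": [], "reauth": []})
    for ts, mac, kind in events:
        by_mac[mac][kind].append(ts)
    verdicts = {}
    for mac, ev in by_mac.items():
        dhcp, reauth = sorted(ev["dhcp"]), sorted(ev["reauth"])
        gaps = [b - a for a, b in zip(dhcp, dhcp[1:])]
        hourly = bool(gaps) and abs(median(gaps) - REAUTH_TIMER) <= TOLERANCE
        # A renewal is "tied" when it lands within TOLERANCE seconds after a reauth.
        tied = sum(any(0 <= d - r <= TOLERANCE for r in reauth) for d in dhcp)
        if hourly and tied == len(dhcp):
            verdicts[mac] = "renews_on_reauth"
        elif hourly:
            verdicts[mac] = "hourly_renew_uncorrelated"
        elif len(reauth) >= 2:
            verdicts[mac] = "reauth_only"
        else:
            verdicts[mac] = "other"
    return verdicts

if __name__ == "__main__":
    for mac, verdict in sorted(classify_clients(SAMPLE_EVENTS).items()):
        print(mac, verdict)
```

Clients reported as `renews_on_reauth` are the ones generating the hourly DHCP log entries, which gives a list to filter on or to compare against OS inventory.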
