03-01-2012 05:09 PM
802.1x issue on 2610-48 PoE
Hi,
Hoping someone can help me analyze this log output...
Here's my situation.
HP Printer using EAP-TLS authentication.
2610 switch with default vlan ID of 1 and unauth vid 13.
Radius server using dynamic vlan assignment
Relevant config:

```
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-52
   ip address x.x.x.x 255.255.0.0
   exit
vlan 13
   name "Unauth"
   tagged 50
   exit
radius-server host x.x.x.x key blah
aaa authentication port-access eap-radius
aaa port-access authenticator 1-48
aaa port-access authenticator 33 client-limit 3
aaa port-access authenticator 33 unauth-vid 13
aaa port-access authenticator active
aaa port-access 33 mixed
```
I can see on my radius server that authentication is successful, but the switch does not set port to authenticated and move to vlan 1. But, if I remove the unauth-vid line from the config then authentication works fine and switch moves port to vlan 1.
Here is the debug from the switch:

```
1X Port 33: added new client 001438-883a12.
UMIB added new dca client 001438-883a12 for new client port 33.
UMIB Client Mac 001438-883A12, accessMode 8021x
PSEC added new SA 001438-883a12 to authorized addr list of port 33 for vlan 13.
1X Port 33: added client 001438-883a12 to VLAN 13.
1X Port 33: sent ReqId #1 to 001438-883a12.
1X Port 33: received RspId #1 from 001438-883a12.
1X Port 33: started authentication session for client 001438-883a12.
1X Port 33: received EAP identity request for client 001438-883a12.
1X Port 33: sent EAP response from client 001438-883a12 to authenticaton
server.
RAD Received RADIUS MSG: DATA, session: 178866.
RAD ACCESS REQUEST id: 37 to 160.160.1.230, session: 178866, User-Name:
Printers, Calling-Station-Id: 001438-883a12, NAS-Port-Id: 33, NAS-IP-Address:
160.160.1.179.
RAD ACCESS CHALLENGE id: 37 from 160.160.1.230 received.
1X Port 33: received EAP request for client 001438-883a12.
1X Port 33: sent EAP request #2 to 001438-883a12.
1X Port 33: set supplicant timeout for client 001438-883a12 to 30 sec.
1X Port 33: received type 13 EAP response #2 from 001438-883a12.
1X Port 33: sent EAP response from client 001438-883a12 to authenticaton
server.
RAD Received RADIUS MSG: DATA, session: 178866.
RAD ACCESS REQUEST id: 38 to 160.160.1.230, session: 178866, User-Name:
Printers, Calling-Station-Id: 001438-883a12, NAS-Port-Id: 33, NAS-IP-Address:
160.160.1.179.
RAD ACCESS CHALLENGE id: 38 from 160.160.1.230 received.
1X Port 33: received EAP request for client 001438-883a12.
1X Port 33: sent EAP request #3 to 001438-883a12.
1X Port 33: set supplicant timeout for client 001438-883a12 to 30 sec.
1X Port 33: received type 13 EAP response #3 from 001438-883a12.
1X Port 33: sent EAP response from client 001438-883a12 to authenticaton
server.
RAD Received RADIUS MSG: DATA, session: 178866.
RAD ACCESS REQUEST id: 39 to 160.160.1.230, session: 178866, User-Name:
Printers, Calling-Station-Id: 001438-883a12, NAS-Port-Id: 33, NAS-IP-Address:
160.160.1.179.
RAD ACCESS ACCEPT id: 39 from 160.160.1.230 received.
1X Port 33: received Success for client 001438-883a12, finished authentication
session.
1X Port: 33 MAC: 001438-883a12 RADIUS Attributes, vid: 1.
PSEC removed 001438-883a12 from authorized addr list of port 33 for vlan 13 due
to age-out.
PSEC added new SA 001438-883a12 to authorized addr list of port 33 for vlan 1.
1X Port 33: removed client 001438-883a12 from all VLANs.
PSEC removed 001438-883a12 from authorized addr list of port 33 for vlan 1.
1X Port 33: started session for client 001438-883a12.
1X Port 33: sent Success #3 to 001438-883a12.
1X Port 33: client 001438-883a12 expired on VLAN 13.
1X Port 33: removed client 001438-883a12 from all VLANs.
UMIB removed dca client 001438-883a12 for port 33.
1X Port 33: stopped session for client 001438-883a12, termination code is 7.
1X Port 33: deleted client 001438-883a12.
RAD Removing RADIUS REQUEST id: 39 from queue.
```
You can see that authentication is successful, and tries to assign port 33 to vlan 1, but then immediately moves it to vlan 13.
I'm especially interested in this line...
PSEC removed 001438-883a12 from authorized addr list of port 33 for vlan 13 due
to age-out.
What does this mean exactly? May this be a bug? I am running the latest version R.11.72. Please help.
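
One way to pull the relevant events out of debug output like this, as an added example that is not part of the original post: it rejoins terminal-wrapped lines, then reports any client whose session is stopped after the switch has logged a RADIUS-assigned VLAN, together with the port-security removals in between. The regular expressions and the `dropped_after_accept` name are assumptions written against the lines in this post only; other firmware may word them differently.

```python
import re

# Excerpt of the switch debug output from the post (unparsed lines omitted).
SAMPLE = """\
1X Port 33: received Success for client 001438-883a12, finished authentication
session.
1X Port: 33 MAC: 001438-883a12 RADIUS Attributes, vid: 1.
PSEC removed 001438-883a12 from authorized addr list of port 33 for vlan 13 due
to age-out.
PSEC added new SA 001438-883a12 to authorized addr list of port 33 for vlan 1.
PSEC removed 001438-883a12 from authorized addr list of port 33 for vlan 1.
1X Port 33: stopped session for client 001438-883a12, termination code is 7.
"""

PREFIXES = ("1X ", "RAD ", "PSEC ", "UMIB ")  # subsystems seen in the posted log
MAC = r"(?P<mac>[0-9a-f]{6}-[0-9a-f]{6})"
ADDR_LIST = r"authorized addr list of port \d+ for vlan (?P<vlan>\d+)"
EVENTS = {
    "radius_vid": rf"1X Port: \d+ MAC: {MAC} RADIUS Attributes, vid: (?P<vlan>\d+)\.",
    "psec_remove": rf"PSEC removed {MAC} from {ADDR_LIST}(?: due to (?P<why>[\w-]+))?\.",
    "stopped": rf"1X Port \d+: stopped session for client {MAC}, termination code is (?P<code>\d+)\.",
}

def unwrap(text):
    """Join wrapped continuation lines back onto the log line they belong to."""
    lines = []
    for raw in filter(None, map(str.strip, text.splitlines())):
        if raw.startswith(PREFIXES) or not lines:
            lines.append(raw)
        else:
            lines[-1] += " " + raw
    return lines

def dropped_after_accept(text):
    """Report clients whose session stopped after RADIUS had assigned a VLAN."""
    state, findings = {}, []
    for line in unwrap(text):
        for name, pattern in EVENTS.items():
            m = re.fullmatch(pattern, line)
            if not m:
                continue
            f = m.groupdict()
            if name == "radius_vid":
                state[f["mac"]] = {"mac": f["mac"], "radius_vid": f["vlan"], "removals": []}
            elif f["mac"] in state and name == "psec_remove":
                state[f["mac"]]["removals"].append((f["vlan"], f["why"]))
            elif f["mac"] in state and name == "stopped":
                findings.append({**state.pop(f["mac"]), "termination_code": f["code"]})
    return findings
```

The log carries no timestamps, so a finding only shows the order of events in one capture, not how long the client stayed authorized.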