802.1X abnormal logoff on 5130 switches

 
Mdir
Frequent Visitor

We have a problem with authenticated users being disconnected from the network (wired, not wireless), sometimes several times per day. I have searched through this forum and done Google searches, but I have not found anything relevant. Does anyone have any ideas?

The error message says:

%%10DOT1X/6/DOT1X_LOGOFF_ABNORMAL: -Slot=2; -IfName=GigabitEthernet2/0/23-MACAddr=xxxx-yyyy-zzz-VLANID=xxx-Username=host/ouraddomain-ErrCode=15; 802.1X user was logged off abnormally.

When this happens, the users have to disconnect the network cable so their client switches to the wireless network to get access again.

We use 5130 switches with version 3506P02, and the RADIUS server is ClearPass. No error messages or failed authentications in the ClearPass event log or access tracker.

The clients are Dell laptops running Win10, and they authenticate with EAP-TLS using machine certificates.

Switch port config:

interface GigabitEthernet1/0/1
description Client port
port link-type hybrid
port hybrid vlan 1 xxx yyy zzz untagged
stp edged-port
ipv6 nd raguard role host
apply poe-profile index 1
dot1x
undo dot1x handshake
dot1x mandatory-domain ouraddomain
dot1x max-user 5
undo dot1x multicast-trigger
dot1x re-authenticate
dot1x unicast-trigger
dot1x guest-vlan xxx
dot1x auth-fail vlan xxx
dot1x critical vlan xxx
dot1x re-authenticate server-unreachable keep-online
mac-authentication
mac-authentication max-user 5
mac-authentication domain ouraddomain
mac-authentication re-authenticate server-unreachable keep-online
mac-authentication guest-vlan xxx
mac-authentication re-authenticate
#
return

 

akg7
HPE Pro

Re: 802.1X abnormal logoff on 5130 switches

Hello,

Can you please enable debug, collect the debug logs and share them with me?

<HPE> debug dot1x all

<HPE> term monitor

<HPE> term logging

<HPE> term debug 

--Try to authenticate, collect data and disable logging.

<HPE> undo debug dot1x all

<HPE> undo term monitor

<HPE> undo term logging

<HPE> undo term debug

Thanks!

 

debug dot1x all
term monitor
term debug

 

I am an HPE Employee


Mdir
Frequent Visitor

Re: 802.1X abnormal logoff on 5130 switches

One of the commands you gave me seems to be incomplete:

<SWITCH>debug dot1x all
<SWITCH>term monitor
The current terminal is enabled to display logs.
<SWITCH>term logging
                        ^
 % Incomplete command found at '^' position.
<SWITCH>term debug
The current terminal is enabled to display debugging logs.
<SWITCH>

 

I then forced a reauthentication on the client by disabling and enabling the wired network card. There was no debugging output in the terminal window. The logbuffer only had the usual information:

<SWITCH>display logbuffer reverse
Log buffer: Enabled
Max buffer size: 1024
Actual buffer size: 1024
Dropped messages: 0
Overwritten messages: 6318263
Current messages: 1024
%May 18 13:53:02:323 2021 SWITCH DOT1X/6/DOT1X_LOGIN_SUCC: -IfName=GigabitEthernet1/0/1-MACAddr=xxxx-yyyy-zzzz-AccessVLANID=1-AuthorizationVLANID=999-Username=host/hostname.ouraddomain; User passed 802.1X authentication and came online.
%May 18 13:53:01:570 2021 SWITCH IFNET/5/LINK_UPDOWN: Line protocol state on the interface GigabitEthernet1/0/1 changed to up.
%May 18 13:53:01:566 2021 SWITCH IFNET/3/PHY_UPDOWN: Physical state on the interface GigabitEthernet1/0/1 changed to up.
%May 18 13:52:33:907 2021 SWITCH IFNET/5/LINK_UPDOWN: Line protocol state on the interface GigabitEthernet1/0/1 changed to down.
%May 18 13:52:33:900 2021 SWITCH DOT1X/6/DOT1X_LOGOFF_ABNORMAL: -IfName=GigabitEthernet1/0/1-MACAddr=xxxx-yyyy-zzzz-VLANID=999-Username=host/hostname.ouraddomain-ErrCode=15; 802.1X user was logged off abnormally.
%May 18 13:52:33:893 2021 SWITCH IFNET/3/PHY_UPDOWN: Physical state on the interface GigabitEthernet1/0/1 changed to down.

 

Apologies if I have misunderstood your request, I am not very familiar with Comware switches.

 

akg7
HPE Pro

Re: 802.1X abnormal logoff on 5130 switches

Hello,

As we can see from the output, physical interface gi 1/0/1 is flapping and then the 802.1X user was logged off abnormally.

Can you please share the output below and also, if possible, try to swap the interface or cable?

display current-configuration interface GigabitEthernet 1/0/1

display interface GigabitEthernet 1/0/1

Thanks!

I am an HPE Employee
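
The correlation pointed out in the reply above (a physical link-down on the port right next to the DOT1X_LOGOFF_ABNORMAL entry) can be checked across a whole logbuffer dump. The following is an added example, not part of the original thread or HPE tooling; the sample log is constructed in the thread's format, and the two-second window and function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the logbuffer format shown in this thread (placeholder
# MAC/user values; the GigabitEthernet1/0/2 entry is invented for contrast).
SAMPLE = """\
%May 18 13:53:01:566 2021 SWITCH IFNET/3/PHY_UPDOWN: Physical state on the interface GigabitEthernet1/0/1 changed to up.
%May 18 13:52:33:900 2021 SWITCH DOT1X/6/DOT1X_LOGOFF_ABNORMAL: -IfName=GigabitEthernet1/0/1-MACAddr=xxxx-yyyy-zzzz-VLANID=999-Username=host/hostname.ouraddomain-ErrCode=15; 802.1X user was logged off abnormally.
%May 18 13:52:33:893 2021 SWITCH IFNET/3/PHY_UPDOWN: Physical state on the interface GigabitEthernet1/0/1 changed to down.
%May 18 11:10:05:120 2021 SWITCH DOT1X/6/DOT1X_LOGOFF_ABNORMAL: -IfName=GigabitEthernet1/0/2-MACAddr=aaaa-bbbb-cccc-VLANID=999-Username=host/other.ouraddomain-ErrCode=15; 802.1X user was logged off abnormally.
"""

LINE = re.compile(r"^%(\w{3} +\d+ [\d:]+ \d{4}) \S+ \w+/\d/(\w+): (.*)$")
PORT = re.compile(r"IfName=(.+?)-MACAddr=|interface (\S+) changed to")


def parse(text):
    """Return (timestamp, mnemonic, interface, body) for lines naming a port."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        port = PORT.search(m.group(3)) if m else None
        if port:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S:%f %Y")
            events.append((ts, m.group(2), port.group(1) or port.group(2), m.group(3)))
    return events


def classify_logoffs(text, window=timedelta(seconds=2)):
    """Label each abnormal logoff by whether the port went down within `window`."""
    events = parse(text)
    downs = [(ts, port) for ts, name, port, body in events
             if name == "PHY_UPDOWN" and body.endswith("changed to down.")]
    out = []
    for ts, name, port, _ in events:
        if name == "DOT1X_LOGOFF_ABNORMAL":
            hit = any(p == port and abs(ts - t) <= window for t, p in downs)
            out.append((port, ts.strftime("%H:%M:%S"),
                        "link-down" if hit else "no-link-event"))
    return out


if __name__ == "__main__":
    for row in classify_logoffs(SAMPLE):
        print(*row)
```

Logoffs labelled link-down coincide with a physical state change on the same port; those labelled no-link-event have nothing in the buffer at the link layer to explain them.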


Mdir
Frequent Visitor

Re: 802.1X abnormal logoff on 5130 switches

The port config is in my initial post. This is happening with all our users, so I doubt if it is a cable problem. 

Interface display:

[SWITCH]display interface gigabitethernet 1/0/1
GigabitEthernet1/0/1
Current state: UP
Line protocol state: UP
IP packet frame type: Ethernet II, hardware address: xxxx-yyyy-zzzz
Description: Client port
Bandwidth: 1000000 kbps
Loopback is not set
Media type is twisted pair
Port hardware type is 1000_BASE_T
1000Mbps-speed mode, full-duplex mode
Link speed type is autonegotiation, link duplex type is autonegotiation
Flow-control is not enabled
Maximum frame length: 12288
Allow jumbo frames to pass
Broadcast max-ratio: 100%
Multicast max-ratio: 100%
Unicast max-ratio: 100%
PVID: 999
MDI type: Automdix
Port link-type: Hybrid
 Tagged VLANs:   None
 Untagged VLANs: 1(default vlan), xxx, yyy, zzz
Port priority: 0
Last clearing of counters: Never
 Peak input rate: 12677787 bytes/sec, at 2021-05-14 14:47:13
 Peak output rate: 6994804 bytes/sec, at 2021-05-14 14:10:10
 Last 300 seconds input: 11 packets/sec 2533 bytes/sec 0%
 Last 300 seconds output: 21 packets/sec 8146 bytes/sec 0%
 Input (total):  41144761 packets, 27232202698 bytes
         41043743 unicasts, 12755 broadcasts, 88263 multicasts, 0 pauses
 Input (normal):  41144761 packets, - bytes
         41043743 unicasts, 12755 broadcasts, 88263 multicasts, 0 pauses
 Input:  0 input errors, 0 runts, 0 giants, 0 throttles
         0 CRC, 0 frame, - overruns, 0 aborts
         - ignored, - parity errors
 Output (total): 72232835 packets, 45478653402 bytes
         59666689 unicasts, 8126192 broadcasts, 4439954 multicasts, 0 pauses
 Output (normal): 72232835 packets, - bytes
         59666689 unicasts, 8126192 broadcasts, 4439954 multicasts, 0 pauses
 Output: 0 output errors, - underruns, - buffer failures
         0 aborts, 0 deferred, 0 collisions, 0 late collisions
         0 lost carrier, - no carrier

[SWITCH]
akg7
HPE Pro

Re: 802.1X abnormal logoff on 5130 switches

Hello,

Can you configure mac-vlan enable at the interface and check?

[comware] int gi 1/0/1

[comware]mac-vlan enable

[comware] exit

Also share the output of the commands below:

display dot1x connection interface gi 1/0/1

display dot1x interface gi 1/0/1

display mac-authentication connection interface gi 1/0/1

display mac-authentication interface gi 1/0/1

If the issue remains after enabling mac-vlan, then turn on debugging, capture the output and share it with me:

--Log putty session.

<HPE> terminal monitor

<HPE> terminal debugging

<HPE> debugging dot1x all

<HPE> debugging mac-authentication all

Capture the output and close debugging.

<HPE> undo debugging all

<HPE> undo terminal monitor

Thanks!

 

I am an HPE Employee


Mdir
Frequent Visitor

Re: 802.1X abnormal logoff on 5130 switches

Sorry for the late reply. I will enable mac-vlan on some of the ports and report back the result.

Mdir
Frequent Visitor

Re: 802.1X abnormal logoff on 5130 switches

Unfortunately 'mac-vlan enable' did not fix the problem. I just had another disconnect on my own client, and accounting in ClearPass says: 

Termination Cause: Port-Error