HPE Community
Comware Based
1751861 Members
5659 Online
108782 Solutions
New Discussion

HP 5900 problem with dot1x / 802.1x ErrCode=14, Session of the 802.1X user was terminated.

 
Dranet
Visitor

‎06-12-2017 03:06 AM

‎06-12-2017 03:06 AM

HP 5900 problem with dot1x / 802.1x ErrCode=14, Session of the 802.1X user was terminated.

Hi.

I have a strange problem with dot1x authentication on my new switch-es HP5900.

There are two switches with IRF, the configuration of the dot1x:

 dot1x
 dot1x authentication-method eap
 dot1x quiet-period

interface GigabitEthernet2/0/27
 port link-mode bridge
 dot1x
 dot1x port-method portbased
 dot1x guest-vlan 25

With Radius configuration.

The computer falls in Guest VLan allways, and in logs I have:

%Jun 11 23:49:49:152 2017 HP5900_DEV_ACCESS DOT1X/6/DOT1X_LOGIN_SUCC: -IfName=GigabitEthernet2/0/27-MACAddr=d481-d7c6-6c40-VLANId=25-UserName=host/CFMLPCHWS3G2.bre-leasing.com.pl; The user passed 802.1X authentication and got online successfully.

%Jun 11 23:49:49:160 2017 HP5900_DEV_ACCESS DOT1X/6/DOT1X_LOGOFF: -IfName=GigabitEthernet2/0/27-MACAddr=d481-d7c6-6c40-VLANId=25-UserName=host/CFMLPCHWS3G2.bre-leasing.com.pl-ErrCode=14; Session of the 802.1X user was terminated.

 What is it , where there are some problems ?

Thanks

DD

0 Kudos
4 REPLIES 4
Linkk
Frequent Advisor

‎06-12-2017 05:24 AM

‎06-12-2017 05:24 AM

Re: HP 5900 problem with dot1x / 802.1x ErrCode=14, Session of the 802.1X user was terminated.

Hi Dranet,

the config seems fine so far. Could you provide us the corresponding log message of the 802.1X server?

 

 

0 Kudos
Dranet
Visitor

‎06-12-2017 06:51 AM

‎06-12-2017 06:51 AM

Re: HP 5900 problem with dot1x / 802.1x ErrCode=14, Session of the 802.1X user was terminated.

Hi.

Thanks for the answer.

Here are the logs from Radius serwer:

x.y.110.z,host/LPCHWS3G2.*.com.pl,06/12/2017,01:03:33,IAS,MDC2,6,2,32,HP5900_DEV_ACCESS,5,33665049,61,15,31,D4-81-D7-C6-6C-40,30,D8-94-03-23-49-05,12,1450,87,slot=2;subslot=0;port=27;vlanid=25,4,x.y.110.z,4108,x.y.110.z,4116,0,4128,HP5900_DEV_ACCESS,4154,Use Windows authentication for all users,4155,1,4129,*\LPCHWS3G2$,25,311 1 g.h.100.y 05/18/2017 22:44:58 111416,4130,*.com.pl/Komputery/LPCHWS3G2,4127,5,4149,10.124 BRELDEV LAN,4136,1,4142,0

x.y.110.z,host/LPCHWS3G2.*.com.pl,06/12/2017,01:03:33,IAS,MDC2,25,311 1 g.h.100.y 05/18/2017 22:44:58 111416,27,30,4130,*.com.pl/Komputery/LPCHWS3G2,4149,10.124 BRELDEV LAN,4127,5,4108,x.y.110.z,4116,0,4128,HP5900_DEV_ACCESS,4154,Use Windows authentication for all users,4155,1,4129,*\LPCHWS3G2$,4136,11,4142,0

 

 

0 Kudos
Linkk
Frequent Advisor

‎06-12-2017 07:46 AM - edited ‎06-14-2017 04:07 AM

‎06-12-2017 07:46 AM - edited ‎06-14-2017 04:07 AM

Re: HP 5900 problem with dot1x / 802.1x ErrCode=14, Session of the 802.1X user was terminated.

 

I suppose LPCHWS3G2 is the computer authenticating? And the server answers with "vlanid=25" in the first log entry.

Why do you have VLAN 25 configured as guest-vlan? The interface should join VLAN 25 untagged automatically with the 802.1X answer.

 If you don't need the guest VLAN, could you undo it and try to authenticate again?

0 Kudos
Dranet
Visitor

‎06-13-2017 05:32 AM

‎06-13-2017 05:32 AM

Re: HP 5900 problem with dot1x / 802.1x ErrCode=14, Session of the 802.1X user was terminated.

Hi.

OK, we have partial success. After few modifications in configuration, the computers with Windows 10 are passing through authentication, but with Windows 7 not.

The example with authentication:

Slot ID: 2
User MAC address: 6400-6a8b-512b
Access interface: GigabitEthernet2/0/39
Username: host/DVDK6FFXTB2.*.pl
Authentication domain: system
Authentication method: EAP
Initial VLAN: 25
Authorization untagged VLAN: 847
Authorization tagged VLAN list: N/A
Authorization ACL ID: N/A
Authorization user profile: N/A
Authorization URL:  N/A
Termination action: Default
Session timeout period: N/A
Online from: 2017/06/13 11:37:15
Online duration: 2h 43m 43s

Some logs here:

%Jun 13 13:31:40:102 2017 HP5900_DEV_ACCESS DOT1X/6/DOT1X_LOGIN_SUCC: -Slot=1; -IfName=GigabitEthernet1/0/9-MACAddr=9890-96c6-313d-VLANID=25-Username=host/DVDKCZC1233L9S.*pl; User passed 802.1X authentication and came online.

I'll try to remove Guest VLan nr 25 and let you know.

Thanks.

DD

 

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.