HPE 1950 Port Skips Every 20 Seconds after Dot1x Enable

SOLVED
JF7
Advisor

I have an HPE 1950 on which I enabled Dot1x on a port. The system authenticated properly right away, but now every 20 seconds the port loses two ping packets like clockwork. The pattern is exactly 20 good pings, then 2 bad.

The backend RADIUS is a ClearPass server that is working for HP ProCurve, HPE Linux (1920S), Cisco 12.2 & 15.1, and ExtremeOS X447. Only the two Comware-based HPE 1950s are having this issue.

Below is the configuration of the global RADIUS settings.

port-security enable
dot1x authentication-method eap

radius scheme default
 primary authentication 10.0.0.1 key simple replacedwithfakekey
 secondary authentication 10.0.0.2 key simple replacedwithfakekey
 user-name-format without-domain

domain default
 authentication lan-access radius-scheme default
 authorization lan-access radius-scheme default

domain default enable default

Below is the interface config.

port-security port-mode userlogin-secure
dot1x max-user 1
dot1x guest-vlan 1234
dot1x auth-fail vlan 1234
undo dot1x handshake

Can anybody give any insight?

Emil_G
HPE Pro

Re: HPE 1950 Port Skips Every 20 Seconds after Dot1x Enable

Hello, 

dot1x multicast-trigger should be enabled by default on this switch. When it is enabled, the switch multicasts EAP-Request/Identity packets periodically. Probably this triggers a reauthentication of the connected client, and that's why the connection is blocked for a short time. Please test whether disabling dot1x multicast-trigger changes the behavior.

I am an HPE employee


JF7
Advisor

Re: HPE 1950 Port Skips Every 20 Seconds after Dot1x Enable

I tried disabling the multicast trigger on all the Dot1x-enabled ports with the command below, and the port stopped skipping the two pings.

But after a new reauth, or when the system needed to reauth, the clients stopped being able to authenticate. I had to turn it back on to be able to access the port.

undo dot1x multicast-trigger

So it seems that the above command will not work, because Dot1x breaks without it.

Could it be a timing issue with the multicast trigger?

Emil_G
HPE Pro
Solution

Re: HPE 1950 Port Skips Every 20 Seconds after Dot1x Enable

Hi

Could you please test on one port by disabling multicast-trigger and enabling unicast-trigger? If I am not wrong, they are independent; that means disabling multicast-trigger doesn't automatically enable unicast-trigger.

With multicast-trigger, the switch multicasts EAP-Request/Identity packets periodically (every 30 seconds by default) to initiate 802.1X authentication. I am not sure if this value is configurable on this switch. This should be the dot1x timer tx-period. It is not mentioned in the manual of the 1950. On other switches it can be configured between 10 and 120 seconds.

I am an HPE employee


JF7
Advisor

Re: HPE 1950 Port Skips Every 20 Seconds after Dot1x Enable

Emil_G,

I was working on this yesterday, before you posted this response today. I found, when reviewing the configuration from the Web GUI, that the multicast trigger was the only one enabled and the unicast trigger was disabled. I also found that turning one on or off was independent of the other.

The ultimate fix is exactly what you said in your post. I applied the per-port configuration commands below on each port (I used the interface range command to make it quicker).

undo dot1x multicast-trigger
dot1x unicast-trigger

From that point forward the skipping (loss) of two pings stopped, and the ports are staying authenticated even a full day later, with some going offline and coming back online, which was an issue yesterday with only the multicast trigger disabled.

Thank you very much for the response. I think we came to the same conclusion by different paths.
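Added example, not a session from any post in this thread: the fix above applied to a block of ports in one pass with interface range, together with the rest of the per-port settings from the original post, followed by a check on a single port. The port range GigabitEthernet 1/0/1 to GigabitEthernet 1/0/24 is an assumed placeholder, the lines starting with "#" are notes rather than commands to type, and the display command is shown for verification only (its output is not reproduced here).

```text
# Added example (not the poster's own session). Assumed port range; adjust to
# match the switch. Lines beginning with "#" are notes, not commands.
system-view
 interface range GigabitEthernet 1/0/1 to GigabitEthernet 1/0/24
  port-security port-mode userlogin-secure
  dot1x max-user 1
  dot1x guest-vlan 1234
  dot1x auth-fail vlan 1234
  undo dot1x handshake
# The two lines that stop the periodic two-ping loss: the switch no longer
# multicasts EAP-Request/Identity on every tx-period, and instead sends a
# unicast EAP-Request/Identity to any new source MAC address seen on the port.
  undo dot1x multicast-trigger
  dot1x unicast-trigger
  quit
 quit
# The multicast interval itself would be "dot1x timer tx-period" in system
# view on other Comware switches; whether the 1950 exposes it is not verified.
save force
# Confirm on one port that only the unicast trigger is enabled before
# rolling the change out further.
display dot1x interface GigabitEthernet 1/0/1
```

Apply the change to one port first and watch a continuous ping through a reauthentication cycle before touching the range, since, as the thread shows, disabling the multicast trigger without enabling the unicast trigger leaves a port that authenticates once and then cannot reauthenticate.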