802.1x VLAN packet forwarding issue

Nick Ryan
Occasional Visitor

I have configured a test environment using 802.1x radius authentication on a Procurve 2650, linked to a win2008 NPS&NAP server.

This mostly works very well and clients are authenticated and put in their correct vlans.

The main problem is that sometimes the client is authenticated, placed in the correct vlan but no packets are forwarded. Once this happens once, it seems to block all the other clients once they reboot too.

This stays the same until the switch is reloaded.

I've tracked it down to being linked to the client MAC address. If I change this then the client can then successfully send packets. Once I put it back to the original MAC address then it's blocked from sending packets again. It also doesn't matter which 802.1x port the client is plugged into, it's blocked on all. If I plug it into a non-802.1x port on the same switch it can then send packets. Very oddly, if I boot it, see it's blocked, then plug it into a different switch and then repatch it back to the original blocked port, it's fine and can send and receive packets until it's rebooted...

The cause seems to be related to the changing of the VLAN, as if I make the client change VLANs too many times it's then blocked. (I'm changing VLANs by making the client non-compliant, which puts it in a different VLAN - this then auto-remediates itself, turns the firewall on and goes back in the correct VLAN.) It happens to different client PCs too.

I can't see anything obviously wrong. There's nothing blocked in port-security, no intrusion alerts, nothing in the logs. The port that's blocking looks exactly like all the other ones.

The switch is updated to the latest firmware.


What am I missing?


The switch config is below.


The log file looks like this:
I 03/22/10 09:01:05 ports: port 22 is now off-line
I 03/22/10 09:01:08 ports: port 22 is now on-line
I 03/22/10 09:01:41 ports: port 22 is now off-line
I 03/22/10 09:01:43 ports: port 22 is now on-line
---- Bottom of Log : Events Listed = 95 ----

and port-access auth looks like this (VLAN 1 is where it should be):

IT-2650# show port-access auth 20-25

Port Access Authenticator Status

Port-access authenticator activated [No] : Yes
Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No

Current Current
Port Status VLAN ID Port COS
---- ------ -------- -----------
20 Closed 1 No-override
21 Closed 1 No-override
22 Open 1 No-override
23 Closed 1 No-override
24 Closed 1 No-override
25 Closed 1 No-override

Thanks - Nick

IT-2650# show run

Running configuration:

; J4899B Configuration Editor; Created on release #H.10.83

hostname "IT-2650"
snmp-server contact "IT Department"
snmp-server location "IT Wiring Centre"
time daylight-time-rule Western-Europe
no web-management
interface 1
no lacp
exit
interface 2
no lacp
exit
interface 3
no lacp
exit
interface 4
no lacp
exit
interface 5
no lacp
exit
interface 6
no lacp
exit
interface 7
no lacp
exit
interface 8
no lacp
exit
interface 9
no lacp
exit
interface 10
no lacp
exit
interface 11
no lacp
exit
interface 12
no lacp
exit
interface 13
no lacp
exit
interface 14
no lacp
exit
interface 15
no lacp
exit
interface 16
no lacp
exit
interface 17
no lacp
exit
interface 18
no lacp
exit
interface 19
no lacp
exit
interface 20
no lacp
exit
interface 21
no lacp
exit
interface 22
no lacp
exit
interface 23
no lacp
exit
interface 24
no lacp
exit
interface 25
no lacp
exit
interface 26
no lacp
exit
interface 27
no lacp
exit
interface 28
no lacp
exit
interface 29
no lacp
exit
interface 30
no lacp
exit
interface 31
no lacp
exit
interface 32
no lacp
exit
interface 33
no lacp
exit
interface 34
no lacp
exit
interface 35
no lacp
exit
interface 36
no lacp
exit
interface 37
no lacp
exit
interface 38
no lacp
exit
interface 39
no lacp
exit
interface 40
no lacp
exit
interface 41
no lacp
exit
interface 42
no lacp
exit
interface 43
no lacp
exit
interface 44
no lacp
exit
interface 45
no lacp
exit
interface 46
no lacp
exit
interface 47
no lacp
exit
interface 48
no lacp
exit
interface 49
no lacp
exit
interface 50
no lacp
exit
sntp server 172.16.0.100
timesync sntp
sntp unicast
logging 172.16.0.117
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
untagged 1-50
ip address 172.16.1.242 255.255.240.0
exit
vlan 100
name "VoIP_100"
tagged 1-50
exit
vlan 50
name "access_50"
tagged 49
exit
vlan 150
name "SF_150"
tagged 1-50
exit
vlan 23
name "VLAN23"
tagged 1-50
exit
vlan 24
name "VLAN24"
tagged 1-50
exit
vlan 25
name "Restricted"
tagged 1-50
exit
vlan 22
name "Trust22"
tagged 1-50
exit
no stack
aaa authentication port-access eap-radius
aaa authentication ssh enable radius local
radius-server retransmit 5
radius-server host 172.16.0.103 key xxxx
radius-server host 172.16.0.104 key xxxx
port-security 1 learn-mode port-access
port-security 2 learn-mode port-access
port-security 3 learn-mode port-access
port-security 4 learn-mode port-access
port-security 5 learn-mode port-access
port-security 6 learn-mode port-access
port-security 7 learn-mode port-access
port-security 8 learn-mode port-access
port-security 9 learn-mode port-access
port-security 10 learn-mode port-access
port-security 11 learn-mode port-access
port-security 12 learn-mode port-access
port-security 13 learn-mode port-access
port-security 14 learn-mode port-access
port-security 15 learn-mode port-access
port-security 16 learn-mode port-access
port-security 17 learn-mode port-access
port-security 18 learn-mode port-access
port-security 19 learn-mode port-access
port-security 20 learn-mode port-access
port-security 21 learn-mode port-access
port-security 22 learn-mode port-access
port-security 23 learn-mode port-access
port-security 24 learn-mode port-access
port-security 25 learn-mode port-access
port-security 26 learn-mode port-access
port-security 27 learn-mode port-access
port-security 28 learn-mode port-access
banner motd "Only Authorised Administrators should attempt to log onto this Switch"
aaa port-access authenticator 13-28
aaa port-access authenticator 13 reauth-period 3600
aaa port-access authenticator 13 client-limit 1
aaa port-access authenticator 14 reauth-period 3600
aaa port-access authenticator 14 client-limit 1
aaa port-access authenticator 15 reauth-period 3600
aaa port-access authenticator 15 client-limit 1
aaa port-access authenticator 16 reauth-period 3600
aaa port-access authenticator 16 client-limit 1
aaa port-access authenticator 17 reauth-period 3600
aaa port-access authenticator 17 client-limit 1
aaa port-access authenticator 18 reauth-period 3600
aaa port-access authenticator 18 client-limit 1
aaa port-access authenticator 19 reauth-period 3600
aaa port-access authenticator 19 client-limit 1
aaa port-access authenticator 20 reauth-period 3600
aaa port-access authenticator 20 client-limit 1
aaa port-access authenticator 21 reauth-period 3600
aaa port-access authenticator 21 client-limit 1
aaa port-access authenticator 22 reauth-period 3600
aaa port-access authenticator 22 client-limit 1
aaa port-access authenticator 23 reauth-period 3600
aaa port-access authenticator 23 client-limit 1
aaa port-access authenticator 24 reauth-period 3600
aaa port-access authenticator 24 client-limit 1
aaa port-access authenticator 25 reauth-period 3600
aaa port-access authenticator 25 client-limit 1
aaa port-access authenticator 26 reauth-period 3600
aaa port-access authenticator 26 client-limit 1
aaa port-access authenticator 27 reauth-period 3600
aaa port-access authenticator 27 client-limit 1
aaa port-access authenticator 28 reauth-period 3600
aaa port-access authenticator 28 client-limit 1
aaa port-access authenticator active
aaa port-access mac-based 1-12
aaa port-access 13 controlled-direction in
aaa port-access 14 controlled-direction in
aaa port-access 15 controlled-direction in
aaa port-access 16 controlled-direction in
aaa port-access 17 controlled-direction in
aaa port-access 18 controlled-direction in
aaa port-access 19 controlled-direction in
aaa port-access 20 controlled-direction in
aaa port-access 21 controlled-direction in
aaa port-access 22 controlled-direction in
aaa port-access 23 controlled-direction in
aaa port-access 24 controlled-direction in
aaa port-access 25 controlled-direction in
aaa port-access 26 controlled-direction in
aaa port-access 27 controlled-direction in
aaa port-access 28 controlled-direction in
ip ssh
password xxxxxxxxx
password xxxxx
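The post correlates two things by hand: the `ports: port N is now on-line/off-line` entries in the switch event log and the per-port `Status`/`VLAN ID` columns of `show port-access auth`. The following is an added example (not code from the original post, and not an HP/ProCurve tool) that parses both outputs and flags authenticated ("Open") ports whose link flapped repeatedly inside a short window, or which were authenticated into a VLAN other than the one expected. The log and table strings below are constructed samples modelled on the output quoted above, with an extra port 23 event added for contrast; the `expected_vlan`, the five-minute window and the flap threshold of 2 are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input, modelled on the event log and "show port-access auth"
# output quoted in the post (port 23 event added for contrast).
SAMPLE_LOG = """\
I 03/22/10 09:01:05 ports: port 22 is now off-line
I 03/22/10 09:01:08 ports: port 22 is now on-line
I 03/22/10 09:01:41 ports: port 22 is now off-line
I 03/22/10 09:01:43 ports: port 22 is now on-line
I 03/22/10 09:05:10 ports: port 23 is now on-line
---- Bottom of Log : Events Listed = 95 ----
"""

SAMPLE_AUTH = """\
Port Access Authenticator Status

Port-access authenticator activated [No] : Yes
Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No

Current Current
Port Status VLAN ID Port COS
---- ------ -------- -----------
20 Closed 1 No-override
21 Closed 1 No-override
22 Open 1 No-override
23 Closed 1 No-override
"""

# ProCurve event-log line: severity, MM/DD/YY HH:MM:SS, subsystem, message.
LOG_RE = re.compile(
    r"^(?P<sev>[IWMED]) (?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"ports: port (?P<port>\d+) is now (?P<state>on-line|off-line)$"
)
# One row of the per-port table in "show port-access auth".
AUTH_RE = re.compile(r"^(?P<port>\d+)\s+(?P<status>Open|Closed)\s+(?P<vlan>\S+)\s+(?P<cos>\S+)$")


def parse_log(text):
    """Return [(timestamp, port, state)] for link events; all other log lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S")
            events.append((ts, int(m["port"]), m["state"]))
    return events


def parse_auth(text):
    """Return {port: (status, vlan)} from the per-port table of 'show port-access auth'."""
    table = {}
    for line in text.splitlines():
        m = AUTH_RE.match(line.strip())
        if m:
            table[int(m["port"])] = (m["status"], m["vlan"])
    return table


def link_flaps(events, window=timedelta(minutes=5)):
    """Count off-line -> on-line cycles per port that complete within `window`."""
    last_down = {}
    flaps = defaultdict(int)
    for ts, port, state in sorted(events):
        if state == "off-line":
            last_down[port] = ts
        elif port in last_down and ts - last_down.pop(port) <= window:
            flaps[port] += 1
    return dict(flaps)


def report(log_text, auth_text, expected_vlan, flap_threshold=2):
    """Flag ports that flapped repeatedly or were authenticated into an unexpected VLAN."""
    auth = parse_auth(auth_text)
    flaps = link_flaps(parse_log(log_text))
    findings = []
    for port in sorted(auth):
        status, vlan = auth[port]
        notes = []
        if status == "Open" and vlan != str(expected_vlan):
            notes.append(f"authenticated but in VLAN {vlan}, expected {expected_vlan}")
        if flaps.get(port, 0) >= flap_threshold:
            notes.append(f"link flapped {flaps[port]} times within the window")
        if notes:
            findings.append({"port": port, "status": status, "vlan": vlan,
                             "flaps": flaps.get(port, 0), "notes": notes})
    return findings


if __name__ == "__main__":
    for f in report(SAMPLE_LOG, SAMPLE_AUTH, expected_vlan=1):
        print(f"port {f['port']:>2} {f['status']:<6} vlan {f['vlan']:<3} " + "; ".join(f["notes"]))
```

Run against the sample, the script singles out port 22: it is `Open` in the expected VLAN, but its link bounced twice in under a minute, which is the same pattern the poster saw on the port that stopped forwarding. Pointing it at a longer log export (for example the syslog copy sent to the `logging` host in the config) gives a per-port flap count across the whole day rather than the last few events.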