HPE Community
Switches, Hubs, and Modems
1752784 Members
5648 Online
108789 Solutions
New Discussion юеВ

Re: 802.1x doesn't work after formware upgrade 10.43 to 10.67

 
SOLVED
Go to solution
Matt Hobbs
Honored Contributor

тАО11-07-2008 05:56 PM

тАО11-07-2008 05:56 PM

Re: 802.1x doesn't work after formware upgrade 10.43 to 10.67

Glad to hear it helped. I've seen this particular bug on many other different ProCurve models and it's definitely a bug (you should be able to see it mentioned in the release notes for the 2600).
0 Kudos
Mario Laniel
Advisor

тАО11-10-2008 06:43 AM

тАО11-10-2008 06:43 AM

Re: 802.1x doesn't work after formware upgrade 10.43 to 10.67

Hi Matt,

Is this what you mean:

802.1X Port Lock-Up (PR_0000005372) ├в If the first frame is sent from an all-zeros MAC
address to a broadcast destination address, an 802.1X port will freeze, and AAA will quit
functioning.
0 Kudos
Matt Hobbs
Honored Contributor

тАО11-10-2008 07:48 AM

тАО11-10-2008 07:48 AM

Re: 802.1x doesn't work after formware upgrade 10.43 to 10.67

It was more similar to this one:

RADIUS (0000001164) ├в The switch drops RADIUS messages with EAP-packets larger
than 1496 bytes.

That was from the 5400 release notes.

0 Kudos
Mario Laniel
Advisor

тАО11-10-2008 07:57 AM

тАО11-10-2008 07:57 AM

Re: 802.1x doesn't work after formware upgrade 10.43 to 10.67

Thanks Matt,

That looks more like it and it is not in the 2800 release notes, I will let HP know as I opened up a case with them to resolve the issue in the software. It works fine with the workaround you gave me but it should work without that.
0 Kudos
Arran Cudbard-Bell
Advisor

тАО11-14-2008 04:57 AM

тАО11-14-2008 04:57 AM

Re: 802.1x doesn't work after formware upgrade 10.43 to 10.67

You only really see the Port Lockup with broken NICs (or where the address has been set administratively). Though windows Vista machines occasionally send a couple of packets with a src mac of all 0's as it's bringing the interface up. This can cause temporary port lockups (they will clear when you up/down the interface).

Bug fixes are generally written for one branch then applied to others as customer-demand/severity dictates.

If you contact HP technical support they may be able to give you a pre-release of I with the fix applied.
---

Regarding the earlier post on dynamic Vlans and 802.1X, it's great in theory but if you're working in a multicast environment the lack of IGMP snooping on dynamic VLANs in a real killer.

Additionally you should always set unknown-vlan disable on all edge ports. Else it's possible that a GVRP enabled, authenticated client, could pull down any tagged VLAN they wanted as well as the untagged VLAN they were assigned.
---

As for no bugs existing with 802.1X with H.10.67... that's not strictly true... currently got 6 cases open regarding port-access / GVRP stuff for H branch. But non that would cause the behaviour you're describing.
0 Kudos
chrisbyrd
New Member

тАО03-11-2009 04:23 AM

тАО03-11-2009 04:23 AM

Re: 802.1x doesn't work after formware upgrade 10.43 to 10.67

We're seeing a similar problem. We've upgraded to H.10.74 firmware, but still seeing the issue.

HP Support suggested this was being caused by bug PR_0000005372 (the 802.1x port lockup with all-zero macs), but this was apparently fixed by H.10.74

We've just deployed 25 Procurve 2650's in our new datacentre and are running mac-based port-access against a RADIUS source for dynamic VLAN allocation. We run hundreds of vlans, and it'd be a nightmare configuring ports individually


This is working great (mostly). However, randomly, we're seeing servers in the DC drop off the network. On investigation, there is no mac visible on the switch port, but there's a physical link up. The port hasn't failed any authentication

Nothing relevant in the switch logs either

The only way to resolve is to disable the port for a few seconds and then re-enable. The MAC is then re-learnt, the port authorised and vlan assigned correctly. Then the server's back online.



For example:

B1-SWITCH# sh version
Image stamp: /sw/code/build/fish(mkfs)
Nov 21 2008 16:34:36
H.10.74
198
Boot Image: Primary



B1-SWITCH# sh port-access mac-based 23

Port Access MAC-Based Status

Authenticated Unauthenticated Current
Port Clients Clients VLAN ID
---- ------------- --------------- --------
23 0 0 1


B1-SWITCH# sh mac-address 23

Status and Counters - Port Address Table - 23

MAC Address
-------------


B1-SWITCH# conf t
B1-SWITCH(config)# int 23
B1-SWITCH(eth-23)# disab
B1-SWITCH(eth-23)# enab


B1-SWITCH# sh mac-address 23

Status and Counters - Port Address Table - 23

MAC Address
-------------
0019b9-f7cd0d


B1-SWITCH# sh port-access mac-based 23

Port Access MAC-Based Status

Authenticated Unauthenticated Current
Port Clients Clients VLAN ID
---- ------------- --------------- --------
23 1 0 100


This is now causing us some serious problems


I'm running out of hair to pull out - can anyone help?

0 Kudos
Krzysztof Oledzki
Advisor

тАО03-14-2009 05:03 AM

тАО03-14-2009 05:03 AM

Re: 802.1x doesn't work after formware upgrade 10.43 to 10.67

How about:

aaa port-access mac-based 23 logoff-period 9999999
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.