Switches, Hubs, and Modems
cancel
Showing results for 
Search instead for 
Did you mean: 

802.1x issue on 2610-48 PoE

Wayne Gillan
Advisor

802.1x issue on 2610-48 PoE

Hi,

 

Hoping someone can help me analyze this log output...

 

Here's my situation.

 

HP Printer using EAP-TLS authentication.

2610 switch with default vlan ID of 1 and unauth vid 13.

Radius server using dynamic vlan assignment

 

relevant config

 

vlan 1

   name "DEFAULT_VLAN"

   untagged 1-52

   ip address x.x.x.x 255.255.0.0

   exit

vlan 13

   name "Unauth"

   tagged 50

   exit

radius-server host x.x.x.x key blah

aaa authentication port-access eap-radius

aaa port-access authenticator 1-48

aaa port-access authenticator 33 client-limit 3

aaa port-access authenticator 33 unauth-vid 13

aaa port-access authenticator active

aaa port-access 33 mixed

 

 

I can see on my radius server that authentication is succesful, but the switch does not set port to authenticated and move to vlan 1. But, if I remove the unauth-vid line from the config then authentication works fine and switch moves port to vlan 1.

 

Here is the debug from the switch

 

1X   Port 33: added new client 001438-883a12.

UMIB added new dca client 001438-883a12 for new client port 33.

UMIB Client Mac 001438-883A12, accessMode 8021x

PSEC added new SA 001438-883a12 to authorized addr list of port 33 for vlan 13.

1X   Port 33: added client 001438-883a12 to VLAN 13.

1X   Port 33: sent ReqId #1 to 001438-883a12.

1X   Port 33: received RspId #1 from 001438-883a12.

1X   Port 33: started authentication session for client 001438-883a12.

1X   Port 33: received EAP identity request for client 001438-883a12.

1X   Port 33: sent EAP response from client 001438-883a12 to authenticaton

   server.

RAD  Received RADIUS MSG: DATA, session: 178866.

RAD  ACCESS REQUEST id: 37 to 160.160.1.230, session: 178866, User-Name:

   Printers, Calling-Station-Id: 001438-883a12, NAS-Port-Id: 33, NAS-IP-Address:

   160.160.1.179.

RAD  ACCESS CHALLENGE id: 37 from 160.160.1.230 received.

1X   Port 33: received EAP request for client  001438-883a12.

1X   Port 33: sent EAP request #2 to 001438-883a12.

1X   Port 33: set supplicant timeout for client 001438-883a12 to 30 sec.

1X   Port 33: received type 13 EAP response #2 from 001438-883a12.

1X   Port 33: sent EAP response from client 001438-883a12 to authenticaton

   server.

RAD  Received RADIUS MSG: DATA, session: 178866.

RAD  ACCESS REQUEST id: 38 to 160.160.1.230, session: 178866, User-Name:

   Printers, Calling-Station-Id: 001438-883a12, NAS-Port-Id: 33, NAS-IP-Address:

   160.160.1.179.

RAD  ACCESS CHALLENGE id: 38 from 160.160.1.230 received.

1X   Port 33: received EAP request for client  001438-883a12.

1X   Port 33: sent EAP request #3 to 001438-883a12.

1X   Port 33: set supplicant timeout for client 001438-883a12 to 30 sec.

1X   Port 33: received type 13 EAP response #3 from 001438-883a12.

1X   Port 33: sent EAP response from client 001438-883a12 to authenticaton

   server.

RAD  Received RADIUS MSG: DATA, session: 178866.

RAD  ACCESS REQUEST id: 39 to 160.160.1.230, session: 178866, User-Name:

   Printers, Calling-Station-Id: 001438-883a12, NAS-Port-Id: 33, NAS-IP-Address:

   160.160.1.179.

RAD  ACCESS ACCEPT id: 39 from 160.160.1.230 received.

1X   Port 33: received Success for client 001438-883a12, finished authentication

   session.

1X   Port: 33 MAC: 001438-883a12 RADIUS Attributes, vid: 1.

PSEC removed 001438-883a12 from authorized addr list of port 33 for vlan 13 due

   to age-out.

PSEC added new SA 001438-883a12 to authorized addr list of port 33 for vlan 1.

1X   Port 33: removed client 001438-883a12 from all VLANs.

PSEC removed 001438-883a12 from authorized addr list of port 33 for vlan 1.

1X   Port 33: started session for client 001438-883a12.

1X   Port 33: sent Success #3 to 001438-883a12.

1X   Port 33: client 001438-883a12 expired on VLAN 13.

1X   Port 33: removed client 001438-883a12 from all VLANs.

UMIB removed dca client 001438-883a12 for port 33.

1X   Port 33: stopped session for client 001438-883a12, termination code is 7.

1X   Port 33: deleted client 001438-883a12.

RAD  Removing RADIUS REQUEST id: 39 from queue.

 

 

You can see that authentication is succesful, and tries to assign port 33 to vlan 1, but then imediately moves it to vlan 13.

I'm especially interested in this line...

 

PSEC removed 001438-883a12 from authorized addr list of port 33 for vlan 13 due

   to age-out.

 

What does this mean exactly? May this be a bug? I am running the latest version R.11.72. Please help.