HPE Community
Comware Based
1820592 Members
1787 Online
109626 Solutions
New Discussion юеВ

802.1X abnormal logoff on 5130 switches

 
Mdir
Established Member

тАО05-18-2021 03:30 AM

тАО05-18-2021 03:30 AM

802.1X abnormal logoff on 5130 switches

We have a problem with authenticated users being disconnected from the network (wired, not wireless), sometimes several times per day. I have searched through this forum and done Google searches, but I have not found anything relevant. Does anyone have any ideas?

The error message says:

%%10DOT1X/6/DOT1X_LOGOFF_ABNORMAL: -Slot=2; -IfName=GigabitEthernet2/0/23-MACAddr=xxxx-yyyy-zzz-VLANID=xxx-Username=host/ouraddomain-ErrCode=15; 802.1X user was logged off abnormally.

When this happens the users have to disconnect the network cable so their client switches to wireless network to get access again.

We use 5130 switches with version 3506P02, and Radius server is ClearPass. No error messages or failed authentications in ClearPass event log or access tracker.

The clients are Dell laptops running Win10, and they authenticate with EAP-TLS using machine certificates.

Switch port config:

interface GigabitEthernet1/0/1
description Client port
port link-type hybrid
port hybrid vlan 1 xxx yyy zzz untagged
stp edged-port
ipv6 nd raguard role host
apply poe-profile index 1
dot1x
undo dot1x handshake
dot1x mandatory-domain ouraddomain
dot1x max-user 5
undo dot1x multicast-trigger
dot1x re-authenticate
dot1x unicast-trigger
dot1x guest-vlan xxx
dot1x auth-fail vlan xxx
dot1x critical vlan xxx
dot1x re-authenticate server-unreachable keep-online
mac-authentication
mac-authentication max-user 5
mac-authentication domain ouraddomain
mac-authentication re-authenticate server-unreachable keep-online
mac-authentication guest-vlan xxx
mac-authentication re-authenticate
#
return

 

0 Kudos
9 REPLIES 9
akg7
HPE Pro

тАО05-18-2021 04:40 AM

тАО05-18-2021 04:40 AM

Re: 802.1X abnormal logoff on 5130 switches

Hello,

Can you please enable debug and collects debug logs and share it with me?

<HPE> debug dot1x all

<HPE> term monitor

<HPE> term logging

<HPE> term debug 

--Try to authenticate , collect data and disable logging.

<HPE> undo debug dot1x all

<HPE> undo term monitor

<HPE> undo term logging

<HPE> undo term debug

Thanks!

 

debug dot1x all
term monitor
term debug

 

Note: While I am an HPE Employee, all of my comments (whether noted or not), are my own and are not any official representation of the companyAccept or Kudo
0 Kudos
Mdir
Established Member

тАО05-18-2021 05:04 AM

тАО05-18-2021 05:04 AM

Re: 802.1X abnormal logoff on 5130 switches

One of the commands you gave me seems to be incomplete:

<SWITCH>debug dot1x all
<SWITCH>term monitor
The current terminal is enabled to display logs.
<SWITCH>term logging
                        ^
 % Incomplete command found at '^' position.
<SWITCH>term debug
The current terminal is enabled to display debugging logs.
<SWITCH>

 

I then forced a reauthentication on the client by disabling and enabling the wired network card. There was no debugging output in the terminal window. The logbuffer only had the usual information:

<SWITCH>display logbuffer reverse
Log buffer: Enabled
Max buffer size: 1024
Actual buffer size: 1024
Dropped messages: 0
Overwritten messages: 6318263
Current messages: 1024
%May 18 13:53:02:323 2021 SWITCH DOT1X/6/DOT1X_LOGIN_SUCC: -IfName=GigabitEthernet1/0/1-MACAddr=xxxx-yyyy-zzzz-AccessVLANID=1-AuthorizationVLANID=999-Username=host/hostname.ouraddomain; User passed 802.1X authentication and came online.
%May 18 13:53:01:570 2021 SWITCH IFNET/5/LINK_UPDOWN: Line protocol state on the interface GigabitEthernet1/0/1 changed to up.
%May 18 13:53:01:566 2021 SWITCH IFNET/3/PHY_UPDOWN: Physical state on the interface GigabitEthernet1/0/1 changed to up.
%May 18 13:52:33:907 2021 SWITCH IFNET/5/LINK_UPDOWN: Line protocol state on the interface GigabitEthernet1/0/1 changed to down.
%May 18 13:52:33:900 2021 SWITCH DOT1X/6/DOT1X_LOGOFF_ABNORMAL: -IfName=GigabitEthernet1/0/1-MACAddr=xxxx-yyyy-zzzz-VLANID=999-Username=host/hostname.ouraddomain-ErrCode=15; 802.1X user was logged off abnormally.
%May 18 13:52:33:893 2021 SWITCH IFNET/3/PHY_UPDOWN: Physical state on the interface GigabitEthernet1/0/1 changed to down.

 

 Apologies if I have misunderstood your request, I am not very familiar with Comware switches.

 

0 Kudos
akg7
HPE Pro

тАО05-18-2021 05:53 AM

тАО05-18-2021 05:53 AM

Re: 802.1X abnormal logoff on 5130 switches

Hello,

As we can see from output, physical interface gi 1/0/1 is flapping then 802.1X user was logged off abnormally.

Can you please share below output and also if possible try to swap the interface or cable?

display current-configuration interface GigabitEthernet 1/0/1

display interface GigabitEthernet 1/0/1

Thanks!

Note: While I am an HPE Employee, all of my comments (whether noted or not), are my own and are not any official representation of the companyAccept or Kudo
0 Kudos
Mdir
Established Member

тАО05-18-2021 06:17 AM

тАО05-18-2021 06:17 AM

Re: 802.1X abnormal logoff on 5130 switches

The port config is in my initial post. This is happening with all our users, so I doubt if it is a cable problem. 

Interface display:

[SWITCH]display interface gigabitethernet 1/0/1
GigabitEthernet1/0/1
Current state: UP
Line protocol state: UP
IP packet frame type: Ethernet II, hardware address: xxxx-yyyy-zzzz
Description: Client port
Bandwidth: 1000000 kbps
Loopback is not set
Media type is twisted pair
Port hardware type is 1000_BASE_T
1000Mbps-speed mode, full-duplex mode
Link speed type is autonegotiation, link duplex type is autonegotiation
Flow-control is not enabled
Maximum frame length: 12288
Allow jumbo frames to pass
Broadcast max-ratio: 100%
Multicast max-ratio: 100%
Unicast max-ratio: 100%
PVID: 999
MDI type: Automdix
Port link-type: Hybrid
 Tagged VLANs:   None
 Untagged VLANs: 1(default vlan), xxx, yyy, zzz
Port priority: 0
Last clearing of counters: Never
 Peak input rate: 12677787 bytes/sec, at 2021-05-14 14:47:13
 Peak output rate: 6994804 bytes/sec, at 2021-05-14 14:10:10
 Last 300 seconds input: 11 packets/sec 2533 bytes/sec 0%
 Last 300 seconds output: 21 packets/sec 8146 bytes/sec 0%
 Input (total):  41144761 packets, 27232202698 bytes
         41043743 unicasts, 12755 broadcasts, 88263 multicasts, 0 pauses
 Input (normal):  41144761 packets, - bytes
         41043743 unicasts, 12755 broadcasts, 88263 multicasts, 0 pauses
 Input:  0 input errors, 0 runts, 0 giants, 0 throttles
         0 CRC, 0 frame, - overruns, 0 aborts
         - ignored, - parity errors
 Output (total): 72232835 packets, 45478653402 bytes
         59666689 unicasts, 8126192 broadcasts, 4439954 multicasts, 0 pauses
 Output (normal): 72232835 packets, - bytes
         59666689 unicasts, 8126192 broadcasts, 4439954 multicasts, 0 pauses
 Output: 0 output errors, - underruns, - buffer failures
         0 aborts, 0 deferred, 0 collisions, 0 late collisions
         0 lost carrier, - no carrier

[SWITCH]
0 Kudos
akg7
HPE Pro

тАО05-18-2021 09:39 PM

тАО05-18-2021 09:39 PM

Re: 802.1X abnormal logoff on 5130 switches

Hello,

Can you configure mac-vlan enable at the interface and check?

[comware] int gi 1/0/1

[comware]mac-vlan enable

[comware] exit

Also share below commands output:

display dot1x connection interface gi 1/0/1

display dot1x interface gi 1/0/1

display mac-authenticaion connection interface gi 1/0/1

display mac-authetication interface gi1/0/1

If issue remains after enabling mac-vlan then turn on debugging and capture output and share with me:

--Log putty session.

<HPE >terminal monitor

<HPE> terminal debugging

<HPE> debugging dot1x all

<HPE> debugging mac-authentication all

capute the output and close debugging

<HPE> undo debugging all

<HPE> undo terminal monitor

Thanks!

 

Note: While I am an HPE Employee, all of my comments (whether noted or not), are my own and are not any official representation of the companyAccept or Kudo
0 Kudos
Mdir
Established Member

тАО05-25-2021 04:38 AM

тАО05-25-2021 04:38 AM

Re: 802.1X abnormal logoff on 5130 switches

Sorry for late reply. I will enable mac-vlan on some of the ports and report back the result.

0 Kudos
Mdir
Established Member

тАО05-27-2021 03:36 AM

тАО05-27-2021 03:36 AM

Re: 802.1X abnormal logoff on 5130 switches

Unfortunately 'mac-vlan enable' did not fix the problem. I just had another disconnect on my own client, and accounting in ClearPass says: 

Termination Cause: Port-Error

 

0 Kudos
akg7
HPE Pro

тАО06-24-2021 12:40 AM

тАО06-24-2021 12:40 AM

Re: 802.1X abnormal logoff on 5130 switches

Hello,

 

Apologies for delayed response, could you please share below output:

 

Turn on debugging and capture output and share with me:

--Log putty session.

<HPE >terminal monitor

<HPE> terminal debugging

<HPE> debugging dot1x all

<HPE> debugging mac-authentication all

capute the output and close debugging

<HPE> undo debugging all

<HPE> undo terminal monitor

 

 

Thanks!

Note: While I am an HPE Employee, all of my comments (whether noted or not), are my own and are not any official representation of the companyAccept or Kudo
0 Kudos
techin
Valued Contributor

тАО06-27-2021 08:41 AM

тАО06-27-2021 08:41 AM

Re: 802.1X abnormal logoff on 5130 switches

@Mdir 

Were you able to fix the issue

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.