- HPE 1950 Port Skips Every 20 Seconds after Dot1x E...
02-22-2021 12:50 PM - edited 02-22-2021 12:52 PM
I have an HPE 1950 that I enabled Dot1x on the port and immediately the system authenticated properly, but now every 20 seconds the port loses two ping packets like clockwork. The pings are exactly 20 pings good then 2 bad.
The backend Radius is a ClearPass server that is working for HP ProCurve, HPE Linux (1920S), Cisco 12.2 & 15.1, and ExtremeOS X447. Only the two Comware based HPE 1950s are having this issue.
Below is the Configuration of the Global Radius settings.
port-security enable
dot1x authentication-method eap
radius scheme default
primary authentication 10.0.0.1 key simple replacedwithfakekey
secondary authentication 10.0.0.2 key simple replacedwithfakekey
user-name-format without-domain
domain default
authentication lan-access radius-scheme default
authorization lan-access radius-scheme default
domain default enable default
Below is the Interface config.
port-security port-mode userlogin-secure
dot1x max-user 1
dot1x guest-vlan 1234
dot1x auth-fail vlan 1234
undo dot1x handshake
Can anybody give any insight?
02-22-2021 10:56 PM
Re: HPE 1950 Port Skips Every 20 Seconds after Dot1x Enable
Hello,
dot1x multicast-trigger should be enabled by default on this switch. When it is enabled the switch will multicast EAP Request ID periodically. Probably this triggers a reauthentication of the connected client and that's why the connection is blocked for a short time. Please test if disabling dot1x multicast-trigger will change the behavior.
02-23-2021 08:16 AM - edited 02-23-2021 01:29 PM
Re: HPE 1950 Port Skips Every 20 Seconds after Dot1x Enable
I tried disabling the Multicast Trigger on all the Dot1x enabled ports with the below command and the port stopped skipping the two pings.
But after a new reauth or the system needed to reauth then the clients stopped being able to authenticate. I had to turn it back on to be able to access the port.
undo dot1x multicast-trigger
So it seems that the above command will not work because Dot1x breaks without it.
Is it a possible timing issue with the multicast trigger?
02-24-2021 01:29 AM
Solution
Hi
Could you please test on a port by disabling multicast-trigger and enabling unicast-trigger. If I am not wrong they are independent, that means disabling multicast-trigger doesn't automatically enable unicast-trigger.
With multicast-trigger the switch multicasts Identity EAP-Request packets periodically (every 30 seconds by default) to initiate 802.1X authentication. I am not sure if this value is configurable on this switch. This should be the dot1x timer tx-period. It is not mentioned in the manual of 1950. On other switches it can be configured between 10 and 120 seconds.
02-24-2021 05:52 AM
Re: HPE 1950 Port Skips Every 20 Seconds after Dot1x Enable
Emil_G,
I was working on this yesterday, before you posted this response today. I found when reviewing the configuration from the Web GUI, that the Multicast Trigger was the only one enabled and the Unicast Trigger was disabled. I also found that turning one on or off was independent of the other.
The ultimate fix, which is exactly what you said in your post. I applied the below per-port configuration commands on each port (I used the interface range command to make it quicker).
undo dot1x multicast-trigger
dot1x unicast-trigger
From that point forward the skipping (loss) of two pings stopped and the ports are staying authenticated even a full day later with some going offline and coming back online, which was an issue yesterday with only Multicast Trigger disabled.
Thank you very much for the response. I think we came to the same conclusion by different paths.
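
Added example, not part of any post in this thread and not HPE code: a Python check that classifies each 802.1X port in a Comware-style configuration dump by trigger state, covering the three states the thread went through (multicast only, no trigger, unicast only). The stanza layout, the sample configuration and the state labels are assumptions made for illustration.

```python
# Added example (not from the thread): classify 802.1X trigger state per port.
# Assumes "interface X" ... "#" stanzas; multicast-trigger on unless undone.

SAMPLE_CONFIG = """\
#
interface GigabitEthernet1/0/1
 port-security port-mode userlogin-secure
 undo dot1x handshake
#
interface GigabitEthernet1/0/2
 port-security port-mode userlogin-secure
 undo dot1x multicast-trigger
#
interface GigabitEthernet1/0/3
 port-security port-mode userlogin-secure
 undo dot1x multicast-trigger
 dot1x unicast-trigger
#
interface GigabitEthernet1/0/4
 description uplink
#
"""  # constructed sample, modelled on the interface config posted in the thread

def parse_interfaces(text):
    ports, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = []
        elif line in ("", "#"):
            current = None  # stanza separator
        elif current is not None:
            ports[current].append(line)
    return ports

def audit_triggers(text):
    """Map each 802.1X port to multicast-only, no-trigger, unicast-only or both."""
    labels = {(True, False): "multicast-only", (False, False): "no-trigger",
              (False, True): "unicast-only", (True, True): "both"}
    result = {}
    for name, lines in parse_interfaces(text).items():
        if not any(l.startswith("port-security port-mode userlogin") for l in lines):
            continue  # port does not run 802.1X; skip it
        multicast = "undo dot1x multicast-trigger" not in lines
        unicast = "dot1x unicast-trigger" in lines
        result[name] = labels[(multicast, unicast)]
    return result

print(audit_triggers(SAMPLE_CONFIG))
```

In the thread, "multicast-only" is the state with the periodic ping loss, "no-trigger" is the state where clients stopped authenticating after a reauth, and "unicast-only" is the configuration the original poster settled on.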