Topology:
An S5130S switch is connected to a third-party Aruba ClearPass server for dot1x authentication. When the server side tries to force a user offline, the attempt fails.
The DAE server configuration is already in place on the device.
At present, users can go online successfully with dot1x authentication, which indicates that there is no problem with the dot1x configuration or the basic AAA configuration.
When forcing a user offline fails, capture packets on both the third-party ClearPass server and the H3C switch interface for analysis.
On the server side, the capture shows a forced-offline message sent with port number 3799.
On the switch side, however, the capture shows no packets with port number 3799.
Checking the intermediate network equipment shows that the firewall blocks port number 3799.
Allow packets with port number 3799 through the firewall.
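
The two-point capture comparison used above can be automated. The following is an added example, not part of the original case: it lists DAE requests on port 3799 that appear in the server-side capture but not in the switch-side capture. It assumes the captures are already reduced to (source, destination, destination port, UDP payload) records and that the forced-offline message is a RADIUS Disconnect-Request as defined in RFC 5176; the addresses, user name, port 1812 traffic and authenticator bytes are constructed sample values.

```python
import struct

DAE_PORT = 3799  # UDP port carrying the forced-offline message in the captures
# RADIUS dynamic-authorization request codes (RFC 5176)
DAE_REQUESTS = {40: "Disconnect-Request", 43: "CoA-Request"}

def radius_packet(code, ident, authenticator, attrs=b""):
    """Build a RADIUS packet: code, identifier, length, 16-byte authenticator, attributes."""
    assert len(authenticator) == 16
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def dae_requests(capture):
    """Yield (key, name) for each DAE request in a list of
    (src_ip, dst_ip, dst_port, udp_payload) records."""
    for src, dst, dport, payload in capture:
        if dport != DAE_PORT or len(payload) < 20:
            continue  # other traffic, or too short for a RADIUS header
        code, ident, length = struct.unpack("!BBH", payload[:4])
        if code not in DAE_REQUESTS or not 20 <= length <= len(payload):
            continue  # not a well-formed DAE request
        # Identifier plus authenticator distinguishes one request from another
        yield (src, dst, ident, payload[4:20]), DAE_REQUESTS[code]

def lost_in_transit(server_capture, switch_capture):
    """Return DAE requests that left the server but never reached the switch."""
    arrived = {key for key, _ in dae_requests(switch_capture)}
    return [(name, key[0], key[1], key[2])
            for key, name in dae_requests(server_capture) if key not in arrived]

# Constructed sample data (documentation addresses, placeholder authenticators
# that are not computed from any shared secret)
SERVER, SWITCH = "192.0.2.10", "192.0.2.20"
USER = bytes([1, 7]) + b"alice"  # User-Name attribute: type 1, length 7
ACCESS_REQ = radius_packet(1, 5, bytes(16), USER)           # authentication works
DISCONNECT = radius_packet(40, 7, bytes(range(16)), USER)   # forced offline

SERVER_CAPTURE = [(SWITCH, SERVER, 1812, ACCESS_REQ),
                  (SERVER, SWITCH, DAE_PORT, DISCONNECT)]
SWITCH_CAPTURE = [(SWITCH, SERVER, 1812, ACCESS_REQ)]

def main():
    for name, src, dst, ident in lost_in_transit(SERVER_CAPTURE, SWITCH_CAPTURE):
        print(f"{name} id={ident} from {src} to {dst}:{DAE_PORT} not seen at switch")

if __name__ == "__main__":
    main()
```

A non-empty result while authentication traffic appears in both captures points at a device on the path filtering port 3799, which is what the firewall check confirmed here.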