Not involved
A customer uses an S5008PV5-EI for 802.1X access authentication. After configuration, the terminal can be authenticated successfully. However, when the customer pushes the RADIUS CoA Terminal session message to the switch, the switch does not automatically re-authenticate the terminal, and the computer reports an authentication failure.
Capturing the output of debugging radius all and debugging dot1x all on the device produced the debugging information below. It shows that 802.1X authentication was triggered by the receipt of a multicast message. After successful authentication, the EAP Request message was sent twice in succession and no response was received, which caused the user to go offline.
*May 22 16:49:20:468 2025 SW-PGD.LYTHUONGKIET.EXT RADIUS/7/EVENT: PAM_RADIUS: RADIUS accounting stopped.
*May 22 16:49:20:468 2025 SW-PGD.LYTHUONGKIET.EXT RADIUS/7/EVENT: PAM_RADIUS: Fetched accounting-stop reply-data successfully, resultCode: 0
*May 22 16:49:20:469 2025 SW-PGD.LYTHUONGKIET.EXT DOT1X/7/EVENT: Received accounting-stop response with code 0: UserMAC=H-H-H, Interface=GigabitEthernet1/0/1.
*May 22 16:49:20:470 2025 SW-PGD.LYTHUONGKIET.EXT RADIUS/7/EVENT: Sent reply message successfully.
*May 22 16:49:20:491 2025 SW-PGD.LYTHUONGKIET.EXT DOT1X/7/EVENT: Interface GigabitEthernet1/0/1 received Oper VLAN is effective event.
*May 22 16:49:20:509 2025 SW-PGD.LYTHUONGKIET.EXT DOT1X/7/EVENT: Successfully added a user to guest VLAN 60: UserMAC=0000-0000-0000, Interface=GigabitEthernet1/0/1.
*May 22 16:49:29:701 2025 SW-PGD.LYTHUONGKIET.EXT DOT1X/7/EVENT: EAP-Request/Identity packet multicasting timed out on GigabitEthernet1/0/1.
*May 22 16:49:29:701 2025 SW-PGD.LYTHUONGKIET.EXT DOT1X/7/EVENT: Multicasted EAP-Request/Identity packets on interface GigabitEthernet1/0/1.
…
*May 22 16:47:01:404 2025 SW-PGD.LYTHUONGKIET.EXT DOT1X/7/EVENT: PAE is in Disconnect state: UserMAC=H-H-H, VLANID=60, Interface=GigabitEthernet1/0/1.
The problem was solved after the customer disabled the 802.1X multicast trigger feature and the online user handshake feature. The two commands are described below.
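To spot the same pattern in a larger capture, the following added example (not part of the original case or of H3C's tooling) counts the DOT1X debug events shown above per interface and flags ports where a user was dropped while multicast EAP-Request/Identity packets were being sent. The function names, event labels and regular expressions are assumptions built from the log lines on this page.

```python
import re
from collections import defaultdict

# Comware debug line: *<timestamp> <sysname> <MODULE>/<level>/<mnemonic>: <text>
LINE_RE = re.compile(r"^\*\w{3} +\d{1,2} [\d:]+ \d{4} \S+ (?P<module>\w+)/\d/\w+: (?P<text>.*)$")
IFACE_RE = re.compile(r"(?:[Ii]nterface[ =]|\bon )(?P<iface>[A-Za-z-]+\d+(?:/\d+)+)")

# Substrings of the DOT1X messages quoted on this page, mapped to short event names.
EVENTS = {
    "Received accounting-stop response": "acct_stop",
    "added a user to guest VLAN": "guest_vlan",
    "EAP-Request/Identity packet multicasting timed out": "mcast_timeout",
    "Multicasted EAP-Request/Identity packets": "mcast_sent",
    "PAE is in Disconnect state": "pae_disconnect",
}

def summarize(lines):
    """Count DOT1X events per interface; lines that do not match are skipped."""
    per_iface = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["module"] != "DOT1X":
            continue
        iface = IFACE_RE.search(m["text"])
        for needle, name in EVENTS.items():
            if iface and needle in m["text"]:
                per_iface[iface["iface"]][name] += 1
    return per_iface

def suspect_ports(per_iface):
    """Ports where a user was dropped while multicast trigger was active."""
    return sorted(i for i, ev in per_iface.items()
                  if (ev["acct_stop"] or ev["pae_disconnect"])
                  and (ev["mcast_sent"] or ev["mcast_timeout"]))

# Sample input: lines copied from the debug output on this page.
SAMPLE = """\
*May 22 16:49:20:468 2025 SW-PGD.LYTHUONGKIET.EXT RADIUS/7/EVENT: PAM_RADIUS: RADIUS accounting stopped.
*May 22 16:49:20:469 2025 SW-PGD.LYTHUONGKIET.EXT DOT1X/7/EVENT: Received accounting-stop response with code 0: UserMAC=H-H-H, Interface=GigabitEthernet1/0/1.
*May 22 16:49:20:509 2025 SW-PGD.LYTHUONGKIET.EXT DOT1X/7/EVENT: Successfully added a user to guest VLAN 60: UserMAC=0000-0000-0000, Interface=GigabitEthernet1/0/1.
*May 22 16:49:29:701 2025 SW-PGD.LYTHUONGKIET.EXT DOT1X/7/EVENT: EAP-Request/Identity packet multicasting timed out on GigabitEthernet1/0/1.
*May 22 16:49:29:701 2025 SW-PGD.LYTHUONGKIET.EXT DOT1X/7/EVENT: Multicasted EAP-Request/Identity packets on interface GigabitEthernet1/0/1.
*May 22 16:47:01:404 2025 SW-PGD.LYTHUONGKIET.EXT DOT1X/7/EVENT: PAE is in Disconnect state: UserMAC=H-H-H, VLANID=60, Interface=GigabitEthernet1/0/1.
"""

if __name__ == "__main__":
    for port in suspect_ports(summarize(SAMPLE.splitlines())):
        print(f"{port}: check dot1x multicast-trigger and dot1x handshake")
```

A flagged port is only a candidate for review; the counts do not prove that the multicast trigger or handshake caused the drop.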
Use dot1x multicast-trigger to enable the 802.1X multicast trigger feature.
Use undo dot1x multicast-trigger to disable the 802.1X multicast trigger feature.
Syntax
dot1x multicast-trigger
undo dot1x multicast-trigger
Default
The 802.1X multicast trigger feature is enabled.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Usage guidelines
The multicast trigger feature enables the device to act as the initiator. The device periodically multicasts EAP-Request/Identity packets out of a port to detect 802.1X clients and trigger authentication. You can use the dot1x timer tx-period command to set the interval for sending multicast EAP-Request/Identity packets.
Use dot1x handshake to enable the online user handshake feature.
Use undo dot1x handshake to disable the online user handshake feature.
Syntax
dot1x handshake
undo dot1x handshake
Default
The online user handshake feature is enabled.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Usage guidelines
The online user handshake feature enables the device to periodically send EAP-Request/Identity packets to the client for verifying the connectivity status of online 802.1X users. The device sets a user to the offline state if it does not receive an EAP-Response/Identity packet from the user after making the maximum attempts within the handshake period. To set the handshake timer, use the dot1x timer handshake-period command. To set the maximum handshake attempts, use the dot1x retry command.