Switch cannot re-authenticate when the RADIUS server sends a CoA terminate-session message

2025-06-17 15:26:15 Published

Network Topology

Not involved

Problem Description

A customer uses an S5008PV5-EI switch for 802.1X access authentication. After configuration, the terminal authenticates successfully. However, when the customer pushes a RADIUS CoA terminate-session message to the switch, the switch does not automatically re-authenticate the terminal, and the computer reports an authentication failure.

Process Analysis

The output of debugging radius all and debugging dot1x all on the device contains the debugging messages below. They show that the 802.1X authentication was triggered by the multicast EAP-Request/Identity packets; after the user was authenticated successfully, the EAP-Request/Identity packet was sent twice in succession without receiving a response, and the user was set offline.


*May 22 16:49:20:468 2025 SW-PGD.LYTHUONGKIET.EXT RADIUS/7/EVENT: PAM_RADIUS: RADIUS accounting stopped.

*May 22 16:49:20:468 2025 SW-PGD.LYTHUONGKIET.EXT RADIUS/7/EVENT: PAM_RADIUS: Fetched accounting-stop reply-data successfully, resultCode: 0

*May 22 16:49:20:469 2025 SW-PGD.LYTHUONGKIET.EXT DOT1X/7/EVENT: Received accounting-stop response with code 0: UserMAC=H-H-H, Interface=GigabitEthernet1/0/1.

*May 22 16:49:20:470 2025 SW-PGD.LYTHUONGKIET.EXT RADIUS/7/EVENT: Sent reply message successfully.

*May 22 16:49:20:491 2025 SW-PGD.LYTHUONGKIET.EXT DOT1X/7/EVENT: Interface GigabitEthernet1/0/1 received Oper VLAN is effective event.

*May 22 16:49:20:509 2025 SW-PGD.LYTHUONGKIET.EXT DOT1X/7/EVENT: Successfully added a user to guest VLAN 60: UserMAC=0000-0000-0000, Interface=GigabitEthernet1/0/1.

*May 22 16:49:29:701 2025 SW-PGD.LYTHUONGKIET.EXT DOT1X/7/EVENT: EAP-Request/Identity packet multicasting timed out on GigabitEthernet1/0/1.

*May 22 16:49:29:701 2025 SW-PGD.LYTHUONGKIET.EXT DOT1X/7/EVENT: Multicasted EAP-Request/Identity packets on interface GigabitEthernet1/0/1.

*May 22 16:47:01:404 2025 SW-PGD.LYTHUONGKIET.EXT DOT1X/7/EVENT: PAE is in Disconnect state: UserMAC=H-H-H, VLANID=60, Interface=GigabitEthernet1/0/1.
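To make output like the above easier to triage, here is an added Python example (not part of the case and not an H3C tool) that parses Comware debug lines of this layout, tags each line with an event type, and flags any interface on which both a multicast EAP-Request/Identity timeout and a PAE Disconnect were seen. The line layout, interface-name pattern and message substrings are taken from the debug output above; the event names, the assumed interface-name regex and the analyze() function are this example's own.

```python
"""Triage helper for H3C Comware 802.1X debugging output (added example)."""
import re
from collections import Counter, defaultdict

# Layout of a Comware debug line as it appears in the case output:
#   *May 22 16:49:29:701 2025 HOSTNAME MODULE/LEVEL/MNEMONIC: message text
LINE_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}:\d{3} \d{4}) "
    r"(?P<host>\S+) (?P<module>[A-Z0-9]+)/(?P<level>\d)/(?P<mnemonic>\w+): "
    r"(?P<msg>.*)$"
)
# Assumption: interface names follow the GigabitEthernetX/Y/Z form used on the page.
IFACE_RE = re.compile(r"((?:Ten-)?GigabitEthernet\d+/\d+/\d+)")
# UserMAC is either a dotted-hex MAC or the masked value H-H-H seen in the case.
MAC_RE = re.compile(r"UserMAC=([0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}|H-H-H)")

# Message substrings (from the debug lines above) mapped to event names of our own.
EVENT_PATTERNS = [
    ("acct_stop", "RADIUS accounting stopped"),
    ("guest_vlan", "added a user to guest VLAN"),
    ("multicast_trigger", "Multicasted EAP-Request/Identity"),
    ("multicast_timeout", "EAP-Request/Identity packet multicasting timed out"),
    ("pae_disconnect", "PAE is in Disconnect state"),
]


def parse_line(line):
    """Return a dict describing one debug line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    iface = IFACE_RE.search(msg)
    mac = MAC_RE.search(msg)
    event = next((name for name, needle in EVENT_PATTERNS if needle in msg), "other")
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "module": m.group("module"),
        "event": event,
        "iface": iface.group(1) if iface else None,
        "mac": mac.group(1) if mac else None,
        "msg": msg,
    }


def analyze(lines):
    """Count events per interface and flag the timeout-then-offline pattern of this case."""
    per_iface = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["iface"]:
            per_iface[rec["iface"]][rec["event"]] += 1
    report = {}
    for iface, counts in per_iface.items():
        suspect = counts["multicast_timeout"] > 0 and counts["pae_disconnect"] > 0
        report[iface] = {
            "events": dict(counts),
            "trigger_timeout_then_offline": suspect,
            "hint": (
                "multicast EAP-Request/Identity timed out and the PAE went to Disconnect; "
                "review dot1x multicast-trigger and dot1x handshake on this interface"
                if suspect
                else "no multicast-trigger timeout/offline pattern seen"
            ),
        }
    return report


# Sample input: a subset of the debug lines quoted in the case above.
SAMPLE_DEBUG = """\
*May 22 16:49:20:469 2025 SW-PGD.LYTHUONGKIET.EXT DOT1X/7/EVENT: Received accounting-stop response with code 0: UserMAC=H-H-H, Interface=GigabitEthernet1/0/1.
*May 22 16:49:20:491 2025 SW-PGD.LYTHUONGKIET.EXT DOT1X/7/EVENT: Interface GigabitEthernet1/0/1 received Oper VLAN is effective event.
*May 22 16:49:20:509 2025 SW-PGD.LYTHUONGKIET.EXT DOT1X/7/EVENT: Successfully added a user to guest VLAN 60: UserMAC=0000-0000-0000, Interface=GigabitEthernet1/0/1.
*May 22 16:49:29:701 2025 SW-PGD.LYTHUONGKIET.EXT DOT1X/7/EVENT: EAP-Request/Identity packet multicasting timed out on GigabitEthernet1/0/1.
*May 22 16:49:29:701 2025 SW-PGD.LYTHUONGKIET.EXT DOT1X/7/EVENT: Multicasted EAP-Request/Identity packets on interface GigabitEthernet1/0/1.
*May 22 16:47:01:404 2025 SW-PGD.LYTHUONGKIET.EXT DOT1X/7/EVENT: PAE is in Disconnect state: UserMAC=H-H-H, VLANID=60, Interface=GigabitEthernet1/0/1.
"""

if __name__ == "__main__":
    for iface, summary in analyze(SAMPLE_DEBUG.splitlines()).items():
        print(iface, summary["events"], summary["hint"])
```

Feed the helper the raw output of a terminal capture; lines that do not match the Comware layout (prompts, blank lines) are skipped, and the per-interface counts let you see at a glance how many multicast triggers and timeouts occurred before a user went offline.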


Solution

The problem was solved after the customer disabled the 802.1X multicast trigger feature and the online user handshake feature on the access interface (undo dot1x multicast-trigger and undo dot1x handshake). Both commands are described below.

dot1x multicast-trigger

Use dot1x multicast-trigger to enable the 802.1X multicast trigger feature.

Use undo dot1x multicast-trigger to disable the 802.1X multicast trigger feature.

Syntax

dot1x multicast-trigger

undo dot1x multicast-trigger

Default

The 802.1X multicast trigger feature is enabled.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

The multicast trigger feature enables the device to act as the initiator. The device periodically multicasts EAP-Request/Identity packets out of a port to detect 802.1X clients and trigger authentication. You can use the dot1x timer tx-period command to set the interval for sending multicast EAP-Request/Identity packets.


dot1x handshake

Use dot1x handshake to enable the online user handshake feature.

Use undo dot1x handshake to disable the online user handshake feature.

Syntax

dot1x handshake

undo dot1x handshake

Default

The online user handshake feature is enabled.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

The online user handshake feature enables the device to periodically send EAP-Request/Identity packets to the client for verifying the connectivity status of online 802.1X users. The device sets a user to the offline state if it does not receive an EAP-Response/Identity packet from the user after making the maximum attempts within the handshake period. To set the handshake timer, use the dot1x timer handshake-period command. To set the maximum handshake attempts, use the dot1x retry command.
