topic Re: MAB authentification feils after reboot in Network Access Control

MAB authentification feils after reboot

Andrius Ajauskas — Mon, 11 Mar 2019 00:27:23 GMT

Somebody help!!! J

Everything working just fine but after switch restarts authentication fails.

(cat4500e-ENTSERVICESK9-M), Version 12.2(53)SG2

ACS 4.2

in ACS can see Authen session timed out: Challenge not provided by client

Switch says : Sep 30 19:06:30 MET-DST: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0001.3e01.858a) on Interface Gi9/26

interface GigabitEthernet1/1

switchport mode access

switchport port-security maximum 3

authentication event fail action authorize vlan 500

authentication event server dead action authorize vlan 500

authentication event no-response action authorize vlan 500

authentication order mab

authentication priority mab

authentication port-control auto

mab eap

dot1x pae authenticator

dot1x timeout tx-period 5

dot1x max-req 1

storm-control broadcast level 3.00

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard loop

end

Re: MAB authentification feils after reboot

aneelaka — Fri, 01 Oct 2010 21:35:23 GMT

It has to do with Spanning tree protocol on the switch where right after
switch reboot, STP is still in process and the switch sends out the
Radius-Request but it doesn't reach the Radius Server until STP is run
and the correct interfaces start forwarding.

You need to adjust the Radius Timers on the switch. 
Please enter the following commands on the switch:

radius-server retransmit 6
radius-server timeout 10

This means that the switch will retransmit the radius request every 10
seconds for 6 times before marking the Server as Dead and failing the
MAB authentication. These 60 seconds are enough for STP to converge.

Re: MAB authentification feils after reboot

Andrius Ajauskas — Sat, 02 Oct 2010 10:28:55 GMT

I have TAC case in this issue, and they sad the same. i tested this without help (it's helped a lit, but not all interfases got right Vlan.)

and we are using rapid spanning tree so it should be enought 60s but.....

Re: MAB authentification feils after reboot

Serge Yasmine — Tue, 19 Oct 2010 09:47:30 GMT

Hi, this problem with MAB is due to the fact that the Radius Server is unreachable for a bit of time right after the switch reboot.

While the switch finishes the reboot, there is STP in process so the Radius Server will be unreachable until STPis finished.

Have a look at CSCtj46641 which has been closed as non-software-defect on switches.

Since MAB is immediate after switchport going up and at the same time radius server is still not available, there is a need to workaround the problem.

Some options to workaround:

1- radius timers increase to accomodate needed time for stp to finish

2- dot1x reauthentication timer

This has been the outcome of the TAC case between me and Andrius.

Hope this helps others facing this issue in the future.

Thanks

Serge