
802.1x router loses ARP entry

ZbigniewJ
Level 1

First of all, hello all. I'm new to this community.

I have a strange problem I want to share with you. Possibly a bug, but maybe it is me who does something wrong.

My network looks like this:

[RADIUS] --- [C881] --- [SG200 Switch] ---[WinXP]

One of the SG200 interfaces is set as a supplicant and it authenticates in RADIUS (FreeRADIUS) server via the C881 router. WinXP and other PC clients authenticate in RADIUS via SG200.

Now: Authentication works perfectly. Ports open as they're supposed to. I'm able to reach RADIUS from SG200 and vice versa, but there is a problem with WinXP. When I connect it to SG200 it authenticates, the port opens and I'm able to reach RADIUS or any host on the left-hand side, but only for 300 seconds. After that period of time C881 loses WinXP from its ARP table and any communication fails. I can't even reach C881's interface facing SG200. Then I type:

c881(config-if)#dot1x port-control force-authorized

C881 learns WinXP's MAC and IP again and all gets back to normal. When I type

c881(config-if)#dot1x port-control auto

after 300 seconds C881 forgets WinXP again and communication breaks down.

How is it possible that a router forgets the MAC of a host it's continuously "talking" with?

Have you ever seen this kind of behaviour? I tried with two other software revisions on C881 and the result is always the same. Bug or feature?

5 Replies

Tarik Admani
VIP Alumni

Hi,

Are you sending the session-attribute from the free radius server? Do you have any debugs or a packet capture of the radius traffic, so we can rule this out of the equation? What happens if the client is plugged directly into the switch port of the 881? Do you see the same behavior?

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi.

Are you sending the session-attribute from the free radius server?


To be honest I'm not sure what you mean, but I have a strong suspicion that my problem has nothing to do with FreeRADIUS.

Host authentication works perfectly. When I connect WinXP directly to the router's switch ports everything works fine. The switch itself also has a connection to the router all the time, even when WinXP and C881 don't see each other.

Furthermore, all ports are authenticated and open all the time; their state doesn't change. Reauthentication is turned off.

When the problem occurs I see no traffic to the RADIUS server. Here is how it looks:

When I connect WinXP to the switch it works at the beginning.

I check the ARP table on the router - WinXP is there.

I periodically check the ARP table and after approx. 300 seconds (default ARP entry timeout) WinXP disappears and communication breaks down.

Additionally, when I change the ARP timeout value to shorter or longer, communication breaks earlier or later respectively.

If you disable the dot1x authentication on the port of the sg200, do you see the same issue? Also, did this occur when you turned dot1x on?

Can you post the port configuration of the router that the sg200 is connected to?

Tarik Admani
*Please rate helpful posts*

drlechowicz
Level 1

Did you ever find a cause or a solution to this? I am having the same issues.

Dirk

Unfortunately I did not.

It's a really nasty... bug, I suppose.