Somebody help!!! J
Everything working just fine but after switch restarts authentication fails.
(cat4500e-ENTSERVICESK9-M), Version 12.2(53)SG2
in ACS can see Authen session timed out: Challenge not provided by client
Switch says : Sep 30 19:06:30 MET-DST: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0001.3e01.858a) on Interface Gi9/26
switchport mode access
switchport port-security maximum 3
authentication event fail action authorize vlan 500
authentication event server dead action authorize vlan 500
authentication event no-response action authorize vlan 500
authentication order mab
authentication priority mab
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
dot1x max-req 1
storm-control broadcast level 3.00
spanning-tree bpduguard enable
spanning-tree guard loop
It has to do with Spanning tree protocol on the switch where right after switch reboot, STP is still in process and the switch sends out the Radius-Request but it doesn't reach the Radius Server until STP is run and the correct interfaces start forwarding.
You need to adjust the Radius Timers on the switch.
Please enter the following commands on the switch: radius-server retransmit 6
radius-server timeout 10
This means that the switch will retransmit the radius request every 10 seconds for 6 times before marking the Server as Dead and failing the MAB authentication. These 60 seconds are enough for STP to converge.
I have TAC case in this issue, and they sad the same. i tested this without help (it's helped a lit, but not all interfases got right Vlan.)
and we are using rapid spanning tree so it should be enought 60s but.....
Hi, this problem with MAB is due to the fact that the Radius Server is unreachable for a bit of time right after the switch reboot.
While the switch finishes the reboot, there is STP in process so the Radius Server will be unreachable until STPis finished.
Have a look at CSCtj46641 which has been closed as non-software-defect on switches.
Since MAB is immediate after switchport going up and at the same time radius server is still not available, there is a need to workaround the problem.
Some options to workaround:
1- radius timers increase to accomodate needed time for stp to finish
2- dot1x reauthentication timer
This has been the outcome of the TAC case between me and Andrius.
Hope this helps others facing this issue in the future.