cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1803
Views
0
Helpful
3
Replies

MAB authentification feils after reboot

Somebody help!!! J

Everything working just fine but after switch restarts authentication fails.

(cat4500e-ENTSERVICESK9-M), Version 12.2(53)SG2

ACS 4.2

in ACS  can see   Authen session timed out: Challenge not provided by client

Switch says : Sep 30 19:06:30 MET-DST: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0001.3e01.858a) on Interface Gi9/26

interface GigabitEthernet1/1

switchport mode access

switchport port-security maximum 3

authentication event fail action authorize vlan 500

authentication event server dead action authorize vlan 500

authentication event no-response action authorize vlan 500

authentication order mab

authentication priority mab

authentication port-control auto

mab eap

dot1x pae authenticator

dot1x timeout tx-period 5

dot1x max-req 1

storm-control broadcast level 3.00

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard loop

end

3 Replies 3

aneelaka
Level 1
Level 1
It has to do with Spanning tree protocol on the switch where right after
switch reboot, STP is still in process and the switch sends out the
Radius-Request but it doesn't reach the Radius Server until STP is run
and the correct interfaces start forwarding.

You need to adjust the Radius Timers on the switch.
Please enter the following commands on the switch: radius-server retransmit 6
radius-server timeout 10

This means that the switch will retransmit the radius request every 10 seconds for 6 times before marking the Server as Dead and failing the MAB authentication. These 60 seconds are enough for STP to converge.

I have TAC case in this issue, and they sad the same. i tested this without help (it's helped a lit, but not all interfases got right Vlan.)

and we are using rapid spanning tree so it should be enought 60s but.....

Hi, this problem with MAB is due to the fact that the Radius Server is unreachable for a bit of time right after the switch reboot.

While the switch finishes the reboot, there is STP in process so the Radius Server will be unreachable until STPis finished.

Have a look at CSCtj46641 which has been closed as non-software-defect on switches.

Since MAB is immediate after switchport going up and at the same time radius server is still not available, there is a need to workaround the problem.

Some options to workaround:

1- radius timers increase to accomodate needed time for stp to finish

2- dot1x reauthentication timer

This has been the outcome of the TAC case between me and Andrius.

Hope this helps others facing this issue in the future.

Thanks

Serge

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: