cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1575
Views
1
Helpful
0
Comments
Roger Nobel
Cisco Employee
Cisco Employee

Symptoms

802.1x using MAB is working until you reboot the switch. After shut/no shut or re-auth is required to get MAB working.
 

Cause / Problem Description

Race condition for radius server communication task and eap task (MAB).


Conditions / Environment

802.1x using MAB

 

Seems to be common known issue (race condition).
There is a bug id CSCtj46641 which is J-Status pointing to CSCsu90538 .

 

Resolution

Suggest some test to customer and potential workaround to test.

1. Either adjust the config from a networking perspective (e.g. no spanning-tree) to ensure the RADIUS connection is up asap.

If we configure: 'no spanning-tree vlan x' then this issue should no longer seen.

 

This maybe still not working as we still relay on short time.

--------------------------------------------------​----------------------------------------

2. Adjust the mab config so that it either re-tries to authenticate periodically or else re-initialises when the server comes back.

The former can be done with the following config:

authentication timer restart 60
authentication event server dead action authorize vlan 11
authentication event server alive action reinitialize

 

This is not a good choice since we would have very short authentication periode in a life system

--------------------------------------------------​----------------------------------------

 

3. Create system-startup kron job which is run once at system startup.

 

This is not possible since running again and again

Create a policy-list which clears all authentication sessions (manual re-auth)

kron occurrence autostart in 2 recurring system-startup
policy-list force-reauth
!
kron policy-list force-reauth
cli clear authentication session
!

This will clear all sessions every 2 minutes after the system is up and again and again.

Not what we like to have. Option 3 is not an option.

--------------------------------------------------​----------------------------------------

 

4. This is the configuration solution work around


event manager applet onboot

event timer cron cron-entry "@reboot"

action 1.10 wait 20

action 2.10 cli command "enable"

action 2.20 cli command “clear authentication session "

action 6.10 syslog msg "cleared auth sessions"


This is the solution!

--------------------------------------------------​----------------------------------------

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: