802.1X using MAB works until the switch is rebooted. After a reboot, a shut/no shut on the port or a manual re-authentication is required to get MAB working again.
Cause / Problem Description
Race condition between the RADIUS server communication task and the EAP task (MAB) during startup.
Conditions / Environment
802.1x using MAB
This appears to be a commonly known issue (race condition).
There is a bug ID, CSCtj46641, which is in J-Status and points to CSCsu90538.
Resolution
Tests and potential workarounds suggested to the customer:
1. Adjust the configuration from a networking perspective (e.g. no spanning-tree) so that the RADIUS connection comes up as soon as possible.
If we configure 'no spanning-tree vlan x', this issue should no longer be seen.
This may still not work reliably, since it still relies on a short timing window.
------------------------------------------------------------------------------------------
2. Adjust the MAB configuration so that it either retries authentication periodically or re-initialises when the server comes back.
The former can be done with the following configuration:
authentication timer restart 60
authentication event server dead action authorize vlan 11
authentication event server alive action reinitialize
This is not a good choice, since we would have a very short authentication period on a live system.
------------------------------------------------------------------------------------------
3. Create a system-startup kron job that is meant to run once at system startup.
This does not work as intended, since the job keeps running again and again.
Create a policy-list which clears all authentication sessions (manual re-auth):
kron occurrence autostart in 2 recurring system-startup
policy-list force-reauth
!
kron policy-list force-reauth
cli clear authentication session
!
This clears all sessions every 2 minutes after the system is up, and keeps doing so.
Not what we want. Option 3 is not an option.
------------------------------------------------------------------------------------------
4. Working configuration workaround (EEM applet that clears the authentication sessions once, shortly after boot):
event manager applet onboot
event timer cron cron-entry "@reboot"
action 1.10 wait 20
action 2.10 cli command "enable"
action 2.20 cli command "clear authentication session"
action 6.10 syslog msg "cleared auth sessions"
This is the solution!
------------------------------------------------------------------------------------------
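To confirm from a central syslog collector that the applet above actually fired after each reboot (a switch where it did not fire would still have MAB ports stuck), the following added check is not part of the original note; it parses constructed sample syslog lines and assumes the EEM syslog action appears as "%HA_EM-6-LOG: onboot: cleared auth sessions".

```python
import re
from datetime import datetime

# Constructed sample syslog lines (not from the original page). The
# "cleared auth sessions" text is the message the EEM applet logs.
SAMPLE_LOG = """\
Jan  1 00:00:05 sw1 101: %SYS-5-RESTART: System restarted --
Jan  1 00:00:31 sw1 102: %HA_EM-6-LOG: onboot: cleared auth sessions
Jan  1 00:00:05 sw2 201: %SYS-5-RESTART: System restarted --
Jan  1 00:05:09 sw2 202: %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to up
Jan  1 00:00:05 sw3 301: %SYS-5-RESTART: System restarted --
Jan  1 00:02:40 sw3 302: %HA_EM-6-LOG: onboot: cleared auth sessions
"""

# timestamp, hostname, sequence number, message (assumed syslog layout)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \d+: (?P<msg>.*)$"
)

def _parse_ts(ts):
    # Syslog lines carry no year; a fixed year is fine because only deltas matter.
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S")

def check_onboot_clear(log_text, max_delay_s=120):
    """Return {host: 'ok' | 'late' | 'missing'} for every host that restarted.

    ok      - clear logged within max_delay_s of the restart
    late    - clear logged, but later than max_delay_s
    missing - restart seen but no clear logged (MAB may be stuck on that switch)
    """
    restarts, clears = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, msg, ts = m.group("host"), m.group("msg"), _parse_ts(m.group("ts"))
        if "%SYS-5-RESTART" in msg:
            restarts[host] = ts  # keep the most recent restart per host
        elif "cleared auth sessions" in msg and host in restarts and ts >= restarts[host]:
            clears[host] = ts
    result = {}
    for host, rts in restarts.items():
        if host not in clears:
            result[host] = "missing"
        else:
            delay = (clears[host] - rts).total_seconds()
            result[host] = "ok" if delay <= max_delay_s else "late"
    return result

if __name__ == "__main__":
    for host, status in sorted(check_onboot_clear(SAMPLE_LOG).items()):
        print(f"{host}: {status}")
```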