SG 300-10 802.1x radius authentication slowness

nategeouge
Level 1

We have 802.1x authentication via radius and vlan-id tagging with guest vlan fallback working successfully, but we've noticed that no matter what settings we try for the port, it seems that the switch takes about 20 seconds after the port comes up before it sends the authentication request to the radius server.

We tried enabling portfast under stp and when the port is connected, it does immediately come up, and the user is pushed to the guest vlan, and then after about 20 seconds the prompt comes up and credentials can be entered and then it will send the request to the radius server. If the credentials are saved, it still takes the same amount of time before it sends those saved credentials.

I'm curious if this is intended behavior, a limitation of the hardware, or a setting on the port I'm missing. We tried lowering the various quiet-period, silence-period, etc. timeouts, and are still seeing the same results. All tested OSes (OSX, Windows 7 + 8, Ubuntu + Arch Linux) experienced the same results.

Any advice would be appreciated, thank you!

See below for our conf:

net055#show running-config
config-file-header
net055
v1.3.7.18 / R750_NIK_1_35_647_358
CLI v1.0
set system mode switch 

file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
dot1x guest-vlan timeout 30
vlan database
default-vlan vlan 3333
exit
vlan database
vlan 1,100,102,104,111
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
dot1x system-auth-control
hostname net055
line console
exec-timeout 30
exit
line ssh
exec-timeout 0
exit
encrypted radius-server host 172.16.200.57 key REMOVED= usage dot1.x
radius-server host source-interface vlan 100
management access-list mlist2
permit ip-source 172.16.202.0 mask 255.255.255.0
permit ip-source 172.16.200.0 mask 255.255.255.0
exit
management access-class mlist2
aaa authentication enable default enable none
aaa accounting dot1x start-stop group radius
enable password level 15 encrypted REMOVED
no service password-recovery
no passwords complexity enable
passwords aging 0
username REMOVED privilege 15
username REMOVED privilege 15
ip ssh server
ip ssh password-auth
ip http timeout-policy 1800 https-only
no ip http server
tacacs-server timeout 10
clock timezone EST -5
clock source sntp
sntp unicast client enable
sntp server 172.16.100.95
ip name-server  8.8.4.4
!
interface vlan 100
 ip address 172.16.200.21 255.255.255.0
 no ip address dhcp
!
interface vlan 102
 name dev-0-Gnv-202.0
!
interface vlan 104
 name gen-0-Gnv-204.0
!
interface vlan 111
 name guest-0-Gnv-10-66-61.0
 dot1x guest-vlan
!
interface gigabitethernet1
 switchport trunk allowed vlan add 100,102,104,111
!
interface gigabitethernet2
 dot1x guest-vlan enable
 dot1x reauthentication
 dot1x timeout supp-timeout 5
 dot1x radius-attributes vlan static
 dot1x port-control auto
 spanning-tree portfast
!
interface gigabitethernet3
 dot1x guest-vlan enable
 dot1x reauthentication
 dot1x radius-attributes vlan static
 dot1x port-control auto
!
interface gigabitethernet4
 dot1x guest-vlan enable
 dot1x reauthentication
 dot1x radius-attributes vlan static
 dot1x port-control auto
!
interface gigabitethernet5
 dot1x guest-vlan enable
 dot1x reauthentication
 dot1x radius-attributes vlan static
 dot1x port-control auto
 spanning-tree portfast
!
interface gigabitethernet6
 dot1x guest-vlan enable
 dot1x reauthentication
 dot1x radius-attributes vlan static
 dot1x port-control auto
 spanning-tree portfast
!
interface gigabitethernet7
 dot1x guest-vlan enable
 dot1x max-req 10
 dot1x reauthentication
 dot1x timeout quiet-period 5
 dot1x radius-attributes vlan static
 dot1x port-control auto
!
interface gigabitethernet8
 dot1x guest-vlan enable
 dot1x reauthentication
 dot1x radius-attributes vlan static
 dot1x port-control auto
!
interface gigabitethernet9
 dot1x guest-vlan enable
 dot1x reauthentication
 dot1x radius-attributes vlan static
 dot1x port-control auto
 spanning-tree portfast
!
interface gigabitethernet10
 dot1x guest-vlan enable
 dot1x reauthentication
 dot1x radius-attributes vlan static
 dot1x port-control auto
!
exit
ip default-gateway 172.16.200.1

 

11 Replies

Nelson Galimba
Cisco Employee

This was tested in the latest release 1.4.0.88 and we do not see this issue.

If you do, please open a case and we would be happy to look into it.

 

The issue still exists with 1.4.0.88. How do I open a case?

1-866-606-1866, follow the prompts for your switch... be prepared to provide them the serial number.

Forgot to follow up here.

This is a known deficiency of how the SG300 line implements 802.1x vs how all other Cisco switches implement it (and how other vendors implement it). The support tech said Cisco was unwilling to fix this deficiency (he would never provide a reason why).

If you have OSX and 802.1x and don't want it to take >30 seconds for users to get auth'd, I would suggest going to another vendor since Cisco has said they will not fix this issue.

Does this restriction/bug also apply to the SG500 series?

We only have SG300s so I'm not sure. My guess would be yes? Just a guess though.

Colin,

Thank you. I am reviewing the info in the case. I'm setting up my lab to try and mimic your implementation. On your FreeRadius, what do you have the digest set for when using EAP please?

@Max can you email me? I'll send you all the pcaps showing the issue. I'm happy to send you our rad conf too.

Will do. Email on its way.

Do you have a case number or some bug reference that speaks to this "known deficiency"? I would like to research that please.

SR632635777. Ping me if you have any questions. The support person was literally the worst support engineer we have ever interacted with, so maybe there is hope that someone else could help push Cisco to address this issue.