02-12-2016 01:39 PM - edited 03-10-2019 01:06 PM
I'm testing out a new 3850-48XS to be used as a closet switch. This network uses dot1x; all closet switches today are 3750s. I've found on the 3850s that the dot1x works as expected when logging in. The port correctly goes from the isolated VLAN to the authenticated VLAN. These are custom Linux workstations that, when the user logs off, reboot and reimage. While connected to the 3850, when the machine reboots the port never has a link down/link up event. The port stays in the authenticated VLAN until the authentication eventually times out, then it goes back to the isolated VLAN. At that point the machine has already hung up and can't get to its image server (which resides in the isolated VLAN with the hosts).
If I unplug the cable and plug it back in it correctly goes back to the isolated VLAN immediately. These workstations are connected to the 3850 via fiber, using GLC-SX-MMD SFPs.
Any ideas would be great!
Mike
02-13-2016 02:14 AM
Mike,
I think that the proper solution would be to make sure that these workstations send an EAPOL-Logoff frame before they reboot and start reimaging themselves. This should bring the switch port back to the unauthenticated state.
What kind of 802.1X supplicant are you using on those workstations? I would suppose it is wpasupplicant. That one does not seem to send the EAPOL-Logoff message when terminating.
If you are using NetworkManager to manage the network connections (which in turn uses wpasupplicant for the 802.1X auth operations) then the NetworkManager can be asked from the command line to deactivate a connection using
nmcli connection down <ConnectionName>
(the <ConnectionName> can be found by simply running nmcli connection)
This should trigger wpasupplicant to send out an EAPOL-Logoff frame.
If you are not using NetworkManager then there is an option of externally requesting wpasupplicant to send the EAPOL-Logoff by using the wpa_cli command, as follows:
wpa_cli logoff
This command has to be run by root, however, so its placement during the workstation shutdown procedure is crucial: it must be run before the wpasupplicant itself is terminated, yet it must be run with root privileges. This makes it somewhat awkward to use.
Perhaps if you described your particular Linux setup in more detail, we would be able to help you more. Be as specific as possible - distribution, GUI, network manager used to manage connections, init system (SysV vs. upstart vs. systemd), ...
Best regards,
Peter
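One way to solve the ordering problem Peter describes (wpa_cli logoff must run as root, but before wpa_supplicant exits) on a systemd-based workstation is a small oneshot unit whose ExecStop runs the logoff. Because systemd stops units in the reverse of their start order, a unit ordered After=wpa_supplicant.service is stopped before wpa_supplicant at shutdown and reboot, and ExecStop runs as root by default. This is an added example for illustration, not code from the thread or from any distribution; the unit name dot1x-logoff.service, the interface name eth0, the service name wpa_supplicant.service and the path /usr/sbin/wpa_cli are assumptions to adjust for the actual system, and it assumes wpa_supplicant was started with a control interface (ctrl_interface= in its configuration) so that wpa_cli can reach it.

```ini
# /etc/systemd/system/dot1x-logoff.service  (hypothetical unit name)
# Sends EAPOL-Logoff to the switch before wpa_supplicant is stopped,
# so the port returns to the unauthenticated/isolated VLAN immediately
# instead of waiting for the reauthentication timer to expire.
[Unit]
Description=Send 802.1X EAPOL-Logoff on shutdown/reboot
# Ordering is the whole point: started after wpa_supplicant, therefore
# stopped before it at shutdown, while the control socket still exists.
After=wpa_supplicant.service network.target
Wants=wpa_supplicant.service

[Service]
Type=oneshot
# Nothing to do at boot; stay "active" so ExecStop runs at shutdown.
ExecStart=/bin/true
RemainAfterExit=yes
# Runs as root (systemd default). eth0 is an assumed interface name.
ExecStop=/usr/sbin/wpa_cli -i eth0 logoff

[Install]
WantedBy=multi-user.target
```

After placing the file, run systemctl daemon-reload and systemctl enable --now dot1x-logoff.service; on the next reboot the switch port should log the EAPOL-Logoff and drop back to the isolated VLAN before the reimaging host asks for its image. If the workstation uses NetworkManager instead of a bare wpa_supplicant, the same unit can run nmcli connection down <ConnectionName> in ExecStop, ordered After=NetworkManager.service, which makes NetworkManager trigger the logoff on the supplicant's behalf.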
02-13-2016 04:39 AM
Thank you Peter, that is some great info. I'm going to share this with the Linux developer I work with on Monday and we can dig into it further. I'll report back our results...
Thanks!
Mike