519 Views | 10 Helpful | 2 Replies

3850-48XS - Dot1x - Port not switching to Isolated LAN during reboot

Mike_Adkins
Level 1

I'm testing out a new 3850-48XS to be used as a closet switch. This network uses dot1x; all closet switches today are 3750s. I've found on the 3850s that dot1x works as expected when logging in. The port correctly goes from the isolated vlan to the authenticated vlan. These are custom linux workstations that, when the user logs off, reboot and reimage. While connected to the 3850, when the machine reboots the port never has a link down/link up event. The port stays in the authenticated vlan until the authentication eventually times out, then it goes back to the isolated vlan. At that point the machine has already hung up and can't get to its image server (which resides in the isolated vlan with the hosts).

If I unplug the cable and plug it back in, it correctly goes back to the isolated vlan immediately. These workstations are connected to the 3850 via fiber, using GLC-SX-MMD SFPs.

Any ideas would be great!

Mike

2 Replies

Peter Paluch
Cisco Employee

Mike,

I think that the proper solution would be to make sure that these workstations send an EAPOL-Logoff frame before they reboot and start reimaging themselves. This should bring the switch port back to the unauthenticated state.

What kind of 802.1X supplicant are you using on those workstations? I would suppose it is wpasupplicant. That one does not seem to send the EAPOL-Logoff message when terminating.

If you are using NetworkManager to manage the network connections (which in turn uses wpasupplicant for the 802.1X auth operations), then NetworkManager can be asked from the command line to deactivate a connection using

nmcli connection down <ConnectionName>

(the <ConnectionName> can be found by simply running nmcli connection)

This should trigger wpasupplicant to send out an EAPOL-Logoff frame.

If you are not using NetworkManager then there is an option of externally requesting wpasupplicant to send the EAPOL-Logoff by using the wpa_cli command, as follows:

wpa_cli logoff

This command has to be run by root, however, so its placement during the workstation shutdown procedure is crucial - it must be run before the wpasupplicant itself is terminated, yet it must be run with root privileges. This makes it somewhat awkward to use.

Perhaps if you described your particular Linux setup in more detail, we would be able to help you more. Be as specific as possible - distribution, GUI, network manager used to manage connections, init system (SysV vs. upstart vs. systemd), ...

Best regards,
Peter
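
The placement problem Peter describes for "wpa_cli logoff" (it needs root and must run while wpa_supplicant is still alive) can be solved on a systemd host by giving the logoff its own unit whose ExecStop is ordered before the supplicant stops. The script below is an added example, not something from this thread or from Cisco, and it assumes things the thread does not state: the supplicant runs as wpa_supplicant.service, NetworkManager (when used) runs as NetworkManager.service, wpa_cli talks to the default control socket, and the interface and connection names are passed in. It also generalizes the two commands Peter gives (nmcli connection down, wpa_cli logoff) into one generator.

```shell
#!/bin/sh
# Hypothetical helper (added example): build a systemd unit whose ExecStop
# sends EAPOL-Logoff at shutdown. systemd runs ExecStop as root, and
# "After=<supplicant unit>" makes systemd stop this unit BEFORE the
# supplicant (stop order is the reverse of start order), so the frame
# goes out while the supplicant can still send it and the switch port
# falls back to the isolated VLAN without waiting for a reauth timeout.
#
# Assumptions (not from the page): supplicant runs as wpa_supplicant.service,
# NetworkManager as NetworkManager.service, wpa_cli uses its default socket.

# logoff_cmd MANAGER IFACE [CONNECTION]
# Prints the command that makes the supplicant emit EAPOL-Logoff.
#   MANAGER=wpa : talk to wpa_supplicant directly. Needs root, or membership
#                 of the GROUP= named in wpa_supplicant's ctrl_interface line.
#   MANAGER=nm  : deactivate the NetworkManager connection; NM's own
#                 wpa_supplicant instance then sends the logoff.
logoff_cmd() {
    case "$1" in
        wpa) printf 'wpa_cli -i %s logoff\n' "$2" ;;
        nm)  printf 'nmcli connection down "%s"\n' "$3" ;;
        *)   echo "logoff_cmd: manager must be wpa or nm" >&2; return 1 ;;
    esac
}

# The unit our logoff must not outlive, per manager.
supplicant_unit() {
    case "$1" in
        wpa) echo wpa_supplicant.service ;;
        nm)  echo NetworkManager.service ;;
        *)   return 1 ;;
    esac
}

# gen_logoff_unit MANAGER IFACE [CONNECTION]
# Type=oneshot + RemainAfterExit=yes keeps the unit "active" after boot,
# so it receives a stop job (and runs ExecStop) at shutdown/reboot.
# Requires= also stops it first whenever the supplicant unit stops on its own.
# /usr/bin/env avoids hard-coding where wpa_cli or nmcli is installed.
gen_logoff_unit() {
    dep=$(supplicant_unit "$1") || return 1
    cmd=$(logoff_cmd "$@") || return 1
    cat <<EOF
[Unit]
Description=Send 802.1X EAPOL-Logoff before the supplicant stops
After=$dep
Requires=$dep

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
ExecStop=/usr/bin/env $cmd
TimeoutStopSec=5

[Install]
WantedBy=multi-user.target
EOF
}

# Usage (as root):
#   sh dot1x-logoff.sh --install wpa eth0
#   sh dot1x-logoff.sh --install nm eth0 "Wired connection 1"
if [ "${1:-}" = "--install" ]; then
    shift
    gen_logoff_unit "$@" > /etc/systemd/system/dot1x-logoff.service || exit 1
    systemctl daemon-reload
    systemctl enable --now dot1x-logoff.service
fi
```

Check the ordering after installing with "systemctl list-dependencies --reverse wpa_supplicant.service"; the logoff unit should appear there, which is what guarantees it is stopped first. A link-down event would still not be generated for the fiber-attached hosts, so the switch's reaction here depends entirely on receiving the EAPOL-Logoff frame, which is why the unit gets a short TimeoutStopSec rather than being allowed to hang the shutdown.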

Thank you Peter, that is some great info. I'm going to share this with the linux developer I work with on Monday and we can dig into it further. I'll report back our results...

Thanks!

Mike
