01-01-2020 09:25 AM
I'm working on configuring RADIUS authentication on our network and have run into an issue where, after successfully getting authorized on a port, the supplicant drops about 2 seconds worth of packets every 30 seconds or so.
I have the following debug logging enabled to troubleshoot:
Radius protocol debugging is on
Radius protocol verbose debugging is on
Radius packet protocol (authentication) debugging is on
Radius packet retransmission debugging is on
Auth Manager:
  Auth Manager errors debugging is on
  Auth Manager events debugging is on
  Auth Manager detailed debugs debugging is on
  Auth Manager sync debugging is on
Policy Manager:
  Policy Manager Actions debugging is on
During the brief outages, no messages are logged from any of these services.
General config commands for dot1x:
ip radius source-interface Vlan200
aaa authentication dot1x default group radius
aaa authorization network default group radius local
dot1x system-auth-control
dot1x logging verbose
identity profile default
service-template webauth-global-inactive
 inactivity-timer 3600
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan
service-template guest-vlan
 description < This service template gets applied to an interface when a client fails to authenticate via dot1x or mab >
 vlan 64
 interface-template guest-vlan-interface-template
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match result-type aaa-timeout
 match authorization-status authorized
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
!
class-map type control subscriber match-all DOT1X
 match method dot1x
!
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_MEDIUM_PRIO
 match authorizing-method-priority gt 20
!
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all DOT1X_TIMEOUT
 match method dot1x
 match result-type method dot1x method-timeout
!
class-map type control subscriber match-all MAB
 match method mab
!
class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative
policy-map type control subscriber CPS_POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  20 class MAB_FAILED do-until-failure
   10 terminate mab
   20 activate service-template guest-vlan
   30 authorize
  30 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
template guest-vlan-interface-template
 switchport access vlan 64
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
interface GigabitEthernet1/0/1
 switchport mode access
 access-session host-mode multi-host
 access-session port-control auto
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy type control subscriber CPS_POLICY
#sho access-session
Interface   MAC Address      Method   Domain   Status   Fg   Session ID
Gi1/0/1     1860.2484.8868   dot1x    DATA     Auth          0A0BC8640000102666D05C80
Session count = 1
Key to Session Events Blocked Status Flags:
 A - Applying Policy (multi-line status for details)
 D - Awaiting Deletion
 F - Final Removal in progress
 I - Awaiting IIF ID allocation
 N - Waiting for AAA to come up
 P - Pushed Session
 R - Removing User Profile (multi-line status for details)
 U - Applying User Profile (multi-line status for details)
 X - Unknown Blocker
Is there anything anyone can see wrong with this configuration that would be the cause of the packet drops? Suggestions for where to look further?
01-01-2020 01:16 PM - edited 01-01-2020 01:19 PM
... And removing the "ip device tracking probe auto-source fallback 0.0.0.1 255.255.255.0" command seems to have fixed this particular problem. The technical details of why this was causing the problem are beyond me, but it works.
Of course, that means Windows clients can potentially have issues with duplicate IP address detection again...
So, referring back to https://www.cisco.com/c/en/us/support/docs/ip/address-resolution-protocol-arp/118630-technote-ipdt-00.html#anc12 , I am going to instead use the "ip device tracking probe delay 10" command on our switches, which does not cause the intermittent connectivity issue, and hope that works for us.
01-01-2020 12:59 PM
It looks like it may be related to IPDT...
Debugging IPDT, the following messages get logged every time connectivity is lost:
Jan 1 20:52:39.494: sw_host_track-ev:ARP packet received from ARP snooper(Gi1/0/1 10.11.32.74 (1860.2484.8868) VLAN:32)
Jan 1 20:52:39.495: sw_host_track-ev:host_track_notification: Add event for host - (Gi1/0/1 10.11.32.74 (1860.2484.8868) VLAN:32 ID:0 ARP)
Jan 1 20:52:39.495: sw_host_track-ev:Async Wired Add event - (Gi1/0/1 10.11.32.74 (1860.2484.8868) VLAN:32 ID:0 ARP)
Jan 1 20:52:39.495: sw_host_track-ev:MSG = Host Track Add Entry
Jan 1 20:52:39.495: sw_host_track-ev:Add event: 1860.2484.8868, 10.11.32.74, GigabitEthernet1/0/1
Jan 1 20:52:39.495: sw_host_track-ev:Cache entry refreshed (Gi1/0/1 10.11.32.74 (1860.2484.8868) VLAN:32 ID:56 ARP)
Jan 1 20:52:39.495: sw_host_track-ev:Activating host - (Gi1/0/1 10.11.32.74 (1860.2484.8868) VLAN:32 ID:56 ARP)
Jan 1 20:52:39.495: sw_host_track-ev:Starting cache timer: 30 seconds - (Gi1/0/1 10.11.32.74 (1860.2484.8868) VLAN:32 ID:56)
Jan 1 20:52:39.495: sw_host_track-notify:host_track_activate_entry Notify other features: activate -(Gi1/0/1 10.11.32.74 (1860.2484.8868) VLAN:32 ID:56 ARP)
I have the following config command entered on our switches, which is a workaround for our Windows clients, which were dropping their IP address assignments due to IPDT causing the Windows clients to believe they had a duplicate IP address.
Not sure if it is related but I'll try removing it and see what happens...
ip device tracking probe auto-source fallback 0.0.0.1 255.255.255.0 override
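As an added example (not from this thread and not Cisco code), the following Python script parses `debug ip device tracking` style lines like the ones posted above and reports, per tracked host, how often the IPDT cache timer is restarted; that cadence is what the switch's ARP probes follow, so it can be lined up against the observed 30-second loss windows when checking whether IPDT is the cause. The sample log is constructed: the first burst is copied from the post, while the later timestamps and the second host are assumed values.

```python
"""Measure the cadence of IPDT cache-timer restarts from sw_host_track debug output.

Added example for this thread; not Cisco code. Regex fields follow the posted
log format. Timestamps after the first burst and the second host are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one posted burst plus two assumed later bursts for the
# same host, and one event for an assumed second host on another port.
SAMPLE_LOG = """\
Jan 1 20:52:39.494: sw_host_track-ev:ARP packet received from ARP snooper(Gi1/0/1 10.11.32.74 (1860.2484.8868) VLAN:32)
Jan 1 20:52:39.495: sw_host_track-ev:Cache entry refreshed (Gi1/0/1 10.11.32.74 (1860.2484.8868) VLAN:32 ID:56 ARP)
Jan 1 20:52:39.495: sw_host_track-ev:Starting cache timer: 30 seconds - (Gi1/0/1 10.11.32.74 (1860.2484.8868) VLAN:32 ID:56)
Jan 1 20:53:09.501: sw_host_track-ev:Starting cache timer: 30 seconds - (Gi1/0/1 10.11.32.74 (1860.2484.8868) VLAN:32 ID:56)
Jan 1 20:53:39.497: sw_host_track-ev:Starting cache timer: 30 seconds - (Gi1/0/1 10.11.32.74 (1860.2484.8868) VLAN:32 ID:56)
Jan 1 20:53:10.200: sw_host_track-ev:Starting cache timer: 30 seconds - (Gi1/0/2 10.11.32.80 (aaaa.bbbb.cccc) VLAN:32 ID:57)
"""

# Only the "Starting cache timer" event is of interest; it marks the point at
# which IPDT re-arms its probe timer for a host.
TIMER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d{3}): sw_host_track-ev:"
    r"Starting cache timer: (?P<secs>\d+) seconds - "
    r"\((?P<intf>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) \((?P<mac>[0-9a-f.]+)\) VLAN:(?P<vlan>\d+)"
)


def parse_timer_events(text, year=2020):
    """Return {(interface, ip, mac): [(datetime, timer_secs), ...]}, time-sorted.

    IOS timestamps carry no year, so the caller supplies one (assumed 2020 here).
    """
    events = defaultdict(list)
    for line in text.splitlines():
        m = TIMER_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        events[(m["intf"], m["ip"], m["mac"])].append((ts, int(m["secs"])))
    for key in events:
        events[key].sort()
    return dict(events)


def probe_intervals(events):
    """Seconds between consecutive timer restarts for each host (empty if only one)."""
    out = {}
    for key, evs in events.items():
        times = [t for t, _ in evs]
        out[key] = [round((b - a).total_seconds(), 3) for a, b in zip(times, times[1:])]
    return out


def hosts_probed_every(events, period_secs, tolerance=1.0):
    """Hosts whose timer restarts recur at roughly period_secs.

    Use the period of the observed packet loss (about 30 s in the thread) to see
    which hosts are being probed on that rhythm.
    """
    hits = []
    for key, gaps in probe_intervals(events).items():
        if gaps and all(abs(g - period_secs) <= tolerance for g in gaps):
            hits.append(key)
    return hits


if __name__ == "__main__":
    evs = parse_timer_events(SAMPLE_LOG)
    for host, gaps in probe_intervals(evs).items():
        print(host, "restart gaps (s):", gaps)
    print("hosts probed on a ~30 s cycle:", hosts_probed_every(evs, 30))
```

Feed it the saved output of the IPDT debug (or a syslog export) instead of the constructed sample, and compare the flagged hosts and gap values with the times at which the supplicant's pings fail; a host that lines up with the loss period is the one to examine before and after changing the probe settings.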