02-04-2012 12:37 AM - edited 03-07-2019 04:43 AM
Hi, we hope someone is "shark" enough to assist us in this little quest.
We use a setup consisting of a Windows RADIUS server, 200+ Cisco 877W supplicants and Windows 7 / XP clients.
The setup works, but we have a seriously irritating issue when the router is restarted.
When the user reboots the Cisco 877W with a PC connected, the DSL line needs to train before the authentication may be completed. This retrain may in some situations last for several minutes.
The result is often that the authentication fails and the Cisco (as supplicant) takes the port down administratively instead of granting access to the guest VLAN.
In the below (anonymized) "show running", you will see that VLAN40 is the trusted VLAN and VLAN1 is the guest VLAN; we also supplied a "show dot1x interface x details" for an authorized and a non-authorized Ethernet port.
A "shutdown / no shutdown" on the port restarts the auth. correctly, enabling either trusted or guest VLAN access, as does a disconnect/reconnect of the cable or "on/off" of the wireless on the PC.
We tried setting the "ReauthPeriod" to as little as 30 seconds without much success (the port is down, thus nothing is communicated to the client).
If the DSL needs to retrain for some reason, having the re-auth set to 30 seconds destroys the auth., leaving the PC in VLAN1 with an IP address matching VLAN40, rendering the connection useless even for Internet access.
Also, packet loss or RADIUS stress may disconnect the user if re-auth is impossible; therefore we find that the default re-auth setting of 3600 seconds (or even higher) seems more appropriate.
Are we missing a setting, or is it simply required to have the users reconnect their PC if the DSL connection drops or the router is restarted?
---------------------------------------------------------------------------------------------------------------------
RouterXXX#sh run
Building configuration...
Current configuration : 6122 bytes
!
! Last configuration change at 13:36:43 CET Fri Feb 3 2012 by XXXX
! NVRAM config last updated at 13:36:46 CET Fri Feb 3 2012 by XXXX
!
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname RouterXXX
!
boot-start-marker
boot-end-marker
!
vrf definition VRFDEF
description VRFDEF radius authentication for dot1x
!
address-family ipv4
exit-address-family
!
logging message-counter syslog
logging buffered 51200 warnings
logging console informational
enable secret 5 XXXXXX
!
aaa new-model
!
!
aaa group server radius radius-group
server xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813
server xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813
ip vrf forwarding VRFDEF
ip radius source-interface BVI40
!
aaa authentication login default local
aaa authentication login eap_methods group radius-group
aaa authentication dot1x default group radius-group
!
!
aaa session-id common
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
dot11 syslog
!
dot11 ssid ADM
vlan 40
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
mbssid guest-mode
!
dot11 ssid PUB
vlan 1
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 XXXXX
!
ip source-route
ip dhcp excluded-address 192.168.1.1 192.168.1.9
ip dhcp excluded-address 192.168.1.100 192.168.1.255
!
ip dhcp pool surf-pool
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
domain-name xx.xxxx.xx
dns-server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
lease 2
!
!
ip cef
ip domain name xx.xxxx.xx
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
!
!
dot1x system-auth-control
!
!
username xxxx privilege 15 secret 5 xxxxxxxx
!
!
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface ATM0
no ip address
no logging event link-status
no atm ilmi-keepalive
dsl operating-mode adsl2+
dsl enable-training-log
!
interface ATM0.1 point-to-point
pvc 0/101
encapsulation aal5snap
!
bridge-group 100
!
interface ATM0.2 point-to-point
vrf forwarding VRFDEF
pvc 0/32
encapsulation aal5snap
!
bridge-group 40
!
interface FastEthernet0
switchport access vlan 40
dot1x pae authenticator
dot1x port-control auto
dot1x control-direction in
dot1x timeout quiet-period 5
dot1x timeout reauth-period 60
dot1x timeout tx-period 5
dot1x timeout supp-timeout 3
dot1x reauthentication
dot1x auth-fail vlan 1
dot1x guest-vlan 1
!
interface FastEthernet1
switchport access vlan 40
dot1x pae authenticator
dot1x port-control auto
dot1x control-direction in
dot1x timeout quiet-period 5
dot1x timeout reauth-period 60
dot1x timeout tx-period 5
dot1x timeout supp-timeout 3
dot1x reauthentication
dot1x auth-fail vlan 1
dot1x guest-vlan 1
!
interface FastEthernet2
switchport access vlan 40
dot1x pae authenticator
dot1x port-control auto
dot1x control-direction in
dot1x timeout quiet-period 5
dot1x timeout reauth-period 60
dot1x timeout tx-period 5
dot1x timeout supp-timeout 3
dot1x reauthentication
dot1x auth-fail vlan 1
dot1x guest-vlan 1
!
interface FastEthernet3
switchport access vlan 40
dot1x pae authenticator
dot1x port-control auto
dot1x control-direction in
dot1x timeout quiet-period 5
dot1x timeout supp-timeout 3
dot1x max-req 5
dot1x reauthentication
dot1x auth-fail vlan 1
dot1x guest-vlan 1
!
interface Dot11Radio0
no ip address
!
encryption vlan 40 mode ciphers aes-ccm
!
encryption vlan 1 mode ciphers tkip
!
broadcast-key vlan 40 change 30
!
broadcast-key vlan 1 change 30
!
!
ssid ADM
!
ssid PUB
!
mbssid
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.40
encapsulation dot1Q 40
no cdp enable
bridge-group 40
bridge-group 40 subscriber-loop-control
bridge-group 40 spanning-disabled
bridge-group 40 block-unknown-source
no bridge-group 40 source-learning
no bridge-group 40 unicast-flooding
!
interface Vlan1
no ip address
bridge-group 1
!
interface Vlan40
vrf forwarding VRFDEF
no ip address
bridge-group 40
!
interface Dialer0
no ip address
no cdp enable
!
interface BVI1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface BVI40
vrf forwarding VRFDEF
mtu 1500
ip address dhcp hostname XXXX
!
interface BVI100
mac-address xxxx.xxxx.xxxx.xxxx
ip address dhcp hostname XXXX
ip nat outside
ip virtual-reassembly
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface BVI100 overload
!
ip access-list standard SSH_ACCESS_IN
permit xxx.xxx.xxx.xxx
deny any
!
logging trap debugging
logging origin-id ip
logging xxx.xxx.xxx.xxx
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 10 permit xxx.xxx.xxx.xxx
no cdp run
!
!
!
snmp-server community XXXX RO 10
radius-server attribute 32 include-in-access-req format %h
radius-server host xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813 key 7 XXXX
radius-server host xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813 key 7 XXXX
radius-server vsa send accounting
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 40 protocol ieee
bridge 40 route ip
bridge 100 protocol ieee
bridge 100 route ip
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class SSH_ACCESS_IN in
privilege level 15
transport input ssh
!
scheduler max-task-time 5000
ntp server xxx.xxx.xxx.xxx
end
-------------------------------------------------------------------------------
Non-Authorized port:
RouterXXX#sh dot1x interface fa2 details
Dot1x Info for FastEthernet2
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = In
HostMode = MULTI_HOST
ReAuthentication = Enabled
QuietPeriod = 5
ServerTimeout = 0
SuppTimeout = 3
ReAuthPeriod = 60 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 5
RateLimitPeriod = 0
Auth-Fail-Vlan = 1
Auth-Fail-Max-attempts = 3
Guest-Vlan = 1
Dot1x Authenticator Client List Empty
Port Status = AUTHORIZED
Authorized By = Guest-Vlan
Vlan Policy = 1
---------------------------------------------------------------------------------
Authorized port:
RouterXXX#show dot1x interface fa3 details
Dot1x Info for FastEthernet3
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = In
HostMode = MULTI_HOST
ReAuthentication = Enabled
QuietPeriod = 5
ServerTimeout = 0
SuppTimeout = 3
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 5
TxPeriod = 30
RateLimitPeriod = 0
Auth-Fail-Vlan = 1
Auth-Fail-Max-attempts = 3
Guest-Vlan = 1
Dot1x Authenticator Client List
-------------------------------
Supplicant = xxxx.xxxx.xxxx
Auth SM State = AUTHENTICATED
Auth BEND SM Stat = IDLE
Port Status = AUTHORIZED
ReAuthPeriod = 3600
ReAuthAction = Reauthenticate
TimeToNextReauth = 1438
Authentication Method = Dot1x
Authorized By = Authentication Server
Vlan Policy = N/A
Any and all clues are highly appreciated, thanks in advance.
/Niels
02-04-2012 04:10 AM
Hi Niels,
As you have rightly pointed out, the problem is that the PC comes up first and straight away sends the EAPOL frame to the switch, and because the switch cannot reach the RADIUS server (the DSL line is still training) it forces the port into VLAN 1.
Unfortunately, IMHO this is the limitation of DSL lines: sometimes they take several minutes to train.
AFAIK you can't tell the router to advise the PC to send the frame a bit later, and also you are using a router which doesn't have the err-disable recovery mechanism that switches have.
Also, I would suggest you use the below dot1x config. It's pretty stable. Setting the re-auth period to a low value is not recommended. Once the PC is authenticated, the only time it should reauthenticate is when the ARP entry on the router is about to expire; otherwise I see no reason why it should keep reauthenticating every now and then.
dot1x pae authenticator
dot1x port-control auto
dot1x timeout reauth-period 14400
dot1x timeout tx-period 15
dot1x max-req 5
dot1x reauthentication
dot1x auth-fail vlan 1
dot1x guest-vlan 1
There are heaps of dot1x timers, but they are there to circumvent issues, not to create one (telling the PC to send the frame a bit later), if you know what I mean.
We can see what other experts have to say.
See if you can get a frame link or something.
HTH
Kishore
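A small check, added here and not part of either post, that parses the "show dot1x interface ... details" output from the question and reports the two conditions the thread is about: ports sitting in the guest VLAN after a failed authentication, and ports carrying the short re-auth timer the reply advises against. The sample text is constructed from the two blocks in the first post; the 3600 s threshold is an assumption taken from the default mentioned there.

```python
import re
# Constructed sample: the two "show dot1x interface ... details" blocks from the
# first post, trimmed to the fields this check reads.
SAMPLE = """\
Dot1x Info for FastEthernet2
-----------------------------------
ReAuthPeriod = 60 (Locally configured)
Dot1x Authenticator Client List Empty
Port Status = AUTHORIZED
Authorized By = Guest-Vlan
Vlan Policy = 1
Dot1x Info for FastEthernet3
-----------------------------------
ReAuthPeriod = 3600 (Locally configured)
Supplicant = xxxx.xxxx.xxxx
Auth SM State = AUTHENTICATED
Port Status = AUTHORIZED
ReAuthPeriod = 3600
Authorized By = Authentication Server
Vlan Policy = N/A
"""

def parse_dot1x(text):
    """One dict per 'Dot1x Info for <port>' block, keyed by the label left of ' = '.
    First value per label wins, so the port-level ReAuthPeriod beats the per-client copy."""
    ports, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Dot1x Info for (\S+)", line)
        if m:
            current = ports.setdefault(m.group(1), {})
        elif current is not None and " = " in line:
            key, _, value = line.partition(" = ")
            current.setdefault(key.strip(), value.strip())
    return ports

def classify(ports, min_reauth=3600):
    """Map each port to a list of findings: 'Authorized By = Guest-Vlan' is the
    stuck state the question describes (no supplicant seen, port dropped to VLAN 1);
    a ReAuthPeriod under min_reauth is the aggressive timer the reply warns against."""
    findings = {}
    for port, info in ports.items():
        notes = []
        if info.get("Port Status") == "AUTHORIZED" and info.get("Authorized By") == "Guest-Vlan":
            notes.append("guest-vlan fallback (VLAN %s)" % info.get("Vlan Policy"))
        # value looks like '60 (Locally configured)'; keep only the leading number
        period = int(info.get("ReAuthPeriod", "0").split()[0])
        if 0 < period < min_reauth:
            notes.append("reauth-period %d below %d" % (period, min_reauth))
        findings[port] = notes
    return findings
```

Feeding the full output of all four FastEthernet ports to parse_dot1x and then classify gives a quick list of which ports need a "shutdown / no shutdown" after a DSL retrain.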