Dot1x re-auth issue

ncs
Level 1

Hi, we hope someone is "shark" enough to assist us in this little quest.

We use a setup consisting of a Windows RADIUS server, 200+ Cisco 877W supplicants and Windows 7 / XP clients.

The setup works but we have a seriously irritating issue when the router is restarted.

When the user reboots the Cisco 877W with a PC connected, the DSL line needs to train before the authentication may be completed. This retrain may in some situations last for several minutes.

The result is often that the authentication fails and the Cisco (as supplicant) takes the port down administratively instead of granting access to the guest VLAN.

In the (anonymized) "show running" below, you will see that VLAN 40 is the trusted VLAN and VLAN 1 is the guest VLAN. We also supplied a "show dot1x interface x details" for an authorized and a non-authorized Ethernet port.

A "shutdown / no shutdown" on the port restarts the authentication correctly, enabling either trusted or guest VLAN access, as does a disconnect/reconnect of the cable or toggling wireless off/on on the PC.

We tried setting the "ReauthPeriod" to as little as 30 seconds without much success (port is down, thus nothing is communicated to the client).

If the DSL needs to retrain for some reason, having the re-auth set to 30 seconds destroys the authentication, leaving the PC in VLAN 1 with an IP address matching VLAN 40, rendering the connection useless even for Internet access.

Also, packet loss or RADIUS stress may disconnect the user if re-auth is impossible; therefore we find that the default re-auth setting of 3600 seconds (or even higher) seems more appropriate.

Are we missing a setting, or is it simply required to have the users reconnect their PC if the DSL connection drops or the router is restarted?

---------------------------------------------------------------------------------------------------------------------

RouterXXX#sh run
Building configuration...

Current configuration : 6122 bytes
!
! Last configuration change at 13:36:43 CET Fri Feb 3 2012 by XXXX
! NVRAM config last updated at 13:36:46 CET Fri Feb 3 2012 by XXXX
!
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname RouterXXX
!
boot-start-marker
boot-end-marker
!
vrf definition VRFDEF
 description VRFDEF radius authentication for dot1x
 !
 address-family ipv4
 exit-address-family
!
logging message-counter syslog
logging buffered 51200 warnings
logging console informational
enable secret 5 XXXXXX
!
aaa new-model
!
!
aaa group server radius radius-group
 server xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813
 server xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813
 ip vrf forwarding VRFDEF
 ip radius source-interface BVI40
!
aaa authentication login default local
aaa authentication login eap_methods group radius-group
aaa authentication dot1x default group radius-group
!
!
aaa session-id common
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
dot11 syslog
!
dot11 ssid ADM
 vlan 40
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
 mbssid guest-mode
!
dot11 ssid PUB
 vlan 1
 authentication open
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 7 XXXXX
!
ip source-route
ip dhcp excluded-address 192.168.1.1 192.168.1.9
ip dhcp excluded-address 192.168.1.100 192.168.1.255
!
ip dhcp pool surf-pool
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   domain-name xx.xxxx.xx
   dns-server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
   lease 2
!
!
ip cef
ip domain name xx.xxxx.xx
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
!
!
dot1x system-auth-control
!
!
username xxxx privilege 15 secret 5 xxxxxxxx
!
!
!
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
interface ATM0
 no ip address
 no logging event link-status
 no atm ilmi-keepalive
 dsl operating-mode adsl2+
 dsl enable-training-log
!
interface ATM0.1 point-to-point
 pvc 0/101
  encapsulation aal5snap
 !
 bridge-group 100
!
interface ATM0.2 point-to-point
 vrf forwarding VRFDEF
 pvc 0/32
  encapsulation aal5snap
 !
 bridge-group 40
!
interface FastEthernet0
 switchport access vlan 40
 dot1x pae authenticator
 dot1x port-control auto
 dot1x control-direction in
 dot1x timeout quiet-period 5
 dot1x timeout reauth-period 60
 dot1x timeout tx-period 5
 dot1x timeout supp-timeout 3
 dot1x reauthentication
 dot1x auth-fail vlan 1
 dot1x guest-vlan 1
!
interface FastEthernet1
 switchport access vlan 40
 dot1x pae authenticator
 dot1x port-control auto
 dot1x control-direction in
 dot1x timeout quiet-period 5
 dot1x timeout reauth-period 60
 dot1x timeout tx-period 5
 dot1x timeout supp-timeout 3
 dot1x reauthentication
 dot1x auth-fail vlan 1
 dot1x guest-vlan 1
!
interface FastEthernet2
 switchport access vlan 40
 dot1x pae authenticator
 dot1x port-control auto
 dot1x control-direction in
 dot1x timeout quiet-period 5
 dot1x timeout reauth-period 60
 dot1x timeout tx-period 5
 dot1x timeout supp-timeout 3
 dot1x reauthentication
 dot1x auth-fail vlan 1
 dot1x guest-vlan 1
!
interface FastEthernet3
 switchport access vlan 40
 dot1x pae authenticator
 dot1x port-control auto
 dot1x control-direction in
 dot1x timeout quiet-period 5
 dot1x timeout supp-timeout 3
 dot1x max-req 5
 dot1x reauthentication
 dot1x auth-fail vlan 1
 dot1x guest-vlan 1
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 40 mode ciphers aes-ccm
 !
 encryption vlan 1 mode ciphers tkip
 !
 broadcast-key vlan 40 change 30
 !
 broadcast-key vlan 1 change 30
 !
 !
 ssid ADM
 !
 ssid PUB
 !
 mbssid
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.40
 encapsulation dot1Q 40
 no cdp enable
 bridge-group 40
 bridge-group 40 subscriber-loop-control
 bridge-group 40 spanning-disabled
 bridge-group 40 block-unknown-source
 no bridge-group 40 source-learning
 no bridge-group 40 unicast-flooding
!
interface Vlan1
 no ip address
 bridge-group 1
!
interface Vlan40
 vrf forwarding VRFDEF
 no ip address
 bridge-group 40
!
interface Dialer0
 no ip address
 no cdp enable
!
interface BVI1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface BVI40
 vrf forwarding VRFDEF
 mtu 1500
 ip address dhcp hostname XXXX
!
interface BVI100
 mac-address xxxx.xxxx.xxxx.xxxx
 ip address dhcp hostname XXXX
 ip nat outside
 ip virtual-reassembly
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface BVI100 overload
!
ip access-list standard SSH_ACCESS_IN
 permit xxx.xxx.xxx.xxx
 deny   any
!
logging trap debugging
logging origin-id ip
logging xxx.xxx.xxx.xxx
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 10 permit xxx.xxx.xxx.xxx
no cdp run
!
!
!
snmp-server community XXXX RO 10
radius-server attribute 32 include-in-access-req format %h
radius-server host xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813 key 7 XXXX
radius-server host xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813 key 7 XXXX
radius-server vsa send accounting
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 40 protocol ieee
bridge 40 route ip
bridge 100 protocol ieee
bridge 100 route ip
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class SSH_ACCESS_IN in
 privilege level 15
 transport input ssh
!
scheduler max-task-time 5000
ntp server xxx.xxx.xxx.xxx
end

-------------------------------------------------------------------------------

Non-Authorized port:

RouterXXX#sh dot1x interface fa2 details
Dot1x Info for FastEthernet2
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = In
HostMode                  = MULTI_HOST
ReAuthentication          = Enabled
QuietPeriod               = 5
ServerTimeout             = 0
SuppTimeout               = 3
ReAuthPeriod              = 60 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 5
RateLimitPeriod           = 0
Auth-Fail-Vlan            = 1
Auth-Fail-Max-attempts    = 3
Guest-Vlan                = 1
Dot1x Authenticator Client List Empty
Port Status               = AUTHORIZED
Authorized By             = Guest-Vlan
Vlan Policy               = 1

---------------------------------------------------------------------------------

Authorized port:

RouterXXX#show dot1x interface fa3 details
Dot1x Info for FastEthernet3
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = In
HostMode                  = MULTI_HOST
ReAuthentication          = Enabled
QuietPeriod               = 5
ServerTimeout             = 0
SuppTimeout               = 3
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 5
TxPeriod                  = 30
RateLimitPeriod           = 0
Auth-Fail-Vlan            = 1
Auth-Fail-Max-attempts    = 3
Guest-Vlan                = 1
Dot1x Authenticator Client List
-------------------------------
Supplicant                = xxxx.xxxx.xxxx
        Auth SM State     = AUTHENTICATED
        Auth BEND SM Stat = IDLE
Port Status               = AUTHORIZED
ReAuthPeriod              = 3600
ReAuthAction              = Reauthenticate
TimeToNextReauth          = 1438
Authentication Method     = Dot1x
Authorized By             = Authentication Server
Vlan Policy               = N/A

Any and all clues are highly appreciated, thanks in advance.

/Niels
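The two "show dot1x interface ... details" outputs above are the quickest way to tell which of the 200+ routers have a port that fell back to the guest VLAN after a retrain. The script below is an added example for this thread (not code from the original poster or from Cisco): it parses that output format into a dict, flags ports whose "Authorized By" is "Guest-Vlan", and computes how long the authenticator waits for an EAPOL reply before guest-VLAN placement. The sample outputs are abbreviated copies of the two pasted above; the formula (max-reauth-req + 1) x tx-period, with "ReAuthMax" taken as max-reauth-req, is the usual IOS guest-VLAN behaviour and is an assumption, not something the thread states.

```python
"""Parse 'show dot1x interface <port> details' and report ports that ended up in the guest VLAN.

Added example for this thread, not from the original poster or Cisco. Samples are
abbreviated copies of the thread's two show outputs (MAC anonymised by the poster).
"""
import re

SHOW_FA2 = """\
Dot1x Info for FastEthernet2
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ReAuthentication          = Enabled
ReAuthPeriod              = 60 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 5
Auth-Fail-Vlan            = 1
Guest-Vlan                = 1
Dot1x Authenticator Client List Empty
Port Status               = AUTHORIZED
Authorized By             = Guest-Vlan
Vlan Policy               = 1
"""

SHOW_FA3 = """\
Dot1x Info for FastEthernet3
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ReAuthentication          = Enabled
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 5
TxPeriod                  = 30
Auth-Fail-Vlan            = 1
Guest-Vlan                = 1
Dot1x Authenticator Client List
-------------------------------
Supplicant                = xxxx.xxxx.xxxx
        Auth SM State     = AUTHENTICATED
        Auth BEND SM Stat = IDLE
Port Status               = AUTHORIZED
ReAuthPeriod              = 3600
ReAuthAction              = Reauthenticate
TimeToNextReauth          = 1438
Authentication Method     = Dot1x
Authorized By             = Authentication Server
Vlan Policy               = N/A
"""

KEY_VALUE = re.compile(r"^\s*([A-Za-z][\w -]*?)\s*=\s*(.*?)\s*$")
TRAILING_NOTE = re.compile(r"\s*\([^)]*\)$")   # strips e.g. " (Locally configured)"


def parse_dot1x_details(text):
    """Return the 'Key = Value' fields as a dict. The first occurrence wins, so the
    port-level ReAuthPeriod is kept rather than the per-client repeat further down."""
    info = {}
    m = re.search(r"Dot1x Info for (\S+)", text)
    if m:
        info["Interface"] = m.group(1)
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if not m:
            continue
        info.setdefault(m.group(1).strip(), TRAILING_NOTE.sub("", m.group(2)))
    return info


def guest_vlan_window(info):
    """Seconds without any EAPOL reply before IOS moves the port to the guest VLAN:
    (max-reauth-req + 1) * tx-period. Assumed IOS behaviour, not stated in the thread."""
    return (int(info["ReAuthMax"]) + 1) * int(info["TxPeriod"])


def classify_port(text):
    """Summarise one port: how it was authorized and how aggressive its timers are."""
    info = parse_dot1x_details(text)
    return {
        "interface": info.get("Interface"),
        "port_status": info.get("Port Status"),
        "authorized_by": info.get("Authorized By"),
        "vlan": info.get("Vlan Policy"),
        "in_guest_vlan": info.get("Authorized By") == "Guest-Vlan",
        "guest_window_s": guest_vlan_window(info),
        "reauth_period_s": int(info["ReAuthPeriod"]),
    }


if __name__ == "__main__":
    for report in (classify_port(SHOW_FA2), classify_port(SHOW_FA3)):
        print(report)
```

With the poster's Fa2 timers (tx-period 5, ReAuthMax 2) the guest-VLAN decision is made after only 15 seconds of silence, against 90 seconds for Fa3 at the default tx-period; both are far shorter than a multi-minute DSL retrain, which is why a port that comes up during training cannot end anywhere but the guest VLAN until it is bounced.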

1 Reply

Hi Niels,

As you have rightly pointed out, the problem is that the PC comes up first and straightaway sends the EAPOL frame to the switch, and because the switch cannot reach the RADIUS server (the DSL line is still training) it forces the port into VLAN 1.

Unfortunately, IMHO this is a limitation of DSL lines: sometimes they take several minutes to train.

AFAIK you can't tell the router to advise the PC to send the frame a bit later, and also you are using a router which doesn't have the err-disable recovery mechanism that switches have.

Also, I would suggest you use the dot1x config below. It's pretty stable. Setting the re-auth period to a low value is not recommended. Once the PC is authenticated, the only time it should reauthenticate is when the ARP entry on the router is about to expire; otherwise I see no reason why it should keep reauthenticating every now and then.

dot1x pae authenticator
dot1x port-control auto
dot1x timeout reauth-period 14400
dot1x timeout tx-period 15
dot1x max-req 5
dot1x reauthentication
dot1x auth-fail vlan 1
dot1x guest-vlan 1

There are heaps of dot1x timers, but they are there to circumvent issues, not to create one (telling the PC to send the frame a bit later), if you know what I mean.

We can see what other experts have to say.

See if you can get a frame link or something.

HTH

Kishore
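Applying the reply's recommended timers across 200+ routers is easier to get right if the running configs are checked mechanically before and after the change. The following is an added example for this thread (not the poster's or Cisco's code): it splits an IOS running-config into interface stanzas, fills in the IOS dot1x defaults for timers that are not set on the port, and reports every dot1x-enabled port whose reauth-period, tx-period or max-req is below the values Kishore recommends above. The config fragment is constructed from the thread's anonymised "show run" with the one-space indentation IOS prints restored; the defaults table (reauth-period 3600, tx-period 30, max-req 2, max-reauth-req 2, quiet-period 60, supp-timeout 30, server-timeout 30) and the guest-VLAN window formula are assumptions about this platform, not facts from the thread.

```python
"""Audit the dot1x timers of every switch port in an IOS running-config.

Added example for this thread, not from the poster or from Cisco. The config text is
constructed from the thread's anonymised 'show run'; DEFAULTS are the assumed IOS
defaults and RECOMMENDED are the values the reply suggests.
"""
import re

RUNNING_CONFIG = """\
interface FastEthernet0
 switchport access vlan 40
 dot1x pae authenticator
 dot1x port-control auto
 dot1x control-direction in
 dot1x timeout quiet-period 5
 dot1x timeout reauth-period 60
 dot1x timeout tx-period 5
 dot1x timeout supp-timeout 3
 dot1x reauthentication
 dot1x auth-fail vlan 1
 dot1x guest-vlan 1
!
interface FastEthernet3
 switchport access vlan 40
 dot1x pae authenticator
 dot1x port-control auto
 dot1x control-direction in
 dot1x timeout quiet-period 5
 dot1x timeout supp-timeout 3
 dot1x max-req 5
 dot1x reauthentication
 dot1x auth-fail vlan 1
 dot1x guest-vlan 1
!
interface Dot11Radio0
 no ip address
!
"""

# IOS dot1x defaults used when a timer is not set on the port (assumed).
DEFAULTS = {"quiet-period": 60, "tx-period": 30, "supp-timeout": 30, "server-timeout": 30,
            "reauth-period": 3600, "max-req": 2, "max-reauth-req": 2}

# Values recommended in the reply.
RECOMMENDED = {"reauth-period": 14400, "tx-period": 15, "max-req": 5}


def parse_interfaces(config_text):
    """Map interface name -> list of its sub-commands (the lines IOS indents by one space)."""
    stanzas, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None          # "!" or a global command ends the stanza
    return stanzas


def dot1x_settings(commands):
    """Effective dot1x timers/counters for one port, defaults filled in; None if dot1x is off."""
    if "dot1x port-control auto" not in commands:
        return None
    s = dict(DEFAULTS)
    s["reauthentication"] = "dot1x reauthentication" in commands
    for cmd in commands:
        m = re.match(r"dot1x timeout (\S+) (\d+)$", cmd)
        if m:
            s[m.group(1)] = int(m.group(2))
            continue
        m = re.match(r"dot1x (max-req|max-reauth-req) (\d+)$", cmd)
        if m:
            s[m.group(1)] = int(m.group(2))
    return s


def audit_dot1x(config_text):
    """Return {interface: [finding, ...]} for every dot1x-enabled port; [] means clean."""
    findings = {}
    for name, commands in parse_interfaces(config_text).items():
        s = dot1x_settings(commands)
        if s is None:
            continue
        issues = []
        if s["reauthentication"] and s["reauth-period"] < RECOMMENDED["reauth-period"]:
            issues.append(f"reauth-period {s['reauth-period']}s: a DSL retrain longer than this "
                          f"tears the session down; reply recommends {RECOMMENDED['reauth-period']}")
        if s["tx-period"] < RECOMMENDED["tx-period"]:
            # guest-VLAN fallback after (max-reauth-req + 1) * tx-period seconds (assumed IOS behaviour)
            issues.append(f"tx-period {s['tx-period']}s: guest-VLAN fallback after only "
                          f"{(s['max-reauth-req'] + 1) * s['tx-period']}s without an EAPOL reply")
        if s["max-req"] < RECOMMENDED["max-req"]:
            issues.append(f"max-req {s['max-req']}: few EAP retries before the attempt fails")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit_dot1x(RUNNING_CONFIG).items():
        print(port, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

Run against the poster's config this flags FastEthernet0 on all three counts and FastEthernet3 only for its (default) 3600-second reauth-period; the wireless interface is skipped because it has no "dot1x port-control auto". The same function can be run over a directory of saved configs to confirm the fleet-wide change landed everywhere.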
