04-25-2014 12:08 AM - edited 03-07-2019 07:13 PM
Hi all,
We have configured MAB on the access-ports of our switches. When the port is authenticated the switch puts it in vlan 10, otherwise the port goes into vlan 20, the guest vlan.
switchport mode access
switchport nonegotiate
switchport port-security maximum 5
switchport port-security
switchport port-security violation restrict
load-interval 30
authentication event fail action authorize vlan 20
authentication event server dead action authorize vlan 10
authentication event no-response action authorize vlan 20
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 3
dot1x timeout tx-period 3
dot1x max-req 1
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action shutdown
storm-control action trap
no cdp enable
no cdp tlv server-location
no cdp tlv app
spanning-tree portfast
Everything works fine until the switch reboots. After the switch comes back up, the ports stay in the guest vlan.
Only after running the command "clear authentication sessions" are the machines behind the ports re-authenticated.
I have tried to configure an event manager applet, but after the reload this doesn't help.
event manager applet onboot
 ! "@reboot" is not valid here: an EEM cron-entry takes only the five standard crontab fields.
 ! A countdown timer fires once, 120 seconds after the applet is registered during boot,
 ! which replaces both the cron entry and the separate "wait 120" action.
 event timer countdown time 120
 action 1.10 cli command "enable"
 ! the IOS command is "clear authentication sessions" (plural, no trailing space)
 action 1.20 cli command "clear authentication sessions"
 action 1.30 syslog msg "cleared auth sessions"
!
Is there anything wrong with our port configuration? And why is the EEM applet not working as it should?
All suggestions are welcome.
Thanks,
Best Regards,
Joris
04-25-2014 01:53 AM
Hi Joris,
First of all, you should not mix 802.1X and port security.
Remove the lines:
switchport port-security maximum 5
switchport port-security
switchport port-security violation restrict
Periodic reauthentication with MAB does not work. As long as the interface is up, the session remains. So why reauthentication?
How long is your timeout for the RADIUS server?
The problem is that if you reboot the switch, the management interface is down while the ports are already up. By adjusting the timer you can solve this issue. I think... trial and error.
"radius-server timeout xxx"
Hope it helps
Horst
04-25-2014 03:13 AM
Hello Horst,
Thanks for your feedback. I have removed the port-security lines.
The radius-server timeout is set to 10. I'll test some different settings.
I hope I can remove the event manager applet as well.
Best Regards,
Joris
04-25-2014 04:45 AM
Hello Horst,
I tried different settings for the radius-server timeout, but nothing seems to work.
When I reboot the switch the port stays in vlan 20.
When I remove the line "authentication event no-response action authorize vlan 20", the switch puts the port in vlan 1.
After a "clear authentication sessions", both ports are put in vlan 10.
So my guess is that the issue is related to the RADIUS server not giving any response after a reboot. Are there other parameters I can set to retry MAB after a reload?
Thanks,
Joris
04-29-2014 12:06 AM
Hi Joris,
try this line: authentication event server alive action reinitialize
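Putting the thread's advice together, here is an added example (not part of any post above) of the global RADIUS and interface configuration the discussion points to. It keeps Joris's VLAN 10/20 scheme and timers, drops port security and `authentication periodic` as Horst suggested, adds the `server alive` reinitialize line, and adds the dead-server detection that the `server dead` / `server alive` events depend on. The interface name, the server address 192.0.2.10 and the `<shared-secret>` placeholder are assumptions for illustration; the `aaa`/`dot1x system-auth-control` lines are standard prerequisites the original post did not show.

```cisco
! --- global prerequisites for 802.1X/MAB (not shown in the original post) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
! 192.0.2.10 and <shared-secret> are placeholders (assumption, not from the thread)
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <shared-secret>
radius-server timeout 10
! Without dead-criteria and deadtime the switch never marks a server dead, so the
! "server dead" fallback and the "server alive" reinitialize below never trigger.
! With this setting the server is declared dead after 3 unanswered tries within 10 s,
! and is probed again after 5 minutes.
radius-server dead-criteria time 10 tries 3
radius-server deadtime 5
!
! --- access port (interface name is an assumption) ---
interface GigabitEthernet1/0/1
 switchport mode access
 switchport nonegotiate
 ! port-security lines removed: they conflict with 802.1X/MAB session handling
 ! authentication periodic removed: a MAB session stays up as long as the link does
 authentication event fail action authorize vlan 20
 ! Caveat: server dead -> vlan 10 is fail-open. Hosts that were never authenticated
 ! land in the production VLAN while RADIUS is unreachable. Kept as in the thread;
 ! point this at a restricted VLAN if that is not acceptable in your environment.
 authentication event server dead action authorize vlan 10
 ! the fix from this thread: when RADIUS answers again, re-run MAB on ports that were
 ! authorized into a fallback VLAN instead of leaving them there until the next clear
 authentication event server alive action reinitialize
 authentication event no-response action authorize vlan 20
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 3
 dot1x timeout tx-period 3
 dot1x max-req 1
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action shutdown
 storm-control action trap
 no cdp enable
 spanning-tree portfast
```

After a reload, `show aaa servers` shows whether the switch currently considers the RADIUS server dead or alive, and `show authentication sessions interface GigabitEthernet1/0/1` shows which event (fail, no-response, server dead) placed a port in its current VLAN and whether it was reinitialized once the server came back.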