4500 802.1x EAP behavior

  • Problem
  • Updated 3 months ago
  • Solved
We have a 4500 switch running SW:v5.11.1.101

When we connect an 802.1x client, the switch is sending a new authentication request every 30 seconds.

We can increase this time by modifying this in the config from the default of 30:

eapol port 27-28 supplicant-timeout 3600

We do not see this same behavior on a 4800 or 4900 with the same 30 second default.

Is this a known difference or bug in the 4500 code?

Anyone see a problem with setting this to 3600 as a default?
Brian Holmes

Posted 4 months ago

Martin Sebek
Hello Brian,

Are you sure you are running 5.11 on ERS 4500? Until today I thought the last version for these switches is 5.7.3. The release notes for the version 5.11.2 say that supported platforms are all 4800 models.

Regards,
Martin Sebek
Robert Haynes, Employee
Brian - Martin is correct. The 45xx platform final code is 5.7.3. 4800/4900 are 5.11+ capable.

However, your symptomatic issue tied to defaults suggests you have multihost enabled on the port and mac-max > 1. If there is only one device on the port with mac-max > 1, the switch will send Identity requests every timeout=30s. This causes the existing authenticated client to reconnect unnecessarily.

Either set mac-max = 1, tweak timeouts to >30s (but definitely not 1h) so the re-auth isn't as disruptive to existing clients, or disable multihost on those ports. The latter stops the switch from 'soliciting' clients every xx seconds using EAPOL Identity. It expects clients to send EAPOL Start to begin the EAP process and relies on client-side timers to handle any issues/timeouts, etc.
Brian Holmes

Sorry. We are running 5.7.3.031. Setting mac-max back to 1 fixes the issue. Thanks
Robert Haynes, Employee
For the record:

Global config:
eapol multihost eap-packet-mode unicast

Port config:
eapol multihost port 1/ALL,2/ALL,3/ALL,4/ALL enable eap-mac-max 2 allow-non-eap-enable radius-non-eap-enable non-eap-phone-enable use-radius-assigned-vlan non-eap-use-radius-assigned-vlan eap-packet-mode unicast mac-max 2

The above configuration changes the behavior of the switch in EAP/NEAP modes to no longer solicit for clients on the ports by sending an EAPOL Identity request. This solicitation has the negative effect of forcing any existing clients to re-authenticate. As clients/switches scale, this can become a problem with several dozens/hundreds of clients re-authenticating continuously subject to the supplicantTimeout = 30s default.
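As an added illustration (not part of the thread, and not Extreme/Avaya code), the following Python audit reads ERS-style eapol lines like the ones quoted above and reports ports that match the symptom Robert describes: multihost enabled, mac-max > 1, and eap-packet-mode not set to unicast, so the switch will solicit with EAPOL Identity requests every supplicant-timeout seconds and force re-authentication. It also flags a supplicant-timeout of 3600 s, which the thread advises against. The sample config is constructed; the unit/port and ALL range syntax, the 48-ports-per-unit figure, and the assumption that the packet mode defaults to multicast when neither the global nor the port command sets unicast are assumptions of this example, not statements from the thread.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_SUPPLICANT_TIMEOUT = 30          # seconds, the default the thread describes
ASSUMED_DEFAULT_PACKET_MODE = "multicast"  # assumption: the thread's fix sets 'unicast' explicitly

# Constructed sample config, modelled on the commands quoted in the thread.
SAMPLE_CONFIG = """\
eapol multihost port 1/ALL enable eap-mac-max 2 allow-non-eap-enable mac-max 2
eapol multihost port 2/27-28 enable eap-mac-max 2 eap-packet-mode unicast mac-max 2
eapol multihost port 2/29-30 enable mac-max 1
eapol port 2/27-28 supplicant-timeout 3600
"""


@dataclass
class PortState:
    multihost: bool = False
    mac_max: int = 1
    packet_mode: Optional[str] = None   # None = inherit the global eap-packet-mode
    supplicant_timeout: int = DEFAULT_SUPPLICANT_TIMEOUT


def expand_ports(spec, ports_per_unit=48):
    """Expand 'unit/port' lists such as '1/ALL,2/27-28' into port names.
    The syntax handled here (unit/port, a-b ranges, ALL) is an assumption."""
    names = []
    for item in spec.split(","):
        unit = None
        if "/" in item:
            unit, item = item.split("/", 1)
        if item.upper() == "ALL":
            rng = range(1, ports_per_unit + 1)
        elif "-" in item:
            lo, hi = item.split("-")
            rng = range(int(lo), int(hi) + 1)
        else:
            rng = [int(item)]
        names.extend(f"{unit}/{p}" if unit else str(p) for p in rng)
    return names


def parse_config(text):
    """Return ({port: PortState}, global_packet_mode) from eapol config lines."""
    ports = {}
    global_mode = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] != "eapol":
            continue
        if tokens[1:3] == ["multihost", "eap-packet-mode"]:
            global_mode = tokens[3]
        elif tokens[1:3] == ["multihost", "port"]:
            rest = tokens[4:]
            for port in expand_ports(tokens[3]):
                state = ports.setdefault(port, PortState())
                for i, tok in enumerate(rest):
                    if tok == "enable":
                        state.multihost = True
                    elif tok == "mac-max":          # exact match; 'eap-mac-max' is a different keyword
                        state.mac_max = int(rest[i + 1])
                    elif tok == "eap-packet-mode":
                        state.packet_mode = rest[i + 1]
        elif tokens[1] == "port" and "supplicant-timeout" in tokens:
            timeout = int(tokens[tokens.index("supplicant-timeout") + 1])
            for port in expand_ports(tokens[2]):
                ports.setdefault(port, PortState()).supplicant_timeout = timeout
    return ports, global_mode


def audit(text):
    """Return (port, kind, message) findings for the re-authentication symptom."""
    ports, global_mode = parse_config(text)
    findings = []
    for name, st in sorted(ports.items()):
        mode = st.packet_mode or global_mode or ASSUMED_DEFAULT_PACKET_MODE
        if st.multihost and st.mac_max > 1 and mode != "unicast":
            findings.append((name, "solicit",
                             f"multihost with mac-max {st.mac_max} and eap-packet-mode {mode}: "
                             f"switch solicits with EAPOL Identity every {st.supplicant_timeout}s, "
                             "forcing authenticated clients to re-authenticate"))
        if st.supplicant_timeout >= 3600:
            findings.append((name, "timeout",
                             f"supplicant-timeout {st.supplicant_timeout}s hides the symptom "
                             "but the thread advises against a 1h value"))
    return findings


if __name__ == "__main__":
    for port, kind, msg in audit(SAMPLE_CONFIG):
        print(f"{port:6} {kind:8} {msg}")
```

Run against the sample, every port of unit 1 is reported as soliciting every 30 s, ports 2/27-28 are clean on that check because of the per-port unicast setting but are flagged for the 3600 s timeout, and 2/29-30 produce nothing because mac-max is 1, which matches Brian's fix.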