802.1x Supplicant is Constantly Reauthenticating in DFE LAG Environment

  • Updated 5 years ago
Article ID: 11537 

Matrix N-Series DFE 

Configured for 802.1x authentication ('set dot1x...').
Acting as a core device, connected into the network via 802.3ad Dynamic or Static LAGs. 

Dot1x supplicants are constantly re-authenticating, per 'show dot1x auth-session-stats <port#>' output. 

The LAG group ports are originating EAPOL Request Identity frames (5532). This in turn is caused by the underlying ports in the LAG being correctly configured for forced-auth (10283) while the LAG is incorrectly left at the default auto state. 

Set the LAG aggregator instance to forced-auth:
set dot1x auth-config authcontrolled-portcontrol forced-auth lag.0.x

If authenticating multiple users per port, set multi-authentication the same way:
set multiauth port mode force-auth lag.0.x
The exception is when RADIUS Snooping is in use. In that case use "multiauth auth-opt" (e.g. 'set multiauth port mode auth-opt lag.0.x') for Snooping ports, as advised in 11759.
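
To check a saved configuration for the mismatch described above, the following added example (not Enterasys code and not part of the original article) looks at the two 'set' command forms quoted here and reports any aggregator that is not set as advised. It assumes the config is plain text with one port string per line (no port ranges) and that the operator supplies the list of LAG instances; the function name, its parameters and the sample config are constructed for illustration.

```python
import re

# Patterns built from the two command forms quoted in the article.
DOT1X = re.compile(r"^set dot1x auth-config authcontrolled-portcontrol (\S+) (\S+)$")
MULTIAUTH = re.compile(r"^set multiauth port mode (\S+) (\S+)$")

# Constructed sample: member ports and lag.0.2 are set, lag.0.1 was forgotten,
# lag.0.3 is a RADIUS Snooping port left at force-auth instead of auth-opt.
SAMPLE_CONFIG = """
set dot1x auth-config authcontrolled-portcontrol forced-auth ge.1.1
set dot1x auth-config authcontrolled-portcontrol forced-auth ge.1.2
set dot1x auth-config authcontrolled-portcontrol forced-auth lag.0.2
set dot1x auth-config authcontrolled-portcontrol forced-auth lag.0.3
set multiauth port mode force-auth lag.0.2
set multiauth port mode force-auth lag.0.3
"""

def audit_lags(config_text, lags, multi_user=False, snooping=()):
    """Return {lag: [findings]} for aggregators not set as the article advises.

    lags       -- aggregator port strings to check (hypothetical operator input)
    multi_user -- True if multiple users authenticate per port
    snooping   -- aggregators used as RADIUS Snooping ports (auth-opt expected)
    """
    dot1x, multiauth = {}, {}
    for line in config_text.splitlines():
        line = " ".join(line.split())  # normalise whitespace
        if m := DOT1X.match(line):
            dot1x[m.group(2)] = m.group(1)
        elif m := MULTIAUTH.match(line):
            multiauth[m.group(2)] = m.group(1)

    findings = {}
    for lag in lags:
        problems = []
        # No explicit line means the aggregator is still at the default "auto".
        state = dot1x.get(lag, "auto")
        if state != "forced-auth":
            problems.append(f"dot1x portcontrol is {state}, expected forced-auth")
        if multi_user:
            want = "auth-opt" if lag in snooping else "force-auth"
            mode = multiauth.get(lag, "not set")
            if mode != want:
                problems.append(f"multiauth mode is {mode}, expected {want}")
        if problems:
            findings[lag] = problems
    return findings
```

Each reported aggregator is corrected with the matching 'set' command from this article.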

See also: 5882.

FAQ User, Official Rep


Posted 5 years ago
