Solved

NAC failing since update from 31.1.1.3 to 31.2.1.1

  • 9 February 2021
  • 9 replies
  • 287 views

I recently tested the new EXOS firmware 31.2.1.1 on our X440-G2 switches.

After the installation, clients can’t authenticate via dot1x any longer. The RADIUS server reports a timeout. We are using Aruba ClearPass as RADIUS server and get the following log entries when a client tries to authenticate after switching to the new EXOS firmware:

2021-02-09 12:58:41,533 [Th 292 Req 4592433 SessId R000e457a-01-602278f1] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 89:1124:E4-B9-7A-6B-D2-5D:AN0AgwAPAAQxE0YAY3MQG6EEJHvvgMkHsD4u8g==
2021-02-09 12:59:34,466 [main SessId R000e457a-01-602278f1] ERROR RadiusServer.Radius - reqst_clean_list: Deleting request sessid - R000e457a-01-602278f1, state - AN0AgwAPAAQxE0YAY3MQG6EEJHvvgMkHsD4u8g=

 

With version 31.1.1.3 the logs looked like this:

1-02-09 11:22:28,417 [Th 295 Req 4586645 SessId R000e404c-01-60226264] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 97:1124:00-50-B6-F1-30-57:AC0A2ACEAL2V/EUANFOysanzb422Zle7FUh9Lg==
2021-02-09 11:22:28,428 [Th 297 Req 4586646 SessId R000e404c-01-60226264] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "802.1x Auth MS" - 98:247:00-50-B6-F1-30-57

 

This looks like the EXOS switch isn’t answering the “reqst_update_state: Access-Challenge” any longer, so that the RADIUS server reports a timeout ~1 sec later. I can reproduce this error with all 5 different X440-G2 switches I tested and various different clients. As soon as I downgrade to version 31.1.1.3 and reboot the switch, authentication starts working again. MAC auth is working as intended though.

Any idea how to debug this or what could cause the problem?
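
One way to sweep a ClearPass log for the pattern described in the post above, as an added example that is not part of the original thread or of any Extreme or Aruba tooling. The sample lines are constructed in the format quoted in the post, and treating an Access-Challenge followed directly by reqst_clean_list for the same session as "the switch never answered" is the poster's reading, taken here as an assumption.

```python
import re
from datetime import datetime

# Constructed sample lines (session ids, MACs and state values are made up),
# modelled on the log format quoted in the post.
SAMPLE_LOG = """\
2021-02-09 12:58:41,533 [Th 292 Req 1001 SessId R0000aaaa-01-00000001] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 89:1124:AA-BB-CC-00-00-01:c3RhdGUx
2021-02-09 12:59:34,466 [main SessId R0000aaaa-01-00000001] ERROR RadiusServer.Radius - reqst_clean_list: Deleting request sessid - R0000aaaa-01-00000001, state - c3RhdGUx
2021-02-09 11:22:28,417 [Th 295 Req 2001 SessId R0000bbbb-01-00000002] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 97:1124:AA-BB-CC-00-00-02:c3RhdGUy
2021-02-09 11:22:28,428 [Th 297 Req 2002 SessId R0000bbbb-01-00000002] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "802.1x Auth MS" - 98:247:AA-BB-CC-00-00-02
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[.*?SessId (?P<sid>\S+?)\] "
    r"\w+ RadiusServer\.Radius - (?P<func>\w+): (?P<msg>.*)$"
)
MAC = re.compile(r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}")


def find_stalled_challenges(log_text):
    """Return sessions whose last Access-Challenge was cleaned up unanswered."""
    pending = {}  # session id -> (timestamp, client MAC) of the open challenge
    stalled = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        sid, func, msg = m["sid"], m["func"], m["msg"]
        if func == "reqst_update_state" and msg.startswith("Access-Challenge"):
            mac = MAC.search(msg)
            pending[sid] = (ts, mac.group(0) if mac else None)
        elif func == "reqst_clean_list" and sid in pending:
            # Assumption: cleanup right after a challenge means no reply arrived.
            sent, mac = pending.pop(sid)
            stalled.append({"session": sid, "client_mac": mac,
                            "waited_s": (ts - sent).total_seconds()})
        else:
            pending.pop(sid, None)  # any other activity: the exchange moved on
    return stalled


if __name__ == "__main__":
    for hit in find_stalled_challenges(SAMPLE_LOG):
        print(hit)
```

Grouping the returned client MACs by switch and firmware version shows whether the stalls line up with the upgraded units only.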

 


Best answer by Ludovico Stevens 9 February 2021, 14:28

I found the same in our own labs, and raised EXOS-28469. Dot1x is not working with 31.2.

Please open a case with GTAC. I’m not an end-customer, so the Jira I raised is internally raised, and will only get the right priority once a customer reports the issue via GTAC.


Userlevel 6
Badge

Dot1x is not working and Extreme still needs a ticket from a customer to prioritize it? Does Extreme think that no customer is using 802.1x or what? Seriously… 

Userlevel 5

FYI, I just tested the fix, which will be 31.2.1.1-patch1-2 and is expected to be posted around the first week of March.

Thank you very much. As soon as the new version is released, I’ll check if it also works with our ClearPass server and will report back.

We also ran into this bug.

Something must have gone very wrong to allow a version with such a severe bug to be released. You might expect that functionality like 802.1x is tested thoroughly before releasing switch software.

Any news about the patch?

Badge

Can anybody confirm that this has been fixed in 31.2.1-Patch1-5 (I don’t see a 31.2.1.1-patch1-2 available for download)?

The release notes do not mention EXOS-28469, but they do mention this:

 

EXOS-28513 dot1x authentication fails when radius challenge packet contains more attributes in EAP message.

 

Searching the KB for EXOS-28469 only results in this KB: https://extremeportal.force.com/ExtrArticleDetail?an=000093936

But the solution here is to downgrade…

 

Thanks!

Badge

To answer my own question:

After speaking to support, it seems that there is no fix yet. So the only solution so far is to go back to 30.X.

 

Fix is expected for 31.3, but no ETA yet.

Userlevel 6
Badge

Thanks @Fijs for this information. Unlucky for the guys who bought a 5520 switch, which can only run 31.x. In 31.1 802.1x seems to work, but there is an auto-nego bug for 100 Mbit/s connections. :rolling_eyes:

Badge

Just stumbled upon this KB article: https://extremeportal.force.com/ExtrArticleDetail?an=000094775

#confusing :)

Did anyone here have the chance to test dot1x/PEAP in 31.2.1-patch1-5?
