Header Only - DO NOT REMOVE - Extreme Networks

802.1x Supplicant is Constantly Reauthenticating in DFE LAG Environment


Userlevel 3
Article ID: 11537

Products
Matrix N-Series DFE

Changes
Configured for 802.1x authentication ('set dot1x...').
Acting as a core device, connected into the network via 802.3ad Dynamic or Static LAGs.

Symptoms
Dot1x supplicants are constantly re-authenticating, per 'show dot1x auth-session-stats <port#>' output.

Cause
The LAG group ports are originating EAPOL Request Identity frames (5532). This in turn is caused by the underlying ports in the LAG being correctly configured for forced-auth (10283) while the LAG is incorrectly left at the default auto state.

Solution/Workaround
Set the LAG aggregator instance to forced-auth:
set dot1x auth-config authcontrolled-portcontrol forced-auth lag.0.x

If authenticating multiple users per port, set multi-authentication the same way:
set multiauth port mode force-auth lag.0.x
The exception to this is if RADIUS Snooping is being used, in which case use "multiauth auth-opt" (e.g. 'set multiauth port mode auth-opt lag.0.x') for Snooping ports as advised in 11759.

See also: 5882.

0 replies

Be the first to reply!

Reply