Article ID: 11537
Matrix N-Series DFE
Configured for 802.1x authentication ('set dot1x...').
Acting as a core device, connected into the network via 802.3ad Dynamic or Static LAGs.
Dot1x supplicants are constantly re-authenticating, per 'show dot1x auth-session-stats <port#
The LAG group ports are originating EAPOL Request Identity frames (5532
). This in turn is caused by the underlying ports in the LAG being correctly configured for forced-auth (10283
) while the LAG is incorrectly left at the default auto state.
Set the LAG aggregator instance to forced-auth:
set dot1x auth-config authcontrolled-portcontrol forced-auth lag.0.x
If authenticating multiple users per port, set multi-authentication the same way:
set multiauth port mode force-auth lag.0.x
The exception to this is if RADIUS Snooping is being used, in which case use "multiauth auth-opt" (e.g. 'set multiauth port mode auth-opt lag.0.x
') for Snooping ports as advised in 11759
See also: 5882