topic RE: 4500 802.1x EAP behavior in ExtremeSwitching (VSP/Fabric Engine)

4500 802.1x EAP behavior

Brian_Holmes — Fri, 22 Jun 2018 18:51:00 GMT

We have a 4500 switch running SW:v5.11.1.101

When we connect an 802.1x client, the switch is sending a new authentication request every 30 seconds.

We can increase this time by modifying this in the config from the default of 30:

eapol port 27-28 supplicant-timeout 3600

We do not see this same behavior on a 4800 or 4900 with the same 30 second default.

Is this a known difference or bug in the 4500 code?

Anyone see a problem with setting this to 3600 as a default?

RE: 4500 802.1x EAP behavior

Martin_Sebek — Fri, 20 Jul 2018 14:22:00 GMT

Hello Brian,

are you sure you are running 5.11 on ERS 4500? Until today I thought the last version for these switches is 5.7.3. The release notes for the version 5.11.2 say that supported platforms are all 4800 models.

Regards,
Martin Sebek

RE: 4500 802.1x EAP behavior

Robert_Haynes — Wed, 25 Jul 2018 18:51:00 GMT

Brian - Martin is correct. The 45xx platform final code is 5.7.3. 4800/4900 are 5.11+ capable.

However your symptomatic issue tied to defaults suggests you have multihost enabled on the port and mac-max > 1. If there is only one device on the port with mac-max > 1 the switch will send Identity requests every timeout=30s. This causes the existing authenticated client to reconnect unnecessarily.

Either mac-max = 1, tweak timeouts >30s but definitely not 1h so the re-auth isn't as disruptive to existing clients or disable multihost on those ports. The latter stops the switch from 'soliciting' clients every xx seconds using EAPOL Identity. It expects clients to send EAPOL Start to begin the EAP process and rely on client-side timers to handle any issues/timeouts, etc.

RE: 4500 802.1x EAP behavior

Brian_Holmes — Thu, 26 Jul 2018 16:30:00 GMT

Sorry. We are running 5.7.3.031. Setting mac-max back to 1 fixes the issue. Thanks

RE: 4500 802.1x EAP behavior

Robert_Haynes — Thu, 26 Jul 2018 22:06:00 GMT

For the record:

Global config:
eapol multihost eap-packet-mode unicast

Port config:
eapol multihost port 1/ALL,2/ALL,3/ALL,4/ALL enable eap-mac-max 2 allow-non-eap-enable radius-non-eap-enable non-eap-phone-enable use-radius-assigned-vlan non-eap-use-radius-assigned-vlan eap-packet-mode unicast mac-max 2

The above configuration changes the behavior of the switch in EAP/NEAP modes to no longer solicit for clients on the ports by sending an EAPOL Identity request. This solicitation has the negative effect of forcing any existing clients to re-authenticate. As clients/switches scale, this can become a problem with several dozens/hundreds of clients re-authenticating continuously subject to the supplicantTimeout = 30s default.