This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ExtremeControl - Issue - Unexpected NEAP ReAuth

ExtremeControl - Issue - Unexpected NEAP ReAuth

Guilhem_Lejeune
New Contributor II

2 weeks ago

Hi,

Devices involved :

  • ExtremeCloud IQ Site Engine version 24.2.15.5
  • ExtremeControl version 24.2.15.5
  • Fabric-Engine 5420F-48P-4XE version 8.10.5
  • Windows PC

Windows PC first authentication is OK (we use 802.1x PEAP MSCHAPv2).

After 10 minutes, ExtremeControl sends RADIUS CoA Disconnect message to reauthenticate the PC.
The problem is, ExtremeControl receive NEAP Access-Request and the PC is placed in quarantine.

Of course, I expect EAP Reauth.

 

Troubleshoot actions done :

  • Deactivate NEAP auth on acces port (on the switch) : OK but we want to keep the port configuration as generic as possible.
  • Force Windows supplicant to do 802.1x EAP only : OK but there are some side effects when the PC is back on a non-NACed network.

 

Maybe CoA message sent from the NAC is malformed ?

Here the reauth parameters for the switch :

Guilhem_Lejeune_1-1727293608632.png

 

Do I have to fix something ?

Regards

0 Kudos
5 REPLIES 5

Configterminal
New Contributor III

Wednesday

I’m curious as to why Control is issuing a CoA after 10 min?  Are you sure there isn’t a reauthentication timer configured directly on the switch? 

0 Kudos

Guilhem_Lejeune
New Contributor II

a week ago

Hi,

Thank you gentlemen for all your comments.
For now, I can tell that both NTP and Shared Secret are all right.

A troubleshoot session is scheduled next Friday. I will share with you what we will find.

See you soon !

Kind regards,

0 Kudos

Ryan_Yacobucci
Extreme Employee

a week ago

Hello,

By default there is a 10 minute session timeout for quarantined devices. 

Right click the NAC --> Engine Settings --> Reauthentication

There is also an "Accept Session Timeout" that can be enabled, has this been enabled? 

I agree with Robert here, it would be a good idea to get a tcpdump of the reauthentication as well as enabling debug for "Reauthentication" and we can take a look at why the initial reauth was issued.

Thanks
-Ryan

Robert_Haynes
Extreme Employee

2 weeks ago

Unclear why CoA is triggered after 10m from initial 802.1x authentication; however yes confirm that Control and switch time are synchronized.

The default for the model you reported is RFC 3576 - Generic CoA Colon Delimited so unclear why it is manually set in override.

This said if the authenticator supports CoA and triggers a re-authentication of the session it should result in a EAPOL Start or ResponseIdentity upstream to the supplicant to trigger 802.1x. Is this happening? Is the client responding to that request? If the client is not then the traffic from the client will be enough to trigger NEAP. Do not know if there is some holddown timer or priority on VOSS to wait for dot1x before moving forward with NEAP.

I always recommend tracing these type of issues if they are reproducible. Client (supplicant) <-> authenticator trace and authenticator <-> Control trace to see the interactions afoot.

GTM-P2G8KFN