
How should the configuration for multiple 802.1x sessions look on x440?


Marek_Konopinsk
New Contributor III

Hi,
I need to configure a switch port for an AP. On the AP I will broadcast a wireless network based on 802.1x authentication.
Probably I should see multiple user netlogin sessions on that port. Now what I see is only 1 policy applied for the access point and many sessions without any policy applied.

It looks like this:

test-switch-11.15 # sh netlog session por 3
Multiple authentication session entries
---------------------------------------

Port : 3 Station address : 00:dc:b2:39:d4:12
Auth status : failed Last attempt : Fri Dec 17 13:03:41 2021
Agent type : dot1x Session applied : false
Server type : radius VLAN-Tunnel-Attr : None
Policy index : 0 Policy name : No Policy applied
Session timeout : 0 Session duration : 0:00:00
Idle timeout : 300 Idle time : 0:00:00
Auth-Override : disabled Termination time : Not Terminated


Port : 3 Station address : 00:dc:b2:39:d4:12
Auth status : success Last attempt : Fri Dec 17 12:57:51 2021
Agent type : mac Session applied : true
Server type : radius VLAN-Tunnel-Attr : None
Policy index : 33 Policy name : 0-ACCESSPOINT Auth (active)
Session timeout : 0 Session duration : 1:14:18
Idle timeout : 300 Idle time : 0:00:00
Auth-Override : disabled Termination time : Not Terminated


Port : 3 Station address : 4c:eb:42:e8:af:e9
Auth status : failed Last attempt : Fri Dec 17 12:27:50 2021
Agent type : dot1x Session applied : false
Server type : radius VLAN-Tunnel-Attr : None
Policy index : 0 Policy name : No Policy applied
Session timeout : 0 Session duration : 0:00:00
Idle timeout : 300 Idle time : 0:00:00
Auth-Override : disabled Termination time : Not Terminated

The access point is authenticated by MAC, and the applied role contains one native VLAN for AP management and multiple egress VLANs.

Additionally, when I'm connecting to the wireless network I'm receiving the proper role on the AP, which my Xtreme Campus controller applies to that connection, but when I'm looking at Xtreme Network Management End systems it looks like after a few minutes my session was deauthenticated by the switch.


I don't know how to fix it to make 802.1x stable and authenticate users only by it.

9 REPLIES

RonaldW
New Contributor II
Hi Marek,

Normally you would not expect your wireless clients to be authenticated on the switch port. This is done by the AP.
Make sure that the "AP Aware" option is enabled on the AP's policy. This should overcome this issue. Now only your AP should be authenticated on the wired.
[Screenshot: AP-Aware.png]
You could prevent the port from reauthenticating by sending an idle timeout attribute:
[Screenshot: AP-Idle.png]
  
- Ronald

I did the first thing and set AP Aware to enabled, but the second thing is harder to set because I don't have that option.
I have Extreme Management Center 8.5.6.17

And, did the first part work? Did you lose the client netlogin sessions?

For the second part, you might need to switch to the advanced view?
It could also be that you'll need to change the "attributes to send", depending on what is configured there.
- Ronald

When I enabled AP Aware, the host couldn't connect to the network. After disabling it, the host connected to the network.

I switched to the advanced view and set Idle-Time, and after that the access points look like they are authenticated, but XCC can't see them.

* test-switch-14.11 # sh netlogin session
Multiple authentication session entries
---------------------------------------

Port : 41 Station address : 00:dc:b2:38:61:1f
Auth status : success Last attempt : Sat Dec 18 21:22:23 2021
Agent type : mac Session applied : true
Server type : radius VLAN-Tunnel-Attr : None
Policy index : 17 Policy name : 0-ACCESSPOINT Auth (active)
Session timeout : 0 Session duration : 0:01:39
Idle timeout : 300 Idle time : 0:00:00
Auth-Override : disabled Termination time : Not Terminated
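
One way to check RonaldW's point (with AP Aware, only the AP should be authenticated on the wired port) against the session output. This is an added example, not part of the original thread or of Extreme's tooling: it parses the layout shown in the posts and lists stations that netlogin has seen on a port but that hold no applied session. The function names are hypothetical, and the parser assumes entries are separated by blank lines as in the posted output.

```python
import re
from collections import defaultdict
# Trimmed copy of the "sh netlog session" output posted in the thread.
SAMPLE = """\
Port : 3 Station address : 00:dc:b2:39:d4:12
Auth status : failed Last attempt : Fri Dec 17 13:03:41 2021
Agent type : dot1x Session applied : false
Policy index : 0 Policy name : No Policy applied

Port : 3 Station address : 00:dc:b2:39:d4:12
Auth status : success Last attempt : Fri Dec 17 12:57:51 2021
Agent type : mac Session applied : true
Policy index : 33 Policy name : 0-ACCESSPOINT Auth (active)

Port : 3 Station address : 4c:eb:42:e8:af:e9
Auth status : failed Last attempt : Fri Dec 17 12:27:50 2021
Agent type : dot1x Session applied : false
Policy index : 0 Policy name : No Policy applied
"""

FIELDS = {
    "port": r"Port\s*:\s*(\S+)",
    "mac": r"Station address\s*:\s*([0-9A-Fa-f:]{17})",
    "status": r"Auth status\s*:\s*(\w+)",
    "agent": r"Agent type\s*:\s*(\w+)",
    "applied": r"Session applied\s*:\s*(\w+)",
    "policy": r"Policy name\s*:\s*(.+)",
}

def parse_sessions(text):
    """Return one dict per session entry; entries are separated by blank lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {k: m.group(1).strip() for k, rx in FIELDS.items() if (m := re.search(rx, block))}
        if "port" in entry and "mac" in entry:   # skips prompt and banner lines
            entries.append(entry)
    return entries

def stations_without_policy(entries):
    """Per port, the MACs netlogin has seen that hold no applied session."""
    seen, applied = defaultdict(set), defaultdict(set)
    for e in entries:
        seen[e["port"]].add(e["mac"])
        if e.get("applied") == "true":
            applied[e["port"]].add(e["mac"])
    return {p: sorted(m - applied[p]) for p, m in seen.items() if m - applied[p]}

if __name__ == "__main__":
    print(stations_without_policy(parse_sessions(SAMPLE)))
```

On the sample, port 3 reports one station behind the AP with no applied session, while the AP's own MAC is excluded because its mac-agent session is applied.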
