i recently tested the new exos firmware 31.2.1.1 on our x440-g2 switches.
after the installation clients can’t authenticate via dot1x any longer. radius server reports a timeout. we are using aruba clearpass as radius server and get the following log entries when a client tries to authenticate after switching to the new exos firmware:
| 2021-02-09 12:58:41,533 | [Th 292 Req 4592433 SessId R000e457a-01-602278f1] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 89:1124:E4-B9-7A-6B-D2-5D:AN0AgwAPAAQxE0YAY3MQG6EEJHvvgMkHsD4u8g== |
| 2021-02-09 12:59:34,466 | [main SessId R000e457a-01-602278f1] ERROR RadiusServer.Radius - reqst_clean_list: Deleting request sessid - R000e457a-01-602278f1, state - AN0AgwAPAAQxE0YAY3MQG6EEJHvvgMkHsD4u8g= |
with version 31.1.1.3 the logs looked like this:
| 1-02-09 11:22:28,417 | [Th 295 Req 4586645 SessId R000e404c-01-60226264] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 97:1124:00-50-B6-F1-30-57:AC0A2ACEAL2V/EUANFOysanzb422Zle7FUh9Lg== |
| 2021-02-09 11:22:28,428 | [Th 297 Req 4586646 SessId R000e404c-01-60226264] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "802.1x Auth MS" - 98:247:00-50-B6-F1-30-57 |
this looks like the exos switch isn’t answering the “reqst_update_state: Access-Challenge” any longer, so that the radius server reports a timeout ~1 sec later. i can reproduce this error with all 5 different x440-g2 switches i tested and various different clients. As soon as i downgrade to version 31.1.1.3 and reboot the switch, authentication starts working again. mac auth is working as intended though.
any idea how to debug this or what could cause the problem?
