Extreme Networks

schuert · ‎02-09-2021

i recently tested the new exos firmware 31.2.1.1 on our x440-g2 switches.

after the installation clients can’t authenticate via dot1x any longer. radius server reports a timeout. we are using aruba clearpass as radius server and get the following log entries when a client tries to authenticate after switching to the new exos firmware:

2021-02-09 12:58:41,533	[Th 292 Req 4592433 SessId R000e457a-01-602278f1] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 89:1124:E4-B9-7A-6B-D2-5D:AN0AgwAPAAQxE0YAY3MQG6EEJHvvgMkHsD4u8g==
2021-02-09 12:59:34,466	[main SessId R000e457a-01-602278f1] ERROR RadiusServer.Radius - reqst_clean_list: Deleting request sessid - R000e457a-01-602278f1, state - AN0AgwAPAAQxE0YAY3MQG6EEJHvvgMkHsD4u8g=

with version 31.1.1.3 the logs looked like this:

1-02-09 11:22:28,417	[Th 295 Req 4586645 SessId R000e404c-01-60226264] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 97:1124:00-50-B6-F1-30-57:AC0A2ACEAL2V/EUANFOysanzb422Zle7FUh9Lg==
2021-02-09 11:22:28,428	[Th 297 Req 4586646 SessId R000e404c-01-60226264] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "802.1x Auth MS" - 98:247:00-50-B6-F1-30-57

this looks like the exos switch isn’t answering the “reqst_update_state: Access-Challenge” any longer, so that the radius server reports a timeout ~1 sec later. i can reproduce this error with all 5 different x440-g2 switches i tested and various different clients. As soon as i downgrade to version 31.1.1.3 and reboot the switch, authentication starts working again. mac auth is working as intended though.

any idea how to debug this or what could cause the problem?

Ludovico_Steven · ‎02-09-2021

I found the same in our own labs, and raised EXOS-28469. Dot1x is not working with 31.2.

Please open a case with GTAC. I’m not an end-customer, so the Jira I raised is internally raised, and will only get the right priority once a customer reports the issue via GTAC.

View solution in original post

Fijs · ‎04-26-2021

Can anybody confirm that this has been fixed in 31.2.1-Patch1-5 (I don’t see a 31.2.1.1-patch1-2 available for download)?

The release notes do not mention EXOS-28469, but they do mention this:

EXOS-28513

dot1x authentication fails when radius challenge packet contains more attributes in EAP message.

Searching the KB for EXOS-28469 only results in this KB: https://extremeportal.force.com/ExtrArticleDetail?an=000093936

But the solution here is to downgrade…

Thanks!

Evert · ‎03-19-2021

We also ran into this bug.

Something most have gone very wrong to allow a version with such a severe bug to be released. You might expect that functionality like 802.1x is tested thoroughly before releasing switch software.

Any news about the patch?

schuert · ‎02-19-2021

Thank you very much. As soon as the new version is released, i’ll check if it also works with our clearpass server and will report back.

Ludovico_Steven · ‎02-18-2021

FYI, I just tested the fix which will be 31.2.1.1-patch1-2 which is expected to be posted around first week of March

Stefan_K_ · ‎02-09-2021

Dot1x is not working and Extreme still needs a ticket from a customer to prioritize it? Does Extreme think that no customer is using 802.1x or what? Seriously…

Extreme Networks

NAC failing since update from 31.1.1.3 to 31.2.1.1

NAC failing since update from 31.1.1.3 to 31.2.1.1