This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

4500 802.1x EAP behavior

4500 802.1x EAP behavior

Brian_Holmes
New Contributor III

‎06-22-2018 11:51 AM

We have a 4500 switch running SW:v5.11.1.101

When we connect an 802.1x client, the switch is sending a new authentication request every 30 seconds.

We can increase this time by modifying this in the config from the default of 30:

eapol port 27-28 supplicant-timeout 3600

We do not see this same behavior on a 4800 or 4900 with the same 30 second default.

Is this a known difference or bug in the 4500 code?

Anyone see a problem with setting this to 3600 as a default?
0 Kudos
4 REPLIES 4

Robert_Haynes
Extreme Employee

‎07-26-2018 03:06 PM

For the record:

Global config:
eapol multihost eap-packet-mode unicast

Port config:
eapol multihost port 1/ALL,2/ALL,3/ALL,4/ALL enable eap-mac-max 2 allow-non-eap-enable radius-non-eap-enable non-eap-phone-enable use-radius-assigned-vlan non-eap-use-radius-assigned-vlan eap-packet-mode unicast mac-max 2

The above configuration changes the behavior of the switch in EAP/NEAP modes to no longer solicit for clients on the ports by sending an EAPOL Identity request. This solicitation has the negative effect of forcing any existing clients to re-authenticate. As clients/switches scale, this can become a problem with several dozens/hundreds of clients re-authenticating continuously subject to the supplicantTimeout = 30s default.
0 Kudos

Brian_Holmes
New Contributor III

‎07-26-2018 09:30 AM

Sorry. We are running 5.7.3.031. Setting mac-max back to 1 fixes the issue. Thanks
0 Kudos

Robert_Haynes
Extreme Employee

‎07-25-2018 11:51 AM

Brian - Martin is correct. The 45xx platform final code is 5.7.3. 4800/4900 are 5.11+ capable.

However your symptomatic issue tied to defaults suggests you have multihost enabled on the port and mac-max > 1. If there is only one device on the port with mac-max > 1 the switch will send Identity requests every timeout=30s. This causes the existing authenticated client to reconnect unnecessarily.

Either mac-max = 1, tweak timeouts >30s but definitely not 1h so the re-auth isn't as disruptive to existing clients or disable multihost on those ports. The latter stops the switch from 'soliciting' clients every xx seconds using EAPOL Identity. It expects clients to send EAPOL Start to begin the EAP process and rely on client-side timers to handle any issues/timeouts, etc.
0 Kudos

Martin_Sebek
New Contributor III

‎07-20-2018 07:22 AM

Hello Brian,

are you sure you are running 5.11 on ERS 4500? Until today I thought the last version for these switches is 5.7.3. The release notes for the version 5.11.2 say that supported platforms are all 4800 models.

Regards,
Martin Sebek
0 Kudos
GTM-P2G8KFN