Article ID: 11537
Products
Matrix N-Series DFE
Changes
Configured for 802.1x authentication ('set dot1x...').
Acting as a core device, connected into the network via 802.3ad Dynamic or Static LAGs.
Symptoms
Dot1x supplicants are constantly re-authenticating, per 'show dot1x auth-session-stats <
port#>' output.
Cause
The LAG group ports are originating EAPOL Request Identity frames (
5532). This in turn is caused by the underlying ports in the LAG being correctly configured for forced-auth (
10283) while the LAG is incorrectly left at the default auto state.
Solution/Workaround
Set the LAG aggregator instance to forced-auth:
set dot1x auth-config authcontrolled-portcontrol forced-auth lag.0.
x
If authenticating multiple users per port, set multi-authentication the same way:
set multiauth port mode force-auth lag.0.
x
The exception to this is if RADIUS Snooping is being used, in which case use "multiauth auth-opt" (e.g. 'set multiauth port mode auth-opt lag.0.
x') for Snooping ports as advised in
11759.
See also:
5882.