802.1x failing but radius authentication succeeded

Mario_Salhab
New Contributor II
Hello,

I'm testing 802.1x authentication on Extreme XOS. I'm running XOS 16.2.4.5 patch1-5 on an x440-8t switch. I've completed the setup based on the documentation provided by Extreme. The problem is that I'm receiving "Authentication failed for Network Login 802.1x user host/xxxxxx Mac xxxxxxx port x", although if I run Wireshark on my RADIUS server, I see authentication successful for host/xxxxxx. I'm wondering why the switch is considering it as failed. My RADIUS server is a Microsoft 2008R2 NPS server.

Thanks
Mario
13 REPLIES

Jaroslav_Stefan
New Contributor II
You must specify the very same VLAN tag and name which was previously defined in the RADIUS server. This VLAN must be present in the switch as well. Also, I would suggest using a configuration without the no-restart port options (but it depends on your conditions). In previous versions of XOS there were some serious issues with the reauth process on the same port (e.g. plugging the same cable into the port), which resulted in an auth error. But it is true that these issues were successfully repaired somewhere in 09-10/2017.

Mario_Salhab
New Contributor II
Hello again,

I have opened a case at the same time with Extreme TAC. He advised enabling debug logs with the following 2 commands:

configure log filter defaultFilter add events nl severity debug-verbose
enable log debug-mode

Once I have done that, I started to see the reason why it is failing.

Authentication failed for Network Login 802.1x user host/xxxxx Mac xxxxxxx port 1
Client[1, xxxxxxx] auth move result: Destination VLAN not supplied
Client[1, xxxxxxx] authVlans preprocessing result; Destination VLAN not supplied
802.1X received authentication result 1 for client xxxxxxxxx from AAA
An EAP packet was sent to RADIUS for client xxxxxxxx via AAA

I understood that the switch is expecting the destination VLAN from the RADIUS server. I configured it and now it works properly.

I may have misunderstood the document; however, the destination VLAN part is put in the additional notes of the documentation, as if it were optional.
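
A small triage script for the debug output quoted in the post above, added here as an example and not part of the thread or of Extreme's tooling. It assumes each message arrives as one line and that the masked fields are a host name and a colon-separated MAC; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Patterns follow the message texts quoted in the post. search() is used so any
# prefix in front of the message (timestamp, component tag) is ignored.
FAILED = re.compile(r"Authentication failed for Network Login 802\.1x user (\S+) Mac (\S+) port (\S+)")
CLIENT = re.compile(r"Client\[([^,\]]+), ([^\]]+)\] (?:auth move result|authVlans preprocessing result)[:;] (.+)")
AAA = re.compile(r"802\.1X received authentication result (\d+) for client (\S+) from AAA")

# Constructed sample: one client that fails for lack of a VLAN, one with no failure logged.
SAMPLE = [
    "Authentication failed for Network Login 802.1x user host/pc01 Mac 00:11:22:33:44:55 port 1",
    "Client[1, 00:11:22:33:44:55] auth move result: Destination VLAN not supplied",
    "Client[1, 00:11:22:33:44:55] authVlans preprocessing result; Destination VLAN not supplied",
    "802.1X received authentication result 1 for client 00:11:22:33:44:55 from AAA",
    "An EAP packet was sent to RADIUS for client 00:11:22:33:44:55 via AAA",
    "802.1X received authentication result 1 for client 00:11:22:33:44:66 from AAA",
]

def triage(lines):
    """Group netlogin debug messages by client MAC and collect the stated failure reasons."""
    clients = defaultdict(lambda: {"user": None, "port": None, "aaa_results": [], "reasons": set()})
    for line in lines:
        if m := FAILED.search(line):
            user, mac, port = m.groups()
            clients[mac.lower()].update(user=user, port=port)
        elif m := CLIENT.search(line):
            _port, mac, reason = m.groups()
            clients[mac.lower()]["reasons"].add(reason.strip())
        elif m := AAA.search(line):
            clients[m.group(2).lower()]["aaa_results"].append(int(m.group(1)))
    return dict(clients)

def missing_vlan_failures(lines):
    """MACs that got a result back from AAA yet failed because no destination VLAN was supplied."""
    return sorted(
        mac for mac, c in triage(lines).items()
        if c["user"] and c["aaa_results"] and "Destination VLAN not supplied" in c["reasons"]
    )

if __name__ == "__main__":
    for mac in missing_vlan_failures(SAMPLE):
        c = triage(SAMPLE)[mac]
        print(f"{mac} port {c['port']} user {c['user']}: check the VLAN attribute in the RADIUS policy")
```
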

I've tried that and still nothing...

The config looks good. Did you try to test with a VLAN that doesn't contain dashes "-" in the name? Try for instance the default VLAN first.