pkn
No Multi-Device Port Authentication on reload

Hi there forum,

I've been busy with 802.1x authentication for wireless clients and MAC authentication for wired users. The intention (for the wired part at least) is that a station can be either authenticated for use of the managed or unmanaged vlan or fail over to a registration vlan in which the user can choose to register for the unmanaged vlan.

For the wired part we use Brocade WS switches with the following config:

=====================snip===========================

Current configuration:
!
ver 04.3.03T7e1
!
module 1 fwsl00m-48-port-copper-base-module
!
vlan 1 name DEFAULT-VLAN by port
!
vlan 9 name CB by port
 tagged ethe 0/1/1 ethe 0/1/3
 untagged ethe 0/1/2
!
vlan 91 name CB-Gast by port
 tagged ethe 0/1/1 ethe 0/1/3
!
vlan 99 name Quarantaine by port
 tagged ethe 0/1/1 ethe 0/1/3
 untagged ethe 0/1/5
!
hostname radtest
ip address 10.0.9.47 255.255.0.0
no ip dhcp-client enable
radius-server host 10.0.9.78 auth-port 1812 acct-port 1646 default
radius-server key 1 XXXXXXXXXXX
mac-authentication enable
mac-authentication auth-fail-vlan-id 99
interface ethernet 0/1/1
 dual-mode
!
interface ethernet 0/1/2
 mac-authentication enable
 mac-authentication auth-fail-action restrict-vlan
 mac-authentication auth-timeout-action failure
 mac-authentication enable-dynamic-vlan
!
end

=========================snap===========================

When a client is connected to eth 0/1/2 there is a radius request, the radius server replies with vlan 9, 91 or even 99 and the port is placed in the intended vlan. No problem there.

The problem is a reload or power cycle. After the switch has booted, the port is placed in vlan 99 (the auth-fail vlan) but no authentication attempt is made. I know... in a perfect world a switch should not reboot... but unfortunately the world isn't perfect... reboots happen.

How can I make the switch authenticate after a reboot?

Regards..... Peter


Re: No Multi-Device Port Authentication on reload

Hi PKN,

Suggest you try the re-auth command. Enter the command below and see if that works.

Brocade#dot1x re-authenticate e 0/1/2

If that gets you going, I would then try the periodic re-auth below.

Configuring periodic re-authentication

You can configure the device to periodically re-authenticate Clients connected to 802.1X-enabled interfaces. When you enable periodic re-authentication, the device re-authenticates Clients every 3,600 seconds by default. You can optionally specify a different re-authentication interval of between 1 and 4294967295 seconds.

To configure periodic re-authentication using the default interval of 3,600 seconds, enter the following command.

Brocade(config-dot1x)#re-authentication

Syntax: re-authentication

To configure periodic re-authentication with an interval of 2,000 seconds, enter the following commands.

Brocade(config-dot1x)#re-authentication

Brocade(config-dot1x)#timeout re-authperiod 2000

Syntax: timeout re-authperiod <seconds>

The re-authentication interval is a global setting, applicable to all 802.1X-enabled interfaces. To re-authenticate Clients connected to a specific port manually, use the dot1x re-authenticate command.


Thanks

Michael.
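As an added example (not code from the thread or from Brocade), a small Python audit that parses a flat FastIron-style running-config like the one in the question and lists MAC-auth ports that have no periodic re-authentication configured, so a port that could sit in the auth-fail VLAN after a reload is visible before the next reboot. The `dot1x-enable` block name is an assumption about how the reply's config-dot1x commands appear in a saved config; the sample config is constructed.

```python
# Constructed sample, condensed from the config in the question.
SAMPLE_CONFIG = """\
mac-authentication enable
mac-authentication auth-fail-vlan-id 99
interface ethernet 0/1/2
mac-authentication enable
mac-authentication auth-fail-action restrict-vlan
!
"""

# Block openers; "dot1x-enable" is an assumed name for the reply's config-dot1x block.
SECTION_STARTS = ("interface ", "vlan ", "dot1x-enable")

def parse_sections(config_text):
    """Split a flat FastIron-style config into (section, [lines]); blocks end at '!'."""
    sections, current, lines = [], None, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line in ("", "!", "end"):
            if line and (current is not None or lines):
                sections.append((current, lines))
                current, lines = None, []
        elif current is None and line.startswith(SECTION_STARTS):
            if lines:  # flush global lines collected before this block
                sections.append((None, lines))
            current, lines = line, []
        else:
            lines.append(line)
    if current is not None or lines:
        sections.append((current, lines))
    return sections

def audit_reauth(config_text):
    """List MAC-auth ports and flag them when no periodic re-auth is configured."""
    r = {"auth_fail_vlan": None, "periodic_reauth": False,
         "reauth_period": 3600, "mac_auth_ports": [], "findings": []}
    for section, lines in parse_sections(config_text):
        for line in lines:
            if section is None and line.startswith("mac-authentication auth-fail-vlan-id "):
                r["auth_fail_vlan"] = int(line.rsplit(" ", 1)[1])
            elif section == "dot1x-enable" and line == "re-authentication":
                r["periodic_reauth"] = True
            elif section == "dot1x-enable" and line.startswith("timeout re-authperiod "):
                r["reauth_period"] = int(line.rsplit(" ", 1)[1])
            elif section and section.startswith("interface ") and line == "mac-authentication enable":
                r["mac_auth_ports"].append(section.split(" ", 2)[2])
    if not r["periodic_reauth"]:
        for port in r["mac_auth_ports"]:
            r["findings"].append(f"{port}: no periodic re-auth; may sit in VLAN {r['auth_fail_vlan']} after reload")
    return r
```

Feed it the output of `show running-config` copied from the switch; the global `mac-authentication enable` is deliberately not counted as a port.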
