Hi,

In OAC logs, I can see switch sending EAP-FAILURE.

Snippet..

--------------------------------------------------------------------------

00172,09 2012/06/03 13:07:24.046 0 SYSTEM odClientService.exe odService p1944 tDB0 OdysseySupplicantMgr.cpp:300 - 'odService' [ERR] Discarding EAPOL packet: unknown packet type 1

...

00216,09 2012/06/03 13:07:26.046 0 SYSTEM odClientService.exe odService p1944 tDB0 OdysseySupplicantMgr.cpp:300 - 'odService' [ERR] Cannot set master key: authentication not complete or method does not support session keys

...

00178,09 2012/06/03 13:07:30.046 0 SYSTEM odClientService.exe odService p1944 tDB0 OdysseySupplicantMgr.cpp:300 - 'odService' [NRM] Processing EAP-Failure: code = 4, id = 9, length = 7

00132,09 2012/06/03 13:07:30.046 4 SYSTEM odClientService.exe odService p1944 tDB0 OdysseySupplicant.cpp:5428 - 'odService' STATE_Auth() 3

00156,09 2012/06/03 13:07:30.046 3 SYSTEM odClientService.exe odService p1944 tDB0 OdysseySupplicant.cpp:5496 - 'odService' Supplicant state: authentication failed

---------------------------------------------------------------------------

This could be a switch issue! However, there is no synchronised logs provided(UAC, OAC, Sniffer capture taken together at the same time-stamp).

Regards,

Raveen

I was able to collect the logs from MAG, OAC, and the captured traffic from the switch and at the same time.

attached are the logs

Regards

Mahmoud

Hi Mahmoud,

This looks like a switch issue, as it sends EAP-FAILURE, even after receiving ACCESS-ACCEPT.

Below are the snippet for reference:

------------------------------------------------------------------------------

User Access Log:

2012-06-04 14:14:55 - ic - [0.0.0.0] test(Allowed-Realm)[] - Radius authentication accepted for test (realm 'Allowed-Realm') from location-group 'tel Location Group' and attributes are: NAS-IP-Address = 172.16.10.11,NAS-Port = 12398,NAS-Port-Type = 15

Radius Trouble shooting log:

info - [127.0.0.1] - System()[] - 2012/06/04 14:14:55 - (b0b7b250)Authentication Response
info - [127.0.0.1] - System()[] - 2012/06/04 14:14:55 - (b0b7b250)Packet : Code = 0x2 ID = 0x3c

Switch Capture:

Frame 86 --> ACCESS-ACCEPT from MAG Device

Frame 116 --> EAP Failure from switch to Cleint

After getting Acces-Accept, switch is not responding to the client, after twenty seconds, client is sending new EAPOL start message.

Regards,

Raveen

Note: If I have answered your questions, you could mark this as accepted solution, that way it would help others as well. A kudo would be a bonus thanks!

It is pretty much a switch issue, given that, it is sending EAP-FAILURE, albeit receving ACCESS-ACCEPT. Also, EAP-ID that it is using is also wrong, I reckon!

However, I would also try increasing authPeriod to eliminate timing isues. For testing purpose, can you increase the authperiod timeout in OAC.

HKEY_LOCAL_MACHINE\SOFTWARE\Funk Software, Inc.\odyssey\client\configuration\options\wired8021x\authPeriod

Default values is 20 seconds, try increasing it to 60

Regards,

Raveen

Forgot to add that changes to the registry requires reboot of the machine.

Regards,

Raveen

Hello Raveen

thank you for your posts, i tried what you suggested but i got the same responce.

so why the switch is refussing the EAP messages?

Regards

Mahmoud

Well if it is not a timing issue, then you will have to work with your switch vendor on this.

You could provide the analysis that we have provided.

Regards,

raveen