Ethernet Switching

dot1x to long reconnect

‎03-23-2016 07:48 AM

Hi

I have an EX4200. All the necessary settings for dot1x to work are made.

The first time I plug any device into a dot1x port, authentication occurs fast. When I administratively down that dot1x interface, it stays in the "Connecting" state for a long time. After some time (about 5-10 minutes) the port successfully authenticates. There are no messages in the log files while it is in the "Connecting" state.

[edit interfaces ge-0/0/6]
#set disable
[edit interfaces ge-0/0/6 unit 0]
#set disable
[edit interfaces ge-0/0/6 unit 0]
#commit confirmed 1
# run show dot1x interface
802.1X Information:
Interface     Role           State           MAC address          User
ge-0/0/1.0    Authenticator  Initialize
ge-0/0/2.0    Authenticator  Initialize
ge-0/0/3.0    Authenticator  Initialize
ge-0/0/4.0    Authenticator  Initialize
ge-0/0/5.0    Authenticator  Initialize
ge-0/0/6.0    Authenticator  Connecting

Why does this occur?


Re: dot1x to long reconnect

‎03-23-2016 11:03 PM

Hi,

 

I'm not sure if this one is related to this PR1127566

 

To make sure, try this workaround:

Enable dot1x feature without using "set protocol dot1x interface all". This should ensure dot1x to operate consistently.

 

Regards,
A'bed AL-R.
[JNCSP-SEC JNCDA JNCIS-ENT Ingenious Champion|Sec]
https://srxtech.wordpress.com

Re: dot1x to long reconnect

‎03-24-2016 12:58 AM

Thank you for this problem report. It is very similar. But I did not use the configuration command "protocols dot1x authenticator interface all" and the core dump file is clear.

My configuration is below:

interfaces {
    interface-range interface_access {
        member-range ge-0/0/0 to ge-0/0/21;
        description DOT1X;
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan300;
                }
            }
        }
    }
.........................

protocols {
    dot1x {
        authenticator {
            authentication-profile-name dot1x-profile;
            interface {
                ge-0/0/0.0 {
                    ##
                    ## Warning: Interface must be defined in the interfaces hierarchy with family ethernet-switching
                    ##
                    disable;
                }
                ##
                ## Warning: Interface must be defined in the interfaces hierarchy with family ethernet-switching
                ##
                ge-0/0/6.0;
                ##
                ## Warning: Interface must be defined in the interfaces hierarchy with family ethernet-switching
                ##
                ge-0/0/10.0;
                ##
                ## Warning: Interface must be defined in the interfaces hierarchy with family ethernet-switching
                ##
                ge-0/0/21.0;
                interface_access {
                    supplicant multiple;
                    quiet-period 3;
                    mac-radius;
                    reauthentication 3600;
                    supplicant-timeout 5;
                    server-timeout 1;
                    maximum-requests 7;
                    guest-vlan vlan7;
                }
            }
        }
    }

It is not clear to me: what should I do if all interfaces need dot1x authentication?

If I bring the dot1x interface down/up, the interface goes into this state at once and stays there for a long time (about 5 minutes), and then successfully authenticates:

ge-0/0/6.0    Authenticator  Connecting      00:E1:75:01:1F:3F    No User


Re: dot1x to long reconnect

‎03-24-2016 04:11 AM

Not sure of your situation, but if it takes approximately 5 mins it sounds like FDB MAC age-out may be what triggers the re-auth to function. I might suggest you change that timer (should be non-service impacting) and see if the test results change. If it does indeed follow, it may help you get to the bottom of it.

 

Just an FYI.


Re: dot1x to long reconnect

‎03-24-2016 04:32 AM

Sorry, which trigger (timer) do you mean? Can you give more detail, please?


Re: dot1x to long reconnect

‎03-24-2016 04:36 AM

I believe the default MAC/FDB aging timer for Junos/EX is 300 seconds, or 5 minutes. For what this is, see here:

 

http://www.juniper.net/documentation/en_US/junos15.1/topics/concept/bridging-mac-aging.html
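One way to test the MAC aging hypothesis from the replies above, as an added example that is not from any poster in this thread: poll `show dot1x interface`, measure how long a port sits in Connecting, and compare that with the aging time. The function names, timestamps, the `Authenticated` row and the user value are constructed for illustration; 300 seconds is the default quoted in the reply above.

```python
import re
from datetime import datetime, timedelta

# One row of `show dot1x interface`: interface, role, state (MAC and user may follow).
ROW = re.compile(r"^([a-z]+-\d+/\d+/\d+\.\d+)\s+(\S+)\s+(\S+)")

def parse_snapshot(text):
    """Map interface name -> 802.1X state for one command output."""
    rows = (ROW.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(3) for m in rows if m}

def connecting_runs(snapshots):
    """snapshots: (datetime, output) pairs, oldest first.
    Returns (interface, seconds) for every completed stay in Connecting.
    The resolution of the result is the polling interval."""
    started, runs = {}, []
    for ts, text in snapshots:
        for ifname, state in parse_snapshot(text).items():
            if state == "Connecting":
                started.setdefault(ifname, ts)   # remember first sighting only
            elif ifname in started:
                runs.append((ifname, (ts - started.pop(ifname)).total_seconds()))
    return runs

def tracks_mac_aging(seconds, aging_time, tolerance=30):
    """True when the stall length matches the MAC aging time within tolerance."""
    return abs(seconds - aging_time) <= tolerance

# Constructed sample data: one poll every 30 s after the port is re-enabled.
HEADER = ("802.1X Information:\n"
          "Interface     Role           State           MAC address          User\n")

def _output(state, rest):
    return (HEADER + "ge-0/0/5.0    Authenticator  Initialize\n"
            + f"ge-0/0/6.0    Authenticator  {state}{rest}\n")

T0 = datetime(2016, 3, 24, 12, 0, 0)
SAMPLE = [(T0 + timedelta(seconds=30 * i),
           _output("Connecting", "      00:E1:75:01:1F:3F    No User"))
          for i in range(10)]
SAMPLE.append((T0 + timedelta(seconds=300),
               _output("Authenticated", "   00:E1:75:01:1F:3F    00e175011f3f")))

if __name__ == "__main__":
    for ifname, secs in connecting_runs(SAMPLE):
        print(ifname, secs, "matches 300 s aging:", tracks_mac_aging(secs, 300))
```

Repeating the measurement after changing the aging timer shows whether the stall length moves with it, which is the test the earlier reply proposes.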


Re: dot1x to long reconnect

‎03-24-2016 05:40 AM

Hmm... If I understand correctly, the parameter mac-table-aging-time specifies the aging time, i.e. the time after which a MAC address will be deleted from the ethernet-switching table (MAC address table).

When dot1x (MAC) authentication is enabled per port, the port is closed for any traffic. When a device is plugged into a dot1x port, the switch waits (for a period of time specified in the port configuration) for an EAPOL packet from the device. If no EAPOL packet is received, the switch learns the device's MAC address and uses it as the login/password for authentication. But I do not use such big timers.

There are no messages in the dot1x log files at that time.


Re: dot1x to long reconnect

‎12-19-2016 01:01 PM

Did you ever get this figured out?

I have the same issue, or similar. The first time I connect a client, it authenticates fast, but if the client disconnects (reboots, for example) then "show dot1x interface" shows that port connecting for a long time. In my case the authentication never happens on its own.


Re: dot1x to long reconnect

‎12-19-2016 08:50 PM

Try enabling traceoptions and see if it logs any information:

set protocols dot1x traceoptions file dot1x-trace
set protocols dot1x traceoptions flag all

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]

Re: dot1x to long reconnect

‎09-12-2017 05:55 AM

Hi

 

Did you ever resolve this issue?

 

Thanks

Simon
