Port authentication issues 802.1x

[nodeisup]

I enabled port authentication on our customer switch with the radius. Port authentication works fine but currently I have two issues which I have to find a solution for that:

Issue 1:
However I defined a secondary radius server, when the primary server is disconnected from the network the switch does not sent an authentication request to the secondary radius server.

Issue 2:
Port authentication works just one time for a client which connected to the phone. It doesn't matter the authentication is successful or not. Detail:

When authentication is successful it is possible to disconnect the authorized client from the phones's LAN port and connect another client to it. In this case the port remain authorized for the old MAC and for new MAC address the switch does not send any new port authentication request.

When the MAC authentication is also unsuccessful, the switch does not send any new port authentication request and the port remain not authorized.

my configuration:


radius server host 10.11.11.169 retry 1 timeout 10
radius server host key "xxxxxx"
radius server host 10.11.10.250 secondary
!
eapol multihost allow-non-eap-enable
eapol multihost radius-non-eap-enable
no eapol multihost non-eap-pwd-fmt
eapol multihost non-eap-pwd-fmt mac-addr
eapol enable
!
interface fastEthernet 1-24
eapol status auto
eapol multihost allow-non-eap-enable
eapol multihost eap-mac-max 2
eapol multihost non-eap-mac-max 2
eapol multihost radius-non-eap-enable
eapol multihost enable
exit
!



Do you have any tip or suggestion?

Thanks.

[MatzeKS]

Hello nodeisup, in most of all typical forum environment it's very helpful to provide more details regarding affected hardware and running software to get any type of hints or help.

 

[nodeisup]

Oh, sorry. I totally forgot it to mention that.

The switch is a 4850GTS-PWR+ with software version of v5.6.3.024.

The Radius server is a Windows radius server.

Thanks

[MatzeKS]

we use those lines as our "default" - pls try:

!
radius-server password fallback
radius reachability use-radius
radius use-management-ip
!
mac-address-table aging-time 21601
!
interface FastEthernet ALL
eapol port 1-24  status auto re-authentication enable re-authentication-period 86400
exit
eapol multihost allow-non-eap-enable
eapol multihost radius-non-eap-enable
eapol multihost auto-non-eap-mhsa-enable
eapol multihost non-eap-phone-enable
eapol multihost non-eap-reauthentication-enable
interface FastEthernet ALL
eapol multihost port 1-24 enable eap-mac-max 3 allow-non-eap-enable non-eap-mac-max 3 radius-non-eap-enable non-eap-phone-enable
exit
no eapol multihost non-eap-pwd-fmt ip-addr
no eapol multihost non-eap-pwd-fmt port-number
!
eapol enable
!

[nodeisup]

Dear MatzeKS,

is my configuration for secondary radius server correct?

[MatzeKS]

... secondary Radius looks good 

[nodeisup]

thank you for your help.

For the secondary server I found the problem which I had!

The switch sends radius requests to secondary server after 2:30 minutes. In my past tests I waited for a fast switching between primary/secondary servers.

I added 60 seconds timeout for the primary server but the it takes again same time for switching.