EAP Clients periodically get put into "held" state

Symptoms
  • The MAC on port 1/32 is stuck in the Held state and comes up as unauthenticated/rejected.
  • Every re-authentication of the PC on port 1/32 produced a QoS error log stating that no resources were available to install the UBP, although plenty were available.


 
ERS(config)#show eap sess

---------------------------- EAP Clients -----------------------------------
Unit/Port Client MAC Address Pae State      Backend Auth State Vid  Pri
--------- ------------------ -------------- ------------------ ---- ---
1/32      xx:xx:xx:xx:xx:xx  Held           Idle               N/A  N/A


-------------------------- Unauthorized Clients ----------------------------
Unit/Port Client MAC Address Type           Radius Status
--------- ------------------ -------------- ------------------------------
1/32      64:00:6A:5D:6F:5E  Intruder       Reject
Total number of DHCP authenticated phones: 0
Total number of EAP authenticated clients: 21
Total number of non-EAP authenticated clients: 41
Total number of unauthenticated clients: 1
 
ERS# show log so

I    1    2020-01-24 10:39:01 GMT-04:00 49555     Trap:  bsnEapUbpFailure

I    1    2020-01-24 10:39:01 GMT-04:00 49556     EAP: Failed qpa-RoleAssociation on port: 1/32, MAC xx:xx:xx:xx:xx:xx

I    1    2020-01-24 10:40:01 GMT-04:00 49557     User policy filter set element count exceeds available resources

I    1    2020-01-24 10:40:01 GMT-04:00 49558     Unable to apply pre-defined UBP filter set to new user (port 1/32)



 
Environment
  • ERS 4850
  • Software version 5.12.5
Cause
The PC on port 1/32 was wrongly rejected because its UBP could not be installed: leftover data in QoS prior to the UBP installation prevented it. This happened for the PC and not for any other device.
Resolution
  • Group the UBP rules in a single block so that installing the PC's policy does not take up 6 precedences. UBP requires a contiguous range of free precedences to install successfully, so this prevents interference with other applications that use filters, such as DHCP snooping.
  • Place all PC UBP rules in a single block so that they occupy just one precedence.
  • Reboot the switch/stack or bounce "qos agent ubp policy" after the change; the former is the preferred method.


    Configuration before optimization, followed by the QoS show command output:
     
    qos agent ubp high-security-local
    qos ubp classifier name test addr-type ipv4 protocol 1 drop-action disable eval-order 30
    qos ubp classifier name test addr-type ipv4 src-ip x.x.x.x/23 dst-ip x.x.x.x/23 protocol 6 dst-port-min 80 dst-port-max 80 drop-action disable eval-order 31
    qos ubp classifier name test addr-type ipv4 src-ip x.x.x.x/23 dst-ip x.x.x.x/23 protocol 6 dst-port-min 443 dst-port-max 443 drop-action disable eval-order 32
    qos ubp classifier name test addr-type ipv4 src-ip x.x.x.x/23 dst-ip x.x.x.x/24 drop-action disable eval-order 33
    qos ubp classifier name test addr-type ipv4 src-ip x.x.x.x/16 dst-ip x.x.x.x/16 drop-action enable eval-order 200
    qos ubp classifier name test drop-action disable eval-order 255
    qos ubp classifier name voice addr-type ipv4 vlan-min 220 vlan-max 220 vlan-tag untagged ethertype 0x800 drop-action disable update-dscp 46 update-1p 6 eval-order 4
    qos ubp set name test set-priority 1 track-statistics individual
    qos ubp set name voice set-priority 1 track-statistics aggregate
    

    QoS command output showing 6 QoS precedences occupied by UBP policies when an EAP client
     
    ERS4850(config)#sh qos diag
    
    Unit/Port                      Mask Precedence Usage
               16  15  14  13  12  11  10   9   8   7   6   5   4   3   2   1
    --------- ---------------------------------------------------------------
    1/1         AR  DH                                                  Q   Q
    1/2         AR  DH                                                  Q   Q
    1/3         AR  DH                                                  Q   Q
    1/4         AR  DH                                                  Q   Q
    1/5         AR  EA  DH  Q   Q   Q   Q   Q   Q                       Q   Q
    1/6         AR  EA  DH                                              Q   Q
    1/7         AR  DH                                                  Q   Q

    Config modified by adding block 1 before each eval-order attribute to avoid conflicts with any other feature:
     
    qos ubp classifier name test addr-type ipv4 protocol 1 drop-action disable block 1 eval-order 30
    qos ubp classifier name test addr-type ipv4 src-ip x.x.x.x/23 dst-ip x.x.x.x/23 protocol 6 dst-port-min 80 dst-port-max 80 drop-action disable block 1 eval-order 31
    qos ubp classifier name test addr-type ipv4 src-ip x.x.x.x/23 dst-ip x.x.x.x/23 protocol 6 dst-port-min 443 dst-port-max 443 drop-action disable block 1 eval-order 32
    qos ubp classifier name test addr-type ipv4 src-ip x.x.x.x/23 dst-ip x.x.x.x/24 drop-action disable block 1 eval-order 33
    qos ubp classifier name test addr-type ipv4 src-ip x.x.x.x/16 dst-ip x.x.x.x/16 drop-action enable block 1 eval-order 200
    qos ubp classifier name test drop-action disable block 1 eval-order 255
    qos ubp classifier name voice addr-type ipv4 vlan-min 220 vlan-max 220 vlan-tag untagged ethertype 0x800 drop-action disable update-dscp 46 update-1p 6 block 1 eval-order 4
    qos ubp set name test set-priority 1 track-statistics individual
    qos ubp set name voice set-priority 1 track-statistics aggregate

    To verify the result of the change, authenticate an EAP client that matches the "test" policy (shut/no shut on the port); only 1 QoS precedence is now set:
     
    ERS4850(config)#sh qos diag
    
    Unit/Port                      Mask Precedence Usage
               16  15  14  13  12  11  10   9   8   7   6   5   4   3   2   1
    --------- ---------------------------------------------------------------
    1/1         AR  DH                                                  Q   Q
    1/2         AR  DH                                                  Q   Q
    1/3         AR  DH                                                  Q   Q
    1/4         AR  DH                                                  Q   Q
    1/5         AR  EA  DH  Q                                           Q   Q
    1/6         AR  EA  DH                                              Q   Q
    1/7         AR  DH                                                  Q   Q
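
The check described above can be automated. This Python example is added here and is not part of the original article or vendor tooling: it parses the `sh qos diag` table, finds each port's longest contiguous run of free precedences, and tests whether the "test" classifiers fit before and after the `block 1` change. The cost model (one precedence per classifier without `block`, one per block) is an assumption inferred from the before/after output, and the 1/9 row is constructed sample data.

```python
import re

# Constructed sample in the layout of the article's "sh qos diag" table.
# Row 1/9 is invented here to show a fragmented precedence space.
DIAG = """\
Unit/Port                      Mask Precedence Usage
           16  15  14  13  12  11  10   9   8   7   6   5   4   3   2   1
--------- ---------------------------------------------------------------
1/6         AR  EA  DH                                              Q   Q
1/9         AR  EA  DH          Q               Q           Q       Q   Q
"""
# The article's "test" classifiers before the change (addresses redacted).
BEFORE = """\
qos ubp classifier name test addr-type ipv4 protocol 1 drop-action disable eval-order 30
qos ubp classifier name test addr-type ipv4 src-ip x.x.x.x/23 dst-ip x.x.x.x/23 protocol 6 dst-port-min 80 dst-port-max 80 drop-action disable eval-order 31
qos ubp classifier name test addr-type ipv4 src-ip x.x.x.x/23 dst-ip x.x.x.x/23 protocol 6 dst-port-min 443 dst-port-max 443 drop-action disable eval-order 32
qos ubp classifier name test addr-type ipv4 src-ip x.x.x.x/23 dst-ip x.x.x.x/24 drop-action disable eval-order 33
qos ubp classifier name test addr-type ipv4 src-ip x.x.x.x/16 dst-ip x.x.x.x/16 drop-action enable eval-order 200
qos ubp classifier name test drop-action disable eval-order 255
"""
AFTER = BEFORE.replace(" eval-order", " block 1 eval-order")  # the article's fix

def parse_qos_diag(text):
    """Return {port: {precedence: owner}} from the usage table."""
    hdr = next(l for l in text.splitlines() if re.fullmatch(r"[\s\d]*\d[\s\d]*", l))
    cols = [(m.start(), int(m.group())) for m in re.finditer(r"\d+", hdr)]
    # Map each cell to the nearest header column (tolerates 1-char drift).
    nearest = lambda pos: min(cols, key=lambda c: abs(c[0] - pos))[1]
    return {row.group(1): {nearest(len(row.group(1)) + t.start()): t.group()
                           for t in re.finditer(r"\S+", row.group(2))}
            for row in re.finditer(r"^(\d+/\d+)([ \t].*)$", text, re.M)}

def longest_free_run(used, total=16):
    best = run = 0
    for prec in range(total, 0, -1):  # walk 16 down to 1, as in the table
        run = 0 if prec in used else run + 1
        best = max(best, run)
    return best

def precedences_needed(config, set_name):
    """Cost model assumed from the article's before/after output: a classifier
    without 'block' takes one precedence; each distinct block takes one."""
    pat = rf"^[ \t]*qos ubp classifier name {re.escape(set_name)}\s.*$"
    rules = [re.search(r"\bblock (\d+)\b", m.group()) for m in re.finditer(pat, config, re.M)]
    return sum(b is None for b in rules) + len({b.group(1) for b in rules if b})

def fits(diag, port, config, set_name):
    """True if the set fits in the port's longest contiguous free run."""
    return precedences_needed(config, set_name) <= longest_free_run(parse_qos_diag(diag)[port])
```

On the constructed 1/9 row, the six unblocked classifiers do not fit in the longest free run of three precedences, while the blocked set needs only one.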