VMs do not pass dot1x authentication after VM reboot

Symptoms
  • Multiple VMs run on an ESX server and are authenticated via dot1x; the port mode is mac-based-vlans.
  • The initial authentication when the port comes up is successful, but when one of the VMs is rebooted its dot1x user is put into the failed state.
  • Failed network login agents do not age out, and the failed dot1x agents then fail to authenticate on multi-user ports.
  • The reported issue is not seen in EXOS 15.7.1.4.
Environment
  • Summit X460G2-24p-10G4
  • EXOS 21.1.1.4 patch1-5
  • EXOS 21.1.1.4-patch1-2
  • EXOS 16.1.3.6 patch1-8

 
Cause
  • Once the VM comes up after the reboot (10:08:48.85), dot1x authentication fails for the same user, although the user did not make a login attempt:
06/21/2016 10:08:48.85 <Info:nl.ClientReAuth> Slot-1: Network Login user UNE\lhazel2 unauthenticated as reauthentication failed, Mac 00:0C:29:DD:FD:11 port 1:2 VLAN(s) "<unknown>"
  • After this, the same user tries to log in, but authentication does not happen and the NIC stays in the "authentication failed" state.
  • The dot1x failed state is not cleared on the switch even with the aging time set to 1 minute via the command "configure netlogin agingtime 1".
  • The output of the command below also contradicts the actual state of the dot1x client:

Slot-1 ec-xs-c34-5.9 # show netlogin port 1:2
(outputs truncated; the full outputs are available in the attachment)
MAC                IP address       Authenticated     Type    ReAuth-Timer   User
00:0c:29:dd:fd:11  0.0.0.0          Yes, Radius       802.1x  0              UNE\lhazel2     >>>>>>>>>>>>>>>>>  This entry is not seen in 15.7: as soon as the PC reboots and fails authentication, the entry is removed.
00:0c:6c:09:e9:5e  0.0.0.0          Yes, Radius       802.1x  3803           lhazel2@une.edu.au

  • The workaround is to run "clear netlogin state mac-address <MAC address>" before the user makes the login attempt from the VM, which is not feasible in practice. The session state for the same client shows "failed", contradicting the "Yes, Radius" entry above:

Slot-1 ec-xs-c34-5.9 # show netlogin session ports 1:2
Port            : 1:2         Station address   : 00:0c:29:dd:fd:11
Auth status     : failed      Last attempt      : Tue Jun 21 10:08:48 2016
Agent type      : dot1x       Session applied   : false
Server type     : radius      VLAN-Tunnel-Attr  : None
Policy index    : 0           Policy name       : No Policy applied
Session timeout : 0           Session duration  : 0:00:00
Idle timeout    : 0           Idle time         : 0:00:00

  • If the cable is unplugged and plugged back in, authentication is successful:
06/21/2016 10:05:14.17 <Info:nl.ClientAuthenticated> Slot-1: Network Login 802.1x user UNE\lhazel2 logged in MAC 00:0C:29:DD:FD:11 port 1:2 VLAN(s) "<unknown>", authentication Radius
 

Outputs taken in 15.7 (non-issue state):
 
X460G2-24p-10G4.44 # show netlogin dot1x
NetLogin Authentication Mode : web-based DISABLED;  802.1x ENABLED;  mac-based DISABLED
NetLogin VLAN                : "nlvlan"
NetLogin move-fail-action    : Deny
NetLogin Client Aging Time   : 1 minutes
Dynamic VLAN Creation        : Disabled
Dynamic VLAN Uplink Ports    : None
Authentication Protocol Order: 802.1x, web-based, mac-based (default)
 ------------------------------------------------
        802.1x Mode Global Configuration
------------------------------------------------
Quiet Period                    : 60
Supplicant Response Timeout     : 30
Re-authentication period        : 3600
Max Re-authentications          : 3
RADIUS server timeout           : 30
EAPOL MPDU version to transmit  : v1
Authentication Database         : Radius
------------------------------------------------
 Port: 2,  Vlan: nlvlan,  State: Enabled,  Authentication: 802.1x
Guest Vlan <Not Configured>: Disabled
Authentication Failure Vlan <Not Configured>: Disabled
Authentication Service-Unavailable Vlan <Not Configured>: Disabled
 
MAC                IP address       Authenticated     Type    ReAuth-Timer   User
-----------------------------------------------
(B) - Client entry Blackholed in FDB
 
Port: 3,  Vlan: Default,  State: Enabled,  Authentication: 802.1x
Guest Vlan <Not Configured>: Disabled
Authentication Failure Vlan <Not Configured>: Disabled
Authentication Service-Unavailable Vlan <Not Configured>: Disabled
MAC                IP address       Authenticated     Type    ReAuth-Timer   User    >>>>>>>>>>>>>>>>>>>>>>>>>>>>> The dot1x user entry is cleared automatically
00:04:f2:a0:a4:27  0.0.0.0          No                802.1x  0
00:26:b9:c7:43:5b  0.0.0.0          No                802.1x  0
-----------------------------------------------
(B) - Client entry Blackholed in FDB
 Number of Clients Authenticated  : 0
 
Outputs taken in 21.x (issue state):
X460G2-24p-10G4.18 # show netlogin port 3
Port                          : 3
Port Restart                  : Disabled
Allow Egress                  : None
Vlan                          : Default
Authentication                : 802.1x
Port State                    : Enabled
Authentication Mode           : Required (Policy Enabled only)
Max Supported Users           : 1024 (Policy Enabled only)
Allowed Users                 : 128 (Policy Enabled only)
Current Users                 : 0 (Policy Enabled only)
Auth Failure Vlan             : Disabled
Auth Service-Unavailable Vlan : Disabled
------------------------------------------------
        802.1x Port Configuration
------------------------------------------------
Quiet Period                  : 60
Supplicant Response Timeout   : 30
Re-authentication             : On
Re-authentication period      : 3600
Max Re-authentications        : 3
RADIUS server timeout         : 30
Guest Vlan                    : Disabled
------------------------------------------------
        Netlogin Clients
------------------------------------------------
MAC                IP address       Authenticated     Type    ReAuth-Timer   User
00:04:f2:a0:a4:27  0.0.0.0          No                802.1x  0
-----------------------------------------------
(B) - Client entry Blackholed in FDB
Port                          : 3
Port Restart                  : Disabled
Allow Egress                  : None
Vlan                          : staff
Authentication                : 802.1x
Port State                    : Enabled
Authentication Mode           : Required (Policy Enabled only)
Max Supported Users           : 1024 (Policy Enabled only)
Allowed Users                 : 128 (Policy Enabled only)
Current Users                 : 0 (Policy Enabled only)
Auth Failure Vlan             : Disabled
Auth Service-Unavailable Vlan : Disabled
------------------------------------------------
        802.1x Port Configuration
------------------------------------------------
Quiet Period                  : 60
Supplicant Response Timeout   : 30
Re-authentication             : On
Re-authentication period      : 3600
Max Re-authentications        : 3
RADIUS server timeout         : 30
Guest Vlan                    : Disabled
------------------------------------------------
        Netlogin Clients
------------------------------------------------
MAC                IP address       Authenticated     Type    ReAuth-Timer   User
00:26:b9:c7:43:5b  0.0.0.0          Yes, Radius       802.1x  0              ENI-TAC\taclab    <<<<<<<<<<<<< This entry is not cleared, whereas in 15.7 it is cleared.
-----------------------------------------------
(B) - Client entry Blackholed in FDB
Number of Clients Authenticated  : 1

Resolution
  • On further investigation by our engineering team, the issue appears to be triggered by the NetLogin state for the problematic client being stuck in the "CONNECTING" state after the reboot.
  • The issue can also be reproduced with just a user logout, and it matches the existing CR xos0063194.

Logs (note that the client shows Auth=Yes while its authenticator PAE is still in CONNECTING, and that the ReAuth count of 4 exceeds the configured Max Re-authentications of 3):
* X460G2-24p-10G4.9 # sh netlogin dot1x detail
MAC
00:26:b9:c7:43:5b   : IP=0.0.0.0         Auth=Yes  User=ENI-TAC\taclab
                    : AuthPAE state=CONNECTING BackAuth state=IDLE
                    : ReAuth time left=0       ReAuth count=4
                    : Quiet time left=0

xos0063194 – “Dot1x authentication fails after rebooting the client when it is connected via IP phone”
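The contradiction described in the Cause section (a client listed as "Yes, Radius" whose session is actually failed) and the diagnostic signal from the Resolution section (Auth=Yes with AuthPAE state=CONNECTING) can both be checked from captured switch output. The script below is an added example, not part of the GTAC article or of EXOS: it parses the text of "show netlogin dot1x detail" and the switch syslog, flags clients stuck in CONNECTING or reported by nl.ClientReAuth, and emits the "clear netlogin state mac-address" workaround command for each. The detail sample is built from the lines quoted in the article plus one assumed healthy client (state AUTHENTICATED, not in the article) so the filter can be seen to ignore it; the syslog sample is the two article lines.

```python
"""Find EXOS dot1x clients stuck after a supplicant reboot and emit the
workaround command. Added example; not code from the article or from EXOS."""
import re
from dataclasses import dataclass

MAC = r"([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})"
# First line of each entry in "show netlogin dot1x detail"
HEADER_RE = re.compile(r"^" + MAC + r"\s+:\s+IP=(\S+)\s+Auth=(\S+)\s+User=(.*?)\s*$")
PAE_RE = re.compile(r"AuthPAE state=(\S+)\s+BackAuth state=(\S+)")
REAUTH_RE = re.compile(r"ReAuth time left=(\d+)\s+ReAuth count=(\d+)")
# Syslog line logged when re-authentication fails for a client
CLIENT_REAUTH_RE = re.compile(
    r"<Info:nl\.ClientReAuth>.*?user (\S+) unauthenticated .*?Mac " + MAC + r" port (\S+)")

# Constructed sample: article entry plus one assumed healthy client.
DETAIL_OUTPUT = """\
MAC
00:26:b9:c7:43:5b   : IP=0.0.0.0         Auth=Yes  User=ENI-TAC\\taclab
                    : AuthPAE state=CONNECTING BackAuth state=IDLE
                    : ReAuth time left=0       ReAuth count=4
                    : Quiet time left=0
00:0c:6c:09:e9:5e   : IP=0.0.0.0         Auth=Yes  User=lhazel2@une.edu.au
                    : AuthPAE state=AUTHENTICATED BackAuth state=IDLE
                    : ReAuth time left=3803    ReAuth count=0
                    : Quiet time left=0
"""

# Constructed sample: the two syslog lines quoted in the article.
SYSLOG = """\
06/21/2016 10:05:14.17 <Info:nl.ClientAuthenticated> Slot-1: Network Login 802.1x user UNE\\lhazel2 logged in MAC 00:0C:29:DD:FD:11 port 1:2 VLAN(s) "<unknown>", authentication Radius
06/21/2016 10:08:48.85 <Info:nl.ClientReAuth> Slot-1: Network Login user UNE\\lhazel2 unauthenticated as reauthentication failed, Mac 00:0C:29:DD:FD:11 port 1:2 VLAN(s) "<unknown>"
"""


@dataclass
class Dot1xClient:
    mac: str
    ip: str
    authenticated: bool
    user: str
    pae_state: str = ""
    backauth_state: str = ""
    reauth_time_left: int = 0
    reauth_count: int = 0


def parse_detail(text):
    """Parse 'show netlogin dot1x detail' into one Dot1xClient per MAC entry."""
    clients = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            mac, ip, auth, user = m.groups()
            clients.append(Dot1xClient(mac.lower(), ip, auth == "Yes", user))
            continue
        if not clients:          # the "MAC" column header or any preamble
            continue
        cur = clients[-1]        # continuation lines belong to the last entry
        m = PAE_RE.search(line)
        if m:
            cur.pae_state, cur.backauth_state = m.groups()
        m = REAUTH_RE.search(line)
        if m:
            cur.reauth_time_left, cur.reauth_count = map(int, m.groups())
    return clients


def stuck_clients(clients):
    """Clients the switch counts as authenticated while the PAE never left CONNECTING."""
    return [c for c in clients if c.authenticated and c.pae_state == "CONNECTING"]


def reauth_failures(syslog):
    """(mac, port, user) for each nl.ClientReAuth failure in the syslog text."""
    found = []
    for line in syslog.splitlines():
        m = CLIENT_REAUTH_RE.search(line)
        if m:
            user, mac, port = m.groups()
            found.append((mac.lower(), port, user))
    return found


def workaround_commands(detail_text, syslog_text):
    """One 'clear netlogin state mac-address' command per affected MAC, in order found."""
    macs = []
    for c in stuck_clients(parse_detail(detail_text)):
        if c.mac not in macs:
            macs.append(c.mac)
    for mac, _port, _user in reauth_failures(syslog_text):
        if mac not in macs:
            macs.append(mac)
    return [f"clear netlogin state mac-address {m}" for m in macs]


if __name__ == "__main__":
    for cmd in workaround_commands(DETAIL_OUTPUT, SYSLOG):
        print(cmd)
```

The ReAuth count is also parsed, so a caller can additionally flag entries whose count exceeds the configured "Max Re-authentications" (4 versus 3 in the article's output); the stuck check above deliberately keys only on the CONNECTING state, which is the condition engineering identified.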

The reported issue is fixed in the following EXOS releases:

  • EXOS 16.1.4.2
  • EXOS 16.2.2 (patch not yet released)
  • EXOS 21.1.2.14 patch1-2
  • EXOS 22.1.1 
For further information, please contact GTAC for assistance.