EX3400 - 20.4R3 - Dot1x reauth for guests


    Posted 05-16-2022 07:40

    Hello,

    Users are returning to the office and everything works just fine, except that I noticed an issue with dot1x for our EX3400 switches and guest users.

    Whenever guests are connected to our wired network they get denied and put on the guest VLAN, however it seems that the connection drops every 10 minutes and they start connecting again, and this continues on and on.

    When on guest Wi-Fi the issue is not occurring, but then again it's a separate guest SSID.

    I've looked through my configuration and can't find the issue.

    Please see following example:

    show configuration protocols dot1x
    traceoptions {
        file dot1x-log size 5m;
        flag all;
    }
    authenticator {
        authentication-profile-name AccessProfile-60;
        interface {
            Klient {
                supplicant multiple;
                retries 4;
                quiet-period 3;
                transmit-period 30;
                reauthentication 3600;
                supplicant-timeout 30;
                server-timeout 30;
                maximum-requests 2;
                guest-vlan tele;
                server-fail permit;
            }
        }
    }
    


    And when viewing the interface:

    show dot1x interface ge-9/0/12 detail
    ge-9/0/12.0
      Role: Authenticator
      Administrative state: Auto
      Supplicant mode: Multiple
      Number of retries: 4
      Quiet period: 3 seconds
      Transmit period: 30 seconds
      Mac Radius: Disabled
      Mac Radius Restrict: Disabled
      Reauthentication: Enabled
      Reauthentication interval: 3600 seconds
      Supplicant timeout: 30 seconds
      Server timeout: 30 seconds
      Maximum EAPOL requests: 2
      Guest VLAN member: tele
      Number of connected supplicants: 1
        Supplicant: No User, 10:62:E5:A6:53:C9
          Operational state: Authenticated
          Backend Authentication state: Idle
          Authentication method: GuestVlan
          Authenticated VLAN: tele
          Session Reauth interval: 3600 seconds
          Reauthentication due in 0 seconds
          Eapol-Block: Not In Effect
    
    


    And some trace logs regarding the interface (20 minutes of logs capturing the specified interface and 2 periods of auth)

    RTSOCK Info ge-9/0/12.adr_family vpls devindex 774
    May 16 11:41:38.083282 handle_iff OP = 2 ifl:(ge-9/0/12.0) idx:(690)
    May 16 11:51:07.946739 EAPOL packet received on interface ge-9/0/12.0
    May 16 11:51:07.947102 Invoking state machine for frame received on interface ge-9/0/12
    May 16 11:51:07.948314 PnacAuthAsmMakeConnecting:1984 Deleting Dynamic filter dot1x_ge-9/0/12_DOT1X_dotmac_1062e5a653c9
    May 16 11:51:07.949821 ASM CONNECTING : Intf ge-9/0/12.0: ReqId Count 0 Reauth Count 0
    May 16 11:51:07.950229 Queuing EAPOL frame to be transmitted out on interface ge-9/0/12
    May 16 11:51:07.950411 Processing complete for frame received on interface ge-9/0/12
    May 16 11:51:07.950707 EAPOL frame transmitted out on interface (ge-9/0/12.0)
    May 16 11:51:07.967214 EAPOL packet received on interface ge-9/0/12.0
    May 16 11:51:07.967621 Invoking state machine for frame received on interface ge-9/0/12
    May 16 11:51:07.969131 Queuing message to auth client to validate mac address 10:62:e5:a6:53:c9, user host/N00074.kelprojektas.intra on interface ge-9/0/12.0
    May 16 11:51:07.969307 Processing complete for frame received on interface ge-9/0/12
    May 16 11:51:08.085055 pnac_ifbd_delete: ifbd deleted sucessfully for name:ge-9/0/12.0 bd:4 vlan:103 flags=0x0000
    May 16 11:51:08.087328 IFF Message: IFD ge-9/0/12 info:IFL 0 devindex 774
    RTSOCK Info ge-9/0/12.adr_family vpls devindex 774
    May 16 11:51:08.087511 handle_iff OP = 2 ifl:(ge-9/0/12.0) idx:(690)
    May 16 11:51:08.311400 Invoking state machine for authentication response for mac 10:62:e5:a6:53:c9 on intf ge-9/0/12.0
    May 16 11:51:08.312343 Queuing EAPOL frame to be transmitted out on interface ge-9/0/12
    May 16 11:51:08.314111 ASM CONNECTING : Intf ge-9/0/12.0: ReqId Count 1 Reauth Count 0
    May 16 11:51:08.314461 Queuing EAPOL frame to be transmitted out on interface ge-9/0/12
    May 16 11:51:08.315162 EAPOL frame transmitted out on interface (ge-9/0/12.0)
    May 16 11:51:08.315378 EAPOL frame transmitted out on interface (ge-9/0/12.0)
    May 16 11:51:08.350933 EAPOL packet received on interface ge-9/0/12.0
    May 16 11:51:08.351328 Invoking state machine for frame received on interface ge-9/0/12
    May 16 11:51:08.352846 Queuing message to auth client to validate mac address 10:62:e5:a6:53:c9, user host/N00074.kelprojektas.intra on interface ge-9/0/12.0
    May 16 11:51:08.353074 Processing complete for frame received on interface ge-9/0/12
    May 16 11:51:08.541308 Invoking state machine for authentication response for mac 10:62:e5:a6:53:c9 on intf ge-9/0/12.0
    May 16 11:51:08.542475 Queuing EAPOL frame to be transmitted out on interface ge-9/0/12
    May 16 11:51:08.542975 ASM CONNECTING : Intf ge-9/0/12.0: ReqId Count 2 Reauth Count 0
    May 16 11:51:08.543298 Queuing EAPOL frame to be transmitted out on interface ge-9/0/12
    May 16 11:51:08.543956 EAPOL frame transmitted out on interface (ge-9/0/12.0)
    May 16 11:51:08.544135 EAPOL frame transmitted out on interface (ge-9/0/12.0)
    May 16 11:51:08.572556 EAPOL packet received on interface ge-9/0/12.0
    May 16 11:51:08.572923 Invoking state machine for frame received on interface ge-9/0/12
    May 16 11:51:08.574440 Queuing message to auth client to validate mac address 10:62:e5:a6:53:c9, user host/N00074.kelprojektas.intra on interface ge-9/0/12.0
    May 16 11:51:08.574684 Processing complete for frame received on interface ge-9/0/12
    May 16 11:51:08.749064 Invoking state machine for authentication response for mac 10:62:e5:a6:53:c9 on intf ge-9/0/12.0
    May 16 11:51:08.750669 Queuing EAPOL frame to be transmitted out on interface ge-9/0/12
    May 16 11:51:08.751884 EAPOL frame transmitted out on interface (ge-9/0/12.0)
    May 16 11:51:08.770925 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:51:14.729652 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:51:14.731016 ASM CONNECTING : Intf ge-9/0/12.0: ReqId Count 0 Reauth Count 0
    May 16 11:51:14.731322 Queuing EAPOL frame to be transmitted out on interface ge-9/0/12
    May 16 11:51:14.731853 EAPOL frame transmitted out on interface (ge-9/0/12.0)
    May 16 11:51:19.914244 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:51:19.914440 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:51:24.738314 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:51:25.136050 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:51:27.633712 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:51:27.633962 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:51:30.295756 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:51:30.296036 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:51:35.146230 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:51:35.643134 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:51:41.118384 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:51:41.118591 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:51:44.732351 ASM TxWhenTimer CONN: If ge-9/0/12.0: TxReqId Count 1 Max Req 2
    May 16 11:51:44.732409 ASM CONNECTING : Intf ge-9/0/12.0: ReqId Count 1 Reauth Count 0
    May 16 11:51:44.732788 Queuing EAPOL frame to be transmitted out on interface ge-9/0/12
    May 16 11:51:44.733320 EAPOL frame transmitted out on interface (ge-9/0/12.0)
    May 16 11:51:45.649877 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:51:46.144505 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:51:51.705861 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:51:51.706117 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:51:56.155286 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:51:58.028615 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:52:00.499727 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:52:00.499963 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:52:08.039836 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:52:08.395053 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:52:14.260259 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:52:14.260452 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:52:14.743463 ASM TxWhenTimer CONN: If ge-9/0/12.0: TxReqId Count 2 Max Req 2
    May 16 11:52:14.743514 ASM CONNECTING : Intf ge-9/0/12.0: ReqId Count 2 Reauth Count 0
    May 16 11:52:14.743839 Queuing EAPOL frame to be transmitted out on interface ge-9/0/12
    May 16 11:52:14.744365 EAPOL frame transmitted out on interface (ge-9/0/12.0)
    May 16 11:52:18.399687 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:52:20.711392 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:52:25.739859 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:52:25.740106 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:52:30.640862 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:52:30.641069 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:52:30.712274 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:52:31.131978 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:52:36.311108 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:52:36.311332 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:52:41.135075 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:52:41.606638 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:52:44.751601 ASM TxWhenTimer CONN: If ge-9/0/12.0: TxReqId Count 3 Max Req 2
    May 16 11:52:44.751650 Captive portal is not enabled for interface:ge-9/0/12.0
    May 16 11:52:44.752659 pnac_get_filter_term:1206 Term: dot1x_ge-9/0/12_DOT1X_dotmac_1062e5a653c9 Filter op:0, Term op:0 Prev term name:
    May 16 11:52:44.753240 CP_DEBUG:install_cp_filters:409: term being added: dot1x_ge-9/0/12_DOT1X_dotmac_1062e5a653c9.
    May 16 11:52:44.754167 Adding and attaching filter:dot1x_ge-9/0/12 to interface:ge-9/0/12.
    May 16 11:52:44.754573 GUESTVLAN: Non-responsive host \x10b▒S▒ \x01▒*f on port ge-9/0/12.0moved to Guest VLAN tele
    May 16 11:52:44.783903 pnac_ifbd_create ifl ge-9/0/12.0 bd 4 vlan 103
    May 16 11:52:44.785515 pnac_ifbd_update_flags: ifbd sucess for name:ge-9/0/12.0 bd:4 vlan:103 flags=0x0000
    May 16 11:52:44.785771 pnac_pvlan_bd_lookup(PVLAN)  primary bd 4 for ifl ge-9/0/12.0 NOT Present
    May 16 11:52:44.893672 IFF Message: IFD ge-9/0/12 info:IFL 0 devindex 774
    RTSOCK Info ge-9/0/12.adr_family vpls devindex 774
    May 16 11:52:44.893873 handle_iff OP = 2 ifl:(ge-9/0/12.0) idx:(690)
    May 16 12:01:08.805404 EAPOL packet received on interface ge-9/0/12.0
    May 16 12:01:08.805876 Invoking state machine for frame received on interface ge-9/0/12
    May 16 12:01:08.807167 PnacAuthAsmMakeConnecting:1984 Deleting Dynamic filter dot1x_ge-9/0/12_DOT1X_dotmac_1062e5a653c9
    May 16 12:01:08.807800 ASM CONNECTING : Intf ge-9/0/12.0: ReqId Count 0 Reauth Count 0
    May 16 12:01:08.808745 Queuing EAPOL frame to be transmitted out on interface ge-9/0/12
    May 16 12:01:08.809062 Processing complete for frame received on interface ge-9/0/12
    May 16 12:01:08.809359 EAPOL frame transmitted out on interface (ge-9/0/12.0)
    May 16 12:01:08.822404 EAPOL packet received on interface ge-9/0/12.0
    May 16 12:01:08.822818 Invoking state machine for frame received on interface ge-9/0/12
    May 16 12:01:08.824360 Queuing message to auth client to validate mac address 10:62:e5:a6:53:c9, user host/N00074.kelprojektas.intra on interface ge-9/0/12.0
    May 16 12:01:08.824538 Processing complete for frame received on interface ge-9/0/12
    May 16 12:01:08.982677 IFF Message: IFD ge-9/0/12 info:IFL 0 devindex 774
    RTSOCK Info ge-9/0/12.adr_family vpls devindex 774
    May 16 12:01:08.982938 handle_iff OP = 2 ifl:(ge-9/0/12.0) idx:(690)
    May 16 12:01:08.983226 pnac_ifbd_delete: ifbd deleted sucessfully for name:ge-9/0/12.0 bd:4 vlan:103 flags=0x0000
    May 16 12:01:09.236381 Invoking state machine for authentication response for mac 10:62:e5:a6:53:c9 on intf ge-9/0/12.0
    May 16 12:01:09.237247 Queuing EAPOL frame to be transmitted out on interface ge-9/0/12
    May 16 12:01:09.239080 ASM CONNECTING : Intf ge-9/0/12.0: ReqId Count 1 Reauth Count 0
    May 16 12:01:09.239504 Queuing EAPOL frame to be transmitted out on interface ge-9/0/12
    May 16 12:01:09.240126 EAPOL frame transmitted out on interface (ge-9/0/12.0)
    May 16 12:01:09.240317 EAPOL frame transmitted out on interface (ge-9/0/12.0)
    May 16 12:01:09.252343 EAPOL packet received on interface ge-9/0/12.0
    May 16 12:01:09.252677 Invoking state machine for frame received on interface ge-9/0/12
    May 16 12:01:09.254467 Queuing message to auth client to validate mac address 10:62:e5:a6:53:c9, user host/N00074.kelprojektas.intra on interface ge-9/0/12.0
    May 16 12:01:09.254683 Processing complete for frame received on interface ge-9/0/12
    May 16 12:01:09.430177 Invoking state machine for authentication response for mac 10:62:e5:a6:53:c9 on intf ge-9/0/12.0
    May 16 12:01:09.431104 Queuing EAPOL frame to be transmitted out on interface ge-9/0/12
    May 16 12:01:09.431682 ASM CONNECTING : Intf ge-9/0/12.0: ReqId Count 2 Reauth Count 0
    May 16 12:01:09.432046 Queuing EAPOL frame to be transmitted out on interface ge-9/0/12
    May 16 12:01:09.432641 EAPOL frame transmitted out on interface (ge-9/0/12.0)
    May 16 12:01:09.432890 EAPOL frame transmitted out on interface (ge-9/0/12.0)
    May 16 12:01:09.444918 EAPOL packet received on interface ge-9/0/12.0
    May 16 12:01:09.445234 Invoking state machine for frame received on interface ge-9/0/12
    May 16 12:01:09.446696 Queuing message to auth client to validate mac address 10:62:e5:a6:53:c9, user host/N00074.kelprojektas.intra on interface ge-9/0/12.0
    May 16 12:01:09.446860 Processing complete for frame received on interface ge-9/0/12
    May 16 12:01:09.623156 Invoking state machine for authentication response for mac 10:62:e5:a6:53:c9 on intf ge-9/0/12.0
    May 16 12:01:09.624018 Queuing EAPOL frame to be transmitted out on interface ge-9/0/12
    May 16 12:01:09.624474 ASM CONNECTING : Intf ge-9/0/12.0: ReqId Count 3 Reauth Count 0
    May 16 12:01:09.624798 Queuing EAPOL frame to be transmitted out on interface ge-9/0/12
    May 16 12:01:09.625448 EAPOL frame transmitted out on interface (ge-9/0/12.0)
    May 16 12:01:09.625659 EAPOL frame transmitted out on interface (ge-9/0/12.0)
    May 16 12:01:09.731040 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 12:01:15.642900 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 12:01:15.643093 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 12:01:19.731707 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 12:01:20.697716 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 12:01:26.046450 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 12:01:26.046655 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 12:01:30.706630 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 12:01:31.190607 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 12:01:33.973228 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 12:01:33.973421 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 12:01:37.132645 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 12:01:37.132846 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 12:01:39.634873 ASM TxWhenTimer CONN: If ge-9/0/12.0: TxReqId Count 4 Max Req 2
    May 16 12:01:39.634940 Captive portal is not enabled for interface:ge-9/0/12.0
    May 16 12:01:39.636157 pnac_get_filter_term:1206 Term: dot1x_ge-9/0/12_DOT1X_dotmac_1062e5a653c9 Filter op:0, Term op:0 Prev term name:
    May 16 12:01:39.636764 CP_DEBUG:install_cp_filters:409: term being added: dot1x_ge-9/0/12_DOT1X_dotmac_1062e5a653c9.
    May 16 12:01:39.637397 Adding and attaching filter:dot1x_ge-9/0/12 to interface:ge-9/0/12.
    May 16 12:01:39.637756 GUESTVLAN: Non-responsive host \x10b▒S▒ \x01▒*f on port ge-9/0/12.0moved to Guest VLAN tele
    May 16 12:01:39.685131 pnac_ifbd_create ifl ge-9/0/12.0 bd 4 vlan 103
    May 16 12:01:39.685222 pnac_ifbd_update_flags: ifbd sucess for name:ge-9/0/12.0 bd:4 vlan:103 flags=0x0000
    May 16 12:01:39.685389 pnac_pvlan_bd_lookup(PVLAN)  primary bd 4 for ifl ge-9/0/12.0 NOT Present
    May 16 12:01:39.787017 IFF Message: IFD ge-9/0/12 info:IFL 0 devindex 774
    RTSOCK Info ge-9/0/12.adr_family vpls devindex 774
    May 16 12:01:39.787317 handle_iff OP = 2 ifl:(ge-9/0/12.0) idx:(690)
    

    Lastly, I'll include a PCAP picture from the NPS server:



    ------------------------------
    Andreas
    ------------------------------
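
Added example, not part of the original post: a small Python parser for the dot1x trace format shown above. It pairs each removal of the guest filter with the next move back to the guest VLAN and reports how long the port was off the guest VLAN and how far apart the cycles start. The sample lines are abridged from the post's trace; the function names and record fields are this example's own.

```python
import re
from datetime import datetime

# Abridged from the trace in the post (same timestamps and messages; the
# garbled host bytes in the GUESTVLAN lines are omitted).
SAMPLE = """\
RTSOCK Info ge-9/0/12.adr_family vpls devindex 774
May 16 11:51:07.946739 EAPOL packet received on interface ge-9/0/12.0
May 16 11:51:07.948314 PnacAuthAsmMakeConnecting:1984 Deleting Dynamic filter dot1x_ge-9/0/12_DOT1X_dotmac_1062e5a653c9
May 16 11:51:07.969131 Queuing message to auth client to validate mac address 10:62:e5:a6:53:c9, user host/N00074.kelprojektas.intra on interface ge-9/0/12.0
May 16 11:52:44.754573 GUESTVLAN: Non-responsive host on port ge-9/0/12.0moved to Guest VLAN tele
May 16 12:01:08.805404 EAPOL packet received on interface ge-9/0/12.0
May 16 12:01:08.807167 PnacAuthAsmMakeConnecting:1984 Deleting Dynamic filter dot1x_ge-9/0/12_DOT1X_dotmac_1062e5a653c9
May 16 12:01:08.824360 Queuing message to auth client to validate mac address 10:62:e5:a6:53:c9, user host/N00074.kelprojektas.intra on interface ge-9/0/12.0
May 16 12:01:39.637756 GUESTVLAN: Non-responsive host on port ge-9/0/12.0moved to Guest VLAN tele
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) (.*)$")
RX = re.compile(r"EAPOL packet received on interface \S+")
DROP = re.compile(r"Deleting Dynamic filter dot1x_")
IDENT = re.compile(r"validate mac address (\S+), user (\S+) on interface")
GUEST = re.compile(r"GUESTVLAN: .*on port (\S+?)\s*moved to Guest VLAN (\S+)")

def parse(text, year=2022):
    """Yield (timestamp, message); lines without a timestamp are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S.%f")
            yield ts, m.group(2)

def guest_cycles(text):
    """One record per 'guest filter removed -> moved back to guest VLAN' cycle."""
    cycles, cur, last_rx = [], None, None
    for ts, msg in parse(text):
        if RX.search(msg):
            last_rx = ts
        elif DROP.search(msg) and cur is None:
            # The received EAPOL frame just before the filter removal started it.
            cur = {"start": last_rx or ts, "mac": None, "identity": None}
        elif cur and (m := IDENT.search(msg)):
            cur["mac"], cur["identity"] = m.groups()
        elif cur and (m := GUEST.search(msg)):
            cur.update(port=m.group(1), vlan=m.group(2),
                       outage_s=(ts - cur["start"]).total_seconds())
            cycles.append(cur)
            cur = None
    return cycles

def periods(cycles):
    """Seconds between the starts of consecutive cycles."""
    return [(b["start"] - a["start"]).total_seconds()
            for a, b in zip(cycles, cycles[1:])]

if __name__ == "__main__":
    found = guest_cycles(SAMPLE)
    for c in found:
        print(c["start"], c["port"], c["identity"], f"off guest VLAN {c['outage_s']:.1f}s")
    print("cycle period (s):", periods(found))
```

On the posted trace this gives two cycles starting about 601 seconds apart, each opened by an EAPOL frame received on the port rather than by the 3600-second reauthentication timer.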