S3700 dot1x authenticate repeatedly

Latest reply: Sep 30, 2018 16:46:09
Issue Description

An S3700 is configured for 802.1x authentication with a Microsoft NPS server. Authentication is repeated every 30 s even after it has already passed.

Alarm Information

Debugging information is as below:
JSJS01 RDS/7/debug2:
  Radius Received a Packet
  Server Template: 0
  Server IP   : 10.6.96.20
  Server Port : 1812
  Protocol: Standard
  Code    : 11
  Len     : 239
  ID      : 70
  [Session-Timeout                    ] [6 ] [30]
  [EAP-Message                        ] [157] [01 66 00 9b 19 80 00 00 00 91 16 03 01 00 51 02 00 00 4d 03 01 59 25 4d 36 8b 3f 95 74 fc 94 35 50 73 59 37 fc 40 ef 58 df e6 24 63 f3 bc 0d 8e 4b 3f 8a 08 79 20 7b 22 00 00 ac 42 29 f6 4f 07 c6 1e d2 a7 fd d7 f9 57 7c 38 81 21 28 b5 e8 ec e9 3f ae a6 86 77 c0 14 00 00 05 ff 01 00 01 00 14 03 01 00 01 01 16 03 01 00 30 27 78 20 69 38 4c 74 d4 04 19 2c 79 b5 20 0e 52 2c ce e9 3d 3e ef e2 bb cb 8b 1c e0 c1 0e 8b 62 66 80 8d 68 57 ca e4 b4 03 ab 1b 3e a3 63 fb a2 ]
  [State                              ] [38]
  [Message-Authenticator              ] [18] [00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ]

Handling Process

1. Check the S3700 configuration; it is correct.

2. Analyze the debugging info: the user has passed authentication, but reauthentication is triggered every 30 s.

3. Capturing packets shows that the NPS server carries a Session-Timeout value of 30 s in the Challenge request packet, so the terminal reauthenticates every 30 seconds, and frequent re-authentication causes authentication to fail.



Root Cause

The NPS server carries a Session-Timeout value of 30 s in the Challenge request packet, so the terminal reauthenticates every 30 seconds.

Solution

You can configure the device as below to ignore the Session-Timeout.
[HUAWEI] radius-server template skylark
[HUAWEI-radius-skylark] radius-server attribute translate
[HUAWEI-radius-skylark] radius-attribute disable Session-Timeout receive

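The check from step 3 as an added example (not part of the original post): a small Python parser that walks the attributes of a captured RADIUS packet and reports a short Session-Timeout together with the packet code. The sample packet is constructed to mirror the debug output above (Code 11, ID 70, Session-Timeout 30); the function names and the 300-second threshold are assumptions.

```python
import struct

ACCESS_ACCEPT, ACCESS_CHALLENGE = 2, 11
SESSION_TIMEOUT, STATE, EAP_MESSAGE, MESSAGE_AUTH = 27, 24, 79, 80
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_CHALLENGE: "Access-Challenge"}

def parse_radius(packet: bytes):
    """Return (code, identifier, [(attr_type, value_bytes), ...])."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20                      # attributes follow the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, attrs

def short_session_timeouts(packet: bytes, threshold: int = 300):
    """List (code name, id, seconds) for Session-Timeout values below threshold.

    threshold is an assumed site policy value, not something from the post."""
    code, ident, attrs = parse_radius(packet)
    findings = []
    for a_type, value in attrs:
        if a_type == SESSION_TIMEOUT and len(value) == 4:
            seconds = struct.unpack("!I", value)[0]
            if seconds < threshold:
                findings.append((CODE_NAMES.get(code, str(code)), ident, seconds))
    return findings

def build_sample():
    """Constructed Access-Challenge; the EAP and State values are stubs."""
    attrs = bytes([SESSION_TIMEOUT, 6]) + struct.pack("!I", 30)
    attrs += bytes([EAP_MESSAGE, 7, 0x01, 0x66, 0x00, 0x05, 0x19])
    attrs += bytes([STATE, 6]) + b"demo"
    attrs += bytes([MESSAGE_AUTH, 18]) + bytes(16)
    header = struct.pack("!BBH", ACCESS_CHALLENGE, 70, 20 + len(attrs)) + bytes(16)
    return header + attrs

if __name__ == "__main__":
    for name, ident, seconds in short_session_timeouts(build_sample()):
        print(f"{name} id={ident} carries Session-Timeout={seconds}s")
```

Feed it the UDP payload of each packet received from the server (port 1812 in the debug output) to see which packet type carries the short timer.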

Sergio93 Created Sep 8, 2018 15:07:00

Thanks for sharing, really helpful.

Skay Created Sep 29, 2018 15:25:52

I am very interested in this post, thanks for sharing. Through your case, you can quickly solve the same case and view the packet capture, which carries the session-timeout that causes the client to re-authenticate.

Mark.hu Created Sep 30, 2018 16:04:25

I have also encountered this question. I have checked a lot of information, but I still have not answered this question clearly. Thank you for sharing this knowledge and solving my doubts. I hope that you can continue to update such knowledge points. Thank you!

Barret Created Sep 30, 2018 16:46:09

This is a good example of solving this kind of issue, but I think the NPS server setting the timeout to 30 seconds is not a reasonable value. Why is the solution not to change the timeout value on the NPS server? What do you think of my point?