Why does a client go offline 10 seconds after it passes 802.1x authentication on the switch?


If handshake with online 802.1x users is enabled on the switch, the switch sends handshake packets to a client after the client is authenticated. If the client sends no handshake packet to the switch, the switch forces the client offline.

The client goes offline 10 seconds after it is authenticated. This may be caused by a handshake failure. In this case, run the undo dot1x handshake command in the system view to disable the handshake function.

Other related questions:
Clients pass 802.1x authentication on an S series switch, and are disconnected after 10 seconds
For S series switches except S1700 switches, if handshake with online 802.1x users is enabled on a switch, the switch sends handshake packets to a client after the client is authenticated. If the client does not respond to the handshake packets, the switch forces the client offline. The client goes offline 10 seconds after it is authenticated. This may be caused by a handshake failure. In this case, run the undo dot1x handshake command in the system view to disable the handshake function.

A user goes offline shortly after passing 802.1x authentication on an S series switch
For S series switches (except the S1700), possible reasons why a user goes offline in a short period or frequently goes offline after the user passes 802.1x authentication are as follows:
1. If handshake with online users is enabled on a switch (to detect whether the users are online), the switch periodically sends handshake request packets to users. A user client that does not support the handshake function does not respond to the packets. The switch considers that the user is not online and disconnects the user from the network. To solve this problem, run the undo dot1x handshake command to disable the device from sending handshake packets to online 802.1x authentication users.
2. If the handshake interval is short, you can run the dot1x timer command to configure a proper handshake interval and timeout interval.
3. An accounting server is configured for 802.1x authentication users connected to a switch. When a user goes online, the switch sends an accounting-start request packet to the accounting server. If the switch does not receive an accounting-start response packet from the server due to network faults, accounting fails to start and the switch forces the user offline. To solve this problem, run the accounting start-fail online command to keep users online if accounting fails.
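
The three causes above can be told apart from the order of events in a user's session. The following Python script is an added example, not Huawei code: the event names and sample records are constructed for illustration, and treating a missed handshake reply after earlier successful replies as a timer problem is an assumption of this example.

```python
from collections import defaultdict

# Constructed sample events: (time in seconds, user, event). The event names
# are hypothetical labels for this example, not real switch log identifiers.
EVENTS = [
    (0, "user-a", "AUTH_SUCCESS"), (5, "user-a", "HANDSHAKE_REQ"),
    (10, "user-a", "OFFLINE"),
    (0, "user-b", "AUTH_SUCCESS"), (5, "user-b", "HANDSHAKE_REQ"),
    (6, "user-b", "HANDSHAKE_RESP"), (20, "user-b", "HANDSHAKE_REQ"),
    (22, "user-b", "OFFLINE"),
    (0, "user-c", "AUTH_SUCCESS"), (1, "user-c", "ACCT_START_REQ"),
    (8, "user-c", "OFFLINE"),
    (0, "user-d", "AUTH_SUCCESS"), (1, "user-d", "ACCT_START_REQ"),
    (2, "user-d", "ACCT_START_RESP"), (5, "user-d", "HANDSHAKE_REQ"),
    (6, "user-d", "HANDSHAKE_RESP"),
]


def triage(events):
    """Map each user that went offline to (likely cause, command from the page)."""
    per_user = defaultdict(list)
    for _, user, name in sorted(events):
        per_user[user].append(name)

    findings = {}
    for user, names in per_user.items():
        if "OFFLINE" not in names:
            continue  # user is still online, nothing to explain
        # Only what happened before the first OFFLINE event is relevant.
        names = names[:names.index("OFFLINE")]
        reqs = names.count("HANDSHAKE_REQ")
        resps = names.count("HANDSHAKE_RESP")
        if "ACCT_START_REQ" in names and "ACCT_START_RESP" not in names:
            # Cause 3: no accounting-start response reached the switch.
            findings[user] = ("accounting-start failed",
                              "accounting start-fail online")
        elif reqs and resps == 0:
            # Cause 1: the client never answers handshake requests.
            findings[user] = ("client never answers handshake",
                              "undo dot1x handshake")
        elif reqs > resps:
            # Cause 2 (assumed heuristic): replies worked earlier, one was missed.
            findings[user] = ("handshake reply missed", "dot1x timer")
        else:
            findings[user] = ("unknown", None)
    return findings
```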

Configure the time period when idle users go offline
For WLAN devices, if a user produces little or no network traffic for a long time after going online, the user still occupies certain bandwidth, which reduces the access rate of other users. In this case, the idle-cut function can be configured to disconnect users whose traffic volume stays below the traffic threshold within the idle time. This function reduces resource waste and improves the Internet access experience of other users. The configuration is as follows:
1.  Enter the AAA authentication scheme view, and configure the idle-cut function and related parameters. 
<AC6605> system-view
[AC6605] aaa
[AC6605-aaa] service-scheme huawei
[AC6605-aaa-service-huawei] idle-cut 1 10  //Set the idle-cut interval to 1 minute and the traffic threshold to 10 kbit/s.
[AC6605-aaa-service-huawei] quit
2. Enter the AAA domain view, and enable traffic statistics collection.
[AC6605-aaa] domain huawei
[AC6605-aaa-domain-huawei] statistic enable
