Wired Intelligent Edge


J9772A intermittent 802.1x NPS port block issues


    Posted Sep 23, 2022 10:07 AM

    We are having intermittent issues where ports get blocked by 802.1x. This appears on different sites, and sites report back to a centralised NPS.

    Focussed troubleshooting on one J9772A running YA.16.10.21 and saw the following:

    1) A device experiencing the issue (blocked by AAA), can move to a new port and be ok
    2) If a different device is used on the "bad-blocked" port it is also ok
    3) If the same (original blocked) device is moved back to the port that it was originally blocked on, it is still blocked
    4) Removing 802.1x on a port fixes the issue
    5) aaa port-access authenticator XX initialize (XX is just the port number) fixes the issue
    6) All RADIUS attempts go through the first off-site RADIUS server listed in the running config. The second RADIUS server is not called.
    7) show port-access clients detailed XX shows the device as authenticated (and gives an IP address) even though show log -r will see the device blocked by AAA.

    e.g.

    sh log -r | include port 30
    I 08/09/22 10:12:45 00435 ports: port 30 is Blocked by AAA
    I 08/09/22 10:12:33 00077 ports: port 30 is now off-line
    I 08/09/22 09:52:58 00435 ports: port 30 is Blocked by AAA
    I 08/09/22 09:52:45 00077 ports: port 30 is now off-line
    I 08/09/22 09:31:29 00435 ports: port 30 is Blocked by AAA

    NPS server logs were checked and we could see that the blocked device authenticated successfully.

    Tried downgrading to YA.16.10.15; the issue remains. Totally random across sites, but the only resolution we have seen is "aaa port-access authenticator XX initialize".
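As an added example that is not part of the original post, the following Python parses the event-log lines quoted above (as printed by "show log -r"), counts event 00435 "Blocked by AAA" per port, and lists the ports that the poster's workaround would be applied to. The 60-minute window and the two-block threshold are assumptions chosen for the example; the sample log is constructed from the lines in the post plus one extra port 12 line.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches ArubaOS-Switch event log lines as quoted in the post, e.g.
# "I 08/09/22 10:12:45 00435 ports: port 30 is Blocked by AAA"
LOG_RE = re.compile(
    r"^(?P<sev>[A-Z]) (?P<date>\d{2}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<event>\d{5}) ports: port (?P<port>\d+) is (?P<msg>.+)$"
)

EVT_BLOCKED_BY_AAA = "00435"   # "port N is Blocked by AAA" (from the post)
EVT_PORT_OFFLINE = "00077"     # "port N is now off-line" (from the post)

def parse_log(lines):
    """Parse log lines into dicts and return them oldest first (show log -r prints newest first)."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue   # skip lines that are not 'ports:' events
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %H:%M:%S")
        events.append({"ts": ts, "event": m["event"], "port": int(m["port"]), "msg": m["msg"]})
    return sorted(events, key=lambda e: e["ts"])

def ports_to_reinitialize(lines, min_blocks=2, window=timedelta(minutes=60)):
    """Return {port: count} for ports blocked by AAA at least min_blocks times inside one window."""
    blocks = defaultdict(list)
    for e in parse_log(lines):
        if e["event"] == EVT_BLOCKED_BY_AAA:
            blocks[e["port"]].append(e["ts"])
    flagged = {}
    for port, stamps in blocks.items():
        # Largest cluster of block events that fits inside `window` (stamps are sorted).
        best = max(sum(1 for t in stamps[i:] if t - start <= window)
                   for i, start in enumerate(stamps))
        if best >= min_blocks:
            flagged[port] = best
    return flagged

def remediation_commands(flagged):
    """The per-port CLI workaround named in the post, one line per flagged port."""
    return [f"aaa port-access authenticator {p} initialize" for p in sorted(flagged)]

# Constructed sample: the five lines quoted in the post plus an unrelated single event on port 12.
SAMPLE_LOG = """\
I 08/09/22 10:12:45 00435 ports: port 30 is Blocked by AAA
I 08/09/22 10:12:33 00077 ports: port 30 is now off-line
I 08/09/22 09:52:58 00435 ports: port 30 is Blocked by AAA
I 08/09/22 09:52:45 00077 ports: port 30 is now off-line
I 08/09/22 09:31:29 00435 ports: port 30 is Blocked by AAA
I 08/09/22 09:10:02 00435 ports: port 12 is Blocked by AAA
""".splitlines()
```

Running `ports_to_reinitialize(SAMPLE_LOG)` on the constructed sample yields `{30: 3}`, so only port 30 is listed for the initialize workaround.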