We are having intermittent issues where ports get blocked by 802.1x. This appears on different sites, and the sites report back to a centralised NPS.
Focussed troubleshooting on one J9772A running YA.16.10.21 and saw the following:

1) A device experiencing the issue (blocked by AAA) can move to a new port and be ok
2) If a different device is used on the "bad-blocked" port it is also ok
3) If the same (original blocked) device is moved back to the port that it was originally blocked on, it is still blocked
4) Removing 802.1x on a port fixes the issue
5) aaa port-access authenticator XX initialize (XX is just the port number) fixes the issue
6) All RADIUS attempts go through the first off-site RADIUS server listed in the running config. The second RADIUS server is not called
7) Show port-access clients detailed XX shows the device as authenticated (and gives an IP address) even though show log -r will see the device blocked by AAA.

sh log -r | include port 30
I 08/09/22 10:12:45 00435 ports: port 30 is Blocked by AAA
I 08/09/22 10:12:33 00077 ports: port 30 is now off-line
I 08/09/22 09:52:58 00435 ports: port 30 is Blocked by AAA
I 08/09/22 09:52:45 00077 ports: port 30 is now off-line
I 08/09/22 09:31:29 00435 ports: port 30 is Blocked by AAA
NPS server logs were checked and we could see that the blocked device authenticated successfully.
Tried downgrading to YA.16.10.15; issue remains. Totally random across sites, but the only resolution we have seen is "aaa port-access authenticator XX initialize".