Hi Alan.
Yes, I tried with and without dot1x handshake. Same result.
Original Message:
Sent: Dec 02, 2024 07:59 AM
From: Alan Mercer 2
Subject: Clearpass 6.11.10 or 6.11.9 and HPE 5140 Comware Dot1X authentication looping
Have you tried enabling dot1x handshake? The default setting is on.
Original Message:
Sent: Dec 01, 2024 02:15 PM
From: Unknown User
Subject: Clearpass 6.11.10 or 6.11.9 and HPE 5140 Comware Dot1X authentication looping
Supplicant issue? Did your certificates change between these versions/deployments?
Original Message:
Sent: Nov 29, 2024 05:01 AM
From: GorazdKikelj
Subject: Clearpass 6.11.10 or 6.11.9 and HPE 5140 Comware Dot1X authentication looping
Hi.
I observed strange behavior on my 5140EI Comware switch with the latest FW 7.10.R6351P02.
I am using very simple dot1x authentication with a certificate.
When I connect a client to the port, authentication on Clearpass is successful, but the switch debug log reports a failure and authentication is repeated in a never-ending loop. If the RADIUS server denies access, then it works as expected and no loop is observed.
The same configuration is working flawlessly on Clearpass 6.10 and 6.12. It only fails on 6.11.9 and 6.11.10. Before I jump on TAC, did anybody encounter something like that?
#
dot1x
dot1x authentication-method eap
dot1x quiet-period
dot1x retry 3
dot1x timer quiet-period 30
dot1x timer handshake-period 30
dot1x timer supp-timeout 10
dot1x timer tx-period 10
#
interface GigabitEthernet1/0/7
dot1x
undo dot1x handshake
dot1x mandatory-domain clearpass1-tacacs
undo dot1x multicast-trigger
dot1x unicast-trigger
dot1x guest-vlan 200
dot1x auth-fail vlan 300
dot1x critical vlan 1
#
radius scheme clearpass1
primary authentication x.x.x.x key cipher
primary accounting x.x.x.x key cipher
accounting-on enable
user-name-format without-domain
domain clearpass1-tacacs
authentication lan-access radius-scheme clearpass1 local
authorization lan-access radius-scheme clearpass1 local
accounting lan-access radius-scheme clearpass1 local
Here is the switch debug log for one attempt.
*Nov 26 08:17:14:437 2024 HPE5140 RADIUS/7/EVENT: PAM_RADIUS: Processing RADIUS authentication.
*Nov 26 08:17:14:437 2024 HPE5140 RADIUS/7/EVENT: PAM_RADIUS: Fetched authentication reply-data successfully, resultCode: 0
*Nov 26 08:17:14:437 2024 HPE5140 DOT1X/7/EVENT: Received authentication response with code 0: UserMAC=xxxx-xxxx-xxxx, VLANID=1, Interface=GigabitEthernet1/0/7.
*Nov 26 08:17:14:438 2024 HPE5140 DOT1X/7/EVENT: BE is in Success state: UserMAC=xxxx-xxxx-xxxx, VLANID=1, Interface=GigabitEthernet1/0/7.
*Nov 26 08:17:14:438 2024 HPE5140 DOT1X/7/EVENT: PAE is in Authenticated state: UserMAC=xxxx-xxxx-xxxx, VLANID=1, Interface=GigabitEthernet1/0/7.
*Nov 26 08:17:14:438 2024 HPE5140 DOT1X/7/EVENT: Request clear all Oper-Vlan Vsi: UserMAC=xxxx-xxxx-xxxx, VLANID=1, Interface=7.
*Nov 26 08:17:14:439 2024 HPE5140 DOT1X/7/EVENT: BE is in Idle state: UserMAC=xxxx-xxxx-xxxx, VLANID=1, Interface=GigabitEthernet1/0/7.
*Nov 26 08:17:14:440 2024 HPE5140 RADIUS/7/EVENT: Sent reply message successfully.
*Nov 26 08:17:14:441 2024 HPE5140 DOT1X/7/PACKET:
Transmitted a packet on interface GigabitEthernet1/0/7.
Destination Mac Address=xyxx-xxxx-xxxx
Source Mac Address=xxxx-xxxx-xxxx
VLAN ID=1
Mac Frame Type=888e
Protocol Version ID=1
Packet Type=0
Packet Length=4.
-----Packet Body-----
Code=3
Identifier=d
Length=4.
*Nov 26 08:17:14:443 2024 HPE5140 DOT1X/7/EVENT: Notify User Authenticated: UserMAC=xxxx-xxxx-xxxx, VLANID=1, Interface=7.
*Nov 26 08:17:14:444 2024 HPE5140 DOT1X/7/EVENT: Sent authorization request: UserMAC=xxxx-xxxx-xxxx, VLANID=1, Interface=GigabitEthernet1/0/7.
*Nov 26 08:17:14:444 2024 HPE5140 RADIUS/7/EVENT: PAM_RADIUS: Processing RADIUS authorization.
*Nov 26 08:17:14:445 2024 HPE5140 RADIUS/7/EVENT: PAM_RADIUS: RADIUS Authorization successfully.
*Nov 26 08:17:14:469 2024 HPE5140 DOT1X/7/EVENT: AAA processed authorization request: Result= Failure, UserMAC=xxxx-xxxx-xxxx, VLANID=1, Interface=GigabitEthernet1/0/7
*Nov 26 08:17:14:475 2024 HPE5140 DOT1X/7/PACKET:
Transmitted a packet on interface GigabitEthernet1/0/7.
Destination Mac Address=yxxx-xxxx-xxxx
Source Mac Address=xxxx-xxxx-xxxx
VLAN ID=1
Mac Frame Type=888e
Protocol Version ID=1
Packet Type=0
Packet Length=4.
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2024
------------------------------
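Added example, not code from the original post or from HPE/Aruba: a small Python script that reads Comware dot1x/RADIUS debug output in the format shown in the thread and flags clients that repeatedly reach "PAE is in Authenticated state" and then get "AAA processed authorization request: Result= Failure". It also decodes the DOT1X/7/PACKET dumps, so the EAP-Success frame (Packet Type=0, Code=3) that the switch has already sent to the supplicant before the authorization failure is visible in the report. The sample log is constructed to match the post's format; the MACs, interfaces, timestamps and the "Result= Success" wording for the clean case are assumptions.

```python
"""Detect an 802.1X authenticated-then-authorization-failure loop in Comware debug output.

Added example (not from the original post). The sample log below is constructed from the
line format shown in the thread; MACs, interfaces, times and the success wording are made up.
"""
import re
from collections import defaultdict

# Constructed sample: two full cycles for one client on 1/0/7, one clean success on 1/0/8.
SAMPLE_LOG = """\
*Nov 26 08:17:14:437 2024 HPE5140 RADIUS/7/EVENT: PAM_RADIUS: Fetched authentication reply-data successfully, resultCode: 0
*Nov 26 08:17:14:437 2024 HPE5140 DOT1X/7/EVENT: Received authentication response with code 0: UserMAC=0011-2233-4455, VLANID=1, Interface=GigabitEthernet1/0/7.
*Nov 26 08:17:14:438 2024 HPE5140 DOT1X/7/EVENT: PAE is in Authenticated state: UserMAC=0011-2233-4455, VLANID=1, Interface=GigabitEthernet1/0/7.
*Nov 26 08:17:14:441 2024 HPE5140 DOT1X/7/PACKET:
Transmitted a packet on interface GigabitEthernet1/0/7.
Destination Mac Address=0011-2233-4455
Source Mac Address=aabb-ccdd-eeff
VLAN ID=1
Mac Frame Type=888e
Protocol Version ID=1
Packet Type=0
Packet Length=4.
-----Packet Body-----
Code=3
Identifier=d
Length=4.
*Nov 26 08:17:14:469 2024 HPE5140 DOT1X/7/EVENT: AAA processed authorization request: Result= Failure, UserMAC=0011-2233-4455, VLANID=1, Interface=GigabitEthernet1/0/7
*Nov 26 08:17:44:500 2024 HPE5140 DOT1X/7/EVENT: Received authentication response with code 0: UserMAC=0011-2233-4455, VLANID=1, Interface=GigabitEthernet1/0/7.
*Nov 26 08:17:44:501 2024 HPE5140 DOT1X/7/EVENT: PAE is in Authenticated state: UserMAC=0011-2233-4455, VLANID=1, Interface=GigabitEthernet1/0/7.
*Nov 26 08:17:44:530 2024 HPE5140 DOT1X/7/EVENT: AAA processed authorization request: Result= Failure, UserMAC=0011-2233-4455, VLANID=1, Interface=GigabitEthernet1/0/7
*Nov 26 08:18:01:000 2024 HPE5140 DOT1X/7/EVENT: Received authentication response with code 0: UserMAC=6677-8899-aabb, VLANID=1, Interface=GigabitEthernet1/0/8.
*Nov 26 08:18:01:001 2024 HPE5140 DOT1X/7/EVENT: PAE is in Authenticated state: UserMAC=6677-8899-aabb, VLANID=1, Interface=GigabitEthernet1/0/8.
*Nov 26 08:18:01:020 2024 HPE5140 DOT1X/7/EVENT: AAA processed authorization request: Result= Success, UserMAC=6677-8899-aabb, VLANID=1, Interface=GigabitEthernet1/0/8
"""
# Note: "Result= Success" is an assumed wording; the post only shows the Failure case.

# "*Nov 26 08:17:14:437 2024 HPE5140 DOT1X/7/EVENT: <message>"
HEADER_RE = re.compile(
    r"^\*(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}:\d{3} \d{4}) (?P<host>\S+) "
    r"(?P<module>\w+)/(?P<level>\d)/(?P<kind>\w+):\s*(?P<msg>.*)$"
)
MAC_RE = re.compile(r"UserMAC=([0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4})")
IFACE_RE = re.compile(r"on interface (\S+)\.")
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # RFC 3748 codes


def _describe_packet(body):
    """Turn the field-per-line PACKET dump into ('eap', interface, frame name, None)."""
    iface = ptype = code = None
    for line in body:
        im = IFACE_RE.search(line)
        if im:
            iface = im.group(1)
        elif line.startswith("Packet Type="):
            ptype = int(line.split("=", 1)[1].rstrip("."))
        elif line.startswith("Code="):
            code = int(line.split("=", 1)[1].rstrip("."))
    if ptype == 0 and code is not None:  # only an EAP-Packet carries an EAP code
        name = "EAP " + EAP_CODES.get(code, f"code {code}")
    else:
        name = EAPOL_TYPES.get(ptype, f"EAPOL type {ptype}")
    return ("eap", iface, name, None)


def parse_records(text):
    """Yield ('event', module, message, mac) for EVENT lines and decoded PACKET dumps."""
    packet = None  # body lines of the PACKET record currently being collected
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if packet is not None:
                yield _describe_packet(packet)
                packet = None
            if m.group("kind") == "PACKET":
                packet = []
            else:
                mac = MAC_RE.search(m.group("msg"))
                yield ("event", m.group("module"), m.group("msg"), mac.group(1) if mac else None)
        elif packet is not None:
            packet.append(line)
    if packet is not None:
        yield _describe_packet(packet)


def find_auth_loops(text, min_cycles=2):
    """Return ({mac: cycles}, {interface: eap_success_frames}).

    One cycle = the PAE reached Authenticated and the next AAA authorization result for that
    MAC was a Failure; a MAC is reported when it completes at least min_cycles such cycles.
    """
    state = {}
    cycles = defaultdict(int)
    eap_success = defaultdict(int)
    for rec in parse_records(text):
        if rec[0] == "eap":
            _, iface, name, _ = rec
            if name == "EAP Success":
                eap_success[iface] += 1  # the supplicant already believes it is authenticated
            continue
        _, _module, msg, mac = rec
        if mac is None:
            continue
        if "PAE is in Authenticated state" in msg:
            state[mac] = "authenticated"
        elif "AAA processed authorization request" in msg:
            if "Result= Failure" in msg and state.get(mac) == "authenticated":
                cycles[mac] += 1
            state[mac] = "idle"  # any authorization result ends the cycle
    loops = {mac: n for mac, n in cycles.items() if n >= min_cycles}
    return loops, dict(eap_success)


if __name__ == "__main__":
    loops, eap = find_auth_loops(SAMPLE_LOG)
    for mac, n in loops.items():
        print(f"{mac}: {n} authenticated-then-authorization-failure cycles")
    for iface, n in eap.items():
        print(f"{iface}: {n} EAP-Success frame(s) sent to the supplicant")
```

Feed it the output of the switch's dot1x/radius debugging (the same format as the excerpt above) to get a per-MAC count of how often the switch told the supplicant "Success" and then tore the session down, which is the number to quote to TAC alongside the ClearPass version.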