With RADIUS enforcement, the switch behaves differently from SNMP enforcement. As soon as the port goes down, the RADIUS session is deleted and the port switches to unauthenticated mode. In unauthenticated mode, no data packets are allowed through, unless you allow outgoing packets through to the WOL client on port XYZ with "aaa port-access XYZ controlled-direction in".
Furthermore, in this state, the ports are in the VLAN that was assigned according to the switch config. If you change the VLAN dynamically during dot1x authentication, the last known IP address will not be in the configured VLAN, but in the one that was set dynamically. In this case, the WOL packets are sent to the wrong VLAN and do not reach the clients.
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
Original Message:
Sent: May 12, 2024 11:44 PM
From: shpat
Subject: 802.1X after shutdown of client
When you have your PC set on a restricted VLAN (or Guest VLAN), are you allowing the WOL port to be permitted on the ACLs?
It usually uses UDP ports 7 and 9, but you can verify it with Wireshark.
------------------------------
Shpat | ACEP | ACMP | ACCP | ACDP |
-Just an Aruba enthusiast and contributor by cases-
Original Message:
Sent: May 09, 2024 07:42 AM
From: steeve98
Subject: 802.1X after shutdown of client
Hello (newbie here)
I hope you are all doing well. I have a strange problem I need to resolve. We recently moved to 802.1X authentication instead of relying on our NAC to respond to SNMP traps and close a port. Everything went really smoothly, even though we are using some "old" J9298As. The only thing I can't really solve is that we can't wake up our devices anymore, because after they shut down the port changes back to the guest VLAN, which is only available locally on the switch.
I know there is a setting to allow packets to egress by setting the control direction on unauthenticated ports, but I want to avoid this. This is because, on the one hand, the software that starts the WOL sends the packets to the last known IP and, on the other hand, I really want to keep the guest VLAN bound only to the edge switch. We've also set the logoff time for our printers to solve their inactivity problem. I was hoping to do the same for our thin clients and Windows computers, but the sad thing is that both types of device disconnect their LAN port for 2 seconds when they shut down, and that is enough to close the session for the switch.
I'm really grateful for any help, as I'm running out of ideas.
Thanks in advance!