For a few months, I have been working to deploy the 802.1x security protocol on the enterprise wired network. It works well, but for the past two weeks one of our switches has no longer been able to authenticate users.
It's a DELL PowerConnect 5548p - firmware version 126.96.36.199
I get the same message in the logs for every try:
Warning %SEC-W-SUPPLICANTUNAUTHORIZED: MAC <MAC_ADDRESS> was rejected on port gi1/0/1 because Radius API returned error (e.g. No Radius server is configured)
However, the RADIUS servers are configured, they can ping and the servers are OK: they work well with other switches.
IP address      Port  Port  Time-  Ret-   Dead-  source IP       Prio. Usage
                Auth  Acct  Out    rans   Time
--------------- ----- ----- ------ ------ ------ --------------- ----- -----
<IP_Server1>    1812  1813  Global Global Global Global          0     all
<IP_Server2>    1812  1813  Global Global Global Global          1     all
TimeOut : 1
Retransmit : 4
Deadtime : 10
Source IP : 0.0.0.0
Source IPv6 : ::
I tried to remove then re-add the servers, or reboot the switches: no better.
Do you have any idea?
Does radius work still even though you get the message? Is the radius server on the same VLAN? It does look like the source ip is missing, that should have a value.
Thanks for your message.
Yes, the RADIUS servers are still up (working for other switches on the network) but there is no message in the Windows Event Viewer for this switch.
They are on the same VLAN. For the result of the command show radius-servers, I just changed the IPs of the servers (I edited the previous post to simplify).
It looks like the switch thinks there is no RADIUS server in the config whereas they are there. Does the switch have a cache and, because of the timeout, think the servers are still down?
It may not be rechecking, can you reboot the switch?
I tried to reboot on the first day, but without success. The switch is in use in prod, so we'll reboot it tonight.
Similarly, this weekend, another 5548p switch with port control got the same trouble:
DELL PowerConnect 5548p - firmware version 188.8.131.52
Meanwhile, the other 2048p switches still work well.
With two switches, maybe the configuration is the source of the trouble?
aaa authentication dot1x default radius
radius-server host <IP_Server1> key <key>
radius-server host <IP_Server2> key <key> priority 1
radius-server retransmit 4
radius-server timeout 1
radius-server deadtime 10
And for a port:
interface gigabitethernet 1/0/1
dot1x host-mode multi-sessions
dot1x port-control auto
Does it look good, or did I forget something?
You may want to try to increase the timeouts.
I reset the timeout to the default value (3) and reduced the deadtime (5).
Over the previous nights, I removed all RADIUS configuration on the two switches, rebooted them and re-enabled the security configuration.
Finally, the first switch works well again, unlike the second, which still has the same trouble (and a few more reboots didn't work either).
I don't know what more to do T-T
So the first switch is still working after the reset but the second one still isn’t? What are you using for your radius server?
Exactly, the first switch is working now after the reboot, but the second is not.
My radius server is a VM running Windows Server 2016 Standard with NPS.
Can you check the Windows event logs and see if there are any RADIUS errors? https://technet.microsoft.com/en-us/library/cc735406(v=ws.10).aspx