GS2220 - Mac Authentication sending request to Radius every second since upgrad to V5.00(ABRQ.0)
Hi,
since we upgraded our GS2220 to newest version, Radius requests for Mac Authentications increased on all updated switches from 0-3 per hour to 3000-30000 per hour.
We're using 2 Radius in our local network, timeout 5 sec.
Only thing which stops the requests is switch back to old firmware or switch completly off Mac Authentication.
Anyone similar problems?
Accepted Solution
-
Hi @cbo,
After checking, we found that this is related to a firmware enhancement: "Improve 802.1x and MAC authentication support to identify the Termination-action and port number attribute" in V5.00, which means we support the radius reauth time option.
However, when your Radius server does not reply with the reauth time option, our switch uses the mac-authentication timeout value as the reauth time.
As suggested, please add the reauth time option on your Radius server to resolve this issue. We will also include a default reauth time in the next firmware release.
Zyxel Melen0
All Replies
-
Update:
After switching back to older firmware we have not again about 3 per hour.
BUT with switching back the old config from this time was applied so we lost some configurations done after the firmware update.0 -
Hi @cbo,
To ensure I reproduce this issue correctly, could you share your configuration with me? I will send you a request via private message.
Zyxel Melen0 -
Hi @cbo,
Thanks for the configuration. I have reproduced this issue in my lab, and we are investigating it. I will keep you posted once I have more information.
Zyxel Melen0 -
Hi,
for your information:
the issue is also confirmed in support ticket 4891100 -
Hi @cbo,
After checking, we found that this is related to a firmware enhancement: "Improve 802.1x and MAC authentication support to identify the Termination-action and port number attribute" in V5.00, which means we support the radius reauth time option.
However, when your Radius server does not reply with the reauth time option, our switch uses the mac-authentication timeout value as the reauth time.
As suggested, please add the reauth time option on your Radius server to resolve this issue. We will also include a default reauth time in the next firmware release.
Zyxel Melen0 -
Thank you very much, setting "Session Timeout" in Constraints of Network Policy in our Radius seems to fix the problem.
1 -
Problem seems to be ok with our windows domain clients, but other devices (printers, accesspoints,…) reauthenticate are reauthenticating every 2-20min (seems not to be coherent with any defined timeout).
radius round robin timeout: 5sec
Mac-Auth-timeout : 300sec
Mac aging time: 300 sec0
Categories
- All Categories
- 415 Beta Program
- 2.5K Nebula
- 157 Nebula Ideas
- 106 Nebula Status and Incidents
- 5.9K Security
- 325 USG FLEX H Series
- 286 Security Ideas
- 1.5K Switch
- 78 Switch Ideas
- 1.2K Wireless
- 42 Wireless Ideas
- 6.6K Consumer Product
- 257 Service & License
- 399 News and Release
- 86 Security Advisories
- 31 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.8K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 87 About Community
- 78 Security Highlight