GS2220 - Mac Authentication sending request to Radius every second since upgrade to V5.00(ABRQ.0)

cbo Posts: 6  Freshman Member

Hi,

Since we upgraded our GS2220 to the newest version, Radius requests for Mac Authentication increased on all updated switches from 0-3 per hour to 3000-30000 per hour.
We're using 2 Radius servers in our local network, timeout 5 sec.

The only thing that stops the requests is switching back to the old firmware or switching Mac Authentication off completely.

Has anyone seen similar problems?

Accepted Solution

  • Zyxel_Melen
    Zyxel_Melen Posts: 3,031  Zyxel Employee
    Answer ✓

    Hi @cbo,

    After checking, we found that this is related to a firmware enhancement: "Improve 802.1x and MAC authentication support to identify the Termination-action and port number attribute" in V5.00, which means we support the radius reauth time option.

    However, when your Radius server does not reply with the reauth time option, our switch uses the mac-authentication timeout value as the reauth time. 

    As suggested, please add the reauth time option on your Radius server to resolve this issue. We will also include a default reauth time in the next firmware release.

    Zyxel Melen
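
To confirm that a policy's Access-Accept really carries the reauth time, the reply can be decoded and checked for Session-Timeout (attribute 27, the setting cbo later enables on the server) and Termination-Action (attribute 29). This is an added example, not code from Zyxel or from the thread; the packets and policy names are constructed, and reading the "reauth time option" as Session-Timeout is an assumption based on RFC 2865 and cbo's follow-up.

```python
import struct

ACCESS_ACCEPT = 2
SESSION_TIMEOUT = 27     # RFC 2865: seconds of service before the session ends
TERMINATION_ACTION = 29  # RFC 2865: 0 = Default, 1 = RADIUS-Request

def parse_radius(packet: bytes):
    """Return (code, {attr_type: [raw values]}) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match the packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, attrs

def reauth_settings(packet: bytes):
    """Return (Session-Timeout, Termination-Action) of an Access-Accept; None if absent."""
    code, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    def u32(atype):
        values = attrs.get(atype)
        if not values:
            return None
        if len(values[0]) != 4:
            raise ValueError(f"attribute {atype} is not a 32-bit integer")
        return struct.unpack("!I", values[0])[0]
    return u32(SESSION_TIMEOUT), u32(TERMINATION_ACTION)

def build_accept(**ints):
    """Constructed sample: Access-Accept with a zeroed, unverified authenticator."""
    types = {"session_timeout": SESSION_TIMEOUT, "termination_action": TERMINATION_ACTION}
    body = b"".join(struct.pack("!BBI", types[k], 6, v) for k, v in ints.items())
    return struct.pack("!BBH16s", ACCESS_ACCEPT, 1, 20 + len(body), bytes(16)) + body

# Constructed replies for two hypothetical policies, not captures from the thread.
SAMPLES = {
    "policy-with-timeout": build_accept(session_timeout=3600, termination_action=1),
    "policy-without-timeout": build_accept(),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        timeout, action = reauth_settings(pkt)
        print(name, "Session-Timeout:", timeout, "Termination-Action:", action)
```

A reply that decodes to `None` for Session-Timeout is the case the answer describes, where the switch falls back to its mac-authentication timeout.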


All Replies

  • cbo
    cbo Posts: 6  Freshman Member
    edited February 14

    Update:
    After switching back to the older firmware we now again have about 3 per hour.
    BUT when switching back, the old config from that time was applied, so we lost some configuration done after the firmware update.

  • Zyxel_Melen
    Zyxel_Melen Posts: 3,031  Zyxel Employee

    Hi @cbo,

    To ensure I reproduce this issue correctly, could you share your configuration with me? I will send you a request via private message.

    Zyxel Melen


  • Zyxel_Melen
    Zyxel_Melen Posts: 3,031  Zyxel Employee

    Hi @cbo,

    Thanks for the configuration. I have reproduced this issue in my lab, and we are investigating it. I will keep you posted once I have more information.

    Zyxel Melen


  • cbo
    cbo Posts: 6  Freshman Member

    Hi,
    for your information:
    the issue is also confirmed in support ticket 489110

  • cbo
    cbo Posts: 6  Freshman Member

    Thank you very much, setting "Session Timeout" in Constraints of Network Policy in our Radius seems to fix the problem.

  • cbo
    cbo Posts: 6  Freshman Member

    Problem seems to be ok with our Windows domain clients, but other devices (printers, access points,…) are reauthenticating every 2-20 min (seems not to be coherent with any defined timeout).
    radius round robin timeout: 5sec
    Mac-Auth-timeout : 300sec
    Mac aging time: 300 sec