Problem with 802.1X. Sometimes not working correctly and reboot needed

Millbull

Hi everybody,

I'm having troubles with a GS1920-48HP V2 (firmware: V4.80(abmk.1).

Sometimes 802.1X service doesn't work properly. The radius server tells the switch to put a port on a vlan but the switch doesn't obey. I tried to desactivate then reactivate the 802.1X but it didn't solve the problem. After a reboot all is working fine again. It's the second time I'am having that problem and I don't know where to investigate. I've found nothing in the switch logs and it's the latest firmware.

Is there a way to watch the 802.1X service status and to restart it in command line ?

Any ideas ?

Regards

Millbull

Anybody experienced this problem ?

Zyxel_Melen

Hi @Millbull,

Could you share your Radius attribute so I can reproduce this issue and check it? In my record, we didn't receive a similar issue.

Zyxel_Melen

Hi @Millbull,

Could you help to check if the related VLAN ID was enabled when this issue happened?

I did a local lab but didn't encounter this issue unless I disabled the related VLAN ID.

Millbull

Hello, I've also open a case: https://support.zyxel.eu/hc/fr/requests/492940

What do you mean by "related Vlan ID" ?

In fact all is working perfectly but by two times the switch didn't change the ports vlan although all the negociations between the switch and the radius server worked perfectly. I've controlled this with Wireshark. Instead of changing the ports to the vlan specified by the radius server, the ports was left in the guest vlan. Desactivate and reactivate the 801.X globally did'nt change anything.

After a switch reboot all is working fine again. I've experienced this problem two times.

Millbull

And nothing appeared in the switch logs. Is there any way to have a higher level of logs ?

And is there a way to reboot the 802.1x service only instead of having to reboot the switch entirely ?

Zyxel_Melen

Hi @Millbull

And nothing appeared in the switch logs. Is there any way to have a higher level of logs ?

After checking with our team, we don't have switch logs for authentication.

And is there a way to reboot the 802.1x service only instead of having to reboot the switch entirely ?

Please try to disable these two functions first and then enable:

1. SECURITY > AAA > AAA Setup > Authorization > Dot1x.
   
2. SECURITY > Port Authentication > 802.1x > Active button.
   

In addition:

1. GS1920 is a web smart switch which doesn't support CLI configuration command.
2. Please help to collect the Radius packets before you take action. If the issue remains, please also collect the tech support so we can investigate this issue. You may share the Radius packet and tech support file with me via private message.

https://community.zyxel.com/en/discussion/21237/switch-how-to-collect-the-tech-support-info-on-v4-80-firmware-version-and-newer

What do you mean by "related Vlan ID" ?

For example, my Radius server tell the switch "Please assign VLAN 10 for this user." But VLAN 10 is disabled at this time. Once the VLAN 10 is disabled, the switch will assign Guest VLAN ID for this client.

Millbull

Hello,

Thanks for these informations.

All the Vlan ID are opened for the ports authenticated via 802.1x and most of the time all is working well.

When I had the problem I tried to disable then enable 802.1x in this section: SECURITY > Port Authentication > 802.1x > Active button but I didn't on the dot1x authorisation section.

I'll check it if the problem appears again and I provide you a packet capture and the tech-support.

Regards

Freddy