There can be several reasons for not receiving a response to an authentication request. Do the following:
• Use ping to ensure that the switch has access to the configured RADIUS servers.
• Verify that the switch is using the correct encryption key (RADIUS secret key) for each server.
• Verify that the switch has the correct IP address for each RADIUS server.
• Ensure that the radius-server timeout period is long enough for network conditions.
The switch does not authenticate a client even though the RADIUS server is properly
configured and providing a response to the authentication request
If the RADIUS server configuration for authenticating the client includes a VLAN assignment, ensure that the
VLAN exists as a static VLAN on the switch. See "How 802.1X Authentication Affects VLAN Operation" in the
access security guide for your switch.
During RADIUS-authenticated client sessions, access to a VLAN on the port used for
the client sessions is lost
If the affected VLAN is configured as untagged on the port, it may be temporarily blocked on that port during an
802.1X session. This is because the switch has temporarily assigned another VLAN as untagged on the port to
support the client access, as specified in the response from the RADIUS server. See "How 802.1X Authentication
Affects VLAN Operation" in the access security guide for your switch.
The switch appears to be properly configured as a supplicant, but cannot gain access
to the intended authenticator port on the switch to which it is connected
If aaa authentication port-access is configured for Local, ensure that you have entered the local login
(operator-level) username and password of the authenticator switch into the identity and secret parameters
of the supplicant configuration. If instead, you enter the enable (manager-level) username and password, access
will be denied.
The supplicant statistics listing shows multiple ports with the same authenticator MAC
address
The link to the authenticator may have been moved from one port to another without the supplicant statistics
having been cleared from the first port. See "Note on Supplicant Statistics" in the chapter on Port-Based and
User-Based Access Control in the access security guide for your switch.
The show port-access authenticator <port-list> command shows one or
more ports remain open after they have been configured with control unauthorized
802.1X is not active on the switch. After you execute aaa port-access authenticator active, all ports
configured with control unauthorized should be listed as Closed.
Authenticator ports remain "open" until activated
switch(config)# show port-access authenticator e 9
Port Access Authenticator Status
Port-access authenticator activated [No] : No
Access Authenticator Authenticator
Port Status Control State Backend State
---- ------ -------- -------------- --------------
9 Open
1
FU Force Auth Idle
Switch(config)# show port-access authenticator active
314 Aruba 2530 Management and Configuration Guide for
ArubaOS-Switch 16.05
To Next Page
Loading...
