We're trying our first deployment and getting entirely unpredictable results. In one test setup, we have reject and server-fail VLANs configured, yet the port still goes into an unauthorized state with no VLANs.
It seems to be entirely random whether the switch actually checks in with the RADIUS server.
Yes, I know that in the log below the RADIUS request timed out, but it doesn't matter: the port should have been authorized into the server-fail VLAN. The enables/disables are me trying to get it to re-auth again. It's not even trying to talk to RADIUS. Have tried v7.2 through v7.6.
Code:
00:22:02 radius,debug,packet NAS-Port-Id = "ether22"
00:22:02 radius,debug,packet Unknown-Attribute(type=102) = 0x00
00:22:02 radius,debug,packet NAS-Identifier = "lab"
00:22:02 radius,debug,packet NAS-IP-Address = 10.5.93.133
00:22:02 radius,debug resending 82:04
00:22:02 radius,debug,packet sending Access-Request with id 5 to 10.1.3.14:1812
00:22:02 radius,debug,packet Signature = 0x0xxxx
00:22:02 radius,debug,packet Framed-MTU = 1400
00:22:02 radius,debug,packet NAS-Port-Type = 15
00:22:02 radius,debug,packet Called-Station-Id = "48-8F-5A-93-D0-64"
00:22:02 radius,debug,packet Calling-Station-Id = "00-0A-19-09-AE-6E"
00:22:02 radius,debug,packet Service-Type = 2
00:22:02 radius,debug,packet User-Password = 0xxxxx
00:22:02 radius,debug,packet 45
00:22:02 radius,debug,packet User-Name = "00:0A:19:09:AE:6E"
00:22:02 radius,debug,packet Acct-Session-Id = "00007086"
00:22:02 radius,debug,packet NAS-Port-Id = "ether22"
00:22:02 radius,debug,packet Unknown-Attribute(type=102) = 0x00
00:22:02 radius,debug,packet NAS-Identifier = "lab"
00:22:02 radius,debug,packet NAS-IP-Address = 10.5.93.133
00:22:03 radius,debug timeout for 82:04
00:22:03 dot1x,debug s ether22 "00:0A:19:09:AE:6E" radius req timeout, apply server fail vlan:2400
00:22:03 dot1x,debug s ether22 "00:0A:19:09:AE:6E" add to vlan 2400
00:22:03 dot1x,debug s ether22 "00:0A:19:09:AE:6E" authorized, start reauth timer seconds:10
00:22:03 dot1x,debug s ether22 UNBLOCK
00:22:13 dot1x,debug s ether22 "00:0A:19:09:AE:6E" starting reauth mac-auth
00:22:13 dot1x,debug s ether22 BLOCK
00:22:40 interface,info ether22 link down
00:22:40 system,info device changed by admin
00:22:40 system,info device changed by admin
00:22:40 dot1x,debug s ether22 BLOCK
00:22:41 system,info device changed by admin
00:22:41 system,info device changed by admin
00:22:41 system,info device changed by admin
00:22:41 dot1x,debug s ether22 BLOCK
00:22:41 system,info device changed by admin
00:22:41 system,info device changed by admin
00:22:41 dot1x,debug s ether22 BLOCK
00:22:41 system,info device changed by admin
00:22:42 system,info device changed by admin
00:22:42 dot1x,debug s ether22 BLOCK
00:22:42 system,info device changed by admin
00:22:42 system,info device changed by admin
00:22:42 dot1x,debug s ether22 BLOCK
00:22:42 system,info device changed by admin
00:22:42 system,info device changed by admin
00:22:42 dot1x,debug s ether22 BLOCK
00:22:42 system,info device changed by admin
00:22:43 system,info device changed by admin
00:22:43 dot1x,debug s ether22 BLOCK
00:22:43 system,info device changed by admin
00:22:44 system,info device changed by admin
00:22:44 dot1x,debug s ether22 BLOCK
00:22:46 interface,info ether22 link up (speed 100M, full duplex)
00:22:54 system,info dot1x server port removed by admin
00:23:09 system,info dot1x server port added by admin
00:23:09 dot1x,debug s ether22 BLOCK
00:23:09 system,info dot1x server port changed by admin
00:27:07 system,info,account user admin logged in from 10.1.3.3 via ssh
[admin@lab] > /interface/bridge/vlan/print
Flags: D - DYNAMIC
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED, CURRENT-UNTAGGED
#   BRIDGE  VLAN-IDS  CURRENT-TAGGED  CURRENT-UNTAGGED
0   bridge  200       bonding1
1   bridge  100       bridge
                      bonding1
2 D bridge  1                         bridge
                                      bonding1
[admin@lab] >
[admin@lab] > /interface/dot1x/export
# nov/26/2022 00:27:53 by RouterOS 7.2.3
# software id = xxxx
#
# model = CRS326-24G-2S+
# serial number = xxxx
/interface dot1x server
add accounting=no auth-types=mac-auth interface=ether22 mac-auth-mode=mac-as-username-and-password reject-vlan-id=2100 server-fail-vlan-id=2200
[admin@lab] > /radius/export
# nov/26/2022 00:28:05 by RouterOS 7.2.3
# software id = xxxx
#
# model = CRS326-24G-2S+
# serial number = xxxx
/radius
add address=10.1.3.14 service=dot1x
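When a dot1x port behaves like the one above, the two questions worth answering from the debug log are "did the switch send any Access-Request after the last BLOCK or reauth start?" and "does the VLAN the switch applies on RADIUS timeout actually match the exported server-fail-vlan-id?" (the post's export says 2200 while its log applies 2400). The script below is an added example, not code from the post or from MikroTik: it replays RouterOS `dot1x,debug` and `radius,debug,packet` lines in order, attributes each Access-Request dump to a port via its NAS-Port-Id attribute, and cross-checks the export. The log lines and export are constructed to mimic the post's format; the regexes are tuned to that format and are an assumption for other RouterOS versions.

```python
"""Audit RouterOS dot1x/radius debug output for ports left BLOCKed without a
fresh RADIUS Access-Request, and cross-check the applied server-fail VLAN
against the exported dot1x server config.

Added example (not from the forum post or MikroTik). Sample log and export are
constructed in the post's format; line formats are assumed, not documented.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d) (?P<topics>[\w,]+) (?P<msg>.*)$")
DOT1X_RE = re.compile(r'^s (?P<port>\S+)(?: "(?P<mac>[^"]+)")? (?P<event>.*)$')
NAS_PORT_RE = re.compile(r'^NAS-Port-Id = "(?P<port>[^"]+)"$')
APPLY_FAIL_RE = re.compile(r"apply server fail vlan:(?P<vlan>\d+)")
EXPORT_ADD_RE = re.compile(r"^add .*\binterface=(?P<port>\S+)")

# Constructed sample: ether22 mirrors the post's symptom, ether23 is a healthy port.
SAMPLE_LOG = """\
00:22:02 radius,debug,packet sending Access-Request with id 5 to 10.1.3.14:1812
00:22:02 radius,debug,packet User-Name = "00:0A:19:09:AE:6E"
00:22:02 radius,debug,packet NAS-Port-Id = "ether22"
00:22:03 radius,debug timeout for 82:04
00:22:03 dot1x,debug s ether22 "00:0A:19:09:AE:6E" radius req timeout, apply server fail vlan:2400
00:22:03 dot1x,debug s ether22 "00:0A:19:09:AE:6E" add to vlan 2400
00:22:03 dot1x,debug s ether22 "00:0A:19:09:AE:6E" authorized, start reauth timer seconds:10
00:22:03 dot1x,debug s ether22 UNBLOCK
00:22:05 radius,debug,packet sending Access-Request with id 6 to 10.1.3.14:1812
00:22:05 radius,debug,packet NAS-Port-Id = "ether23"
00:22:05 dot1x,debug s ether23 "00:0A:19:09:AE:6F" authorized, start reauth timer seconds:3600
00:22:05 dot1x,debug s ether23 UNBLOCK
00:22:13 dot1x,debug s ether22 "00:0A:19:09:AE:6E" starting reauth mac-auth
00:22:13 dot1x,debug s ether22 BLOCK
00:22:40 interface,info ether22 link down
00:22:46 interface,info ether22 link up (speed 100M, full duplex)
00:23:09 dot1x,debug s ether22 BLOCK
"""

SAMPLE_EXPORT = """\
/interface dot1x server
add accounting=no auth-types=mac-auth interface=ether22 mac-auth-mode=mac-as-username-and-password reject-vlan-id=2100 server-fail-vlan-id=2200
add accounting=no auth-types=mac-auth interface=ether23 mac-auth-mode=mac-as-username-and-password reject-vlan-id=2100 server-fail-vlan-id=2200
"""


@dataclass
class PortState:
    blocked: Optional[bool] = None          # last BLOCK/UNBLOCK seen
    last_block: Optional[str] = None
    reauth_started: Optional[str] = None
    requests_since_block: int = 0           # Access-Request dumps after last BLOCK
    requests_since_reauth: int = 0          # Access-Request dumps after last reauth start
    applied_fail_vlans: List[int] = field(default_factory=list)


def parse_export(text: str) -> Dict[str, Tuple[Optional[int], Optional[int]]]:
    """interface -> (reject-vlan-id, server-fail-vlan-id) from a dot1x server export."""
    cfg: Dict[str, Tuple[Optional[int], Optional[int]]] = {}
    for line in text.splitlines():
        m = EXPORT_ADD_RE.match(line.strip())
        if not m:
            continue
        vals = []
        for key in ("reject-vlan-id", "server-fail-vlan-id"):
            mm = re.search(rf"\b{key}=(\d+)", line)
            vals.append(int(mm.group(1)) if mm else None)
        cfg[m.group("port")] = (vals[0], vals[1])
    return cfg


def parse_log(text: str) -> Dict[str, PortState]:
    """Replay the log in order and build per-port state (order matters, not timestamps)."""
    ports: Dict[str, PortState] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, topics, msg = m.group("ts"), m.group("topics").split(","), m.group("msg")
        if "radius" in topics:
            np = NAS_PORT_RE.match(msg)   # each Access-Request dump names its port here
            if np:
                st = ports.setdefault(np.group("port"), PortState())
                st.requests_since_block += 1
                st.requests_since_reauth += 1
        elif "dot1x" in topics:
            d = DOT1X_RE.match(msg)
            if not d:
                continue
            st = ports.setdefault(d.group("port"), PortState())
            ev = d.group("event")
            if ev == "BLOCK":
                st.blocked, st.last_block, st.requests_since_block = True, ts, 0
            elif ev == "UNBLOCK":
                st.blocked = False
            elif ev.startswith("starting reauth"):
                st.reauth_started, st.requests_since_reauth = ts, 0
            else:
                av = APPLY_FAIL_RE.search(ev)
                if av:
                    st.applied_fail_vlans.append(int(av.group("vlan")))
    return ports


def audit(log_text: str, export_text: str) -> Dict[str, List[str]]:
    """Per-port findings; an empty list means the port looks healthy."""
    cfg = parse_export(export_text)
    findings: Dict[str, List[str]] = {}
    for port, st in parse_log(log_text).items():
        issues = []
        if st.blocked and st.requests_since_block == 0:
            issues.append(f"blocked since {st.last_block} with no RADIUS Access-Request afterwards")
        if st.reauth_started and st.requests_since_reauth == 0:
            issues.append(f"reauth started at {st.reauth_started} but no RADIUS Access-Request followed")
        _reject, fail = cfg.get(port, (None, None))
        for vlan in st.applied_fail_vlans:
            if fail is not None and vlan != fail:
                issues.append(f"server-fail vlan {vlan} applied but export says server-fail-vlan-id={fail}")
        findings[port] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit(SAMPLE_LOG, SAMPLE_EXPORT).items():
        print(port, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

Run it against a real capture by feeding `/log print` output (with `dot1x,debug` and `radius,debug,packet` topics enabled) and the two exports; a port that reports "no RADIUS Access-Request followed" after a reauth start is the case where the switch never reached the server at all, which is a different problem from a request that was sent and timed out.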