A critical VLAN is configured on GE1/0/5 of an S5700. A test is performed by interrupting communication between the switch and RADIUS server. During the test, a PC in the critical VLAN cannot obtain the DHCP server address.
The configuration of GigabitEthernet1/0/5 is as follows:
port link-type hybrid
port hybrid pvid vlan 6
port hybrid untagged vlan 6
authentication critical-vlan 6
The configuration of the RADIUS server template is as follows:
radius-server template default
radius-server shared-key cipher *****
radius-server authentication 192.168.1.1 1812 weight 80
radius-server authentication 192.168.1.2 1812 weight 40
radius-server accounting 192.168.1.1 1813 weight 80
radius-server accounting 192.168.1.2 1813 weight 40
The 802.1X configuration is checked and no error is found.
According to the information collected using the tracert command, while the switch is still waiting for a response packet from the RADIUS server, the terminal initiates 802.1X authentication again because it has received no EAP packet from the switch. As a result, the terminal never gets placed in the critical VLAN.
Note: The information collected using the tracert command contains customer information and therefore is not provided here.
After a terminal initiates 802.1X authentication through its 802.1X client, it waits for an EAP response packet from the switch for a certain period before it restarts authentication.
If the RADIUS server is Down, the switch receives no response packets from the server. By default, the switch retransmits an authentication request to a server a maximum of three times at an interval of 5 seconds before trying the next server. On the live network the default settings are used and active and standby servers are deployed, so the switch waits 30 seconds in total (3 retransmissions x 5 seconds x 2 servers) before it declares the servers unreachable and moves the terminal to the critical VLAN. This is longer than the period the terminal waits for an EAP packet, so the terminal restarts authentication before the switch can place it in the critical VLAN, and the PC never reaches the DHCP server.
Reduce the retransmission count and timeout period in the RADIUS server template so that the total wait across all servers is shorter than the period the terminal waits for an EAP packet:
radius-server retransmit retry-times [ timeout time-value ]
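As an added example (not part of the original case), the following Python model applies the 3 x 5 x 2 calculation above to a RADIUS template and checks whether the critical-VLAN fallback completes before the supplicant restarts authentication. The template text is constructed to mirror the one in the case, and the supplicant's EAP wait period is an assumed input because the page does not state the client's timer value.

```python
import re
from dataclasses import dataclass

# Constructed sample mirroring the RADIUS template on the page; the tuned
# variant adds a retransmit line of the kind the solution recommends.
TEMPLATE_DEFAULT = """\
radius-server template default
 radius-server shared-key cipher *****
 radius-server authentication 192.168.1.1 1812 weight 80
 radius-server authentication 192.168.1.2 1812 weight 40
"""
TEMPLATE_TUNED = TEMPLATE_DEFAULT + " radius-server retransmit 2 timeout 3\n"


@dataclass
class RadiusTemplate:
    servers: int          # number of authentication servers in the template
    retransmit: int = 3   # VRP default: 3 retransmissions per server
    timeout: int = 5      # VRP default: 5 seconds per attempt

    def worst_case_wait(self) -> int:
        """Seconds until every server has been exhausted (page: 3 x 5 x 2 = 30)."""
        return self.retransmit * self.timeout * self.servers

    def fallback_before_supplicant_gives_up(self, supplicant_wait: int) -> bool:
        """True if the switch moves the port to the critical VLAN before the
        802.1X client (assumed timer, not given on the page) restarts."""
        return self.worst_case_wait() < supplicant_wait


def parse_template(text: str) -> RadiusTemplate:
    """Extract the authentication server count and retransmit/timeout values
    from a VRP-style template block, falling back to the defaults."""
    servers = len(re.findall(r"^\s*radius-server authentication \S+ \d+", text, re.M))
    tpl = RadiusTemplate(servers=servers)
    m = re.search(r"^\s*radius-server retransmit (\d+)(?: timeout (\d+))?", text, re.M)
    if m:
        tpl.retransmit = int(m.group(1))
        if m.group(2):
            tpl.timeout = int(m.group(2))
    return tpl


def max_retransmit(servers: int, timeout: int, supplicant_wait: int) -> int:
    """Largest retry count that keeps the total wait strictly below the
    supplicant timer for the given per-attempt timeout and server count."""
    return max(0, (supplicant_wait - 1) // (timeout * servers))
```

With the defaults and two servers the model reproduces the 30-second wait from the case; `max_retransmit` shows how far the retry count must drop for a given per-attempt timeout once the client's wait period is known.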