We recently upgraded our OS6860E-48 AOS from 8.4.1.141.R03 GA to 8.5.164.R01 GA
After we upgraded the AOS, we are experiencing the RADIUS Authentication Time-Out issue on our CPPM for computers which are connected to the OS6860E-48 Switch via a fiber media converter.
We’ve verified our physical links and media converters are working fine because there were no issues prior to the upgrade. There were no configuration changes to the switch and CPPM before and after the upgrade.
Our Environment is using Aruba CPPM Version 6.6.9 as Network Access Control.
Hope some experts can bring light to our issue!
Radius authentication timed out for the clients connected to OS6860 with media converters
Re: Radius authentication timed out for the clients connected to OS6860 with media converters
Maybe there where some changes in default setting of access guardian (because of new introduced options). Mostly you find new functions/parameters in the RN for the new GA release. If you can't find anything you have to open a ticket.
regards
Silvi
regards
Silvi
Re: Radius authentication timed out for the clients connected to OS6860 with media converters
It has been almost 3 months since we opened a ticket with them. Until now they had been asking for irrelevant logs and have not provide any solution to our problem :/
Anyway, thanks for your response.
Anyway, thanks for your response.
Re: Radius authentication timed out for the clients connected to OS6860 with media converters
oh....
If you downgrade the switches back to 8.4.1.R03 all is working fine?
If you connect the same clients via patch cable direct to the switch with 8.5.1. than all is okay?
only via media converters to 8.5.1 the issue is seen?
Is this correct?
Silvio
If you downgrade the switches back to 8.4.1.R03 all is working fine?
If you connect the same clients via patch cable direct to the switch with 8.5.1. than all is okay?
only via media converters to 8.5.1 the issue is seen?
Is this correct?
Silvio
Re: Radius authentication timed out for the clients connected to OS6860 with media converters
Hi Silvio
Yes, on 8.4.1.R03 all is working fine. The setup did not change at all. Unfortunately, our customer wants to stay on the most updated version and wait for alcatel's response.
Yes, most of the clients are connected directly to the switch which are fine while only those that connect via a media converter has issues.
Attached a sample config with relevant commands in our setup. See if it helps.
We have tried adjusting most of the values that we can but it doesn't help also.
JY
Yes, on 8.4.1.R03 all is working fine. The setup did not change at all. Unfortunately, our customer wants to stay on the most updated version and wait for alcatel's response.
Yes, most of the clients are connected directly to the switch which are fine while only those that connect via a media converter has issues.
Attached a sample config with relevant commands in our setup. See if it helps.
We have tried adjusting most of the values that we can but it doesn't help also.
JY
You do not have the required permissions to view the files attached to this post.
Re: Radius authentication timed out for the clients connected to OS6860 with media converters
ok. But not realy the answers for my questions 
. Can you connect one of the "normal" via copper connected client via media converter and vice versa? And if you downgrade back to 8.4.1 .... is there an vcboot.error-file?
How long is the time, after the issue is seeing? have you find timers with this time within the switches and in CPPM?
regards
Silvio
. Can you connect one of the "normal" via copper connected client via media converter and vice versa? And if you downgrade back to 8.4.1 .... is there an vcboot.error-file?How long is the time, after the issue is seeing? have you find timers with this time within the switches and in CPPM?
regards
Silvio
Re: Radius authentication timed out for the clients connected to OS6860 with media converters
oh, we did not downgrade to try because customer wants us to stay on the updated version.
I suppose can assume it would be fine because the only change that happened was the firmware.
Yes, I did use my own computer to connect via the media converter and it does not work as well. Connecting directly to the switch is fine.
Not quite understand your question for the time and timers?
After upgrading to 8.5.1, the next few days we started receiving cases from users unable to connect to network. Then, we realise these users connect via media converter.
For now, our solution is disable 802.1x for these users and they are able to connect to the network via media converter.
oh, and one more thing. Printers go thru MAC authentication also works via media converter.
JY
I suppose can assume it would be fine because the only change that happened was the firmware.
Yes, I did use my own computer to connect via the media converter and it does not work as well. Connecting directly to the switch is fine.
Not quite understand your question for the time and timers?
After upgrading to 8.5.1, the next few days we started receiving cases from users unable to connect to network. Then, we realise these users connect via media converter.
For now, our solution is disable 802.1x for these users and they are able to connect to the network via media converter.
oh, and one more thing. Printers go thru MAC authentication also works via media converter.
JY
Re: Radius authentication timed out for the clients connected to OS6860 with media converters
Hi,
i mean how long took it from successful authentication up to the issue? Always the same time (f.e. always 10 minutes after successful login the clients lost the connection)? Or different, or depends from the traffic?
Did the printers via MAC-auth have the same issue?
To find the difference between the connection with and without media converter I would suggest to wireshark both cases (bad and good case).
mirror the switchport with 802.1x enabled to a PC with wireshark. Connect an other PC (also with running wireshark) via media converter. If the issue occures stop both wiresharks. Now you have the bad case within two files. You can compare them. Normaly they should be the same. But maybe the media converters do some changes or drop some packets.
If you can't find the reason you have to create the good case via copper with the same setup. Now you can compare the good with the bad case.
You can forward this files also to alcatel for analysis.
regards
Silvio
i mean how long took it from successful authentication up to the issue? Always the same time (f.e. always 10 minutes after successful login the clients lost the connection)? Or different, or depends from the traffic?
Did the printers via MAC-auth have the same issue?
To find the difference between the connection with and without media converter I would suggest to wireshark both cases (bad and good case).
mirror the switchport with 802.1x enabled to a PC with wireshark. Connect an other PC (also with running wireshark) via media converter. If the issue occures stop both wiresharks. Now you have the bad case within two files. You can compare them. Normaly they should be the same. But maybe the media converters do some changes or drop some packets.
If you can't find the reason you have to create the good case via copper with the same setup. Now you can compare the good with the bad case.
You can forward this files also to alcatel for analysis.
regards
Silvio
Re: Radius authentication timed out for the clients connected to OS6860 with media converters
Yes, it is always the same time. When the client login to windows wait for OnGuard to pop up then the timeout will occur.
Printers via MAC-auth do not have issue even though it is connected via media converter.
We gotten the printer wireshark files too but the amount of transaction for MAC-auth and 802.1x are quite different to make comparison.
Yes, those wireshark logs that you mentioned we had already sent to Alcatel. So to and fro with them almost 3months now.
Printers via MAC-auth do not have issue even though it is connected via media converter.
We gotten the printer wireshark files too but the amount of transaction for MAC-auth and 802.1x are quite different to make comparison.
Yes, those wireshark logs that you mentioned we had already sent to Alcatel. So to and fro with them almost 3months now.
Re: Radius authentication timed out for the clients connected to OS6860 with media converters
than escalate this ticket there - this is a very long time waiting.
regards
Silvio
regards
Silvio
