某局点5130S下挂PC802.1x反复认证

PC--5130S--RADIUS

现场做的有线1x认证，现在出现终端反复重认证的故障，认证通过交换机ping终端正常，终端出现重认证时ping不通，再次认证成功后又可以ping通，重认证过程反复

收集了debug信息，可以看到每隔30s设备就收到客户端的EAP-START报文触发了重认证

*Jan 13 21:10:05:375 2013 BJWS-N-JR-4FA02-S5130-8 DOT1X/7/PACKET:  

Received a packet on interface GigabitEthernet1/0/4. 

Destination Mac Address=0180-c200-0003 

Source Mac Address=000e-c6b9-a801 

Mac Frame Type=888e 

Protocol Version ID=1 

Packet Type=1 

Packet Length=0. 

*Jan 13 21:10:05:375 2013 BJWS-N-JR-4FA02-S5130-8 DOT1X/7/EVENT: PAE is in Restart state: UserMAC=000e-c6b9-a801, VLANID=1, Interface=GigabitEthernet1/0/4. 

*Jan 13 21:10:05:376 2013 BJWS-N-JR-4FA02-S5130-8 DOT1X/7/EVENT: PAE is in Connecting state: UserMAC=000e-c6b9-a801, VLANID=1, Interface=GigabitEthernet1/0/4. 

*Jan 13 21:10:05:377 2013 BJWS-N-JR-4FA02-S5130-8 DOT1X/7/EVENT: PAE is in Authenticating state: UserMAC=000e-c6b9-a801, VLANID=1, Interface=GigabitEthernet1/0/4. 

*Jan 13 21:10:05:377 2013 BJWS-N-JR-4FA02-S5130-8 DOT1X/7/EVENT: BE is in Request state: UserMAC=000e-c6b9-a801, VLANID=1, Interface=GigabitEthernet1/0/4. 

*Jan 13 21:10:05:377 2013 BJWS-N-JR-4FA02-S5130-8 DOT1X/7/EVENT: Sending EAP packet: Identifier=248, type=1. 

*Jan 13 21:10:35:374 2013 BJWS-N-JR-4FA02-S5130-8 DOT1X/7/PACKET:  

Received a packet on interface GigabitEthernet1/0/4. 

Destination Mac Address=0180-c200-0003 

Source Mac Address=000e-c6b9-a801 

Mac Frame Type=888e 

Protocol Version ID=1 

Packet Type=1 

Packet Length=0. 

*Jan 13 21:10:35:374 2013 BJWS-N-JR-4FA02-S5130-8 DOT1X/7/EVENT: PAE is in Restart state: UserMAC=000e-c6b9-a801, VLANID=1, Interface=GigabitEthernet1/0/4. 

*Jan 13 21:10:35:375 2013 BJWS-N-JR-4FA02-S5130-8 DOT1X/7/EVENT: PAE is in Connecting state: UserMAC=000e-c6b9-a801, VLANID=1, Interface=GigabitEthernet1/0/4. 

*Jan 13 21:10:35:375 2013 BJWS-N-JR-4FA02-S5130-8 DOT1X/7/EVENT: PAE is in Authenticating state: UserMAC=000e-c6b9-a801, VLANID=1, Interface=GigabitEthernet1/0/4. 

*Jan 13 21:10:35:375 2013 BJWS-N-JR-4FA02-S5130-8 DOT1X/7/EVENT: BE is in Request state: UserMAC=000e-c6b9-a801, VLANID=1, Interface=GigabitEthernet1/0/4. 

*Jan 13 21:10:35:376 2013 BJWS-N-JR-4FA02-S5130-8 DOT1X/7/EVENT: Sending EAP packet: Identifier=255, type=1. 

*Jan 13 21:10:35:377 2013 BJWS-N-JR-4FA02-S5130-8 DOT1X/7/PACKET: Transmitted a packet on interface GigabitEthernet1/0/4. Destination Mac Address=000e-c6b9-a801 Source Mac Address=3080-9b25-ce19 VLAN ID=1005

进一步检查配置：

interface GigabitEthernet1/0/4

stp edged-port

arp rate-limit 10

ip verify source ip-address mac-address

dot1x

undo dot1x handshake

dot1x unicast-trigger

dhcp snooping binding record

dhcp snooping check request-message

dhcp snooping check mac-address

现场使用windows自带的客户端，接口下需要关闭组播触发，关闭在线握手，开启单播触发。 

如下命令

undo dot1x handshake

undo dot1x multicast-trigger

dot1x unicast-trigger

接口下关闭组播触发，关闭在线握手，开启单播触发。 

如下命令

undo dot1x handshake

undo dot1x multicast-trigger

dot1x unicast-trigger