https://community.cisco.com/t5/network-access-control/is-there-anyone-using-wired-802-1x-in-production/m-p/469462#M428523 <HTML><HEAD></HEAD><BODY><P>What version of ACS are you using? What Catalyst operating system and Supervisor are you using? What version of Catalyst OS are you using? Which Microsoft operating system(s) are you using and approximately what service pack are you running?</P><P></P><P>What are you configured to do after you authenticate a device? Are you changing VLANs?</P></BODY></HTML> Tue, 25 Oct 2005 18:42:51 GMT brford 2005-10-25T18:42:51Z https://community.cisco.com/t5/network-access-control/is-there-anyone-using-wired-802-1x-in-production/m-p/469457#M428510 <P>I have 802.1x configured with PEAP and vlan assignment using the MS supplicant. I have hardcoded Machine Auth because Remote Desktop does not work with User Auth. (see my other posts) I have figured out how to change the Microsoft supplicant to PEAP with a vb script. I have a catalyst 6509 enabled with 802.1x enabled on module 8 and 9 with about 60 actual PCs authenticated between to 2 modules. At this point I am testing ACS redundancy (2 ACS SE) and any potential ACS load issues before campus deployment.</P><P></P><P>My problem:</P><P></P><P>1. If I reset module 8 or 9 the switch reloads. I guess it is overwhelmed by all the 802.1x requests. I am not too concerned about this right now because this type of product quality is very common in this new era. I have not reset another module in this switch that does not have 802.1x enabled. Though, I have reset modules in the past.</P><P></P><P>2. My main concern is the amount of time it takes for all the ports on a given module to finally 802.1x authenticate. To avoid problem (1.), I disabled/enabled all ports on module 8. It takes about 8-12 minutes before all 30+ ports are authenticated. This behavior is the same after the reload.</P><P></P><P>It takes about 10 seconds for one supplicant to authenticate. It appears the switch is serializing the logins in a loop until all are authenticated. I calculate 384 ports * 10 seconds = 1.06 hour to authenticate after reload (best case).</P><P></P><P>Please share your experiences or ideas.</P><P></P> Sun, 10 Mar 2019 21:18:12 GMT https://community.cisco.com/t5/network-access-control/is-there-anyone-using-wired-802-1x-in-production/m-p/469457#M428510 jimmie25h69 2019-03-10T21:18:12Z https://community.cisco.com/t5/network-access-control/is-there-anyone-using-wired-802-1x-in-production/m-p/469458#M428515 <HTML><HEAD></HEAD><BODY><P>The time delay that you are seeing is just the way the 802.1x authentication works and there is nothing we can do about it</P></BODY></HTML> Tue, 13 Sep 2005 13:20:36 GMT https://community.cisco.com/t5/network-access-control/is-there-anyone-using-wired-802-1x-in-production/m-p/469458#M428515 s-doyle 2005-09-13T13:20:36Z https://community.cisco.com/t5/network-access-control/is-there-anyone-using-wired-802-1x-in-production/m-p/469459#M428517 <HTML><HEAD></HEAD><BODY><P>We have dot1x enabled in production. Over thousand of supplicants. Terrible!! I found last week that while we reset one of the modules; the switch crashed. Because we have 2 Sup in one box, the switch did not reload but failed over to the standby SUP.</P><P>We have CatOS 8.4.1 and 8.4.5 in our environment; 2 ACSes for redundant purpose.</P><P></P><P>I did not perceive the dealy you mention.We found that a lot of supplicants could not be authenticated. </P><P></P><P>Below is the trace that I found when switches crashed. Do you see the same output?</P><P></P><P>pantree port fast start set to default for ports 6/29,6/34.</P><P>QRDCN05ACC01&gt; (enable) set vlan 461 System reset on software watchdog is disabled</P><P></P><P>TLB Exception (load/instruction fetch) occurred on Sep 26 2005 16:15:00</P><P>Software version = 8.4(1)</P><P>Process ID #4c, Name = Backend_SM</P><P>process stack top = 3ff1b170, stack pointer = 3ff1b0e8</P><P>cause = 00000008</P><P>TLB Exception (load/instruction fetch) exception happened</P><P> EPC: 210274A0</P><P> Traceback: </P><P> 210274A0</P><P> 210274A0</P><P> Stack content:</P><P> sp+00: 00000006 00000006 21026C38 202ECAB0</P><P> sp+10: 267AD970 22F9B290 22FA0000 00000006</P><P> sp+20: 0000001D 00000030 00000005 21027230</P><P> sp+30: 0000012C 00000000 20B47BDC 20B47BDC</P><P> sp+40: 00000000 00000000 00000000 00000000</P><P> sp+50: 00000000 00000000 00000000 00000000</P><P> sp+60: 3FF1B150 20B4A2A0 20B47BDC 20B47BDC</P><P> sp+70: 20B47BDC 20B47BDC 00000007 20B47BDC</P><P> sp+80: 00000000 20B4A250 20B47BDC 20B47BDC</P><P> sp+90: 20B47BDC 20B47BDC 20B47BDC 20B47BDC</P><P> sp+A0: 20B47BDC 20B47BDC 20B47BDC 20B47BDC</P><P> sp+B0: 20B47BDC 20B47BDC 20B47BDC 20B47BDC</P><P> sp+C0: 20B47BDC 20B47BDC 20B47BDC 20B47BDC</P><P> sp+D0: 20B47BDC 20B47BDC 20B47BDC 20B47BDC</P><P> sp+E0: 20B47BDC 20B47BDC 20B47BDC 20B47BDC</P><P> sp+F0: 20B47BDC 20B47BDC 20B47BDC 20B47BDC</P><P> Register content:</P><P> Status: 3400FC23 Cause: 00800008</P><P>AT: 22830000</P><P> V0: 00000001 V1: 267AD970</P><P> A0: 00000006 A1: 0000001D</P><P> A2: 0000001C A3: 22FA0000</P><P> T0: 23C00BC0 T1: 3FFFF070</P><P> T2: 00000001 T3: 00000007</P><P> T4: 00007080 T5: 00000000</P><P> T6: 00800000 T7: F03FFFFF</P><P> S0: 22F9B290 S1: 00000000</P><P> S2: 00000006 S3: 0000001D</P><P> S4: 00000005 S5: 0000001C</P><P> S6: 22FA0000 S7: 0000000D</P><P> T8: FFFFFFFF T9: 4B34A6A4</P><P> K0: 30409001 K1: 215016E8</P><P> GP: 2283AC70 SP: 3FF1B0E8</P><P> S8: 00000007 RA: 2102742C</P><P> HIGH: 0000001A LOW: 0355485E</P><P> BADVADDR: 00000002 ERR EPC: A3A3A3A3</P><P>Total download memory used = 3989996</P><P>crash info filename is bootflash:crashinfo_050926-161503</P><P>Opening crash info file bootflash:crashinfo_050926-161503</P><P>Time took to write crashinfo = 00:05.09</P><P>crashinfo finished</P><P></P></BODY></HTML> Tue, 11 Oct 2005 16:16:42 GMT https://community.cisco.com/t5/network-access-control/is-there-anyone-using-wired-802-1x-in-production/m-p/469459#M428517 chilinh 2005-10-11T16:16:42Z https://community.cisco.com/t5/network-access-control/is-there-anyone-using-wired-802-1x-in-production/m-p/469460#M428519 <HTML><HEAD></HEAD><BODY><P>It sounds like we have a similar configuration and similar problem. I also found that "a lot of supplicants could not be authenticated". I think it is because of a timeout that appears to be within the 6509 chassis. This is what I did to expose the timeout.</P><P></P><P>I enabled security logging debug. I disabled/enabled (1) port to see the normal output. I incremented by (1) port until I reached (4) ports. At (4) ports there is a TIMEOUT entry. 802.1x retries and the port eventually authenticates. BUT when I authenticate up to 48 ports most ports do not authenticate. I believe the MS supplicant quits trying at some point. Give it a try and let me know if you get the timeouts. What hardware do you have 6000 or 4000 series? I have a case open.</P><P></P><P>set logging level security 7</P><P>2005 Sep 24 09:36:49 CDT -05:00 %SECURITY-7-DOT1X_BACKEND_STATE:DOT1X: backend state for port 8/41 is TIMEOUT</P><P></P></BODY></HTML> Tue, 11 Oct 2005 22:23:37 GMT https://community.cisco.com/t5/network-access-control/is-there-anyone-using-wired-802-1x-in-production/m-p/469460#M428519 jimmie25h69 2005-10-11T22:23:37Z https://community.cisco.com/t5/network-access-control/is-there-anyone-using-wired-802-1x-in-production/m-p/469461#M428521 <HTML><HEAD></HEAD><BODY><P>8.4(5) fixed both.</P><P></P><P>bug ID CSCeh95025 - 802.1x simultaneous authentications fail</P><P></P></BODY></HTML> Mon, 24 Oct 2005 21:30:52 GMT https://community.cisco.com/t5/network-access-control/is-there-anyone-using-wired-802-1x-in-production/m-p/469461#M428521 jimmie25h69 2005-10-24T21:30:52Z https://community.cisco.com/t5/network-access-control/is-there-anyone-using-wired-802-1x-in-production/m-p/469462#M428523 <HTML><HEAD></HEAD><BODY><P>What version of ACS are you using? What Catalyst operating system and Supervisor are you using? What version of Catalyst OS are you using? Which Microsoft operating system(s) are you using and approximately what service pack are you running?</P><P></P><P>What are you configured to do after you authenticate a device? Are you changing VLANs?</P></BODY></HTML> Tue, 25 Oct 2005 18:42:51 GMT https://community.cisco.com/t5/network-access-control/is-there-anyone-using-wired-802-1x-in-production/m-p/469462#M428523 brford 2005-10-25T18:42:51Z https://community.cisco.com/t5/network-access-control/is-there-anyone-using-wired-802-1x-in-production/m-p/469463#M428525 <HTML><HEAD></HEAD><BODY><P>What version of ACS are you using?</P><P></P><P>ACS SE 1112</P><P>Cisco Secure ACS 3.3.2.2 </P><P>Appliance Management Software 3.3.2.1 </P><P>Appliance Base Image 3.3.1.6 </P><P>CSA build 4.0.1.543.2 (Patch: 4_0_1_543)</P><P></P><P>And</P><P></P><P>ACS SE 1111</P><P>Cisco Secure ACS 3.3.2.2 </P><P>Appliance Management Software 3.3.2.1 </P><P>Appliance Base Image 3.3.1.1-HP </P><P>CSA build 4.0.1.543.2 (Patch: 4_0_1_543)</P><P></P><P></P><P>What Catalyst operating system and Supervisor are you using?</P><P>8.4(5), SUP2/PFC2</P><P>Crashed once when 802.1x was disabled on a port after upgrading to 8.4(5)</P><P>"set port dot1x 7/26 port-control force-authorized"</P><P>Possibly related to bugs CSCei80863 and CSCsc02053</P><P></P><P>What version of Catalyst OS are you using?</P><P>WS-C6509 Software, Version NmpSW: 8.4(5)</P><P>Copyright (c) 1995-2005 by Cisco Systems</P><P>NMP S/W compiled on Aug 3 2005, 12:01:19</P><P></P><P></P><P>Which Microsoft operating system(s) are you using and approximately what service pack are you running? </P><P></P><P>All are XP SP2. updates are current within 30-45 days. The PCs are PEAP with registry keys AuthMode=2, SupplicantMode=3</P><P></P><P>What are you configured to do after you authenticate a device?</P><P>Authenticating a PC only once unless port state changes.</P><P>Dynamic vlan assignment</P><P></P><P>Are you changing VLANs?</P><P>yes</P><P></P></BODY></HTML> Tue, 25 Oct 2005 21:52:05 GMT https://community.cisco.com/t5/network-access-control/is-there-anyone-using-wired-802-1x-in-production/m-p/469463#M428525 jimmie25h69 2005-10-25T21:52:05Z