802.1x DHCP Assignment Behaviour

tcp_analysis_flags_eq_1 — Tue, 05 Dec 2023 22:01:22 GMT

Hello, I want to ask if the issue is related to timers and latency between the authenticator and ISE.

I have below setup

Domain Laptop -> Get Internal VLAN

Guest Laptop -> Get Guest VLAN

Below is the interface configuration

interface GigabitEthernet2/0/16
switchport access vlan 80
switchport mode access
switchport voice vlan 50
switchport port-security maximum 3
switchport port-security violation restrict
switchport port-security aging time 5
switchport port-security aging type inactivity
switchport port-security
ip device tracking maximum 65535
no logging event link-status
srr-queue bandwidth share 1 70 25 5
srr-queue bandwidth shape 3 0 0 0
priority-queue out
authentication periodic
authentication timer reauthenticate 54000
access-session host-mode multi-host
mab
dot1x pae authenticator
no cdp enable
spanning-tree portfast
service-policy type control subscriber PORT_DOT1X_POLICY
end

Whats happening is. When a guest laptop(non-domain) plugs into a port with 802.1x configuration it will get an IP from VLAN 80, but will not have any access to the network, after the dot1x auth is state is stop we issue the command release and renew on end machine and it will get the guest VLAN. Is this behaviour normal? Ideally if possible, we would not need to issue the release renew command on end machine.

Re: 802.1x DHCP Assignment Behaviour

MHM Cisco World — Tue, 05 Dec 2023 22:13:56 GMT

Many issue here

access-session host-mode multi-host

Change this to host-mode multi-auth'

Multi-host allow only one host to auth and all.other host after that allow to access without auth

Remove port-secuirty (if you face packet drop)

Also where is config of guest.

MHM

topic 802.1x DHCP Assignment Behaviour in Network Access Control

802.1x DHCP Assignment Behaviour

Re: 802.1x DHCP Assignment Behaviour