802.1x port-security in Cisco 3560 series

santoshbajimaya
Level 1

Hello everyone,

I have been trying to set up 802.1x port security in my organization's network. After all my research, I was finally able to test it in one of the Cisco 2960 series switches and implement 802.1x port-security. Now the thing is that my organization does have a variety of Cisco switches. So, when I tested the 802.1x setup in a 3560 series switch, it failed. I compared all the configuration and setup settings for both switches. Everything is the same, but still, it fails in the 3560 switches.

I thought it might be because of an incompatible IOS image version the 3560 switch had. So, I upgraded the IOS image for the switch (tried it for ipbasek9 and ipservicesk9). None of it worked. So, I can't really figure out what the issue is. Is it that the 3560 series does not support the 802.1x setting, or is it something else?

Thank You.

9 Replies

Seb Rupik
VIP Alumni

Hi there,

The 3560 does support 802.1x. Can you share the switch config with us?

cheers,

Seb.

I am using 802.1x just for authenticating domain computers, simple as that. Below is the configuration for the switch:

!
aaa new-model
!
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization exec default group radius if-authenticated
!
dot1x system-auth-control
!
interface GigabitEthernet0/7
 description 6th Floor-Client
 switchport access vlan 1610
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
radius-server host 10.1.200.59 auth-port 1812 acct-port 1813 key 7 1122175503160A3C24393833782131

My Cisco 2960 has the same configuration and 802.1x is working fine on it.

Thank you.

Hmmmm, the config appears to be correct.

As a sanity test, have you tested the radius connection with the test command:

test aaa group radius server 10.1.200.59 <user> <password> legacy

With a device connected to a dot1x switchport, what is the output of:

sh authentication interface <int_id>
sh dot1x interface <int_id>

Also, what IOS version are you running?

cheers,
Seb.

I have captured the radius traffic from the 2960 series and the 3560 series as well. While testing with the 2960 switch, I see the radius traffic coming in from the switch, going through the challenge and finally being accepted.

However, when I test it in the 3560 switch, the radius traffic keeps repeating the challenge traffic and does not go further. I have tested the same laptop on the ports of those two switches.

My concern is that I am using the same laptop to test between those two switches. I believe I can conclude that there is no problem with the configuration on my laptop. Also, the network (firewall) is not blocking any radius traffic from the different VLANs of those two switches, as I checked the firewall and I can see the radius traffic in my radius server as well.

Secondly, the radius server is the same for both switches. So, the only thing I believe has a problem is the switch. But here also, all the configurations are the same on those two switches.

I tested the 3560 switch with c3560-ipservicesk9-mz.122-55.SE12.bin, c3560-ipservicesk9-mz.122-55.SE.bin and also with c3560-ipbasek9-mz.150-2.SE4.bin.

I am out of options now.

The Access-Challenge from the server should initiate an EAP-Request from the switch to the supplicant, so your suspicions about the switch are correct.

Have you tried the debug radius command to see what is happening?

Have you tried running a packet capture from the laptop/PC to see what, if any, EAPoL frames are being sent/received?

cheers,

Seb.

I ran Wireshark to capture the packets from a single laptop to those two switches. I have attached both captures herewith.

I don't see the "server hello" message from the switch to my laptop, which I can see in the successful capture.

Thanks for the captures. Looking at the failed one, the flow looks promising; the client sends a hello, but clearly the server never responds (does it ever receive it?)... or maybe the switch is just dropping the message.

Then later the switch tries to identify the client (after waiting the 120 seconds) and the laptop just ignores the request!

I've had a look for applicable bugs:

site:https://quickview.cloudapps.cisco.com bug 3560 802.1x

...but haven't turned up anything. Plus you've tried a good spread of software versions to reduce your exposure to any one particular bug.

I'm stumped as to what the problem could be. Sorry.
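The EAPoL check Seb suggests, and the pattern he reads out of the failed capture (client hello sent, no TLS reply from the switch, then repeated Identity requests), can be automated. The following is an added Python example, not code from the thread: it decodes EAPOL/EAP frames from raw Ethernet bytes and flags a stalled exchange. The MAC addresses, identity string and TLS bytes are constructed sample data, not taken from the posted captures.

```python
import struct
EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # 802.1X PAE group destination address
SUPPLICANT_MAC = bytes.fromhex("001122334455")  # constructed sample source MAC
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP"}
TLS_CARRYING = ("EAP-TLS", "PEAP")              # methods whose payload is a TLS record

def parse_eapol_frame(frame):
    """Decode one Ethernet frame; return the EAP code/id/type inside an EAPOL
    EAP-Packet, or None for non-EAPOL, EAPOL-Start/Logoff or truncated frames."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != EAPOL_ETHERTYPE:
        return None
    _version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if eapol_type != 0 or len(body) < 4:        # EAPOL type 0 = EAP-Packet
        return None
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    has_type = code in (1, 2) and eap_len > 4 and len(body) > 4
    eap_type = EAP_TYPES.get(body[4], body[4]) if has_type else None
    return {"code": EAP_CODES.get(code, code), "id": ident, "type": eap_type}

def diagnose(frames):
    """EAP Requests come from the authenticator (switch), Responses from the
    supplicant. Flags the thread's symptom: client TLS hello sent, no TLS reply."""
    client_tls, server_tls_replies, identity_requests = False, 0, 0
    for m in filter(None, map(parse_eapol_frame, frames)):
        if m["code"] == "Request" and m["type"] == "Identity":
            identity_requests += 1
        elif m["code"] == "Response" and m["type"] in TLS_CARRYING:
            client_tls = True
        elif m["code"] == "Request" and m["type"] in TLS_CARRYING and client_tls:
            server_tls_replies += 1
    return {"identity_requests": identity_requests, "client_tls_sent": client_tls,
            "server_tls_replies": server_tls_replies,
            "stalled": client_tls and server_tls_replies == 0}

def build_frame(code, ident, eap_type=None, payload=b""):
    """Build a constructed EAPOL/EAP frame for offline testing (not from a capture)."""
    eap_body = (bytes([eap_type]) if eap_type is not None else b"") + payload
    eap = struct.pack("!BBH", code, ident, 4 + len(eap_body)) + eap_body
    eapol = struct.pack("!BBH", 2, 0, len(eap)) + eap   # EAPOL v2, type 0
    return PAE_GROUP_MAC + SUPPLICANT_MAC + struct.pack("!H", EAPOL_ETHERTYPE) + eapol

# Constructed sequences: Identity exchange, PEAP Start (flag 0x20), client hello stub,
# then either the server's TLS reply and Success, or only repeated Identity requests.
COMMON = [build_frame(1, 1, 1), build_frame(2, 1, 1, b"host/pc01"),
          build_frame(1, 2, 25, b"\x20"), build_frame(2, 2, 25, b"\x00\x16\x03\x01")]
WORKING = COMMON + [build_frame(1, 3, 25, b"\xc0\x16\x03\x01"), build_frame(3, 3)]
FAILED = COMMON + [build_frame(1, 3, 1), build_frame(1, 4, 1)]
```

To run it against a real capture, feed `diagnose()` the raw frames of a pcap (for example via a pcap reader library) instead of the constructed lists; a `stalled` result with a growing `identity_requests` count is the failed-switch pattern described above.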

Thank you very much, Seb, for your support.

Yeah, I see the radius traffic from the switch to the radius server, but it keeps on looping around the challenge traffic. I can't really think of what the issue is, because all other circumstances are identical except the switch, and even the configs are the same on those two switches.

Hopefully, I will be able to troubleshoot it someday.

Thank you once again.

Hey Seb,

I ran the EAP debug on both switches and have saved the result. I have attached the result herewith.

Could you help me with it?

Thank You
