Re: Cisco phone flood 802.1x authentication issue

JlassiAhmed0345 · ‎03-11-2021

I have configured, dot1x authentication for the corporate users, and for the phones we have chosen just an open authentification of the voice VLAN (switch port voice 100). unfortunately, now we have experienced an outage service in the Access switch. during the investigation, we found that the cisco phones each time they attempt to authenticate the network using dot1x authentication and flood a lot of 802.1x authentication packets, and thus increase the process CPU of the access switch.

Note that we have not configured authentication for the voice VLAN as is mentioned below in the configuration under the physical interface:

switchport mode access
switchport voice vlan 100
authentication host-mode multi-domain
authentication open
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast edge
end

Below you find the log found it in the access switch

Adam Pawlowski · ‎03-11-2021

is dot1x configure off for the device ? You can tell it to not so it doesn’t try device authentication.

JlassiAhmed0345 · ‎03-13-2021

The 802.1x authentication is disabled in the phones. but we still receive a dot1x packet from phones.

is there any idea what is the root cause of this issue?

Adam Pawlowski · ‎03-14-2021

I have a large deployment with dot1x on the network, and disabled for the phones without this issue. They do forward for whatever's behind them if the device on the far side is trying to do auth.