Beginner

3750 replies to EAPoL on one port but not another

Seeing a weird thing, wondering if someone else has seen it before I run to TAC.

There are two Win7 SP1 PCs (A & B), plugged in to a 3750-x (v12.2-58-SE2), on ports 33 and 41.

The ports are configured for 802.1x, auth order of MAB then Dot1x. Priority is Dot1x, MAB. The config is the same on both ports (verified at show run all).

When either PC is plugged in to port 33, everything works as I expect. Client sends an EAPoL message, gets a response, and is authenticated.

When PC A is plugged in to port 41, same correct result. When PC B is plugged into port 41, the client sends an EAPoL start, and the switch never replies.

If port 41 has the authentication order changed to dot1x then MAB, PC B works fine.

What am I missing?

Thanks.

Cisco Employee

Could you please paste the config of both the ports/interface along with the below listed debugs:

debug radius

debug dot1x all

Regards,

Jatin Katyal



Port config is below. Debug for the not-working machine is attached. Working on the working machine.

switchport access vlan 11
switchport mode access
switchport block unicast
switchport voice vlan 12
ip access-group DEFAULT_PORT_PERMS in
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 5
dot1x max-req 3
dot1x max-reauth-req 3
dot1x timeout start-period 10
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 1024

Beginner

Called to TAC. IOS upgrade fixed it.
