07-24-2013 10:33 PM - edited 03-10-2019 08:41 PM
Hello,
I'm hoping someone may be able to assist with a strange issue I am having with 802.1X authentication.
Please consider the following scenario:
A. User plugs into switch A and he/she is successfully authenticated on RADIUS.
B. User removes laptop from switch A and plugs into switch B; RADIUS does not authenticate.
Both switches are set up with a trunk and are on the same network.
Switch A is a C2960S. Switch B is a 4510-Chassis.
Things I have observed:
If the user leaves the PC plugged in for 20-30 minutes, or plugs in the next day, authentication will begin working again.
If I power down switch A, then authentication will work instantly.
If the user logs into wireless instead, authentication will work instantly (I believe this is because it's using a different NIC to connect).
Even if I plug in an HP ProCurve to the 4510 as an uplink and then move a PC from the ProCurve switch to an 802.1X port on the 4510, I am unable to authenticate until I power off the HP ProCurve switch.
RADIUS server is Windows 2008 R2.
The switch with the issue is a 4510
Radius Config on 4510 (cat4500e-UNIVERSALK9-M)
System image file is "bootflash:cat4500e-universalk9.SPA.03.03.00.SG.151-1.SG.bin"
**************************************************************
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
aaa session-id common
interface GigabitEthernet7/1
 switchport mode access
 switchport voice vlan 21
 authentication event fail action authorize vlan 32
 authentication event no-response action authorize vlan 32
 authentication host-mode multi-host
 authentication port-control auto
 dot1x pae authenticator
 qos trust device cisco-phone
 spanning-tree portfast
 service-policy input AutoQos-VoIP-Input-Cos-Policy
 service-policy output AutoQos-VoIP-Output-Policy
radius-server host ##.##.##.##
radius-server key 7 ############
***************************************************************
Here is the debug for dot1x all
Jul 25 02:22:40.285 UTC: dot1x-ev(Gi7/1): Interface state changed to UP
Jul 25 02:22:40.288 UTC: dot1x_auth Gi7/1: initial state auth_initialize has enter
Jul 25 02:22:40.288 UTC: dot1x-sm(Gi7/1): 0xA5000EEA:auth_initialize_enter called
Jul 25 02:22:40.288 UTC: dot1x_auth Gi7/1: during state auth_initialize, got event 0(cfg_auto)
Jul 25 02:22:40.288 UTC: @@@ dot1x_auth Gi7/1: auth_initialize -> auth_disconnected
Jul 25 02:22:40.288 UTC: dot1x-sm(Gi7/1): 0xA5000EEA:auth_disconnected_enter called
Jul 25 02:22:40.288 UTC: dot1x_auth Gi7/1: idle during state auth_disconnected
Jul 25 02:22:40.288 UTC: @@@ dot1x_auth Gi7/1: auth_disconnected -> auth_restart
Jul 25 02:22:40.288 UTC: dot1x-sm(Gi7/1): 0xA5000EEA:auth_restart_enter called
Jul 25 02:22:40.288 UTC: dot1x-ev(Gi7/1): Sending create new context event to EAP for 0xA5000EEA (0000.0000.0000)
Jul 25 02:22:40.288 UTC: dot1x_auth_bend Gi7/1: initial state auth_bend_initialize has enter
Jul 25 02:22:40.288 UTC: dot1x-sm(Gi7/1): 0xA5000EEA:auth_bend_initialize_enter called
Jul 25 02:22:40.288 UTC: dot1x_auth_bend Gi7/1: initial state auth_bend_initialize has idle
Jul 25 02:22:40.288 UTC: dot1x_auth_bend Gi7/1: during state auth_bend_initialize, got event 16383(idle)
Jul 25 02:22:40.288 UTC: @@@ dot1x_auth_bend Gi7/1: auth_bend_initialize -> auth_bend_idle
Jul 25 02:22:40.288 UTC: dot1x-sm(Gi7/1): 0xA5000EEA:auth_bend_idle_enter called
Jul 25 02:22:40.288 UTC: dot1x-ev(Gi7/1): Created a client entry (0xA5000EEA)
Jul 25 02:22:40.288 UTC: dot1x-ev(Gi7/1): Dot1x authentication started for 0xA5000EEA (0000.0000.0000)
Jul 25 02:22:40.288 UTC: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet7/1
Jul 25 02:22:40.290 UTC: dot1x-sm(Gi7/1): Posting !EAP_RESTART on Client 0xA5000EEA
Jul 25 02:22:40.290 UTC: dot1x_auth Gi7/1: during state auth_restart, got event 6(no_eapRestart)
Jul 25 02:22:40.290 UTC: @@@ dot1x_auth Gi7/1: auth_restart -> auth_connecting
Jul 25 02:22:40.290 UTC: dot1x-sm(Gi7/1): 0xA5000EEA:auth_connecting_enter called
Jul 25 02:22:40.290 UTC: dot1x-sm(Gi7/1): 0xA5000EEA:auth_restart_connecting_action called
Jul 25 02:22:40.290 UTC: dot1x-sm(Gi7/1): Posting RX_REQ on Client 0xA5000EEA
Jul 25 02:22:40.290 UTC: dot1x_auth Gi7/1: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
Jul 25 02:22:40.290 UTC: @@@ dot1x_auth Gi7/1: auth_connecting -> auth_authenticating
Jul 25 02:22:40.290 UTC: dot1x-sm(Gi7/1): 0xA5000EEA:auth_authenticating_enter called
Jul 25 02:22:40.290 UTC: dot1x-sm(Gi7/1): 0xA5000EEA:auth_connecting_authenticating_action called
Jul 25 02:22:40.290 UTC: dot1x-sm(Gi7/1): Posting AUTH_START for 0xA5000EEA
Jul 25 02:22:40.290 UTC: dot1x_auth_bend Gi7/1: during state auth_bend_idle, got event 4(eapReq_authStart)
Jul 25 02:22:40.290 UTC: @@@ dot1x_auth_bend Gi7/1: auth_bend_idle -> auth_bend_request
Jul 25 02:22:40.290 UTC: dot1x-sm(Gi7/1): 0xA5000EEA:auth_bend_request_enter called
Jul 25 02:22:40.290 UTC: dot1x-ev(Gi7/1): Sending EAPOL packet to group PAE address
Jul 25 02:22:40.291 UTC: dot1x-ev(Gi7/1): Role determination not required
Jul 25 02:22:40.291 UTC: dot1x-registry:registry:dot1x_ether_macaddr called
Jul 25 02:22:40.291 UTC: dot1x-ev(Gi7/1): Sending out EAPOL packet
Jul 25 02:22:40.291 UTC: EAPOL pak dump Tx
Jul 25 02:22:40.291 UTC: EAPOL Version: 0x3 type: 0x0 length: 0x0005
Jul 25 02:22:40.291 UTC: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
Jul 25 02:22:40.291 UTC: dot1x-packet(Gi7/1): EAPOL packet sent to client 0xA5000EEA (0000.0000.0000)
Jul 25 02:22:40.291 UTC: dot1x-sm(Gi7/1): 0xA5000EEA:auth_bend_idle_request_action called
Jul 25 02:22:40.307 UTC: dot1x-ev(Gi7/1): Role determination not required
Jul 25 02:22:40.307 UTC: dot1x-packet(Gi7/1): Queuing an EAPOL pkt on Authenticator Q
Jul 25 02:22:40.307 UTC: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Jul 25 02:22:40.307 UTC: EAPOL pak dump rx
Jul 25 02:22:40.308 UTC: EAPOL Version: 0x1 type: 0x0 length: 0x002A
Jul 25 02:22:40.308 UTC: dot1x-ev:
dot1x_auth_queue_event: Int Gi7/1 CODE= 2,TYPE= 1,LEN= 42
Jul 25 02:22:40.308 UTC: dot1x-packet(Gi7/1): Received an EAPOL frame
Jul 25 02:22:40.308 UTC: dot1x-ev(Gi7/1): Received pkt saddr =f0de.f11a.4f3d , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.002a
Jul 25 02:22:40.308 UTC: dot1x-ev(Gi7/1): Couldn't find the supplicant in the list
Jul 25 02:22:40.308 UTC: dot1x-ev(Gi7/1): New client detected, issuing Start Request to AuthMgr
Jul 25 02:22:58.298 UTC: dot1x-ev(Gi7/1): Role determination not required
Jul 25 02:22:58.298 UTC: dot1x-packet(Gi7/1): queuing an EAPOL pkt on Auth Q
Jul 25 02:22:58.298 UTC: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Jul 25 02:22:58.298 UTC: EAPOL pak dump rx
Jul 25 02:22:58.298 UTC: EAPOL Version: 0x1 type: 0x1 length: 0x0000
Jul 25 02:22:58.298 UTC: dot1x-ev:
dot1x_auth_queue_event: Int Gi7/1 CODE= 0,TYPE= 0,LEN= 0
Jul 25 02:22:58.298 UTC: dot1x-packet(Gi7/1): Received an EAPOL frame
Jul 25 02:22:58.298 UTC: dot1x-ev(Gi7/1): Received pkt saddr =f0de.f11a.4f3d , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
Jul 25 02:22:58.298 UTC: dot1x-ev(Gi7/1): Couldn't find the supplicant in the list
Jul 25 02:22:58.298 UTC: dot1x-ev(Gi7/1): New client detected, issuing Start Request to AuthMgr
Jul 25 02:23:03.306 UTC: dot1x-ev(Gi7/1): Role determination not required
Jul 25 02:23:03.306 UTC: dot1x-packet(Gi7/1): queuing an EAPOL pkt on Auth Q
Jul 25 02:23:03.306 UTC: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Jul 25 02:23:03.307 UTC: EAPOL pak dump rx
Jul 25 02:23:03.307 UTC: EAPOL Version: 0x1 type: 0x1 length: 0x0000
Jul 25 02:23:03.307 UTC: dot1x-ev:
dot1x_auth_queue_event: Int Gi7/1 CODE= 0,TYPE= 0,LEN= 0
Jul 25 02:23:03.307 UTC: dot1x-packet(Gi7/1): Received an EAPOL frame
Jul 25 02:23:03.307 UTC: dot1x-ev(Gi7/1): Received pkt saddr =f0de.f11a.4f3d , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
Jul 25 02:23:03.307 UTC: dot1x-ev(Gi7/1): Couldn't find the supplicant in the list
Jul 25 02:23:03.307 UTC: dot1x-ev(Gi7/1): New client detected, issuing Start Request to AuthMgr
Jul 25 02:23:08.316 UTC: dot1x-ev(Gi7/1): Role determination not required
Jul 25 02:23:08.316 UTC: dot1x-packet(Gi7/1): queuing an EAPOL pkt on Auth Q
Jul 25 02:23:08.316 UTC: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Jul 25 02:23:08.316 UTC: EAPOL pak dump rx
Jul 25 02:23:08.316 UTC: EAPOL Version: 0x1 type: 0x1 length: 0x0000
Jul 25 02:23:08.316 UTC: dot1x-ev:
dot1x_auth_queue_event: Int Gi7/1 CODE= 0,TYPE= 0,LEN= 0
Jul 25 02:23:08.316 UTC: dot1x-packet(Gi7/1): Received an EAPOL frame
Jul 25 02:23:08.316 UTC: dot1x-ev(Gi7/1): Received pkt saddr =f0de.f11a.4f3d , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
Jul 25 02:23:08.316 UTC: dot1x-ev(Gi7/1): Couldn't find the supplicant in the list
Jul 25 02:23:08.316 UTC: dot1x-ev(Gi7/1): New client detected, issuing Start Request to AuthMgr
Jul 25 02:23:11.160 UTC: dot1x-sm(Gi7/1): Posting EAP_REQ for 0xA5000EEA
Jul 25 02:23:11.160 UTC: dot1x_auth_bend Gi7/1: during state auth_bend_request, got event 7(eapReq)
Jul 25 02:23:11.160 UTC: @@@ dot1x_auth_bend Gi7/1: auth_bend_request -> auth_bend_request
Jul 25 02:23:11.160 UTC: dot1x-sm(Gi7/1): 0xA5000EEA:auth_bend_request_request_action called
Jul 25 02:23:11.160 UTC: dot1x-sm(Gi7/1): 0xA5000EEA:auth_bend_request_enter called
Jul 25 02:23:11.160 UTC: dot1x-ev(Gi7/1): Sending EAPOL packet to group PAE address
Jul 25 02:23:11.160 UTC: dot1x-ev(Gi7/1): Role determination not required
Jul 25 02:23:11.160 UTC: dot1x-registry:registry:dot1x_ether_macaddr called
Jul 25 02:23:11.160 UTC: dot1x-ev(Gi7/1): Sending out EAPOL packet
Jul 25 02:23:11.160 UTC: EAPOL pak dump Tx
Jul 25 02:23:11.160 UTC: EAPOL Version: 0x3 type: 0x0 length: 0x0005
Jul 25 02:23:11.160 UTC: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
Jul 25 02:23:11.160 UTC: dot1x-packet(Gi7/1): EAPOL packet sent to client 0xA5000EEA (0000.0000.0000)
Jul 25 02:23:11.167 UTC: dot1x-ev(Gi7/1): Role determination not required
Jul 25 02:23:11.167 UTC: dot1x-packet(Gi7/1): Queuing an EAPOL pkt on Authenticator Q
Jul 25 02:23:11.167 UTC: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Jul 25 02:23:11.167 UTC: EAPOL pak dump rx
Jul 25 02:23:11.168 UTC: EAPOL Version: 0x1 type: 0x0 length: 0x002A
Jul 25 02:23:11.168 UTC: dot1x-ev:
dot1x_auth_queue_event: Int Gi7/1 CODE= 2,TYPE= 1,LEN= 42
Jul 25 02:23:11.168 UTC: dot1x-packet(Gi7/1): Received an EAPOL frame
Jul 25 02:23:11.168 UTC: dot1x-ev(Gi7/1): Received pkt saddr =f0de.f11a.4f3d , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.002a
Jul 25 02:23:11.168 UTC: dot1x-ev(Gi7/1): Couldn't find the supplicant in the list
Jul 25 02:23:11.168 UTC: dot1x-ev(Gi7/1): New client detected, issuing Start Request to AuthMgr
Jul 25 02:23:30.169 UTC: dot1x-ev(Gi7/1): Role determination not required
Jul 25 02:23:30.169 UTC: dot1x-packet(Gi7/1): queuing an EAPOL pkt on Auth Q
Jul 25 02:23:30.169 UTC: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Jul 25 02:23:30.169 UTC: EAPOL pak dump rx
Jul 25 02:23:30.169 UTC: EAPOL Version: 0x1 type: 0x1 length: 0x0000
Jul 25 02:23:30.169 UTC: dot1x-ev:
dot1x_auth_queue_event: Int Gi7/1 CODE= 0,TYPE= 0,LEN= 0
Jul 25 02:23:30.169 UTC: dot1x-packet(Gi7/1): Received an EAPOL frame
Jul 25 02:23:30.169 UTC: dot1x-ev(Gi7/1): Received pkt saddr =f0de.f11a.4f3d , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
Jul 25 02:23:30.169 UTC: dot1x-ev(Gi7/1): Couldn't find the supplicant in the list
Jul 25 02:23:30.169 UTC: dot1x-ev(Gi7/1): New client detected, issuing Start Request to AuthMgr
Jul 25 02:23:35.176 UTC: dot1x-ev(Gi7/1): Role determination not required
Jul 25 02:23:35.176 UTC: dot1x-packet(Gi7/1): queuing an EAPOL pkt on Auth Q
Jul 25 02:23:35.176 UTC: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Jul 25 02:23:35.176 UTC: EAPOL pak dump rx
Jul 25 02:23:35.176 UTC: EAPOL Version: 0x1 type: 0x1 length: 0x0000
Jul 25 02:23:35.176 UTC: dot1x-ev:
dot1x_auth_queue_event: Int Gi7/1 CODE= 0,TYPE= 0,LEN= 0
Jul 25 02:23:35.176 UTC: dot1x-packet(Gi7/1): Received an EAPOL frame
Jul 25 02:23:35.176 UTC: dot1x-ev(Gi7/1): Received pkt saddr =f0de.f11a.4f3d , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
Jul 25 02:23:35.176 UTC: dot1x-ev(Gi7/1): Couldn't find the supplicant in the list
Jul 25 02:23:35.176 UTC: dot1x-ev(Gi7/1): New client detected, issuing Start Request to AuthMgr
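Added example (not part of the original post and not Cisco tooling): a small Python parser for debug output in the format posted above. It decodes the EAPOL type from the pae-ether-type field and flags a port where client frames keep arriving while the backend state machine stays in auth_bend_request. The function name summarise, the threshold and the stall heuristic are assumptions made for illustration; the sample lines follow the log format above.

```python
import re
from collections import Counter, defaultdict

# Sample lines in the format of the debug output above (embedded so this runs offline).
SAMPLE = """\
Jul 25 02:22:40.290 UTC: @@@ dot1x_auth_bend Gi7/1: auth_bend_idle -> auth_bend_request
Jul 25 02:22:40.308 UTC: dot1x-ev(Gi7/1): Received pkt saddr =f0de.f11a.4f3d , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.002a
Jul 25 02:22:40.308 UTC: dot1x-ev(Gi7/1): Couldn't find the supplicant in the list
Jul 25 02:22:58.298 UTC: dot1x-ev(Gi7/1): Received pkt saddr =f0de.f11a.4f3d , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
Jul 25 02:22:58.298 UTC: dot1x-ev(Gi7/1): Couldn't find the supplicant in the list
Jul 25 02:23:03.307 UTC: dot1x-ev(Gi7/1): Received pkt saddr =f0de.f11a.4f3d , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
Jul 25 02:23:03.307 UTC: dot1x-ev(Gi7/1): Couldn't find the supplicant in the list
"""

# EAPOL packet types as defined by IEEE 802.1X.
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
# pae-ether-type is printed as <ethertype>.<version><type>.<length>, all in hex.
RX = re.compile(r"dot1x-ev\((\S+?)\): Received pkt saddr =\s*([0-9a-f.]+)\s*,.*"
                r"pae-ether-type = 888e\.([0-9a-f]{2})([0-9a-f]{2})\.([0-9a-f]{4})")
BEND = re.compile(r"@@@ dot1x_auth_bend (\S+): \S+ -> (\S+)")
MISS = re.compile(r"dot1x-ev\((\S+?)\): Couldn't find the supplicant in the list")

def summarise(log_text, threshold=3):
    """Per-port frame counts, unknown-supplicant count and a stall flag (assumed heuristic)."""
    ports = defaultdict(lambda: {"frames": Counter(), "misses": 0, "bend_state": None})
    for line in log_text.splitlines():
        if m := RX.search(line):
            port, mac, _version, etype, _length = m.groups()
            name = EAPOL_TYPES.get(int(etype, 16), "unknown")
            ports[port]["frames"][(mac, name)] += 1
        elif m := BEND.search(line):
            ports[m.group(1)]["bend_state"] = m.group(2)  # latest backend state
        elif m := MISS.search(line):
            ports[m.group(1)]["misses"] += 1
    for info in ports.values():
        # Stall: the client keeps being treated as new while the backend never leaves request.
        info["stalled"] = (info["misses"] >= threshold
                           and info["bend_state"] == "auth_bend_request")
    return dict(ports)

if __name__ == "__main__":
    for port, info in summarise(SAMPLE).items():
        print(port, dict(info["frames"]), "misses:", info["misses"], "stalled:", info["stalled"])
```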
07-25-2013 02:57 AM
Are you connected behind a non-Cisco IP phone? If it is a Cisco phone, what model and version of code is the phone running? It will need to support the 2nd port CDP messaging to let the port know that the client is no longer connected to the phone.
You can add the following command
authentication timer inactivity 30
to clear the MAC address on the port if no traffic is detected within the time frame, and the MAC address table should update when the client connects to the next switchport.
Thanks
07-25-2013 07:45 PM
Hi Tarik,
For the test I am not connecting via a Cisco phone; I'm trying a direct connection.
I will try the authentication timer inactivity 30 command to see if this fixes the issue and will let you know.
Thanks