Re: 802.1x problem - 'timeout' from 'dot1x'

CSCO11448607 · ‎06-04-2013

Hello.

Sorry for my bad english.

Environment

supplicant: Windows 7 x86_64 with computer certificate

authenticator: catalyst c2960s ios 150-2.SE2

authentication server: 2x - Windows server 2012 NPS

authentication method: EAP-TLS

Switch configuration

interface GigabitEthernet1/0/11

description 5-13-2

switchport access vlan 340

switchport mode access

ip arp inspection limit rate 100

authentication control-direction in

authentication event server dead action authorize vlan 340

authentication port-control auto

authentication violation restrict

dot1x pae authenticator

dot1x max-req 3

dot1x max-reauth-req 3

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

ip dhcp snooping limit rate 100

!

Problem

Оccasionally when computer is turned on, the authentication fails.

After disable/enable network interface on the computer (or after reboot computer), the authentication successful.

Log messages:

Jun 4 08:13:37 10.13.90.2 62971: gmt-sw-phd-01: Jun 4 2013 04:13:37.470 UTC: %DOT1X-5-FAIL: Authentication failed for client (80c1.6eef.c2e4) on Interface Gi1/0/12 AuditSessionID 0A0D5A02000027E85FC6C57D

Jun 4 08:13:38 10.13.90.2 62972: gmt-sw-phd-01: Jun 4 2013 04:13:37.470 UTC: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (80c1.6eef.c2e4) on Interface Gi1/0/12 AuditSessionID 0A0D5A02000027E85FC6C57D

What do I need do to solve this problem?

Thank you.

cweatherford · ‎06-04-2013

I have started having issues with my 2960's and 802.1x as well. I am running IOS 12.2(52)SE. Sometimes a reboot or port restart works but lately that has stopped working. We are using the AnyConnect client as our supplicant with user/password to ACS 4.2 server for Windows.

Any help would be awesome!

manjeets · ‎07-18-2013

Kindly review the below link:

www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf

CSCO11448607 · ‎07-19-2013

Thank you.