08-05-2010 01:30 PM - edited 03-10-2019 05:18 PM
Hi, all.
I have a very strange problem when turning on 802.1x/MAB on Cisco IOS 12.2.54 running on Cat45xx switches.
Here is a config sample of a port:
interface GigabitEthernet9/48
 switchport access vlan xxx
 switchport mode access
 switchport voice vlan yyy
 no logging event link-status
 load-interval 60
 authentication event fail action next-method
 authentication event server dead action authorize vlan xxx
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 10
 flowcontrol receive off
 storm-control broadcast level 5.00
 storm-control action shutdown
 spanning-tree portfast
Cisco ACS 5.1 is running as a RADIUS/TACACS appliance in the network.
Since we have many non-certificate-capable devices, MAB is used first to authenticate these devices; for many
devices the RADIUS server sends down a specific VLAN ID for that port.
All of this works fine!!!!
Now for the problem:
Some devices authenticate fine with mab, but after a few minutes these devices stop responding to the network,
pings are not answered anymore.
"show authen sessions" for this port shows everything good:
show authentication sessions int gig9/48
Interface: GigabitEthernet9/48
MAC Address: 000d.1234.5678
IP Address: 10.aa.bb.cc.dd
User-Name: 00-0D-12-34-56-78
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: zzz
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A540423000015FE74510567
Acct Session ID: 0x00001608
Handle: 0x34000609
Runnable methods list:
Method State
mab Authc Success
dot1x Failed over
When I shut down and re-enable the interface, show auth sessions changes to:
show authentication sessions int gig9/48
Interface: GigabitEthernet9/48
MAC Address: Unknown
IP Address: Unknown
Status: Running
Domain: UNKNOWN
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A5404230000160676F62524
Acct Session ID: 0x00001613
Handle: 0x24000610
Runnable methods list:
Method State
mab Running
dot1x Not run
After a variable time period (sometimes 2 minutes, sometimes 2 hours) the port learns or sees the
MAC address again, authenticates it and pings start to respond again, but also for a variable time period only,
and the whole thing starts over (pings lost, ...).
I guess this is a .1x issue, because if I configure the port as a normal switchport (mode access, access vlan "zzz", span portfast),
the devices show no problems at all, always reachable, no packets lost.
Did I miss anything??
Anyone encountered any similar problems???
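As an added example (not code from the original post or from Cisco), a small Python check that parses the two "show authentication sessions" outputs quoted above and flags the stuck state (Status Running, MAC Unknown, mab still Running), so a port that keeps bouncing between authorized and unauthorized can be caught by a polling script instead of by lost pings. The sample text is constructed from the outputs above with the site-specific values shortened.

```python
# Both samples are constructed from the "show authentication sessions" output
# quoted in the post above (values shortened; no device-specific data).
HEALTHY = """Interface: GigabitEthernet9/48
MAC Address: 000d.1234.5678
Status: Authz Success
Domain: DATA
Vlan Policy: zzz
Runnable methods list:
Method State
mab Authc Success
dot1x Failed over"""
STUCK = """Interface: GigabitEthernet9/48
MAC Address: Unknown
Status: Running
Domain: UNKNOWN
Runnable methods list:
Method State
mab Running
dot1x Not run"""


def parse_session(text):
    """Return header fields as a dict plus a 'methods' dict of method -> state."""
    fields, methods, in_methods = {}, {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Runnable methods list"):
            in_methods = True
        elif in_methods and line and not line.startswith("Method "):
            name, state = line.split(None, 1)
            methods[name] = state
        elif ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    fields["methods"] = methods
    return fields


def session_problems(session):
    """List reasons the session is not a working authorized session (empty = OK)."""
    problems = []
    if session.get("Status") != "Authz Success":
        problems.append("status is %s" % session.get("Status", "missing"))
    if session.get("MAC Address", "Unknown") == "Unknown":
        problems.append("no MAC address learned on the port")
    for method, state in session["methods"].items():
        if state == "Running":
            problems.append("%s authentication still running" % method)
    return problems
```

Running the check repeatedly against `show authentication sessions interface` output gives a timeline of when the port drops back to Running, which is the data TAC will want alongside the config.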
10-01-2010 01:04 AM
Hi, I have experienced a similar problem. I have a C4506 Sup 4 with gig interfaces. I have ACS 5.1, and if I enable dot1x on an access port it works fine in multi-host mode, but when I switch to multi-domain it stops working: the PC and phone get an IP address but they are not able to communicate, not even pinging the default GW. Directly after the switch to multi-domain (from multi-host) the phone and PC work, but if I do a shut / no shut on the interface it stops working. I have logged a case with TAC and am waiting for an answer. I run the latest release, 12.2(54).
/ Magnus