Cisco 3850 switches - IP Address Delayed for 802.1x and MAB Devices

jmins
Level 1

Hi, we have several Cisco 3850 switches (WS-C3850-48P) that are all experiencing the same issue with various devices.  We have printers and laptops that take several minutes to obtain an IP address.  Sometimes the radius server sees the devices successfully authenticate in logs and sometimes not even when it eventually receives an IP address. The printers are MAB devices and the laptops are 802.1x.  We're not sure if this is related to the radius server, the switch configuration, or both.  Any idea what could be causing this delay?

Below are the switch port configurations:

Printers

switchport access vlan 100
switchport mode access
switchport port-security maximum 3
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority mab dot1x
authentication port-control auto
authentication violation replace
mab
dot1x pae authenticator
storm-control broadcast level 80.00
storm-control action shutdown
auto qos trust
spanning-tree portfast
service-policy input AutoQos-4.0-Trust-Cos-Input-Policy
service-policy output AutoQos-4.0-Output-Policy

Laptops

switchport access vlan 130
switchport mode access
switchport voice vlan 132
switchport port-security maximum 3
access-session host-mode multi-domain
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
storm-control broadcast level 80.00
storm-control action shutdown
auto qos trust
spanning-tree portfast
service-policy type control subscriber POLICY_Gi1/0/30
end


Rodrigo Diaz
Cisco Employee

Hello @jmins, the authentication in terms of dot1x and MAB is done at layer 2, hence it's not necessary for the supplicant to initially have an IP address to start the authentication process, as the switch will handle the RADIUS session related to the switchport.

The default behavior of a switchport with dot1x is the following: it will receive EAPoL packets to forward the authentication to the server; when the authentication finishes and is successful, DHCP, TCP and other connections will be allowed, as displayed in this image. For your reference: Wired 802.1X Deployment Guide.


The ISE or RADIUS server will update the endpoint with the IP once the supplicant gets/updates the IP, with a feature called device-tracking; hence, if you want to see an accurate IP-MAC relationship in ISE, it's important that you have that feature configured.

Once the last points are clarified, I would check the reason for the endpoints' authentication failure in the cases you mention, and for the delay in the authenticated endpoints I would place a capture to verify that the DORA process with your DHCP server is completed.

Let me know if it was helpful. 
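As an added example (not part of this thread and not a Cisco tool), the script below implements the DORA check Rodrigo suggests: it reads a constructed capture summary, one `time client-mac dhcp-message-type` line per DHCP packet (the format is an assumption, roughly what you would export from tshark), and reports per client whether the exchange completed and how long first Discover to ACK took, flagging the multi-minute delays described in the question.

```python
"""Classify DHCP DORA exchanges per client MAC from a capture summary."""
from collections import defaultdict

# Constructed capture summary (hypothetical export format):
# "<seconds> <client-mac> <dhcp-message-type>", one DHCP packet per line.
SAMPLE_CAPTURE = """\
0.000 aa:bb:cc:00:00:01 Discover
0.012 aa:bb:cc:00:00:01 Offer
0.015 aa:bb:cc:00:00:01 Request
0.020 aa:bb:cc:00:00:01 ACK
3.000 aa:bb:cc:00:00:02 Discover
8.000 aa:bb:cc:00:00:02 Discover
13.000 aa:bb:cc:00:00:02 Discover
190.000 aa:bb:cc:00:00:02 Discover
190.050 aa:bb:cc:00:00:02 Offer
190.060 aa:bb:cc:00:00:02 Request
190.070 aa:bb:cc:00:00:02 ACK
200.000 aa:bb:cc:00:00:03 Discover
205.000 aa:bb:cc:00:00:03 Discover
"""

SLOW_THRESHOLD = 30.0  # seconds from first Discover to ACK that counts as delayed


def parse_capture(text):
    """Group (timestamp, message type) per client MAC, keeping capture order."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, mac, kind = line.split()
        events[mac.lower()].append((float(ts), kind.upper()))
    return events


def classify(events):
    """Return {mac: (status, discover_count, delay_seconds)}.

    status is 'ok', 'slow' (ACK later than SLOW_THRESHOLD after the first
    Discover) or 'incomplete' (no ACK seen: server never answered, or the
    Offer/Request leg was dropped somewhere in the data path)."""
    results = {}
    for mac, evs in events.items():
        first_discover = next((t for t, k in evs if k == "DISCOVER"), None)
        ack = next((t for t, k in evs if k == "ACK"), None)
        discovers = sum(1 for _, k in evs if k == "DISCOVER")
        if first_discover is None or ack is None:
            results[mac] = ("incomplete", discovers, None)
            continue
        delay = round(ack - first_discover, 3)
        results[mac] = ("slow" if delay > SLOW_THRESHOLD else "ok", discovers, delay)
    return results


def report(text=SAMPLE_CAPTURE):
    """Parse and classify a capture summary in one call."""
    return classify(parse_capture(text))


if __name__ == "__main__":
    for mac, (status, n, delay) in sorted(report().items()):
        print(f"{mac}: {status:10} discovers={n} delay={delay}")
```

Repeated Discovers with a late or missing ACK point at the server or the data path; a prompt ACK on a client that still waits minutes for an address points back at the client or at the port's authorization state.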

jmins
Level 1

Hi Rodrigo,

Thank you for the information.  However, I am not using ISE so I'm not sure if that "device-tracking" feature applies here.  We have various sites and this is the only site with these switches that are experiencing significant delays in receiving an IP address.

There are a lot of possible issues, but the one you need to look at is how the devices are getting DHCP:

Do you have a server on site, or is it at a home office location?

Do the devices stay on the same network, or are you changing vlans?

Do you have any type of DHCP snooping in place, and if so are all the uplinks trusted?

Do you have the helpers set on the default gateway?


As Rodrigo stated, 802.1x and MAB don't require the IP address, so if you are seeing issues there as well, there could be issues in the data path. You would need to check your RADIUS logs to see if the requests are coming in, and for DHCP look to see if a request comes in and an offer is sent.

Each switch is configured with its own DHCP pool. For instance, a switch located on a specific floor would be set up as follows:

ip dhcp pool Desktops
 network 10.30.34.0 255.255.254.0
 option 130 ip 10.50.0.21 10.50.0.20 10.50.1.21
 default-router 10.30.54.1
 dns-server 10.103.232.180 10.203.100.10 10.113.253.180
 domain-name avidxchange.com

The interface vlan on that device is assigned the IP address 10.30.54.1 with a subnet mask of 255.255.254.0. The 5W printer connected to that switch is on vlan.

This issue persists whether or not a DHCP reservation is in place, and there are no IP address helper or DHCP snooping configurations in effect.

switchport port-security maximum 3 <- port security is not recommended at all with dot1x

access-session host-mode multi-domain <- why multi-domain? You need to make it multi-auth instead.

We tried removing the port security and changed the host modes previously to no avail.