
Dot1x authentication problem


We have dot1x configured on a site for authentication. Upon failure of authentication, the switchport is put into a guest VLAN, which is just a VLAN going nowhere. We are seeing multiple failures for some reason, causing several machines to get dumped into the guest VLAN. The only resolution in place at this site is to log in to the devices having problems, delete the machine's certificate, reinstall, and reboot. I'm curious how the client certificate is causing problems for login and what can be done for a more long-term fix.

I know there is not a lot of information here. I can provide whatever is needed to help assist me. Thanks.


Scott Reu
Cisco Employee

I have a few questions about this network:

-To clarify: the problem you're having is that users who should be authenticated by your server are being failed over to the guest VLAN, correct?

-Is there any kind of noticeable pattern among failed ports? Does the configuration of the ports that are failing over differ at all from the ports that are authenticating correctly?

-Do you have dot1x configured and working (without this issue) at another site? Can you post the port and aaa/dot1x configs from an authenticator at that site for the sake of comparison?

-What kind of database does your authenticator switch check against? Is it Active Directory? If so, what version?

-Is dot1x configured to use certificates for authentication? Are you running EAP-TLS on your network?

-Can you post the configurations of the switchports on the authenticator switch where this is taking place, as well as the aaa/dot1x global config?

