Dot1x clients not authenticated after reload

Joris Deprouw
Level 1

Hi all,

I have a switch set up with dynamic VLAN assignment. Everything works fine until the switch is rebooted. Then none of the PCs are authenticated anymore. I have to do a shut/no shut of all the user ports to start the re-authentication of the PCs.

This is the config I have so far. Am I missing something?

Thanks,

Best Regards,

Joris

Global commands

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
aaa authorization exec default local if-authenticated
aaa authorization commands 1 default local if-authenticated
aaa authorization commands 15 default local if-authenticated
dot1x system-auth-control
dot1x guest-vlan supplicant
dot1x critical eapol
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key *****
radius-server vsa send accounting
radius-server vsa send authentication

Interface-specific commands

switchport mode access
switchport nonegotiate
switchport port-security maximum 5
switchport port-security
switchport port-security violation restrict
authentication event fail action authorize vlan 200
authentication event server dead action authorize vlan 110
authentication event no-response action authorize vlan 200
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 3
dot1x timeout tx-period 3
dot1x max-req 1
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action shutdown
storm-control action trap
no cdp enable
no cdp tlv server-location
no cdp tlv app
spanning-tree portfast

3 Replies

PAUL SHELTON
Level 1

I believe you will need to tell your ports what action to take when the AAA server becomes available. It knows what to do when it's dead or unavailable, but has the default setting when it is returned to service. Likely the switch is tripping AAA dead or non-responsive for a bit during boot and it's a race. You want the port to reauth when the AAA server becomes available.

Sent from Cisco Technical Support iPhone App

Hello Paul,

So if I add the following line to my interface-specific config it should be OK.

"authentication timer reauthenticate server"

I'll give it a try.

Thanks,

Best Regards,

Joris

PAUL SHELTON
Level 1

More like

Authentication event server alive action reinitialize (or reauthenticate). It's an R word. The command is definitely an auth event command not a timer however. Think of it as post failure recovery.

Sent from Cisco Technical Support iPhone App
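As an added example, not config from the thread or from Cisco documentation, this shows how the recovery action Paul describes sits next to the existing "server dead" fallback, together with the global dead-server detection that has to fire before either event is triggered. The interface name, the VLAN 110 fallback, and the dead-criteria/deadtime values are assumptions for illustration.

```cisco
! Added example (not from the thread). Interface, VLAN and timer values are
! assumptions; adjust to the real deployment.
!
! Global: define when RADIUS is declared dead and how long before it is
! retried. Without this the "server dead"/"server alive" port events rely on
! platform defaults, which is part of the boot-time race Paul describes.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
!
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication periodic
 ! Fallback already used in the thread: while RADIUS is unreachable the
 ! port is placed in the critical VLAN instead of being left closed.
 authentication event server dead action authorize vlan 110
 ! Recovery step from Paul's reply: once RADIUS answers again, tear down
 ! the critical-VLAN session and run a fresh MAB/802.1X exchange so the
 ! port ends up in the VLAN RADIUS returns, not the fallback VLAN.
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
!
! Verification after a reload (standard IOS show commands):
!   show aaa servers
!     -> confirm the RADIUS server state is UP rather than DEAD
!   show authentication sessions interface GigabitEthernet1/0/1
!     -> confirm the session is authorized and the VLAN is the one
!        assigned by RADIUS, not the critical VLAN 110
```

If ports still show the critical VLAN after RADIUS comes back, check the dead-criteria and deadtime values first, since "server alive" only fires for a server the switch had previously marked dead.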