Showing results for 
Search instead for 
Did you mean: 

Dot1x issues


I had dot1x working with a guest vlan, data vlan and voice vlan.  I have upgraded my IOS and now im having this issue:

1.  IP Phone can register with cisco call manager (Great)

2.  Plug in a computer on the domain with a certificate into the phone and dot1x allows it on the network (Great).

3.  Plug my macbook into the switch port of the IP Phone and it times out and doesnt kick the macbook into the guest vlan (Sucks)  It just gets an APIPA ip address

I get these errors:

%DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa6/35 AuditSessionID 0A820C01000004CE1F6FCAE6

%AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa6/35 AuditSessionID 0A820C01000004CE1F6FCAE6

I guess its going off the mac address of the machine when its plugged into the phone is there any way to disable this and have it dump straight into the guest vlan if there is no suppliment or the suppliment fails?

I had this working working perfectly before the IOS upgrade   I am running IOS verison cat4500-ipbasek9-mz.150-2.SG.bin  I am running the Cisco 4507 with dual supervisor boards

Mod Ports Card Type                              Model             


1     2  Supervisor II+ 1000BaseX (GBIC)        WS-X4013+         

2     2  Supervisor II+ 1000BaseX (GBIC)        WS-X4013+        

3    48  10/100/1000BaseT (RJ45)                WS-X4548-GB-RJ45 

4    48  10/100/1000BaseT (RJ45)                WS-X4548-GB-RJ45

5    48  10/100/1000BaseT (RJ45)                WS-X4548-GB-RJ45

6    48  10/100BaseTX (RJ45)V, Cisco/IEEE       WS-X4248-RJ45V

7    48  10/100BaseTX (RJ45)V, Cisco/IEEE       WS-X4248-RJ45V

Here is what I have configured on my testing port:

interface FastEthernet6/35

switchport mode access

switchport voice vlan 50

logging event link-status

authentication event fail retry 5 action authorize vlan 69

authentication event no-response action authorize vlan 69

authentication host-mode multi-host

authentication order dot1x

authentication priority dot1x

authentication port-control auto

authentication timer restart 10800

authentication timer reauthenticate 10800

dot1x pae authenticator

dot1x timeout quiet-period 5

dot1x timeout server-timeout 10

dot1x timeout tx-period 5

dot1x max-reauth-req 1

spanning-tree portfast

Now here is the kicker, if I unplug my phone and plug in my macbook pro into the port directly it bumps the port into VLAN 69 which is the guest vlan and what I wanted.  So it has something to do with the port not transitioning to the guest vlan while plugged into the IP Phone.

Any clues?

7 Replies 7

Tarik Admani

Auth fail vlan assignment is only supported on single host mode found here -

See if you can set this port to single host and try again.


Thank you for this information, ill look into this but this was working fine with a voice vlan and auth fail vlan assignment before I moved to the new IOS.  

What is really odd is when I reboot the phone and plug the mac book into the second port the macbook gets dumped into the guest vlan (which is what I want).  If I unplug the macbook and plug in a computer that is on our domain (and uses dot1x to authenicate) It gets dumped into the data vlan (which is what I want).  Now if I unplug the domain laptop and plug my macbook back into that port I get an APIPA address.  If I reboot the phone again plug the macbook in it gets dumped to the guest vlan.  I unplug the macbook and wait a few minutes and plug the macbook in again I get dumped into the guest vlan again.

So it works until I remove the guest machine and plug in a domain computer, its like the port doesnt transition back to an unauthenicated port. 

What version of phone are you running on this port (show cdp  neighbors detail) keep in mind that these phones need to be deployed  with the 2nd port feature enabled. Also if you do show mac address  interface type x/x, do you still see the mac address of the previous  laptop/macbook, still on the port?



To answer your first question:

Device ID: SEP002584A27BC9

Entry address(es):

  IP address:

Platform: Cisco IP Phone 7942,  Capabilities: Host Phone Two-port Mac Relay

Interface: FastEthernet6/35,  Port ID (outgoing port): Port 1

Holdtime : 127 sec

Second Port Status: Down

Version :


advertisement version: 2

Duplex: full

Power drawn: 6.300 Watts

Power request id: 31689, Power management id: 3

Power request levels are:6300 0 0 0 0

Management address(es):

(No computer is plugged into the phone at the moment)

Im not sure what you mean that the second port feature enabled, isnt that on default?  Since I can connect to the network fine on the second network card I assume that is what you mean.  Ill check the mac address issue today!

i think you shoudl have this configured : dot1x port-control auto

The new IOS doesnt support that command, what you are talking about is done by issuing the command "authentication port-control auto" which I have done. 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers