12-05-2011 04:19 AM - edited 03-10-2019 06:36 PM
I am currently setting up a couple C3560CG-8PC-S (Version 12.2(55)EX3) as conference room switches that can be passed out by the helpdesk. The location has mostly C3560-48 (Version 12.2(44)SE5). What I did so far is configure CISP for both switches and everything is working fine.
As soon as I start to configure the edge ports of the C3560CG for dot1x or mab ('dot1x pae authenticator' or 'mab') and the ARP entries time out ('clear arp-cache' works too), the communication to the downstream switch dies. ARP entries are showing as incomplete, but I can see the ARP request and the ARP reply on the uplink port of the 3560CG. As soon as I remove both commands again from the port configs, the switch processes the ARP reply and can be reached again. What am I missing to configure dot1x on those edge ports?
Thanks,
Fabian
12-08-2011 02:53 PM
Are you handing down the av pair from the radius server to make it a trunk link? device-traffic-class=switch
12-09-2011 02:46 AM
Hi Tarik,
Thanks for the reply.
The entire CISP part works; I do send the av-pair device-traffic-class=switch and the port configures as a trunk as expected and I can reach the supplicant switch.
My problem starts as soon as I configure 'mab' or 'dot1x pae authenticator' on one of the edge ports of the downstream switch. The ARP entries for the default gateway, RADIUS server, etc. go into a timeout and that's it then.
hbg-test#sh ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.154.77 - 6c9c.ed82.fdc1 ARPA Vlan200
Internet 192.168.154.1 0 001a.6c4d.4e80 ARPA Vlan200
hbg-test(config)#int g0/1
hbg-test(config-if)#do ping 192.168.154.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.154.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/6 ms
hbg-test(config-if)#mab
hbg-test(config-if)#do clear arp-cache
hbg-test(config-if)#do ping 192.168.154.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.154.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
hbg-test(config-if)#do sh ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.154.77 - 6c9c.ed82.fdc1 ARPA Vlan200
Internet 192.168.154.1 0 Incomplete ARPA
hbg-test(config-if)#no mab
hbg-test(config-if)#do ping 192.168.154.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.154.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/10 ms
'debug arp' shows the outbound ARP request, but the replies don't show. With Wireshark I do see them coming in on the switch uplink port; they just don't get processed, it seems.
Dec 6 10:01:41.021: IP ARP throttled out the ARP Request for 192.168.154.1
Dec 6 10:01:41.021: IP ARP throttled out the ARP Request for 192.168.154.1
Dec 6 10:01:41.724: IP ARP throttled out the ARP Request for 192.168.154.1
Dec 6 10:01:41.724: IP ARP throttled out the ARP Request for 192.168.154.1
Dec 6 10:01:41.724: IP ARP throttled out the ARP Request for 192.168.154.1
Dec 6 10:01:42.023: IP ARP: sent req src 192.168.154.77 6c9c.ed82.fdc1,
dst 192.168.154.1 0000.0000.0000 Vlan200
Dec 6 10:01:43.024: IP ARP throttled out the ARP Request for 192.168.154.1
This is the port config I am trying:
interface GigabitEthernet0/1
switchport mode access
switchport port-security
authentication event fail action authorize vlan 280
authentication event server dead action authorize vlan 280
authentication event no-response action authorize vlan 280
authentication event server alive action reinitialize
authentication order mab dot1x
authentication priority dot1x
authentication port-control auto
mab <--- causes switch to stop responding
dot1x pae authenticator <--- causes switch to stop responding
dot1x timeout tx-period 5
dot1x timeout supp-timeout 5
dot1x max-start 2
spanning-tree portfast
Any ideas?
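The symptom described in this post (gateway entry stuck at Incomplete, 'debug arp' showing requests going out and throttling, no reply ever processed) is easy to spot by eye on one switch but tedious across a fleet of loaner switches. The following Python script is an added example, not code from the thread or from Cisco: it parses 'show ip arp' and 'debug arp' text and reports, per target address, whether a request was sent and whether a reply was processed. The sample output embedded in it is constructed to mirror the thread's output; the 'rcvd rep' line format is assumed from standard IOS 'debug arp' output and is not shown on this page.

```python
import re

# Constructed sample output modelled on the thread's paste (not captured from a real device).
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.154.77          -   6c9c.ed82.fdc1  ARPA   Vlan200
Internet  192.168.154.1           0   Incomplete      ARPA
"""

# Constructed 'debug arp' excerpt; the 'sent req' line wraps onto a continuation line as in the thread.
DEBUG_ARP = """\
Dec  6 10:01:41.021: IP ARP throttled out the ARP Request for 192.168.154.1
Dec  6 10:01:41.021: IP ARP throttled out the ARP Request for 192.168.154.1
Dec  6 10:01:42.023: IP ARP: sent req src 192.168.154.77 6c9c.ed82.fdc1,
                 dst 192.168.154.1 0000.0000.0000 Vlan200
Dec  6 10:01:43.024: IP ARP throttled out the ARP Request for 192.168.154.1
"""

# One data row of 'show ip arp'; the Interface column is missing for Incomplete entries.
ARP_ROW = re.compile(
    r"^Internet\s+(?P<ip>\S+)\s+(?P<age>\S+)\s+(?P<hw>\S+)\s+ARPA(?:\s+(?P<iface>\S+))?\s*$"
)
THROTTLED = re.compile(r"IP ARP throttled out the ARP Request for (?P<ip>\S+)")
SENT_REQ = re.compile(r"IP ARP: sent req src (?P<src>\S+) \S+,\s*dst (?P<dst>\S+)")
# Assumed IOS format for a processed reply ("IP ARP: rcvd rep src <ip> <mac>, dst <ip> <iface>").
RCVD_REP = re.compile(r"IP ARP: rcvd rep src (?P<src>\S+) \S+,\s*dst (?P<dst>\S+)")


def _join_continuations(text):
    """Merge lines that IOS wrapped (continuation lines start with whitespace)."""
    lines = []
    for raw in text.splitlines():
        if raw[:1].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines


def parse_show_ip_arp(text):
    """Return {ip: (hardware_addr, interface_or_None)} from 'show ip arp' output."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line.strip())
        if m:
            table[m["ip"]] = (m["hw"], m["iface"])
    return table


def incomplete_entries(text):
    """Addresses whose ARP entry is stuck at Incomplete."""
    return [ip for ip, (hw, _) in parse_show_ip_arp(text).items() if hw.lower() == "incomplete"]


def count_arp_traffic(debug_text):
    """Per target address: requests sent, requests throttled, replies processed."""
    stats = {}

    def bump(ip, key):
        stats.setdefault(ip, {"sent": 0, "throttled": 0, "replies": 0})[key] += 1

    for line in _join_continuations(debug_text):
        m = THROTTLED.search(line)
        if m:
            bump(m["ip"], "throttled")
            continue
        m = SENT_REQ.search(line)
        if m:
            bump(m["dst"], "sent")
            continue
        m = RCVD_REP.search(line)
        if m:
            bump(m["src"], "replies")
    return stats


def diagnose(show_arp_text, debug_text, targets):
    """Classify each target: resolved, absent, incomplete, or no_reply_processed."""
    table = parse_show_ip_arp(show_arp_text)
    traffic = count_arp_traffic(debug_text)
    findings = {}
    for ip in targets:
        entry = table.get(ip)
        t = traffic.get(ip, {"sent": 0, "throttled": 0, "replies": 0})
        if entry is None:
            verdict = "absent"
        elif entry[0].lower() != "incomplete":
            verdict = "resolved"
        elif t["sent"] + t["throttled"] > 0 and t["replies"] == 0:
            # The thread's symptom: requests leave the switch, but no reply reaches the ARP process.
            verdict = "no_reply_processed"
        else:
            verdict = "incomplete"
        findings[ip] = {"verdict": verdict, **t}
    return findings


if __name__ == "__main__":
    for ip, f in diagnose(SHOW_IP_ARP, DEBUG_ARP, ["192.168.154.1", "192.168.154.77"]).items():
        print(ip, f)
```

Feed it the output of 'show ip arp' and a short 'debug arp' capture taken after 'clear arp-cache'; a gateway or RADIUS address reported as no_reply_processed while a span or Wireshark capture on the uplink shows the reply arriving is exactly the condition this thread describes, and distinguishes it from a plain unreachable next hop (no reply on the wire either).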
12-09-2011 12:35 PM
Fabian,
Can you open a TAC case on this so we can look at this together.
Thanks,
Tarik Admani
12-09-2011 02:40 PM
Hi,
I already did; it may take a few days for our reseller to put the request through.
04-24-2014 05:30 AM
About the same issue:
3560CG-8PC-S (Version 12.2(55)EX3 or 150-2.SE5) Uplink to 3750v2 (version 12.2(55)SE9)
Works well when "ip verify source" is disabled on the interface.
When ip verify source is enabled (with or without the tracking option), authentication succeeds and IP traffic works, but 2 minutes later IP traffic is KO.
---> To work around (for 2 minutes): "clear ip arp-cache" on the 3560C and traffic goes on ....
---> or disable ip verify traffic
--
3750v2 interface running configuration when authentication succeeded:
-----------------------------------------------------------------
interface FastEthernet1/0/24
switchport trunk encapsulation dot1q
switchport mode trunk
network-policy 1
ip device tracking maximum 5
srr-queue bandwidth share 1 70 25 5
priority-queue out
authentication event fail action next-method
authentication event server dead action reinitialize vlan 102
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
mab
dot1x pae authenticator
dot1x timeout tx-period 7
no cdp enable
ip verify source
spanning-tree portfast trunk
spanning-tree bpduguard disable
------------------------------------------------------------
Do you have the case number? Please.
regards
bernard
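Bernard's post ties the failure to a specific combination on the authenticator port: 802.1X/MAB plus 'ip verify source' on the trunk toward the supplicant switch (with or without device tracking). The Python script below is an added example, not part of the thread or of any Cisco tool: it parses interface stanzas out of a running-config and lists the ports that carry that combination so they can be reviewed. The embedded config is constructed from the post, with a second plain access port added for contrast; the thread does not establish a root cause, so the script only reports the combination, it does not claim it is wrong.

```python
import re

# Constructed running-config excerpt modelled on the post (not from a real device):
# Fa1/0/24 carries the reported combination, Fa1/0/23 is an ordinary authenticating access port.
RUNNING_CONFIG = """\
interface FastEthernet1/0/23
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
interface FastEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip device tracking maximum 5
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 ip verify source
 spanning-tree portfast trunk
!
"""

AUTH_COMMANDS = ("dot1x pae authenticator", "mab")


def parse_interfaces(config_text):
    """Return {interface_name: [stripped config lines]} for every 'interface ...' stanza.

    A stanza ends at the next '!' line, a blank line, or the next 'interface' line.
    """
    stanzas = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!" or not line.strip():
            current = None
        elif current is not None:
            stanzas[current].append(line.strip())
    return stanzas


def audit_ip_verify_source(config_text):
    """List ports that run 802.1X/MAB as authenticator and also have 'ip verify source'."""
    findings = []
    for name, lines in parse_interfaces(config_text).items():
        authenticating = any(l in AUTH_COMMANDS for l in lines)
        verify_lines = [l for l in lines if l.startswith("ip verify source")]
        if authenticating and verify_lines:
            findings.append({
                "interface": name,
                "trunk": "switchport mode trunk" in lines,
                "device_tracking": any(l.startswith("ip device tracking") for l in lines),
                "verify_source": verify_lines[0],
            })
    return findings


if __name__ == "__main__":
    for f in audit_ip_verify_source(RUNNING_CONFIG):
        print(f)
```

Run it over 'show running-config' from each upstream switch that terminates a CISP/NEAT trunk; ports that come back with trunk True and a verify_source line are the ones matching the configuration in the post and worth testing against the two-minute ARP failure before handing the downstream switches out.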