dot1x with CISP(NEAT)

fschramke, Level 1

I am currently setting up a couple of C3560CG-8PC-S (Version 12.2(55)EX3) as conference room switches that can be passed out by the helpdesk. The location has mostly C3560-48 (Version 12.2(44)SE5). What I have done so far is configure CISP for both switches, and everything is working fine.

As soon as I start to configure the edge ports of the C3560CG for dot1x or mab ('dot1x pae authenticator' or 'mab') and the ARP entries time out ('clear arp-cache' works too), the communication to the downstream switch dies. ARP entries are showing as incomplete, but I can see the ARP request and the ARP reply on the uplink port of the 3560CG. As soon as I remove both commands again from the port configs, the switch processes the ARP reply and can be reached again. What am I missing to configure dot1x on those edge ports?

Thanks,

Fabian

5 Replies

Tarik Admani, VIP Alumni

Are you handing down the av pair from the radius server to make it a trunk link? device-traffic-class=switch

Hi Tarik,

Thanks for the reply.

The entire CISP part works; I do send the av-pair device-traffic-class=switch and the port configures as a trunk as expected and I can reach the supplicant switch.

My problem starts as soon as I configure 'mab' or 'dot1x pae authenticator' on one of the edge ports of the downstream switch. The ARP entries for the default gateway, RADIUS server, etc. go into a timeout and that's it then.

hbg-test#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.154.77          -   6c9c.ed82.fdc1  ARPA   Vlan200
Internet  192.168.154.1           0   001a.6c4d.4e80  ARPA   Vlan200
hbg-test(config)#int g0/1
hbg-test(config-if)#do ping 192.168.154.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.154.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/6 ms
hbg-test(config-if)#mab
hbg-test(config-if)#do clear arp-cache
hbg-test(config-if)#do ping 192.168.154.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.154.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
hbg-test(config-if)#do sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.154.77          -   6c9c.ed82.fdc1  ARPA   Vlan200
Internet  192.168.154.1           0   Incomplete      ARPA
hbg-test(config-if)#no mab
hbg-test(config-if)#do ping 192.168.154.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.154.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/10 ms

'debug arp' shows the outbound ARP request, but the replies don't show. With Wireshark I do see them coming in on the switch uplink port; it seems they just don't get processed.

Dec  6 10:01:41.021: IP ARP throttled out the ARP Request for 192.168.154.1
Dec  6 10:01:41.021: IP ARP throttled out the ARP Request for 192.168.154.1
Dec  6 10:01:41.724: IP ARP throttled out the ARP Request for 192.168.154.1
Dec  6 10:01:41.724: IP ARP throttled out the ARP Request for 192.168.154.1
Dec  6 10:01:41.724: IP ARP throttled out the ARP Request for 192.168.154.1
Dec  6 10:01:42.023: IP ARP: sent req src 192.168.154.77 6c9c.ed82.fdc1,
                 dst 192.168.154.1 0000.0000.0000 Vlan200
Dec  6 10:01:43.024: IP ARP throttled out the ARP Request for 192.168.154.1

This is the port config I am trying:

interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 authentication event fail action authorize vlan 280
 authentication event server dead action authorize vlan 280
 authentication event no-response action authorize vlan 280
 authentication event server alive action reinitialize
 authentication order mab dot1x
 authentication priority dot1x
 authentication port-control auto
 mab                          <--- causes switch to stop responding
 dot1x pae authenticator      <--- causes switch to stop responding
 dot1x timeout tx-period 5
 dot1x timeout supp-timeout 5
 dot1x max-start 2
 spanning-tree portfast

Any ideas?
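An added check, not part of Fabian's post, that parses the two captures above ('show ip arp' and 'debug arp') and reports the symptom programmatically: the gateway entry stuck Incomplete while requests are sent and throttled but no reply is ever processed. The 'rcvd rep' debug line format is an assumption (the capture above contains no reply line), and the sample text is constructed from the quoted output.

```python
# Added example, not from the thread: parse the supplicant switch's 'show ip arp'
# and 'debug arp' text and flag a gateway stuck Incomplete with no reply processed.
import re

ARP_ROW = re.compile(r"^Internet\s+(\S+)\s+(?:-|\d+)\s+"
                     r"((?:[0-9a-f]{4}\.){2}[0-9a-f]{4}|Incomplete)\s+ARPA(?:\s+(\S+))?\s*$")
THROTTLED = re.compile(r"IP ARP throttled out the ARP Request for (\S+)")
SENT_REQ = re.compile(r"IP ARP: sent req src \S+ \S+,\s*dst (\S+)")
# Reply line format is assumed from IOS 'debug arp'; the thread's capture shows none.
RCVD_REP = re.compile(r"IP ARP: rcvd rep src (\S+)")

# Constructed sample input, modelled on the output quoted above.
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.154.77          -   6c9c.ed82.fdc1  ARPA   Vlan200
Internet  192.168.154.1           0   Incomplete      ARPA
"""
DEBUG_ARP = """\
Dec  6 10:01:41.021: IP ARP throttled out the ARP Request for 192.168.154.1
Dec  6 10:01:41.724: IP ARP throttled out the ARP Request for 192.168.154.1
Dec  6 10:01:42.023: IP ARP: sent req src 192.168.154.77 6c9c.ed82.fdc1,
                 dst 192.168.154.1 0000.0000.0000 Vlan200
Dec  6 10:01:43.024: IP ARP throttled out the ARP Request for 192.168.154.1
"""

def parse_show_ip_arp(text):
    """ip -> (mac or None, interface or None); Incomplete rows have no Interface column."""
    rows = (ARP_ROW.match(l.strip()) for l in text.splitlines())
    return {m[1]: (None if m[2] == "Incomplete" else m[2], m[3]) for m in rows if m}

def parse_debug_arp(text):
    """Per target IP, count requests sent, requests throttled and replies received."""
    joined = re.sub(r",\n\s+", ", ", text)  # IOS wraps 'sent req' after the comma
    stats = {}
    for line in joined.splitlines():
        for kind, rx in (("sent", SENT_REQ), ("throttled", THROTTLED), ("reply", RCVD_REP)):
            if m := rx.search(line):
                stats.setdefault(m[1], {"sent": 0, "throttled": 0, "reply": 0})[kind] += 1
    return stats

def arp_health(show_ip_arp, debug_arp, gateway):
    """Gateway ARP state plus debug counts; stuck_no_reply is the symptom in this
    thread: requests leave the uplink but no reply is ever processed."""
    table, stats = parse_show_ip_arp(show_ip_arp), parse_debug_arp(debug_arp)
    counts = stats.get(gateway, {"sent": 0, "throttled": 0, "reply": 0})
    state = ("absent" if gateway not in table
             else "incomplete" if table[gateway][0] is None else "resolved")
    stuck = state == "incomplete" and counts["sent"] > 0 and counts["reply"] == 0
    return {"state": state, "stuck_no_reply": stuck, **counts}
```

Run it on a capture taken before and after adding 'mab' to the edge port; a 'resolved' state that flips to 'incomplete' with stuck_no_reply set reproduces the failure without a Wireshark session.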

Fabian,

Can you open a TAC case on this so we can look at this together?

Thanks,

Tarik Admani

Hi,

I already did; it may take a few days for our reseller to put the request through.


bbonnet, Level 1

About the same issue:

3560CG-8PC-S (Version 12.2(55)EX3 or 150-2.SE5) uplink to 3750v2 (version 12.2(55)SE9)

Works well when "ip verify source" is disabled on the interface.

When ip verify source is enabled (with or without the tracking option), authentication succeeds with IP traffic, but 2 minutes later IP traffic is KO.

---> to work around (for 2 minutes): "clear ip arp-cache" on the 3560C and traffic goes on ....

---> or disable ip verify traffic 

--

3750v2 interface running configuration when authentication succeeded:

-----------------------------------------------------------------
interface FastEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 network-policy 1
 ip device tracking maximum 5
 srr-queue bandwidth share 1 70 25 5
 priority-queue out
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 102
 authentication event server dead action authorize voice
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 no cdp enable
 ip verify source
 spanning-tree portfast trunk
 spanning-tree bpduguard disable
-----------------------------------------------------------------

Do you have the case number, please?

regards

bernard