Problem with 802.1x on C2960S-48TS-L

zuev_oleg
Level 1

Sometimes, after rebooting a device connected to an 802.1x port, this device successfully performs 802.1x authentication:

Oct 19 13:29:27.869 MSK: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/23, changed state to down
Oct 19 13:29:28.980 MSK: %AUTHMGR-5-START: Starting 'dot1x' for client (1060.4b76.0515) on Interface Gi3/0/23 AuditSessionID 00000000000023C057D460F9
Oct 19 13:29:30.831 MSK: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/23, changed state to up
Oct 19 13:29:30.836 MSK: %DOT1X-5-SUCCESS: Authentication successful for client (1060.4b76.0515) on Interface Gi3/0/23 AuditSessionID 00000000000023C057D460F9
Oct 19 13:29:30.889 MSK: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (1060.4b76.0515) on Interface Gi3/0/23 AuditSessionID 00000000000023C057D460F9
Oct 19 13:29:31.832 MSK: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/23, changed state to up
Gi3/0/23     1060.4b76.0515 dot1x   DATA    Auth      00000000000023C057D460F9

But the port blocks any traffic to/from this device.

After waiting a few minutes, a new "Auth" session starts and the port works normally:

Oct 19 13:36:32.462 MSK: %AUTHMGR-5-START: Starting 'dot1x' for client (1060.4b76.0515) on Interface Gi3/0/23 AuditSessionID 00000000000023CB57DAD729
Oct 19 13:36:32.656 MSK: %DOT1X-5-SUCCESS: Authentication successful for client (1060.4b76.0515) on Interface Gi3/0/23 AuditSessionID 00000000000023CB57DAD729
Oct 19 13:36:33.270 MSK: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (1060.4b76.0515) on Interface Gi3/0/23 AuditSessionID 00000000000023CB57DAD729

If I shutdown/no shutdown the port or reconnect the Ethernet cable, a new "Auth" session starts and the port works fine.

Port configuration:

interface GigabitEthernet3/0/23
 description ### Universal WorkPort ###
 switchport access vlan 42
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 400
 switchport port-security maximum 3
 switchport port-security violation  restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 50
 authentication event fail action authorize vlan 997
 authentication event no-response action authorize vlan 997
 authentication host-mode multi-auth
 authentication port-control auto
 authentication periodic
 authentication timer inactivity 15
 mab
 mls qos trust device cisco-phone
 dot1x pae authenticator
 storm-control broadcast level 1.50
 storm-control action shutdown
 no vtp
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 100

Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 15.2(2)E9, RELEASE SOFTWARE (fc4)

On other switch models this configuration works without problems.

Any idea how to fix this?
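As an added example (not from the post or from Cisco), a small Python script that parses the syslog lines quoted above and flags the two things they show: a dot1x session that was started while the link was still down, and a second session for the same client on the same port with no link flap in between. It assumes the IOS syslog format shown in the post and only normalises the two interface-name forms that appear there (GigabitEthernet3/0/23 and Gi3/0/23).

```python
import re
from datetime import datetime

SAMPLE_LOG = """\
Oct 19 13:29:27.869 MSK: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/23, changed state to down
Oct 19 13:29:28.980 MSK: %AUTHMGR-5-START: Starting 'dot1x' for client (1060.4b76.0515) on Interface Gi3/0/23 AuditSessionID 00000000000023C057D460F9
Oct 19 13:29:30.831 MSK: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/23, changed state to up
Oct 19 13:29:30.836 MSK: %DOT1X-5-SUCCESS: Authentication successful for client (1060.4b76.0515) on Interface Gi3/0/23 AuditSessionID 00000000000023C057D460F9
Oct 19 13:29:30.889 MSK: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (1060.4b76.0515) on Interface Gi3/0/23 AuditSessionID 00000000000023C057D460F9
Oct 19 13:29:31.832 MSK: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/23, changed state to up
Oct 19 13:36:32.462 MSK: %AUTHMGR-5-START: Starting 'dot1x' for client (1060.4b76.0515) on Interface Gi3/0/23 AuditSessionID 00000000000023CB57DAD729
Oct 19 13:36:32.656 MSK: %DOT1X-5-SUCCESS: Authentication successful for client (1060.4b76.0515) on Interface Gi3/0/23 AuditSessionID 00000000000023CB57DAD729
Oct 19 13:36:33.270 MSK: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (1060.4b76.0515) on Interface Gi3/0/23 AuditSessionID 00000000000023CB57DAD729
"""  # syslog lines copied from the post above (the only input this example uses)

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) \S+: %([A-Z0-9_-]+): (.*)$")
IFACE_RE = re.compile(r"Interface ([^\s,]+)")
MAC_RE = re.compile(r"\(([0-9a-f.]+)\)")
SESSION_RE = re.compile(r"AuditSessionID (\S+)")

def grab(rx, text):  # first capture group, or None when the line lacks that field
    return (rx.search(text) or [None, None])[1]

def parse(log_text):
    # Yield (ts, msg, iface, mac, session, body) for every recognised syslog line.
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ts, msg, body = m.groups()
        iface = (grab(IFACE_RE, body) or "").replace("GigabitEthernet", "Gi")
        yield (datetime.strptime(ts, "%b %d %H:%M:%S.%f"), msg, iface,
               grab(MAC_RE, body), grab(SESSION_RE, body), body)

def analyze(log_text):
    # Return (session_id, finding) pairs for the two suspicious patterns.
    link = {}        # iface -> (state, ts of latest LINK-3-UPDOWN)
    authorized = {}  # (iface, mac) -> (ts, session) of latest AUTHMGR-5-SUCCESS
    findings = []
    for ts, msg, iface, mac, session, body in parse(log_text):
        if msg == "LINK-3-UPDOWN":
            link[iface] = ("up" if body.endswith("to up") else "down", ts)
        elif msg == "AUTHMGR-5-START":
            state, since = link.get(iface, ("up", datetime.min))
            if state == "down":
                findings.append((session, "auth started while link down"))
            prev = authorized.get((iface, mac))
            if prev and since < prev[0]:  # no link event since the last authorization
                gap = (ts - prev[0]).total_seconds()
                findings.append((session, f"new session {gap:.0f}s after authorized session {prev[1]} without link flap"))
        elif msg == "AUTHMGR-5-SUCCESS":
            authorized[(iface, mac)] = (ts, session)
    return findings
```

Run over a longer syslog export it will list every port where a session was authorized against a down link and every re-authentication that happened without the cable being touched, which is exactly the symptom described above.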
2 Replies

Greg Gibbs
Cisco Employee

The first thing you should try is removing the 'switchport port-security' configuration from the switchport. It is not compatible with the mab/dot1x NAC features running on the same switchport and can cause race conditions and unpredictable behaviour.

The same is true of any Catalyst switch model.

Removing the 'switchport port-security' configuration did not help.

PS. If I remove the port-security configuration, how do I defend against a 'MAC flooding' type attack?