PXE and 802.1x

rhub
Level 1

Hi all,

I've defined 802.1x on all access ports of our Catalyst 3560 (12.2(53)SE2).

Everything works fine until it comes to PXE. I see from traces and "show" commands that the client using PXE is moved from the data VLAN (vlan_id 4) to the guest VLAN (vlan_id 996); it sends a DHCPREQUEST, but never gets an IP address out of the defined scope.

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   4    001c.2343.b63b    STATIC      Drop
Total Mac Addresses for this criterion: 1

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
996    001c.2343.b63b    DYNAMIC     Gi0/45
Total Mac Addresses for this criterion: 1

********************************************

Configs:

Global:

!

dot1x system-auth-control
dot1x guest-vlan supplicant
dot1x critical eapol

!

Interface:
interface GigabitEthernet0/45
switchport access vlan 4
switchport mode access
switchport voice vlan 504
switchport port-security maximum 5
switchport port-security aging time 360
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
priority-queue out
authentication control-direction in
authentication event fail action authorize vlan 996
authentication event server dead action authorize vlan 996
authentication event no-response action authorize vlan 996
authentication host-mode multi-domain
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 10
dot1x timeout tx-period 10
dot1x timeout supp-timeout 5
dot1x max-req 5
dot1x max-reauth-req 5
storm-control broadcast level 2.00 1.00
storm-control multicast level 3.00 0.50
storm-control action trap
no cdp enable
spanning-tree portfast
service-policy input map_ipphone
ip dhcp snooping limit rate 25
end

As soon as I disable dot1x the client immediately gets an IP address out of the defined scope.

Any hints are very much appreciated.

Best regards

Roman 

3 Replies

Federico Lovison
Cisco Employee

Hi Roman,

What's the output of "show authentication sessions interface Gi0/45" when the problem happens?

I ask this as VLAN 996 is not only the guest VLAN but also the auth-fail and critical-auth VLANs as per your interface config, so you may want to check what caused the client to be assigned to that VLAN.

You may want to collect further debugs so as to follow the auth process, such as:

debug radius

debug dot1x all

debug aaa authentication

debug aaa authorization

I hope this helps.

Regards,

Federico

--
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

Hi Federico,

many thanks for replying to my question. The output of "show mac address-table int gi0/45" and "show authentication session int gi0/45" are as follows:

HAUO001#sh mac address-table int gi0/45
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
996    001c.2343.b63b    STATIC      Gi0/45
Total Mac Addresses for this criterion: 1

HAUO001#sh authentication sessions int gi0/45
          Interface:  GigabitEthernet0/45
          MAC Address:  Unknown
           IP Address:  Unknown
          Status:  Running
          Domain:  UNKNOWN
          Security Policy:  Should Secure
          Security Status:  Unsecure
          Oper host mode:  multi-domain
          Oper control dir:  in
          Session timeout:  N/A
          Idle timeout:  N/A
         Common Session ID:  AC1B0406000067E944DEF8F0
         Acct Session ID:  0x0000804F
         Handle:  0xDF00078E

Runnable methods list:
       Method   State
       dot1x    Running

I did traces many times reflecting different situations and, strangely enough, sometimes the same client gets an IP address out of the guest VLAN 996 and sometimes it doesn't. In any case the client sends the DHCPDISCOVER but does not always get a DHCPOFFER.

I will run a test in a special environment this afternoon using another DHCP server.

Regards

Roman
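Federico's point is that VLAN 996 is configured as the guest, auth-fail and critical-auth VLAN at once, so seeing a client in 996 does not say which event put it there, and the session output above shows dot1x still in the Running state rather than an authorized session. The following Python script is an added example, not part of this thread or any Cisco tool: it parses an interface config fragment and a "show authentication sessions" output (both constructed here, modelled on the ones posted in this thread) to flag fallback VLANs shared by several events and to classify whether a port session is still authenticating. The "Authz Success" status string is the one IOS prints for an authorized session; all other sample values are constructed.

```python
import re

# Constructed sample: interface config fragment modelled on the one in the
# original question (VLAN 996 used for all three fallback events).
INTERFACE_CONFIG = """\
interface GigabitEthernet0/45
 switchport access vlan 4
 switchport mode access
 authentication event fail action authorize vlan 996
 authentication event server dead action authorize vlan 996
 authentication event no-response action authorize vlan 996
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
"""

# Constructed sample: output modelled on the "show authentication sessions"
# in Roman's reply (session still in the dot1x Running state).
SESSION_OUTPUT = """\
          Interface:  GigabitEthernet0/45
          MAC Address:  Unknown
           IP Address:  Unknown
          Status:  Running
          Domain:  UNKNOWN
          Security Policy:  Should Secure
          Security Status:  Unsecure
          Oper host mode:  multi-domain
          Oper control dir:  in
          Session timeout:  N/A
          Idle timeout:  N/A
         Common Session ID:  AC1B0406000067E944DEF8F0
         Acct Session ID:  0x0000804F
         Handle:  0xDF00078E

Runnable methods list:
       Method   State
       dot1x    Running
"""

# Matches the three fallback events that can authorize a port into a VLAN.
EVENT_RE = re.compile(
    r"^\s*authentication event (fail|server dead|no-response) action authorize vlan (\d+)\s*$"
)


def parse_fallback_vlans(config):
    """Map each authentication fallback event to the VLAN it authorizes."""
    events = {}
    for line in config.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events[m.group(1)] = int(m.group(2))
    return events


def shared_fallback_vlans(events):
    """Return {vlan: [events]} for VLANs reused by more than one fallback event.
    When one VLAN serves the guest, auth-fail and critical roles, the VLAN a
    client lands in does not tell you which event placed it there."""
    by_vlan = {}
    for event, vlan in events.items():
        by_vlan.setdefault(vlan, []).append(event)
    return {v: sorted(e) for v, e in by_vlan.items() if len(e) > 1}


def parse_session(output):
    """Parse 'show authentication sessions interface' output into a dict of
    fields plus a 'methods' dict of method -> state."""
    fields, methods = {}, {}
    in_methods = False
    for line in output.splitlines():
        s = line.strip()
        if not s:
            continue
        if s.startswith("Runnable methods list"):
            in_methods = True
            continue
        if in_methods:
            parts = s.split()
            if len(parts) == 2 and parts[0] != "Method":  # skip the header row
                methods[parts[0]] = parts[1]
            continue
        if ":" in s:
            key, value = s.split(":", 1)
            fields[key.strip()] = value.strip()
    fields["methods"] = methods
    return fields


def classify_session(session):
    """Distinguish a port that is still authenticating from one that has
    actually been authorized (IOS reports the latter as 'Authz Success')."""
    status = session.get("Status", "")
    if status == "Authz Success":
        return "authorized"
    if status == "Running" or session["methods"].get("dot1x") == "Running":
        return "still-authenticating"
    return "other:" + status


if __name__ == "__main__":
    events = parse_fallback_vlans(INTERFACE_CONFIG)
    print("fallback VLANs:", events)
    print("shared by several events:", shared_fallback_vlans(events))
    print("session state:", classify_session(parse_session(SESSION_OUTPUT)))
```

Run against real output, the shared-VLAN check tells you up front that the VLAN number alone cannot distinguish a no-response (guest) placement from an auth-fail or server-dead one, which is exactly why the session status and the debugs Federico lists are needed to see what triggered the move.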

Hi Roman,

The show command shows that dot1x is still running at the time you got it.

I see that you use MDA on the port:

- Does this problem happen both with and without an IP phone connected to the port?

- What happens if you wait a few minutes before checking the port status again?

I ask this as 12.2(53)SE is affected by bug CSCtg26941 which you may be hitting here.

In order to rule this out I would suggest testing the behavior with the latest 12.2(55)SE1 code.

If this doesn't fix the problem I would suggest opening a TAC case to investigate this problem further.

I hope this helps.

Thanks,

Federico

--

If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.