Removing 802.1x globally

Elton Babcock
Level 1

Hello,

Quick question on an issue I have been having lately. We are mostly running 802.1x on our field 2950 switches with a Windows 2008 NAP server as a backend in our datacenter.

If we run into issues at a site we will temporarily remove 802.1x globally from the switch by using the command:

no dot1x system-auth-control

This works great and puts all of the ports back into the data VLAN.

We have recently upgraded to some 2960s lanlite switches and some 3750 switches in the home office. If we have issues with authentication on one of these switches we will issue the same command but this time it breaks every access port and no one can connect from this switch.

We do have the configs set up to use MAB as a backup on each port and it appears on these switches the ports begin to fail MAB authentication even though 802.1x has been globally removed. We need to remove the authentication commands from every port on the switch.

This doesn't seem normal to me and I want to know if anyone else has seen the same behavior or has a workaround. We don't want to have to remove from every port as doing it globally makes sense for temporary fixes.

Thanks, Elton

Sent from Cisco Technical Support iPhone App

2 Replies

Tarik Admani
VIP Alumni

Elton,

Your assumption is correct. The recent codes require you to remove "dot1x pae authenticator" and possibly "authentication port-control auto" on all the switch ports in order to remove dot1x. You can no longer get away with this by using the command you were used to in the past. This is based on my testing since I have also been presented with the same scenario in the past.

Thanks,

Tarik Admani
*Please rate helpful posts*
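
The per-port removal described in the reply above, sketched as an added example that is not part of the thread or Cisco tooling: it reads a saved running-config, finds the access ports carrying the two commands named in the reply, and emits both the temporary removal lines and the matching restore lines so 802.1x can be put back exactly as it was. The sample config, interface names and the function names `find_auth_ports` and `build_change` are assumptions made for illustration.

```python
import re

# Per-port commands named in the reply above; other lines (e.g. "mab") are left untouched.
AUTH_CMDS = ("dot1x pae authenticator", "authentication port-control auto")

# Constructed sample config (not from the thread); interfaces and VLANs are made up.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

def find_auth_ports(config):
    """Map interface name -> auth commands present, in config order."""
    ports, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
        elif line.startswith(" ") and current:
            if line.strip() in AUTH_CMDS:
                ports.setdefault(current, []).append(line.strip())
        else:
            current = None  # "!" or a global line ends the interface block
    return ports

def build_change(config):
    """Return (removal_lines, restore_lines) for the temporary bypass."""
    removal, restore = [], []
    for intf, cmds in find_auth_ports(config).items():
        removal += [f"interface {intf}"] + [f" no {c}" for c in cmds]
        restore += [f"interface {intf}"] + [f" {c}" for c in cmds]
    return removal, restore

if __name__ == "__main__":
    removal, restore = build_change(SAMPLE_CONFIG)
    print("\n".join(removal), "\n! --- restore after troubleshooting ---")
    print("\n".join(restore))
```

Keeping the restore block alongside the removal block makes it easy to confirm afterwards that no port was left unauthenticated.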

I am going to open a TAC case with Cisco tomorrow on this as I would like to know the logic behind this and why it has changed so drastically from the older codes.

Maybe they can give me a workaround. I'll update with what I find out. If anyone else has anything to add please do.

Elton

Sent from Cisco Technical Support iPhone App