Need help with cisco ISE and stack switch issue

musikman1988
Level 1

Hi Expert,
 
I got a problem recently: we have a stack switch with 4 * 2960X, and we have a Windows 2008 certificate server in our internal network.
 
But in these 4 switches, when I connect my PC to the stack "MASTER" switch, the PC can get the "windows computer certificate and windows personal certificate", and when I plug my PC into a stack "MEMBER" switch, the PC cannot get the "windows computer certificate and windows personal certificate".

I just searched for this issue in Cisco docs, but I can't find the solution. Could anyone help me with it?

Thanks in advance,
 
my network topology:
 
Internet----------4503----------3750----------2960x4 (stack); the Windows 2008 certificate server is connected to the 4503 switch
 
my 2960X interface config is:
 
Switch/Stack Mac Address : 2834.a26d.6280
                                            H/W   Current
Switch#  Role   Mac Address     Priority Version  State
----------------------------------------------------------
 1       Member 2834.a27d.cf80     1      4       Ready
*2       Master 2834.a26d.6280     1      4       Ready
 3       Member 2834.a27d.d880     1      4       Ready
 4       Member 2834.a2c4.9780     1      4       Ready

interface GigabitEthernet1/0/10
description client-voice
switchport access vlan 102
switchport mode access
ip access-group ACL-PreAuth in
no logging event link-status
authentication control-direction in
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
no snmp trap link-status
mls qos trust dscp
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast
spanning-tree bpduguard enable
end

8 Replies

Marvin Rhoads
Hall of Fame

Do all the interfaces have the same configuration?

Yes, all the interfaces have the same config, just like this:

interface GigabitEthernet1/0/10
description client-voice
switchport access vlan 102
switchport mode access
ip access-group ACL-PreAuth in
no logging event link-status
authentication control-direction in
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
no snmp trap link-status
mls qos trust dscp
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast
spanning-tree bpduguard enable
end

That looks pretty straightforward. I didn't see anything obvious when doing a quick check of documented bugs in either the 2960-X or ISE Release notes.

I'd compare the output of "show authentication session int (interface number)" for a working and non-working port. Also have a look at the detailed operations output on the ISE server, filtering on those ports.

Hi Marvin,

I ran the command "show authentication session int (interface number)" on my switch.

I also can't see any difference between the working port and the non-working port.

The details are below.

SWITCH2 is the MASTER switch.

swt001#sh switch
Switch/Stack Mac Address : 2834.a26d.6280
                                           H/W   Current
Switch#  Role   Mac Address     Priority Version  State
----------------------------------------------------------
 1       Member 2834.a27d.cf80     1      4       Ready               
*2       Master 2834.a26d.6280     1      4       Ready               
 3       Member 2834.a27d.d880     1      4       Ready               
 4       Member 2834.a2c4.9780     1      4       Ready  

The port on the MASTER switch:

swt001#sh authentication sessions interface gigabitEthernet 2/0/2
            Interface:  GigabitEthernet2/0/2
          MAC Address:  ecf4.bb1b.89f1
           IP Address:  10.27.82.212
            User-Name:  PC600284.nneas.net
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  in
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-NP_Users-508fa32a
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A1B5F3D000034D882F139E3
      Acct Session ID:  0x00003813
               Handle:  0x40000468

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run


The port on the MEMBER switch:

swt001#sh authentication sessions interface gigabitEthernet 1/0/1
            Interface:  GigabitEthernet1/0/1
          MAC Address:  d4be.d948.bb8d
           IP Address:  10.27.82.197
            User-Name:  PC502661.nneas.net
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  in
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-NP_Users-508fa32a
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A1B5F3D000034D382ED9DA0
      Acct Session ID:  0x0000380D
               Handle:  0x6E000597

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

 

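To make the port-to-port comparison suggested above mechanical, here is an added Python helper (not from this thread or from Cisco) that parses the `show switch` and `show authentication sessions interface` outputs pasted above, tags each port with the role of the stack member it sits on, and reports only the policy fields that differ, ignoring per-host fields such as MAC, IP and session IDs. The embedded samples are trimmed copies of the outputs posted above.

```python
import re
# Inputs copied (trimmed) from the outputs pasted earlier in this thread.
SHOW_SWITCH = """\
 1       Member 2834.a27d.cf80     1      4       Ready
*2       Master 2834.a26d.6280     1      4       Ready
 3       Member 2834.a27d.d880     1      4       Ready
 4       Member 2834.a2c4.9780     1      4       Ready
"""
SESSION_MASTER_PORT = """\
            Interface:  GigabitEthernet2/0/2
               Status:  Authz Success
               Domain:  DATA
              ACS ACL:  xACSACLx-IP-NP_Users-508fa32a
       dot1x    Authc Success
       mab      Not run
"""
SESSION_MEMBER_PORT = """\
            Interface:  GigabitEthernet1/0/1
               Status:  Authz Success
               Domain:  DATA
              ACS ACL:  xACSACLx-IP-NP_Users-508fa32a
       dot1x    Authc Success
       mab      Not run
"""
PER_SESSION = {"Interface", "MAC Address", "IP Address", "User-Name",  # per host
               "Common Session ID", "Acct Session ID", "Handle"}        # per session

def parse_stack_roles(text):
    """Map stack member number -> role from 'show switch' rows ('*' marks the master)."""
    return {int(n): r for n, r in re.findall(r"^\*?\s*(\d+)\s+(Master|Member)\s", text, re.M)}

def parse_session(text):
    """Flatten 'show authentication sessions interface' output into {field: value}."""
    fields = dict(re.findall(r"^[ \t]*([\w -]+?):[ \t]+(.+?)[ \t]*$", text, re.M))
    for name, state in re.findall(r"^[ \t]+(dot1x|mab)[ \t]+(.+?)[ \t]*$", text, re.M):
        fields["method:" + name] = state  # method rows carry no colon, key them separately
    return fields

def stack_member(interface):
    """GigabitEthernet2/0/2 -> 2: the first number of x/y/z is the stack member."""
    return int(re.search(r"(\d+)/\d+/\d+", interface).group(1))

def compare_sessions(stack_text, sess_a, sess_b):
    """Return each port's stack role plus every policy field whose value differs."""
    roles = parse_stack_roles(stack_text)
    a, b = parse_session(sess_a), parse_session(sess_b)
    role = lambda s: roles.get(stack_member(s["Interface"]), "unknown")
    keys = sorted((set(a) | set(b)) - PER_SESSION)
    diffs = {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}
    return {"roles": (role(a), role(b)), "differences": diffs}
```

On the two outputs above the result is roles ("Master", "Member") with an empty differences dict, which is the same conclusion the poster reached by eye; any authorization difference (dACL, VLAN policy, method state) would show up in `differences` keyed by field name.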
Based on seeing two different MAC addresses and usernames on the output above, you appear to be using two different machines.

Does the member switch work when you use the machine that works on the master switch? If so, that would seem to imply it is an end user (workstation) issue.

Thanks for the reply...

Actually I used 2 different PCs to test it today, but 2 weeks ago I tested it using one PC. The whole story is as below.

Firstly, I used my PC to connect to the MASTER switch (switch 2 in this case), and it could get the personal & computer cert smoothly.

Second, I used the same PC to connect to a MEMBER switch (whichever of switches 1, 3, 4 in this case); unluckily, this PC couldn't get the personal & computer cert this time.

Based on this, I suspect the root cause is not the end user (workstation).

BTW, we have 2 stacked switches in our office, and the other stack also has this problem.

 

BR

Frank

It could be you are hitting a bug - sometimes unpublished ones can affect you. I'd recommend opening a TAC case on the issue.

Thanks Marvin, I agree with you. It's so strange.

I will contact TAC to test it.

/Frank
