
ESW 520 802.1x re authentication problem

ngtransge
Level 1

Hello

I have a problem with the ESW 520 with 802.1x authentication. The problem is that when a host authenticates successfully, it works for about a couple of minutes, then it tries to authenticate again but it lags. On the network interface it shows a notification that authentication failed. On ACS I see only one authentication attempt, which is successful. This problem is happening on Win7 and Win XP. If I unplug and plug in the cable it authenticates successfully, but then after about a couple of minutes it lags again. The switch sees the port as authenticated. In the Win7 Event Viewer I have the following error:

                Reason: 0x70004

                Reason Text: The network stopped answering authentication requests

                Error Code: 0x0

If I connect same hosts on Catalyst 2960 switch, they work successfully.

2 Replies

Hi ngtransge

There are three possible explanations for why the authentication fails.

A) The network interface is shut down after a failed computer authentication. You can see this on the switch as line protocol down for that port.

To verify the client has a domain certificate:

1. Click Start and click Run.

2. Type mmc, and then press ENTER.

3. On the File menu, click Add/Remove Snap-in.

4. Click Certificates, click Add, select Computer account, and then click Next.

5. Verify that Local computer: (the computer this console is running on) is selected, click Finish, and then click OK.

6. In the console tree, double-click Certificates (Local Computer), double-click Personal, and then click Certificates.

On a domain joined client, you should see a certificate here with Intended Purposes of Client Authentication. Make sure this certificate is not expired. If it is expired, you will need to regain connection to your CA to request a new one.

B) You should check your switch's configuration; perhaps a port or some ports could be blocked by an access list that interrupts the re-authentication.

C) If these two solutions don't work, you will have to try changing the authentication method (PEAP-MSCHAPv2 or PEAP-EAP-TLS).

Greetings, Johnnatn Rodriguez Miranda
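
The certificate check in steps 1 to 6 above can also be scripted. The following is an added example, not part of the reply: it lists certificates in the Local Computer Personal store that are usable for Client Authentication and reports their validity. It assumes PowerShell is available on the client; the 30-day warning window is an assumed value.

```powershell
# Added example: list machine certificates usable for 802.1X computer
# authentication and flag expired or soon-to-expire ones.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU OID for Client Authentication
$WarnDays      = 30                     # assumed warning window, adjust as needed

$now = Get-Date
$results = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # Find the Enhanced Key Usage extension, if the certificate has one.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    } | Select-Object -First 1

    if ($ekuExt) {
        $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        # Skip certificates restricted to purposes other than client authentication.
        if ($oids -notcontains $ClientAuthOid) { continue }
    }
    # A certificate without an EKU extension is not restricted by purpose,
    # so it is kept in the report.

    if     ($now -lt $cert.NotBefore)                   { $status = 'NotYetValid' }
    elseif ($now -gt $cert.NotAfter)                    { $status = 'Expired' }
    elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) { $status = 'ExpiresSoon' }
    else                                                { $status = 'Valid' }

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey   # certificate-based authentication needs the private key
        Status        = $status
    }
}

if (-not $results) {
    Write-Warning 'No certificate usable for client authentication in the Local Computer Personal store.'
} else {
    $results | Format-Table Status, HasPrivateKey, NotAfter, Subject, Issuer -AutoSize
}
```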

Hello,

I have checked a couple of times; there is no ACL and the certificates are valid. It is a fresh deployment, and currently I am testing it in the lab.

I have observed that this condition happens only when the switch port is in "Multi Session" mode. In Single Host mode and Multiple Host mode it works just fine.
