
CBS350 – 802.1X EAP-TLS OK but no DHCP reply when using built-in DHCP

LauraShort
Community Member

Hi,

I’m currently testing 802.1X EAP-TLS on a Cisco CBS350-12XT lab switch with FreeRADIUS, and I’m seeing an issue with DHCP when using the built-in DHCP server.

Environment
– Switch: Cisco CBS350-12XT
– RADIUS: FreeRADIUS 3.2.5 (Ubuntu)
– Auth method: 802.1X EAP-TLS
– Access VLAN: VLAN 10, SVI 192.168.10.1/24
– DHCP: internal DHCP server on the CBS350, pool for 192.168.10.0/24
– Supplicant: Linux, MAC 3c:18:a0:0d:e5:f9

Port configuration (Te1/0/10)
interface TenGigabitEthernet1/0/10
description P10-NAC-by-Cert
dot1x port-control auto
spanning-tree portfast
spanning-tree bpduguard enable
switchport access vlan 10
!

GUI shows:
– 802.1X Based Authentication: Enable
– MAC Based Authentication: Enable
– RADIUS VLAN Assignment: Disable
– Current Port Control: Authorized (after auth)
– Port VLAN Membership: Access 10U (administrative and operational)

What we see
– FreeRADIUS logs show a complete EAP-TLS exchange and an EAP Success + Access-Accept (MS-MPPE keys are returned).
– The switch logs show %SEC-I-PORTAUTHORIZED on Te1/0/10, and the GUI reports the port as Authorized.
– A packet capture on the supplicant interface shows multiple DHCPDISCOVER messages (0.0.0.0 → 255.255.255.255, UDP 68→67) being sent after the port is Authorized.
– However, no DHCP server response (DHCPOFFER / DHCPACK) is ever seen on the client side (no UDP 67→68 in the pcap).

We already checked:
– RADIUS side is fine (no Access-Reject, EAP works repeatedly).
– Existing DHCP leases for this MAC have been cleared/expired; behaviour is unchanged.
– Capture is done directly on the client interface, so if the CBS350 DHCP server was sending DHCPOFFER, we would see the frames even if the OS dropped them.
– The port is not shut or err-disabled; it stays Authorized.

Questions
– Is the following scenario officially supported on CBS350: 802.1X EAP-TLS + static access VLAN (10) + built-in DHCP server for this VLAN?
– Are there any known caveats or additional settings when using the internal DHCP server together with 802.1X on CBS350?
– Any recommended debug commands on CBS350 to trace how the DHCPDISCOVER is handled internally?

We plan to run additional tests (same port without 802.1X, external DHCP server, static IP on client), but I’d really appreciate your feedback on whether this is a supported and validated setup on CBS350.

Thanks in advance.
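
An offline way to check the capture described under "What we see", as an added example that is not part of the original post: it labels raw untagged Ethernet frames as EAP or DHCP messages and counts DHCP traffic seen after the last EAP-Success. The frame builders, the switch MAC 02:00:00:00:00:01 and the SAMPLE frames are constructed for illustration; feeding it frames from a real pcap is left to the reader's capture tooling.

```python
import struct

DHCP_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK", 6: "DHCPNAK"}
EAP_CODES = {1: "EAP-Request", 2: "EAP-Response", 3: "EAP-Success", 4: "EAP-Failure"}

def classify(frame):
    """Label an untagged Ethernet frame as an EAP code or DHCP message type, else None."""
    if len(frame) < 14:
        return None
    ethertype, body = struct.unpack("!H", frame[12:14])[0], frame[14:]
    if ethertype == 0x888E:  # EAPOL header: version, type, length; type 0 wraps an EAP packet
        return EAP_CODES.get(body[4]) if len(body) >= 5 and body[1] == 0 else None
    if ethertype != 0x0800 or len(body) < 20 or body[9] != 17:  # IPv4 carrying UDP only
        return None
    udp = body[(body[0] & 0x0F) * 4:]  # skip the IPv4 header using its IHL field
    if len(udp) < 8 or set(struct.unpack("!HH", udp[:4])) != {67, 68}:
        return None
    bootp = udp[8:]
    if bootp[236:240] != b"\x63\x82\x53\x63":  # DHCP magic cookie
        return None
    opts, i = bootp[240:], 0
    while i + 1 < len(opts) and opts[i] != 255:  # walk TLV options until End (255)
        if opts[i] == 53 and opts[i + 1] == 1 and i + 2 < len(opts):
            return DHCP_TYPES.get(opts[i + 2])  # option 53 = DHCP message type
        i += 1 if opts[i] == 0 else 2 + opts[i + 1]  # Pad (0) has no length byte
    return None

def diagnose(frames):
    """Count DHCP client and server messages seen after the last EAP-Success."""
    labels = [classify(f) for f in frames]
    hits = [i for i, label in enumerate(labels) if label == "EAP-Success"]
    after = labels[hits[-1] + 1:] if hits else []
    return {"authorized": bool(hits), "discovers": after.count("DHCPDISCOVER"),
            "server_replies": sum(after.count(t) for t in ("DHCPOFFER", "DHCPACK", "DHCPNAK"))}

def eapol_eap(code):
    """Constructed EAPOL frame: PAE group dst, made-up switch MAC src, bare EAP header."""
    eap = struct.pack("!BBH", code, 1, 4)
    return bytes.fromhex("0180c2000003020000000001888e") + struct.pack("!BBH", 2, 0, 4) + eap

def dhcp(msg_type, sport, dport):
    """Constructed DHCP frame; addresses are fixed because classify() reads only ports and option 53."""
    bootp = bytes(236) + b"\x63\x82\x53\x63" + bytes([53, 1, msg_type, 255])
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, bytes(4), b"\xff" * 4)
    return b"\xff" * 6 + bytes.fromhex("3c18a00de5f9") + b"\x08\x00" + ip + udp

# Constructed capture matching the symptom in the post: EAP-Success, then unanswered discovers.
SAMPLE = [eapol_eap(3)] + [dhcp(1, 68, 67)] * 3
print(diagnose(SAMPLE))
```

A result with "authorized" true, a non-zero "discovers" count and zero "server_replies" reproduces the pattern reported above from the client side of the link.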



