08-07-2025 10:25 AM
Hello, as we have begun deploying Clearpass, we originally were running into the issue where mac auth and wired auth were running at the same time not allowing devices to connect to the network. Even though the return wired captive portal still persists, we were under the impression things were running normally. But now users are reporting that they are having to restart their computer every morning to get connected to the network, some have even stated it kicks them off the network during business hours. We are using Cisco 3850 switches. Here is our policy map, template we are using on the port configs, and some logs from the wired captive portal being returned. If anyone has any idea or insight that would be very much appreciated.
We also have noticed when we changed the dot1x timeout server-timeout longer (originally 30), it caused devices using mac-auth to not authenticate in time resulting in no IP assignment. Also this is occurring on devices that are daisy chained with an Avaya IP Phone.
Different device
08-07-2025 10:30 AM
https://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-x-series-switches/207193-Configure-IBNS-2-0-for-Single-Host-and-M.html <<- follow this guide to config IBNS 2.0
MHM
08-07-2025 11:58 PM
Hi @jscott01
User below configs :
dot1x timeout server-timeout 8
dot1x timeout tx-period 5
dot1x max-req 3
dot1x max-reauth-req 1
## add this one also
authentication order dot1x mab
authentication priority dot1x mab
also you can change authentication timer reauthenticate server to authentication timer reauthenticate 86400
test it and you can share result .
Thanks !
08-11-2025 06:09 AM
when I run authentication ?
I only get the options for periodic and timer
08-11-2025 09:35 AM
event session-started match-all
5 activate service-template DOT1X-MAB-TIMER
10 class always do-until-failure
10 authenticate using dot1x priority 10
20 authenticate using mab priority 20
!
!
service-template DOT1X-MAB-TIMER
inactivity-timer 600
session-timeout 3600
You use IBNS so config is different' I found above way to config session timeout (after this time user neeed ro re-auth)
Note:- use new policy name and apply it to one or two port and check' if it work apply to all port
MHM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide