
802.1X Strange port behavior

laphil
Level 1

Very strange problem... When we put a port back onto a static access VLAN port from an 802.1x configured port (basically removing the 802.1x configuration on the port and reconfiguring it back to a static access VLAN port), the host on the port can no longer get an IP address or have network access, although the port status shows up.

Any idea why this 802.1x configured port on a Cisco 3560 switch is behaving like this?

We have to do a reload on the switch in order to allow the host on that port to communicate to the network.


Hey,

For getting the IP: maybe the DHCP deadtimer has already timed out because of no link DOWN/UP during the reconfiguration.

If not, maybe the state of the port is not "clear" or "good", so try this:

dot1x re-authenticate interface fastethernet0/1

If that works, you can configure the switch to do it automatically every x seconds.


This example shows how to enable periodic re-authentication and set the
number of seconds between re-authentication attempts to 4000:


Switch(config)# dot1x re-authentication
Switch(config)# dot1x timeout re-authperiod 4000

Hope that helps or gives some ideas.

Regards,
Sebastian


I have tried to manually reauthenticate the port, but it still stays in a port up, protocol up state and just will not give out DHCP addresses or network access.

Very strange problem.

What happens if you shut / no shutdown the port?

If we do a manual shutdown and no shutdown, the interface is up, protocol is up, and the host still can't get an address.

It looks like the port is completely fine, but no DHCP addresses get issued on the port. It's the strangest thing.

chris_quang
Level 1

We had this issue as well and contacted TAC and it ended up being the version of code we were running on the switches.  What version IOS are you running?  I know it was fixed with the latest release.

Chris

This is the version we are running

12.2(55)SE

Your issue was identical to this as well?

Yes it was the same issue on the same version of code 12.2(55)SE.  It was an issue on my 3750's and 3560's.  I could get a device to authenticate and pull an ip address fine but when I removed that device and plugged in another device on the same port it would authenticate but not pull an ip address.  I had to put my switches back to 12.2(50)SE3 to get it to work properly.  Cisco had me test all the versions in between until I found one that worked.  I have been testing 12.2(55)SE1 on my 3750X since it released and I have not had that issue anymore on that switch.

Chris

The way we have been simulating the issue is by leaving the host plugged in.

1) Remove all the dot1x commands on the interface

2) Re-add the static access VLAN commands on the interface

3) Test it (still no address for the host, even with a manual DHCP renewal)

4) Shut the port down and turn the port back up (still no address for the host, even with a manual DHCP renewal)

The port doesn't work until you run a reload on the switch....

That sounds pretty similar to the issues I had.  My port wouldn't work until a reload as well.  I would try updating your IOS first to the latest one.  The TAC engineer did find a bug in that code when we were troubleshooting and I do believe it was related to my issues that are the same or very similar to yours.  Let me know if that resolves your issues.

I will try upgrading the version, but the version we are on is pretty much the latest version... I think there is one new version, which I upgrade to.

Seems the issue does get resolved by updating the firmware from 12.255SE to 12.255SE1

Thanks all
