amber lights after 802.1x but still communicating

Hello,

I recently created a Network Policy Server (Windows based) to deploy 802.1X port-based authentication. The switch (2960X) configuration was performed to point to the RADIUS server and dot1x was applied per port. The group policy was applied successfully on all PCs. Since then a lot of amber LEDs have appeared on the switch. All ports are connected to Cisco phones of type 7821 and 7942; however, all phones are registered to the CME and all PCs are able to communicate and access the internet. A "sh int status" shows all ports connected.

Any clues about the amber lights?

Charles Hill
VIP Alumni

Hello,

Does the port show authenticated successful?

show authentication session interface gx/x

If you remove the authentication config, does the LED change to green?

Hello Charles,

I won't be able to check the LEDs before Monday, it's the weekend! I will revert back to you on Monday.

Concerning the authentication, will the PC have network access if the authentication was unsuccessful?

Normally no, but I'm wondering if it's a bug.

There is a bug related to the amber LED on a 2960S (I know your switch is a 2960X) and you may be running into a similar bug.

Port displays as amber but did not get into err-disabled status
CSCus32281

"authentication port-control auto" on a specific port, the port LED turns to amber; if you remove this command, the LED turns back to normal green.

Hello again,

The LED turned to green after removing the authentication from the corresponding port. All PCs are working fine even with amber LEDs, except for some that were authenticated once and now cannot communicate on the network unless I remove the port authentication. It is a bit strange to have such issues, no?

Well, it's pretty certain that it is related to dot1x, if you remove the dot1x and the LED turns green.

Which mode is selected on the switch when the port LED is amber?

Stat - Duplex - Speed - PoE?

What is the output if you do a "show authentication session interface gx/x" for a port that is currently amber?

Do a show run and a show interface on a port that is amber and paste the output, please.

 

Thanks.

The Stat mode was selected. I issued a show auth session and everything was normal:

sh auth sess in gi 1/0/7
            Interface:  GigabitEthernet1/0/7
          MAC Address:  d4be.d98a.d314
           IP Address:  Unknown
               Status:  Running
               Domain:  UNKNOWN ???????
       Oper host mode:  single-host
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  AC1C8F17000004CF3F8CE547
      Acct Session ID:  0x00000464
               Handle:  0x330004D0

Runnable methods list:
       Method   State
       dot1x    Running

The sh run:

interface GigabitEthernet1/0/7
 description -----To End User-----
 switchport access vlan 131
 switchport mode access
 switchport voice vlan 228
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
end

I'm not seeing a successful authentication or IP address.

Does the connected PC have access to the network? IP address?

I would start by looking in the logs of the RADIUS server, or whatever is doing your authenticating, for the MAC address or IP address of the connected PC (amber light) for any clues.

Run a debug dot1x and debug authentication on the switch and do a shut and no shut on the port.

 

What is the switch model and IOS?

Hello Charles,

Sorry for replying late. I think I know the cause of the amber LED. I noticed that the ports to which only a Cisco phone is connected, or a Cisco phone with a PC in sleep mode, are the ports showing a flashing amber LED on the switch. The authentication sessions show unknown fields. Once the PC wakes up again, the output shows authorization success.

Any comments regarding that? Is it normal behavior or a bug?

Take a look at the 802.1X design document for IP telephony. This should help.

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html

In our environment, we are using dot1x and MAB to authenticate the PC and phone.

Hope this helps.

Sorry for resurrecting this old thread.
I'm having exactly the same issue.

Did you ever get rid of the amber LED or are you living with it?

Some outputs:

2924XP-1012-4#show authentication sessions int g1/0/2

Interface    Identifier     Method  Domain  Status Fg Session ID
-----------------------------------------------------------------------------
Gi1/0/2      5486.bcae.34ad mab     VOICE   Auth      C0A8005F000000CC9039E37D


Key to Session Events Blocked Status Flags:

  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  N - Waiting for AAA to come up
  P - Pushed Session
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker

Runnable methods list:
  Handle  Priority  Name
    8        0      dot1xSupp
    7        5      dot1x
    19       10     mab
    17       15     webauth

2924XP-1012-4#sho int g1/0/2
GigabitEthernet1/0/2 is up, line protocol is up (connected) 
  Hardware is Gigabit Ethernet, address is 700b.4ff1.2982 (bia 700b.4ff1.2982)
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported 
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:19, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 1000 bits/sec, 1 packets/sec
  5 minute output rate 187000 bits/sec, 19 packets/sec
     190234 packets input, 33041387 bytes, 0 no buffer
     Received 22972 broadcasts (15829 multicasts)
     0 runts, 0 giants, 0 throttles 
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 15829 multicast, 0 pause input
     0 input packets with dribble condition detected
     1239927 packets output, 547882684 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

*************** here the PC was removed, the LED switched from green to amber***********
2924XP-1012-4#show authentication sessions int g1/0/2

Interface    Identifier     Method  Domain  Status Fg Session ID
-----------------------------------------------------------------------------
Gi1/0/2      5486.bcae.34ad mab     VOICE   Auth      C0A8005F000000CC9039E37D


Key to Session Events Blocked Status Flags:

  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  N - Waiting for AAA to come up
  P - Pushed Session
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker

Runnable methods list:
  Handle  Priority  Name
    8        0      dot1xSupp
    7        5      dot1x
    19       10     mab
    17       15     webauth

2924XP-1012-4#sho ver
.....
Switch Ports Model                     SW Version            SW Image                 
------ ----- -----                     ----------            ----------               
*    1 30    WS-C2960X-24PD-L          15.2(7)E0a            C2960X-UNIVERSALK9-M     
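The two "show authentication sessions" outputs in this thread (the older per-interface form from the 2960X above, and the tabular form from 15.2(7)E in this post) are what you would parse to tell a benign amber port (only the phone is MAB-authorized in the VOICE domain) from one where a data device is still in Running/Unauth state and the RADIUS log needs checking. The following is an added example, not code from the thread or from Cisco; the sample text is constructed from the outputs posted here, with the made-up rows for Gi1/0/3 and Gi1/0/4 showing the other two outcomes:

```python
import re
# Constructed samples; values mirror the thread's outputs (annotation dropped).
DETAIL_SAMPLE = """\
            Interface:  GigabitEthernet1/0/7
          MAC Address:  d4be.d98a.d314
               Status:  Running
               Domain:  UNKNOWN
    Common Session ID:  AC1C8F17000004CF3F8CE547
"""
TABLE_SAMPLE = """\
Interface    Identifier     Method  Domain  Status Fg Session ID
-----------------------------------------------------------------------------
Gi1/0/2      5486.bcae.34ad mab     VOICE   Auth      C0A8005F000000CC9039E37D
Gi1/0/3      0011.2233.4455 dot1x   UNKNOWN Unauth    C0A8005F000000CD9039E400
Gi1/0/4      0011.2233.6677 dot1x   DATA    Auth      C0A8005F000000CE9039E410
"""
# Older per-interface form: "Key:  value" lines, a new block per "Interface:".
KV_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z ]+):\s+(\S.*?)\s*$", re.M)
# Tabular form (15.2(7)E): the Fg column may be blank, Session ID is long hex.
TABLE_ROW = re.compile(
    r"^(?P<interface>\S+)\s+(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+"
    r"(?P<method>\S+)\s+(?P<domain>\S+)\s+(?P<status>\S+)\s+"
    r"(?:(?P<flags>[A-Z]+)\s+)?(?P<session>[0-9A-F]{16,})\s*$", re.M)
AUTHORIZED = {"Auth", "Authz Success"}

def parse_sessions(text):
    """One dict per session; 'interface', 'status', 'domain' exist in both forms."""
    rows = [m.groupdict() for m in TABLE_ROW.finditer(text)]
    sessions = []                      # filled only for the per-interface form
    for key, val in KV_LINE.findall(text):
        key = key.lower().replace(" ", "_")
        if key == "interface":
            sessions.append({"interface": val})
        elif sessions:
            sessions[-1][key] = val
    return rows or sessions

def triage(text):
    """Per port: 'pending' (a session still Running/Unauth: look that MAC up in
    the RADIUS log), 'voice_only' (only the phone is authorized, the benign
    amber case from the thread) or 'authorized'."""
    by_port = {}
    for s in parse_sessions(text):
        by_port.setdefault(s["interface"], []).append(s)
    verdict = {}
    for iface, sess in by_port.items():
        pending = any(s.get("status") not in AUTHORIZED for s in sess)
        voice_only = all(s.get("domain") == "VOICE" for s in sess)
        verdict[iface] = "pending" if pending else "voice_only" if voice_only else "authorized"
    return verdict
```

Feed it the output of "show authentication sessions" for the whole switch and only the "pending" ports need a look in the RADIUS server logs; "voice_only" ports are the phone-only amber case the thread describes.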

Yes, this is what is happening at my customer site.

The point at which it goes to an amber light is triggered by spanning tree "blocking" the access VLAN of the switch port when there is no PC connected at the back of the IP phone. However, the voice VLAN of the switch port works normally with no problem in MAB authc and authz, no matter whether a PC is plugged in at the back of the IP phone or not.

Of course the customer side is not satisfied when they see an amber light displayed on the switch port, so I'm wondering if Cisco will address this issue, as an amber light in this case is a misleading signal that something has gone wrong? Thank you.

I have this same issue... Is Cisco planning to fix this bug?

Also having the same issue with C9300 series switches. Any luck finding a solution?

cbcalhoun
Level 1

Same issue, following this topic for a resolution. Seeing it on all platforms, 36, 38, and 93xx running 16.6.9.

Any resolution?

-CC