06-06-2015 06:43 PM - edited 03-08-2019 12:26 AM
Hello,
I recently created a network policy server (Windows based) to deploy the 802.1x port-based authentication. The switch (2960X) configuration was performed to point to the RADIUS server and dot1x was applied per port. The group policy was applied successfully on all PCs. Since then a lot of amber LEDs have appeared on the switch. All ports are connected to Cisco phones, types 7821 and 7942. However, all phones are registered to the CME and all PCs are able to communicate and access the internet. A "sh int status" shows all ports connected.
Any clues about the amber lights?
06-06-2015 07:32 PM
Hello,
Does the port show authentication successful?
show authentication session interface gx/x
If you remove the authentication config, does the LED change to green?
06-06-2015 07:49 PM
Hello Charles,
I won't be able to check the LEDs before Monday, it's the weekend! I will revert back to you on Monday.
Concerning the authentication, will the PC have network access if the authentication was unsuccessful?
06-06-2015 07:56 PM
Normally no, but I'm wondering if it's a bug.
There is a bug related to the amber LED on a 2960S (I know your switch is a 2960X) and you may be running into a similar bug.
06-08-2015 08:37 AM
Hello again,
The LED turned green after removing the authentication from the corresponding port. All PCs are working fine even with amber LEDs, except for some that were authenticated once and now cannot communicate on the network unless I remove the port authentication. It is a bit strange to have such issues, no?
06-08-2015 08:30 PM
Well, it's pretty certain that it is related to the dot1x, if you remove the dot1x and the LED turns green.
Which mode is selected on the switch when the port LED is amber?
Stat - Duplex - Speed - PoE?
What is the output if you do a "show authentication session interface gx/x" for a port that is currently amber?
Do a show run and a show interface on a port that is amber and paste the output, please.
Thanks.
06-11-2015 05:06 PM
The stat mode was selected. I issued a show auth session and everything was normal:
sh auth sess in gi 1/0/7
Interface: GigabitEthernet1/0/7
MAC Address: d4be.d98a.d314
IP Address: Unknown
Status: Running
Domain: UNKNOWN ???????
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC1C8F17000004CF3F8CE547
Acct Session ID: 0x00000464
Handle: 0x330004D0
Runnable methods list:
Method State
dot1x Running
the sh run
interface GigabitEthernet1/0/7
description -----To End User-----
switchport access vlan 131
switchport mode access
switchport voice vlan 228
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
end
06-11-2015 06:15 PM
I'm not seeing a successful authentication or IP address.
The connected PC has access to the network? IP address?
I would start by looking in the logs of the RADIUS server, or whatever is doing your authenticating, for the MAC address or IP address of the connected PC (amber light) for any clues.
Run a debug dot1x & debug authentication on the switch and do a shut and no shut on the port.
What is the switch model and IOS?
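Added example, not part of any post in this thread: a small Python parser for the detailed "show authentication sessions interface" output that lists ports whose session has not reached "Authz Success", which is the check being done by eye above. The first sample session uses the fields posted for Gi1/0/7; the second session, and the function names, are constructed for illustration.

```python
import re

# First session: fields as posted in the thread for Gi1/0/7.
# Second session: constructed (made-up MAC/IP) to show a completed authentication.
SAMPLE = """\
Interface: GigabitEthernet1/0/7
MAC Address: d4be.d98a.d314
IP Address: Unknown
Status: Running
Domain: UNKNOWN
Runnable methods list:
Method State
dot1x Running
Interface: GigabitEthernet1/0/8
MAC Address: 0000.5e00.5301
IP Address: 192.0.2.10
Status: Authz Success
Domain: DATA
Runnable methods list:
Method State
dot1x Authc Success
"""

def parse_sessions(text):
    """Return one dict per session: 'Key: value' fields plus a 'methods' map."""
    sessions, in_methods = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):      # each session starts here
            sessions.append({"methods": {}})
            in_methods = False
        if not sessions or not line:
            continue
        cur = sessions[-1]
        if line.startswith("Runnable methods list"):
            in_methods = True
        elif in_methods:                       # rows like "dot1x  Authc Success"
            m = re.match(r"(\S+)\s+(.+)", line)
            if m and m.group(1) != "Method":   # skip the "Method State" header
                cur["methods"][m.group(1)] = m.group(2).strip()
        elif ":" in line:
            key, _, val = line.partition(":")
            cur[key.strip()] = val.strip()
    return sessions

def unauthorized(sessions):
    """Interfaces whose session status is anything other than 'Authz Success'."""
    return [s["Interface"] for s in sessions if s.get("Status") != "Authz Success"]
```

Calling unauthorized(parse_sessions(SAMPLE)) returns only GigabitEthernet1/0/7, the port whose dot1x method is still in the Running state.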
06-18-2015 09:29 AM
Hello Charles,
Sorry for replying late. I think I know what is the cause of the amber LED. I noticed that the ports to which only a Cisco phone is connected, or a Cisco phone with a PC in sleep mode, are the ports showing a flashing amber LED on the switch. The authentication sessions show unknown fields. Once the PC wakes up again, the output shows authorization success.
Any comments regarding that? Is it normal behavior or a bug?
06-18-2015 10:08 AM
Take a look at the 802.1x design document for IP telephony. This should help.
In our environment, we are using dot1x and MAB to authenticate the PC and phone.
Hope this helps.
05-06-2020 12:03 AM
Sorry for resurrecting this old thread.
I'm having exactly the same issue.
Did you ever get rid of the amber LED or are you living with it?
Some outputs:
2924XP-1012-4#show authentication sessions int g1/0/2
Interface    Identifier      Method  Domain  Status  Fg  Session ID
-----------------------------------------------------------------------------
Gi1/0/2      5486.bcae.34ad  mab     VOICE   Auth        C0A8005F000000CC9039E37D

Key to Session Events Blocked Status Flags:
  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  N - Waiting for AAA to come up
  P - Pushed Session
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker

Runnable methods list:
  Handle  Priority  Name
     8        0     dot1xSupp
     7        5     dot1x
    19       10     mab
    17       15     webauth

2924XP-1012-4#sho int g1/0/2
GigabitEthernet1/0/2 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 700b.4ff1.2982 (bia 700b.4ff1.2982)
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:19, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 1000 bits/sec, 1 packets/sec
  5 minute output rate 187000 bits/sec, 19 packets/sec
     190234 packets input, 33041387 bytes, 0 no buffer
     Received 22972 broadcasts (15829 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 15829 multicast, 0 pause input
     0 input packets with dribble condition detected
     1239927 packets output, 547882684 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

*************** here the PC was removed, the LED switched from green to amber ***********

2924XP-1012-4#show authentication sessions int g1/0/2
Interface    Identifier      Method  Domain  Status  Fg  Session ID
-----------------------------------------------------------------------------
Gi1/0/2      5486.bcae.34ad  mab     VOICE   Auth        C0A8005F000000CC9039E37D

Key to Session Events Blocked Status Flags:
  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  N - Waiting for AAA to come up
  P - Pushed Session
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker

Runnable methods list:
  Handle  Priority  Name
     8        0     dot1xSupp
     7        5     dot1x
    19       10     mab
    17       15     webauth

2924XP-1012-4#sho ver
.....
Switch Ports Model              SW Version  SW Image
------ ----- -----              ----------  ----------
*    1 30    WS-C2960X-24PD-L   15.2(7)E0a  C2960X-UNIVERSALK9-M
09-17-2020 09:14 PM
Yes, this is what is happening at my customer site.
The point at which it goes to amber light is triggered by the spanning tree "block" on the access VLAN of the switch port when there is no PC connected at the back of the IP phone. However, the voice VLAN of the switch port works normally with no problem in MAB authc and authz, no matter whether a PC is plugged in or not at the back of the IP phone.
Of course the customer is not satisfied when they see an amber light displayed on the switch port, so I'm wondering if Cisco will address this issue, as the amber light in this case is a misleading signal that something has gone wrong? Thank you.
02-10-2021 12:35 AM
I have this same issue... Is Cisco planning to fix this bug?
04-01-2021 08:50 AM
Also having the same issue with C9300 series switches. Any luck at finding a solution?
08-19-2021 04:47 AM
Same issue, following topic for a resolution. Seeing it on all platforms 36, 38, and 93xx running 16.6.9.
Any resolution?
-CC