08-13-2024 10:11 AM
Hi, I have a 2960x with a port configured for 802.1x authentication.
When I plug in the cable and provide the credentials, the client is authenticated almost instantly; I can see it in the freeradius log.
The problem is that after the successful authentication the client takes around 30s to acquire an IP. Is this normal behavior or can I configure this somewhere?
The client is Windows 11.
The relevant configuration on the switch:
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius server freeradius
 address ipv4 x.x.x.x auth-port 1812 acct-port 1813
 key 6 xxxxx
interface GigabitEthernet1/0/2
 switchport access vlan 102
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
08-13-2024 10:18 AM
Show authc session interface details
Show mac address table
Share both outputs
MHM
08-13-2024 01:44 PM
If the client is authenticated instantly then the 802.1x config is fine. I would like to see the whole switch config and I have a few questions. Where does the DHCP server reside? If you test with a different machine, is the result the same? If you have logs on the DHCP server, can you see the DHCP request right after the port authentication, or does the request happen later?
One interesting thing to see here would be a Wireshark capture. You could install Wireshark on the Windows machine, run the test and share the file here for analysis.
08-14-2024 05:43 AM
Hi everyone,
I’ve identified the issue: it’s related to the spanning tree protocol. I enabled spanning-tree portfast on the interface, and now the host gets its IP address immediately after authentication. However, I have another question: I plan to connect a dumb switch to this port and use multi-auth mode. In this case, enabling portfast might not be ideal since it disables the spanning tree’s loop detection.
Is there a way to keep spanning tree enabled while still allowing hosts to acquire their IP addresses more quickly?
08-14-2024 05:59 AM
You can use a hub, not an unmgmt SW, and hence keep portfast.
As far as I know, dot1x does not work when connecting two SW.