
Long time to acquire IP after successful wired 802.1x authentication

rodrigoantunes
Level 1

Hi, I have a 2960x with a port configured for 802.1x authentication.

When I plug in the cable and provide the credentials, the client is authenticated almost instantly; I can see it in the freeradius log.

The problem is that after the successful authentication the client takes around 30s to acquire an IP. Is this normal behavior or can I configure this somewhere?

The client is Windows 11.

The relevant configuration on the switch:

aaa new-model

aaa authentication dot1x default group radius
aaa authorization network default group radius

dot1x system-auth-control

radius server freeradius
 address ipv4 x.x.x.x auth-port 1812 acct-port 1813
 key 6 xxxxx

interface GigabitEthernet1/0/2
 switchport access vlan 102
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator


Show authc session interface details 

Show mac address table 

Share both outputs

MHM

@rodrigoantunes 

If the client is authenticated instantly then the 802.1x config is fine. I would like to see the whole switch config and I have a few questions. Where does the DHCP server reside? If you test with a different machine, is the result the same? If you have logs on the DHCP server, can you see the DHCP request right after the port authentication or does the request happen later?

One interesting thing to see here would be a Wireshark capture. You could install Wireshark on the Windows machine, run the test and share the file here for analysis.

rodrigoantunes
Level 1

Hi everyone,

I’ve identified the issue: it’s related to the spanning tree protocol. I enabled spanning-tree portfast on the interface, and now the host gets its IP address immediately after authentication. However, I have another question: I plan to connect a dumb switch to this port and use multi-auth mode. In this case, enabling portfast might not be ideal since it disables the spanning tree’s loop detection.

Is there a way to keep spanning tree enabled while still allowing hosts to acquire their IP addresses more quickly?

You can use a hub, not an unmanaged switch, and hence keep portfast.

As far as I know, dot1x does not work when connecting two switches.

  • MHM
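
As an added example (not part of any post in this thread), this is the interface from the question with PortFast enabled as in the original poster's fix. The `authentication host-mode multi-auth` and `spanning-tree bpduguard enable` lines are assumptions added here for the planned dumb-switch case, so that a BPDU arriving on the edge port shuts it down instead of a loop going unnoticed.

```cisco
! Added example: interface from the question plus the PortFast fix from the thread.
interface GigabitEthernet1/0/2
 switchport access vlan 102
 switchport mode access
 authentication port-control auto
 ! Assumption: host mode for several clients behind one port, per the poster's plan.
 authentication host-mode multi-auth
 dot1x pae authenticator
 ! Skips the listening and learning states (default 15 s each, about 30 s total).
 spanning-tree portfast
 ! Assumption, not from the thread: err-disable the port if any BPDU is received.
 spanning-tree bpduguard enable
```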