Problem receiving IP address after AAA authentication

MED Amine MB
Level 1

Hello,

I'm facing an odd problem with the Cisco C1300 switch when authenticating with FortiNAC.

When authenticating a printer (static IP) or a Huawei AP (DHCP), FortiNAC puts the device on the correct VLAN. The switch receives and recognizes the VLAN, but the device stays unreachable (for both static and DHCP). Other devices like IP phones and PCs work fine.

Here is the config on the switch and some info:

sw-exploitation-rad#sh run int gi1/0/5
interface GigabitEthernet1/0/5
dot1x host-mode multi-sessions
dot1x authentication 802.1x mac
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree portfast
switchport mode trunk
green-ethernet energy-detect
voice vlan enable
voice vlan cos mode all
!
sw-exploitation-rad#
sw-exploitation-rad#sh mac address-table interface gi1/0/5
Flags: I - Internal usage VLAN
Aging time is 300 sec

Vlan Mac Address Port Type
------------ --------------------- ---------- ----------
18 bc:3f:8f:c6:X:X gi1/0/5 dynamic

sw-exploitation-rad#
sw-exploitation-rad#sh dot1x sessions interface gi1/0/5

Interface Mac Address Method Status Session ID
----------- ------------------ -------- -------- ------------------------
gi1/0/5 bc:3f:8f:c6:X:X MAC Auth 1D01A8C0050000712418A780

sw-exploitation-rad#sh dot1x sessions interface gi1/0/5 detailed

Interface: gi1/0/5
MAC Address: bc:3f:8f:c6:X:X
IPv4 Address: unknown
User-Name: bc:3f:8f:c6:X:X
Status: Authorized
Oper host mode: multi-session
Session timeout: N/A
Session Uptime: 1957 sec
Common Session ID: 1D01A8C0050000712418A780
Acct Session ID: 0x05000071

Method status list:
Method State
MAC Authentication success
sw-exploitation-rad#sh lldp neighbors gi1/0/5

sw-exploitation-rad#sh version
Active-image: flash://system/images/image_c1300_4.1.7.24_official_key.bin
Version: 4.1.7.24
MD5 Digest: fac373003a28d93a9c90fa9f3157cdb2
Date: 27-Aug-2025
Time: 13:11:30
Inactive-image: flash://system/images/image_4.1.3.36.bin
Version: 4.1.3.36
MD5 Digest: 90803a985c9110cef9aa4d576206b629
Date: 19-May-2024
Time: 08:17:26
sw-exploitation-rad#sh inventory

NAME: "1" DESCR: "Catalyst 1300 Series Managed Switch, 48-port GE, Full PoE, 4x10G SFP+ (C1300-48FP-4X)"

Please advise.

Regards,

Med Amine Mbarek

8 Replies

Richard Burts
Hall of Fame

The first thing that I notice is this "IPv4 Address: unknown". So I looked at the interface config. I do not see any indication that you are assigning an IP address in the config, and I do not see any indication of DHCP. So how is the device getting an IP address?

HTH

Rick

Hello,

The device is getting the VLAN from FortiNAC, and it's configured to look for a DHCP server. There is no need to mention DHCP on the interface.

Regards,

HaiCa
Level 1

Hi,

There's a setting on Cisco ISE called "CoA port bounce" that I believe can solve your problem. This causes the link to flap, so the end device sends a DHCP discover again.

I don't know if FortiNAC supports something like that in your setup. These are some sites I found:

  1. CoA Bounce Host Port Command: https://www.cisco.com/en/US/docs/ios-xml/ios/san/configuration/15-e/san-coa-supp.html
  2. https://docs.fortinet.com/document/fortinac-f/7.4.0/rfc5176-coa-disconnect-message-cookbook/562583/overview

Hope this can help.

Thanks!

Hello,
Authorized, but IP address unknown.

Please check:
Is this VLAN allowed for DHCP?
Is the DHCP server reachable from that VLAN?
Does it require a relay?
Do you have any snooping applied, or is the port missing portfast?
All of the above could negate DHCP allocation.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello,

Is this VLAN allowed for DHCP: Yes

Do you have any snooping applied or is the port missing portfast: No snooping applied, and yes, portfast is applied.

Also, if we remove authentication on our C1300 switch or connect the AP to another switch with authentication, the AP works fine.

Regards,

Hello,
So, as a test, use a different host than the one attached and see if that obtains a DHCP allocation, or statically define an IP address associated with that VLAN and see if the host has reachability.



Kind Regards
Paul

Cristian Matei
VIP Alumni

Hi,

Are the devices that work, IP phones and PCs, configured statically or via DHCP? If you remove the 802.1x configuration from the ports where the non-working devices are connected, does the device with a static IPv4 address have network access, and does the device with a DHCP-assigned IPv4 address get an IPv4 address and network access?

Additionally, can you paste the output of the following commands for all port types (device with static IP working, device with DHCP IP working, device with static IP NOT working, device with DHCP IP NOT working): "show spanning-tree interface IF_ID", "show authentication sessions interface IF_ID details". Also, the output of "show device-tracking policies"?

Thanks,

Cristian.

pieterh
VIP

I have a concern about this combination of commands:
   spanning-tree portfast
   switchport mode trunk

portfast works on access ports! -> Unless the RADIUS attributes also set the port mode to access, I do not think portfast is enabled.
(On trunks, uplinkfast is available.)

Also, if the port is set to mode trunk, it might be that the device is allowed to process tagged packets for the assigned/authorized VLAN
(e.g. wireless clients on an AP assigned to different VLANs).
If the device sends untagged packets, these end up in the wrong VLAN (the native VLAN).
For Cisco APs, commonly the native VLAN is set for DHCP assignment to the AP.
-> Check the device's documentation (printer, AP).
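An added example, not posted by anyone in this thread: a small Python audit that reads the two outputs the original post relies on (`show run int` and `show dot1x sessions ... detailed`) and flags the two conditions discussed above, a portfast/trunk port carrying a RADIUS-assigned VLAN, and a session that is Authorized but has learned no IPv4 address for longer than a threshold. The sample outputs are constructed from the thread's format, with a placeholder MAC address; the threshold is an assumption.

```python
# Constructed samples modelled on the thread's output; MAC is a placeholder.
RUN_INT = """interface GigabitEthernet1/0/5
dot1x host-mode multi-sessions
dot1x authentication 802.1x mac
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree portfast
switchport mode trunk
"""

SESSION = """Interface: gi1/0/5
MAC Address: bc:3f:8f:c6:00:01
IPv4 Address: unknown
User-Name: bc:3f:8f:c6:00:01
Status: Authorized
Oper host mode: multi-session
Session Uptime: 1957 sec
"""


def parse_kv(text):
    """Turn 'Key: value' lines (as in 'show dot1x sessions ... detailed') into a dict.
    Split on the first colon only, so MAC addresses keep their own colons."""
    out = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            out[key.strip()] = value.strip()
    return out


def audit(run_int, session, stale_after=300):
    """Return a list of findings; stale_after (seconds) is an assumed threshold."""
    findings = []
    cfg = {line.strip() for line in run_int.splitlines()}
    trunk = "switchport mode trunk" in cfg
    if trunk and "spanning-tree portfast" in cfg:
        findings.append("portfast configured on a trunk port")
    if trunk and any(l.startswith("dot1x radius-attributes vlan") for l in cfg):
        findings.append("RADIUS-assigned VLAN on a trunk port: untagged frames land in the native VLAN")
    s = parse_kv(session)
    uptime = int(s.get("Session Uptime", "0 sec").split()[0])
    if s.get("Status") == "Authorized" and s.get("IPv4 Address") == "unknown" and uptime > stale_after:
        findings.append(f"{s['Interface']} {s['MAC Address']}: authorized for {uptime}s but no IPv4 learned")
    return findings


if __name__ == "__main__":
    for f in audit(RUN_INT, SESSION):
        print("FINDING:", f)
```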