Wired 802.1x All phones authenticate all at once

TOM FRANCHINA
Level 1

Running wired 802.1x on a 3850 ver 16.3.6. We made a configuration change which caused all the phones to re-authenticate. This caused the switch stack to run at 100% CPU. All users were down... 5 to stack 200 users. 


We finally got the switch stack to run by removing the ISE server address in the configuration.

We are concerned that we will see this same issue if any switch stack reboots and all the phones try to associate at the same time.


Is there a setting that prevents all the devices on a switch from authenticating at the same time?


Here is our global and switchport config; the total config is uploaded.


interface GigabitEthernet1/0/1
description NAC Dan W PC / Phone (Access Mode)
switchport access vlan 44
switchport mode access
switchport nonegotiate
switchport voice vlan 244
ip arp inspection limit rate 50
authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout server-timeout 2
dot1x timeout tx-period 1
dot1x timeout supp-timeout 2
dot1x max-reauth-req 1
auto qos trust
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoQos-4.0-Trust-Cos-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
ip dhcp snooping limit rate 50
end


aaa group server radius ise-group
server name bgh-ise-psn-01
server name wmh-ise-psn-01
!
aaa authentication dot1x default group ise-group
aaa authorization exec vty local
aaa authorization network default group ise-group
aaa authorization network auth-list group ise-group
aaa accounting update periodic 2880
aaa accounting auth-proxy default start-stop group ise-group
aaa accounting dot1x default start-stop group ise-group
aaa accounting system default start-stop group ise-group


device-sensor filter-list lldp list TLV-LLDP
tlv name system-name
tlv name system-description
!
device-sensor filter-list cdp list TLV-CDP
tlv name device-name
tlv name address-type
tlv name capabilities-type
tlv name platform-type
!
device-sensor filter-list dhcp list TLV-DHCP
option name host-name
option name requested-address
option name parameter-request-list
option name class-identifier
option name client-identifier
device-sensor filter-spec dhcp include list TLV-DHCP
device-sensor filter-spec lldp include list TLV-LLDP
device-sensor filter-spec cdp include list TLV-CDP
device-sensor accounting
device-sensor notify all-changes

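The interface template above sets the dot1x retry timers far below the IOS defaults (tx-period 30 s, quiet-period 60 s, supp-timeout 30 s, server-timeout 30 s) and combines "server dead action authorize" with "server alive action reinitialize", so every port retries quickly and all of them re-authenticate together when ISE comes back. As an added example that is not part of this thread, the Python script below parses a running-config excerpt like the one posted and flags those storm-amplifying settings per interface; the sample config is constructed and the default values are the documented IOS defaults.

```python
import re

# IOS defaults for the dot1x timers that govern how often a port retries
# EAP/RADIUS; shorter values mean more requests per second during a mass reauth.
DEFAULTS = {
    "quiet-period": 60,
    "tx-period": 30,
    "supp-timeout": 30,
    "server-timeout": 30,
}
REINIT = "authentication event server alive action reinitialize"

# Constructed excerpt modelled on the interface config posted above.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 dot1x timeout quiet-period 2
 dot1x timeout server-timeout 2
 dot1x timeout tx-period 1
 dot1x timeout supp-timeout 2
interface GigabitEthernet1/0/2
 dot1x timeout tx-period 30
"""


def parse_interfaces(config: str) -> dict:
    """Return {interface_name: [config lines]} from a running-config excerpt."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current and line and line != "end":
            interfaces[current].append(line)
    return interfaces


def storm_findings(lines: list) -> list:
    """Flag settings on one port that amplify a re-authentication storm."""
    findings = []
    for line in lines:
        m = re.match(r"dot1x timeout (\S+) (\d+)$", line)
        if m and m.group(1) in DEFAULTS and int(m.group(2)) < DEFAULTS[m.group(1)]:
            findings.append(f"{m.group(1)}={m.group(2)}s (default {DEFAULTS[m.group(1)]}s)")
        if line == REINIT:
            findings.append("server alive action reinitialize: all ports reauthenticate when ISE returns")
    return findings


def audit(config: str) -> dict:
    """Map each interface to its list of storm-related findings."""
    return {name: storm_findings(lines) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, *findings, sep="\n  ")
```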
2 Replies

Zaaf Aba
Level 1

Hi


AFAIK there is no way to queue the 802.1x authentication. If you enable 802.1x authentication on every port of the switch then all the ports will try to authenticate the phones (supplicant) connected to ports which are UP at the same time.

One way could be to enable 802.1x on each port individually. Copy the config template into Notepad and paste it under each interface's config one by one.

You haven't mentioned whether you are using MAC authentication, an individually configured username/password on each phone authenticated against the RADIUS server, or whether your RADIUS server has an LDAP/NPS connection to Active Directory.


Regards

Zaaf 

Zaaf,


We use MAB for phones and other non-domain devices, and LDAP lookup for domain PCs.


Thanks,

Tom

