Beginner

Wired Certificate-based 802.1x authentication on C2960X is disabling STP?!

Hey all

I've run into a strange anomaly when configuring 802.1x authentication on a series of Cisco WS-C2960X-48LPD-L switches. Although I DO have this working and a Cisco ISE correctly authenticating clients (i.e. legitimate wired corporate laptops with a valid dot1x certificate), I've also discovered that configuring the switches in this way effectively renders spanning-tree redundant. Am I missing something here in the port configuration? I've tried using various flavours of STP to no avail. Upon looping a switch-port, traffic is forwarded as normal and there's zero attempt by STP to detect the loop. I've tried forcing bpduguard on the ports and globally, but no matter what I do I can't get STP to block a looped port. Switchport and 802.1x configuration is below, if anyone has seen this before and has a solution then please let me know. I can't imagine I'm the only network guy to want 802.1x certificate-based authentication and STP to function on the same network :)

Bit of further info - a dig through Cisco's support site identifies this potentially as Cisco bug CSCtx96491 which is supposed to be resolved by configuring the switches with "authentication open" (effectively bypasses 802.1x, so pretty useless), and "authentication mac-move permit" (which is already configured).


aaa group server radius ISE
server name ISE2
server name ISE1
deadtime 15

aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa authorization auth-proxy default group ISE
aaa accounting dot1x default start-stop group ISE


aaa server radius dynamic-author
client 10.110.x.10 server-key 7 secret
client 10.120.x.10 server-key 7 secret

authentication mac-move permit
dot1x system-auth-control
dot1x critical eapol

interface GigabitEthernet1/0/1
description Access Port
switchport access vlan 52
switchport mode access
switchport voice vlan 946
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth

authentication port-control auto
authentication order dot1x
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-reauth-req 5
auto qos trust
spanning-tree portfast

Thanks, Dave

4 REPLIES
Beginner

Re: Wired Certificate-based 802.1x authentication on C2960X is disabling STP?!

That is very strange. In my last place we had a similar setup and spanning tree had no issue, or at least no one noticed. May be worth upgrading one of the switches to see if it was the bug mentioned in the report.
Beginner

Re: Wired Certificate-based 802.1x authentication on C2960X is disabling STP?!

Hi there and thanks for the response. Sorry for the delayed reply, I've been away for a week.

I'll give the IOS update a go and see if this cures the STP issues - will report back if so, though there are already reports of the latest MD release of IOS (v15.2.4E7) actually bricking these switches... worrying!

https://software.cisco.com/download/reviews?mdfid=284795754&release=15.2.4E7&softwareId=280805680&ts=POYDVI24CO292U5CRLT1557230112624

VIP Mentor

Re: Wired Certificate-based 802.1x authentication on C2960X is disabling STP?!

that's a nasty bug :(
there are no interim versions required, so it shouldn't brick the switch
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-2_4_e/releasenotes/rn-1524e-2960x-xr.html#pgfId-203213
Beginner

Re: Wired Certificate-based 802.1x authentication on C2960X is disabling STP?!

Hi again

I've just upgraded a spare WS-C2960X-48LPD-L switch to the latest (MD) release of IOS (15.2(4)E7) and have been experimenting with various dot1x configurations. The same problem exists sadly.

I'm using two physically looped switchports to test an L2 loop on ports g1/0/33 and g1/0/34 below. The switchport configurations of both ports are as follows:


interface GigabitEthernet1/0/33
description Access Port
switchport access vlan 50
switchport mode access
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-reauth-req 5
auto qos trust
spanning-tree portfast edge


With the above configuration, enabling them both results in BPDU guard err-disabling one of the ports:


Spare_1(config-if-range)#no shut
May 21 15:55:10: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/33, changed state to down
May 21 15:55:10: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/34, changed state to down
May 21 15:55:11: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/33 with BPDU Guard enabled. Disabling port.
May 21 15:55:11: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/33, putting Gi1/0/33 in err-disable state


However, if I activate 802.1x port authentication by adding the single port-configuration command "authentication port-control auto", the port remains up and forwarding traffic, while eventually seeing an authentication failure from the connected looped ports:


Spare_1(config-if-range)#no shut
May 21 15:59:19: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/33, changed state to down
May 21 15:59:19: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/34, changed state to down
May 21 15:59:22: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/33, changed state to up
May 21 15:59:22: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/34, changed state to up
May 21 15:59:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/33, changed state to up
May 21 15:59:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/34, changed state to up

May 21 16:00:24: %DOT1X-5-FAIL: Authentication failed for client (501c.b006.3aa1) on Interface Gi1/0/34 AuditSessionID 0A146D620000001900399B8D
May 21 16:00:24: %DOT1X-5-FAIL: Authentication failed for client (501c.b006.3aa2) on Interface Gi1/0/33 AuditSessionID 0A146D620000001A00399B90


Removing the authentication port-control auto command while both ports are up suddenly brings BPDU guard back to life and blocks the port again. Similarly, configuring authentication port-control force-authorized also blocks the port. Any ideas? Kinda scratching my head on this one!

Thanks, Dave
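The pattern Dave's last two captures show is machine-detectable: a port that logs %LINK-3-UPDOWN "changed state to up", later logs %DOT1X-5-FAIL, and never logs %SPANTREE-2-BLOCK_BPDUGUARD or %PM-4-ERR_DISABLE. The Python script below is an added example, not code from this thread, from Cisco, or from ISE. It groups IOS syslog mnemonics per interface and flags ports in that state, and it inventories which interfaces in a running-config excerpt combine `authentication port-control auto` with portfast so an operator knows where the thread's configuration is in use. The sample syslog and config are constructed and modelled on the lines quoted above; Gi1/0/40, its "Printer" description and its timestamps are hypothetical additions for contrast. The script surfaces the condition for inspection; it does not explain or fix the behaviour the thread describes.

```python
import re
from collections import defaultdict

# Constructed sample syslog, modelled on the lines quoted in the thread.
# Gi1/0/40 is a hypothetical extra port that BPDU guard did catch, for contrast.
SAMPLE_SYSLOG = """\
May 21 15:59:22: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/33, changed state to up
May 21 15:59:22: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/34, changed state to up
May 21 16:00:24: %DOT1X-5-FAIL: Authentication failed for client (501c.b006.3aa1) on Interface Gi1/0/34 AuditSessionID 0A146D620000001900399B8D
May 21 16:00:24: %DOT1X-5-FAIL: Authentication failed for client (501c.b006.3aa2) on Interface Gi1/0/33 AuditSessionID 0A146D620000001A00399B90
May 21 16:05:10: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/40, changed state to up
May 21 16:05:11: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/40 with BPDU Guard enabled. Disabling port.
May 21 16:05:11: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/40, putting Gi1/0/40 in err-disable state
"""

# Constructed running-config excerpt in the shape of the thread's access ports.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/33
 description Access Port
 switchport mode access
 authentication host-mode multi-auth
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/34
 description Access Port
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/40
 description Printer (hypothetical)
 switchport mode access
 spanning-tree portfast edge
 spanning-tree bpduguard enable
!
"""

# Matches both the long (GigabitEthernet1/0/33) and short (Gi1/0/33) forms IOS logs use.
_IFACE_RE = re.compile(r"\b(?:GigabitEthernet|Gi)(\d+/\d+/\d+)\b")
# Extracts the FACILITY-SEVERITY-MNEMONIC token of an IOS syslog message.
_MNEMONIC_RE = re.compile(r"%([A-Z0-9]+-\d-[A-Z_]+):")


def short_name(text):
    """Return the interface mentioned in the text as 'Gi1/0/33', or None."""
    m = _IFACE_RE.search(text)
    return "Gi" + m.group(1) if m else None


def port_timelines(syslog):
    """Group (mnemonic, full line) pairs per interface, preserving log order."""
    timeline = defaultdict(list)
    for line in syslog.splitlines():
        m = _MNEMONIC_RE.search(line)
        port = short_name(line)
        if m and port:
            timeline[port].append((m.group(1), line))
    return dict(timeline)


def suspicious_ports(syslog):
    """Ports that came up, then logged an 802.1X failure, with no BPDU-guard action.

    This is the pattern the thread shows on the two looped ports. A match is a
    prompt to inspect the port (e.g. 'show spanning-tree interface'), not proof of a loop.
    """
    flagged = []
    for port, events in port_timelines(syslog).items():
        came_up = any(m == "LINK-3-UPDOWN" and line.endswith("to up") for m, line in events)
        dot1x_fail = any(m == "DOT1X-5-FAIL" for m, _ in events)
        guarded = any(m in ("SPANTREE-2-BLOCK_BPDUGUARD", "PM-4-ERR_DISABLE") for m, _ in events)
        if came_up and dot1x_fail and not guarded:
            flagged.append(port)
    return sorted(flagged)


def dot1x_portfast_ports(config):
    """Map each interface combining 'authentication port-control auto' with portfast
    to whether it also carries an explicit 'spanning-tree bpduguard enable'."""
    inventory = {}
    for block in re.split(r"^!\s*$", config, flags=re.M):
        lines = [l.strip() for l in block.strip().splitlines()]
        if not lines or not lines[0].startswith("interface "):
            continue
        port = short_name(lines[0])
        has_auto = "authentication port-control auto" in lines
        has_portfast = any(l.startswith("spanning-tree portfast") for l in lines)
        if port and has_auto and has_portfast:
            inventory[port] = "spanning-tree bpduguard enable" in lines
    return inventory


if __name__ == "__main__":
    for port in suspicious_ports(SAMPLE_SYSLOG):
        print(f"{port}: up + DOT1X-5-FAIL, no BPDU-guard action logged -> check STP state")
    for port, explicit in dot1x_portfast_ports(SAMPLE_CONFIG).items():
        print(f"{port}: dot1x auto + portfast, explicit bpduguard={'yes' if explicit else 'no'}")
```

Run it against a real syslog export by replacing SAMPLE_SYSLOG with the file contents; the interface regex only covers GigabitEthernet ports, so extend it for Fa/Te naming if the platform uses them. On the constructed input it flags Gi1/0/33 and Gi1/0/34 and leaves Gi1/0/40 alone, which is exactly the split between Dave's second and first captures.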
