Wired Certificate-based 802.1x authentication on C2960X is disabling STP?!

djhopps
Level 1

Hey all

 

I've run into a strange anomaly when configuring 802.1x authentication on a series of Cisco WS-C2960X-48LPD-L switches. Although I DO have this working and a Cisco ISE correctly authenticating clients (i.e. legitimate wired corporate laptops with a valid dot1x certificate), I've also discovered that configuring the switches in this way effectively renders spanning-tree redundant. Am I missing something here in the port configuration? I've tried using various flavours of STP to no avail. Upon looping a switch-port, traffic is forwarded as normal and there's zero attempt by STP to detect the loop. I've tried forcing bpduguard on the ports and globally, but no matter what I do I can't get STP to block a looped port. Switchport and 802.1x configuration is below; if anyone has seen this before and has a solution then please let me know. I can't imagine I'm the only network guy to want 802.1x certificate-based authentication and STP to function on the same network :)

 

Bit of further info - a dig through Cisco’s support site identifies this potentially as Cisco bug CSCtx96491 which is supposed to be resolved by configuring the switches with “authentication open” (effectively bypasses 802.1x, so pretty useless), and “authentication mac-move permit” (which is already configured).

 

aaa group server radius ISE
 server name ISE2
 server name ISE1
 deadtime 15
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa authorization auth-proxy default group ISE
aaa accounting dot1x default start-stop group ISE
!
aaa server radius dynamic-author
 client 10.110.x.10 server-key 7 secret
 client 10.120.x.10 server-key 7 secret
!
authentication mac-move permit
dot1x system-auth-control
dot1x critical eapol

 

interface GigabitEthernet1/0/1
 description Access Port
 switchport access vlan 52
 switchport mode access
 switchport voice vlan 946
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication port-control auto
 authentication order dot1x
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 5
 auto qos trust
 spanning-tree portfast

 

Thanks, Dave

5 Replies

shaps
Level 3
That is very strange. In my last place we had a similar setup and spanning tree had no issue, or at least no one noticed. It may be worth upgrading one of the switches to see if it was the bug mentioned in the report.

Hi there and thanks for the response. Sorry for the delayed reply, I've been away for a week.

 

I'll give the IOS update a go and see if this cures the STP issues. I will report back if so, though there are already reports of the latest MD release of IOS (v15.2.4E7) actually bricking these switches... worrying!

 

https://software.cisco.com/download/reviews?mdfid=284795754&release=15.2.4E7&softwareId=280805680&ts=POYDVI24CO292U5CRLT1557230112624 

That's a nasty bug :(
There are no interim versions required, so it shouldn't brick the switch.
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-2_4_e/releasenotes/rn-1524e-2960x-xr.html#pgfId-203213

Hi again

I've just upgraded a spare WS-C2960X-48LPD-L switch to the latest (MD) release of IOS (15.2(4)E7) and have been experimenting with various dot1x configurations. The same problem exists sadly.

I'm using two physically looped switchports to test a L2 loop on ports g1/0/33 and g1/0/34 below. The switchport configurations of both ports are as follows:

 

interface GigabitEthernet1/0/33
 description Access Port
 switchport access vlan 50
 switchport mode access
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 5
 auto qos trust
 spanning-tree portfast edge

 

With the above configuration, enabling them both results in BPDU guard err-disabling one of the ports:

 

Spare_1(config-if-range)#no shut
May 21 15:55:10: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/33, changed state to down
May 21 15:55:10: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/34, changed state to down
May 21 15:55:11: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/33 with BPDU Guard enabled. Disabling port.
May 21 15:55:11: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/33, putting Gi1/0/33 in err-disable state

 

However, if I activate 802.1x port authentication by adding the single port-configuration command "authentication port-control auto", the port remains up and forwarding traffic, while eventually seeing an authentication failure from the connected looped ports:

 

Spare_1(config-if-range)#no shut
May 21 15:59:19: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/33, changed state to down
May 21 15:59:19: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/34, changed state to down
May 21 15:59:22: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/33, changed state to up
May 21 15:59:22: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/34, changed state to up
May 21 15:59:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/33, changed state to up
May 21 15:59:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/34, changed state to up

May 21 16:00:24: %DOT1X-5-FAIL: Authentication failed for client (501c.b006.3aa1) on Interface Gi1/0/34 AuditSessionID 0A146D620000001900399B8D
May 21 16:00:24: %DOT1X-5-FAIL: Authentication failed for client (501c.b006.3aa2) on Interface Gi1/0/33 AuditSessionID 0A146D620000001A00399B90

 

Removing the authentication port-control auto command while both ports are up suddenly brings BPDU guard back to life and blocks the port again. Similarly, configuring authentication port-control force-authorized also blocks the port. Any ideas? Kinda scratching my head on this one!

Thanks, Dave

 

Hey Dave, it's an old post, not sure if the issue is resolved for you or not. I have also faced the same issue with one of my customer's Cat 2960 switches. I have seen that, with authentication port-control auto, it works if you add the MAB config to the port as well. In that case the BPDU guard will err-disable the port in case of a loop.

 

But with only dot1x configured on the port, it is not being blocked by STP. In fact, STP is not even being performed while there is only dot1x configured. I am still looking for an answer to this.

 

Thanks.
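Two checks that follow from this thread, written as an added example rather than anything posted by Dave or the other repliers: an audit of a running-config for the dot1x-only port shape (authentication port-control auto with no mab) that the last reply associates with BPDU guard no longer err-disabling a looped port, and a pass over syslog that lists ports which logged DOT1X-5-FAIL without ever logging a BPDU-guard block, which is the symptom Dave saw on g1/0/33 and g1/0/34. The config and log samples are constructed to match the stanzas and messages in the thread, the regexes assume the exact message formats shown above, and the mab workaround is one user's observation, not a confirmed fix.

```python
import re
from typing import Dict, List

# Constructed running-config sample modelled on the stanzas in this thread;
# not a capture from a real switch. 1/0/33 is dot1x-only, 1/0/34 also has mab.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/33
 description Access Port
 switchport access vlan 50
 switchport mode access
 authentication host-mode multi-auth
 authentication port-control auto
 authentication order dot1x
 dot1x pae authenticator
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/34
 description Access Port
 switchport access vlan 50
 switchport mode access
 authentication host-mode multi-auth
 authentication port-control auto
 authentication order dot1x mab
 mab
 dot1x pae authenticator
 spanning-tree portfast edge
!
"""

# Constructed syslog sample in the format the thread shows. The first two lines
# mirror Dave's DOT1X-5-FAIL messages; the Gi1/0/40 lines are invented to show
# a port that failed dot1x but WAS caught by BPDU guard.
SAMPLE_LOG = """\
May 21 16:00:24: %DOT1X-5-FAIL: Authentication failed for client (501c.b006.3aa1) on Interface Gi1/0/34 AuditSessionID 0A146D620000001900399B8D
May 21 16:00:24: %DOT1X-5-FAIL: Authentication failed for client (501c.b006.3aa2) on Interface Gi1/0/33 AuditSessionID 0A146D620000001A00399B90
May 21 16:01:02: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/40 with BPDU Guard enabled. Disabling port.
May 21 16:01:02: %DOT1X-5-FAIL: Authentication failed for client (501c.b006.3aa8) on Interface Gi1/0/40 AuditSessionID 0A146D620000001B00399B95
"""

DOT1X_FAIL_RE = re.compile(r"%DOT1X-5-FAIL: .* on Interface (\S+)")
BPDUGUARD_RE = re.compile(r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (\S+) ")


def short_name(ifname: str) -> str:
    """SPANTREE logs say GigabitEthernet1/0/33 while DOT1X and PM logs say
    Gi1/0/33; normalise so the two event streams can be compared."""
    return re.sub(r"^GigabitEthernet", "Gi", ifname)


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS running-config into {interface name: [stanza lines]}."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            stanzas[current] = []
            continue
        if not line or line.startswith("!"):   # '!' terminates a stanza
            current = None
            continue
        if current is not None:
            stanzas[current].append(line)
    return stanzas


def audit_dot1x_ports(config: str) -> Dict[str, List[str]]:
    """Flag ports that enforce 802.1X (port-control auto) with no 'mab' line,
    the dot1x-only shape the last reply says stops BPDU guard working."""
    findings: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        present = set(lines)
        if "authentication port-control auto" not in present:
            continue  # not an 802.1X-enforced port, nothing to check
        issues = []
        if "mab" not in present:
            issues.append("dot1x-only: 'authentication port-control auto' without 'mab'")
        if issues:
            findings[name] = issues
    return findings


def dot1x_fail_without_bpduguard(log: str) -> List[str]:
    """Ports that logged DOT1X-5-FAIL but never a BPDU-guard block. On a
    physically looped port this is the pattern Dave observed: the port stays
    up and forwarding instead of going err-disabled."""
    failed, guarded = set(), set()
    for line in log.splitlines():
        m = DOT1X_FAIL_RE.search(line)
        if m:
            failed.add(short_name(m.group(1)))
        m = BPDUGUARD_RE.search(line)
        if m:
            guarded.add(short_name(m.group(1)))
    return sorted(failed - guarded)


if __name__ == "__main__":
    print(audit_dot1x_ports(SAMPLE_CONFIG))
    print(dot1x_fail_without_bpduguard(SAMPLE_LOG))
```

A dot1x-only port that shows authentication failures without a BPDU-guard event is not proof of a loop on its own; a failed corporate laptop produces the same DOT1X-5-FAIL line. The point of running both checks together is to shortlist the ports worth testing physically the way Dave did with g1/0/33 and g1/0/34, rather than assuming STP is protecting them.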
