LWeight AP not starting MAB on DOT1X interface

Unanswered Question
Sep 13th, 2007

Trying to authenticate a Wireless 1242 AP to a switch port with Dot1x enabled. It seems like the switch can't get the mac or doesn't ever start authentication for the port when I plug in an ap.

The ap is configured to pull dhcp on start for fa 0, however never gets an address, even though the port should fail into guest network after auth fails.

Any thoughts,, a debug only shows this...

*Mar 1 00:19:27.127: %IF-3-VLAN_NOT_CONFIGURED: Received dot1Q VLAN tagged pack

et on interface which does not have VLAN configured.

I have this problem too.
1 vote
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
ebreniz Wed, 09/19/2007 - 10:33

In the case client, for MAC authentication to work, disable the client in order to send an EAP request, so that switch can consider it as agentless host, and initiates the MAC authentication bypass process. This is the registry fix on test machine:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]

"SupplicantMode"=dword:00000000

For more information please click following URL

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/sw8021x.html

And also Ensure that the Cisco Centralized Key Management (CCKM) is not enabled on WLC/AP in order to resolve this issue. It has been observed that with CCKM currently enabled.

Jacob-Harris Wed, 09/19/2007 - 10:59

Thanks for the reply, however my problem isn't with authenticating a MS host. The AP is my problem. I am able to get the AP to authenticate itself to the switch via MAB if I shut down CDP on the interface its connecting to, I've also observed this on an ATA186, shutting down CDP on the ATA also fixes the DOT1X issue. Had to set opflag to 0x6A. However I really would rather not shut off CDP I like CDP's features, and its kinda a pain not to have it in some cases. Any thoughts?

Bilal Nawaz Sun, 02/24/2013 - 05:23

Hello Jacob,

We have the same problem as you described with ATA's. We recently upgraded our WLC's and AP's too. And now some of the AP's are behaving like the ATA's or the switch is placing them into the voice vlan, with no MAB dot1x auth taking place.

Removing CDP fixes this, or removing the switchport voice vlan command will also fix this.

Did you manage to resolve this problem?

Actions

This Discussion