Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1345
Views
0
Helpful
2
Replies

dot1x thin client problem

Muhammed AKYUZ
Level 1
Level 1

‎12-28-2007 02:05 PM - edited ‎03-05-2019 08:12 PM

Hi

we are using dot1x with winxp installed PCs. and all working good. But we have also thin clients that you can not run dot1x so we have to use mac auth for thin clients. Thin Clients boots from network. So the problem is we can not get mac address from thin clients. debug is below:

5w3d: dot1x-ev:Host access is 1 on port FastEthernet0/47

5w3d: dot1x-ev:Succeeded in setting host access to denyon FastEthernet0/47

5w3d: dot1x-ev:dot1x_switch_port_unauthorized: Unauthorizing interface FastEthernet0/47

5w3d: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa0/47

5w3d: dot1x-ev:dot1x_vlan_assign_client_deleted on interface FastEthernet0/47

5w3d: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa0/47

5w3d: dot1x-ev:dot1x_mgr_if_state_change: FastEthernet0/47 has changed to UP

5w3d: dot1x-ev:Sending create new context event to EAP for 0000.0000.0000

5w3d: dot1x-ev:Created a client entry for the supplicant 0000.0000.0000

5w3d: dot1x-ev:Created a default authenticator instance on FastEthernet0/47

5w3d: dot1x-ev:dot1x_switch_enable_on_port: Enabling dot1x on interface FastEthernet0/47

5w3d: dot1x-ev:dot1x_switch_enable_on_port: set dot1x ask handler on interface FastEthernet0/47

5w3d: dot1x-ev:FastEthernet0/47:Sending EAPOL packet to group PAE address

5w3d: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/47.

5w3d: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/47

5w3d: dot1x-ev:FastEthernet0/47:Sending EAPOL packet to group PAE address

5w3d: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/47.

5w3d: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/47

5w3d: dot1x-ev:FastEthernet0/47:Sending EAPOL packet to group PAE address

5w3d: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/47.

5w3d: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/47

5w3d: dot1x-ev:Received an EAP Timeout on FastEthernet0/47 for mac 0000.0000.0000

5w3d: dot1x-ev:Host access is 2 on port FastEthernet0/47

5w3d: dot1x-ev:Changed host access to ask on FastEthernet0/47

5w3d: dot1x-ev:dot1x_pm_mab_get_mac: set dot1x ask handler on interface FastEthernet0/47

also config:

switchport mode access

switchport port-security maximum 3

switchport port-security violation protect

dot1x mac-auth-bypass eap

dot1x pae authenticator

dot1x port-control auto

dot1x timeout quiet-period 1

dot1x timeout tx-period 5

dot1x max-req 1

storm-control broadcast level bps 1m

storm-control multicast level bps 1m

spanning-tree portfast

spanning-tree bpduguard enable

ip verify source

!

Labels:
0 Helpful
2 Replies 2

aghaznavi
Level 5
Level 5

‎01-03-2008 02:07 PM

You can manually assign mac address in your switch port through switchport port-security mac-address mac-address command.

0 Helpful

Muhammed AKYUZ
Level 1
Level 1
In response to aghaznavi

‎01-03-2008 10:57 PM

I know that solution but we have more than 3000 clients. I want general solution.

Thank you.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card