dot1x multi domain authent issue

Unanswered Question
Jun 15th, 2008

Hi, I'm installing an IP phone on a 3560 with 802.1x authentication and host mode multi-domain. All works fine for the IP phone, but the PC behind the IP phone can't receive an IP address via DHCP although dot1x guest VLAN data is configured. Is a supplicant and 802.1x authentication mandatory on the PC as on the IP phone, or can I have authentication only on the IP phone and none on the PC?

Is there some known issue for that situation?

How long is a MAC address locked if dot1x authentication failed? Is that timer configurable? Is the MAC address locked for the port or for all switch ports?


jafrazie Sun, 06/15/2008 - 17:57

Is your PC 802.1X enabled? If so, is it enabled to send EAPOL-Start frames?

a.diot Mon, 06/16/2008 - 10:52

Hi Jafrazie,

No, authentication isn't enabled on the Windows PC, and I noticed that behavior with XP and 2000 stations.

I have to unplug the IP phone in order to have the PC working; DHCP release or renew doesn't work (no network), then the PC IP address is 169...

I will try to take some traces to confirm that the PC is not sending some EAP frames.

jafrazie Mon, 06/16/2008 - 10:56

The gist of this is, with MDA configured, it will never allow access to anything unless it sees a client on the wire. Whenever you plug it in, it will try to authenticate the device with 802.1X. If 802.1X times out, then fallback options like MAB, the Guest-VLAN come into play.

Can you cut-n-paste your current port-config?

Largely, you should be seeing the same thing with MDA that you'd see when you plug directly into the switch to begin with. Beware that 802.1X takes 90-sec to timeout by default. This could be the issue you're facing here.

HTH a little in the meantime,
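
The 90-second default mentioned in the reply above, shown as a port configuration. This is an added example, not a configuration posted in the thread; it assumes a 3560 image that uses the legacy `dot1x` interface commands, and the interface name, VLAN IDs and timer values are constructed.

```cisco
! Constructed example: interface, VLAN IDs and timer values are assumptions.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 ! Data VLAN for a PC that never answers EAPOL (no supplicant).
 dot1x guest-vlan 30
 ! Guest-VLAN fallback happens after (max-reauth-req + 1) * tx-period.
 ! Defaults: tx-period 30, max-reauth-req 2 -> 3 * 30 s = 90 s.
 ! Values below give 3 * 10 s = 30 s.
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
```

Shorter timers move a supplicant-less PC into the guest VLAN sooner, but also give a slow-starting supplicant less time to respond before the port falls back.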

