problem with 802.1x in Catalyst 3750


Hi

I am configuring 802.1x in the LAN network of my customer. My customer has 2960 and 3750 switches and Cisco IP phones. I have a problem with the 3750 switches: the IP phone cannot connect to CallManager, but when I connect the IP phone to any port of a 2960 switch I have no problem. The configuration in the 3750 and 2960 is the same. The version of IOS in all switches is c3750-ipbasek9-mz.122-25.SEE4

The configuration in the ports is:

interface FastEthernet X
 switchport mode access
 switchport voice vlan 125
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
 dot1x guest-vlan 13
 dot1x auth-fail vlan 13
 spanning-tree portfast

Thanks for your help.

Jorge

Giuseppe Larosa Thu, 11/13/2008 - 01:32

Hello Jorge,

I would try

int fas X
 dot1x host-mode multi-host

and

switch# dot1x re-authenticate interface fas X

Have you tried with a PC connected to the IP phone with 802.1X client SW?

Does the behaviour change?

Hope to help

Giuseppe

andrew.butterworth Thu, 11/13/2008 - 02:10

Hi Jorge, I have just looked at a working 802.1x config from a 3560-POE I have (not exactly the same, I know) where I have some Cisco IP Phones, and it's almost the same as yours:

interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 500
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security aging time 3
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 srr-queue bandwidth share 1 70 25 5
 srr-queue bandwidth shape 3 0 0 0
 priority-queue out
 no snmp trap link-status
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
 dot1x timeout reauth-period server
 dot1x reauthentication
 spanning-tree portfast
 service-policy input IPPHONE+PC-BASIC
 ip dhcp snooping limit rate 100

In theory a 3750 & a 2960 (assuming the same IOS revision) should have the same behaviour since they are both based on a similar platform.

Previously you needed to have three MAC addresses configured for port-security to work with an IP Phone and a PC, since the IP Phone initially appears on the access VLAN. However, I know there was a feature change (around IOS 12.2(37)SE) where, as soon as CDP kicked in from the IP Phone, the switch removed its MAC from the access VLAN, so you can have a maximum of two MACs configured. You are running older software, so you will need the three MAC maximum.

I would suggest the first thing to try would be upgrading the IOS to the latest IOS release which is 12.2(46)SE.

Andy
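The MAC-count point from Andy's reply, expressed as a check that can be run over a saved running-config. This is an added example, not code from the thread or from Cisco: the release threshold is the approximate one given in the reply, the sample config and its interface numbers are constructed, and `ios_release`, `parse_interfaces` and `audit` are hypothetical helper names.

```python
import re

THRESHOLD = (12, 2, 37)  # "around IOS 12.2(37)SE" per the reply above; approximate
# Constructed sample config; interface numbers are made up for illustration.
SAMPLE = """\
interface FastEthernet1/0/1
 switchport voice vlan 125
 switchport port-security maximum 2
 switchport port-security
interface FastEthernet1/0/2
 switchport voice vlan 125
 switchport port-security maximum 3
 switchport port-security
interface FastEthernet1/0/3
 switchport voice vlan 500
 switchport port-security maximum 1 vlan voice
 switchport port-security
"""

def ios_release(version):
    """'12.2(25)SEE4' or 'c3750-ipbasek9-mz.122-25.SEE4' -> (12, 2, 25)."""
    m = re.search(r"(\d+)\.(\d)\((\d+)\)|\.(\d{2})(\d)-(\d+)\.", version)
    if not m:
        raise ValueError(f"unrecognised IOS version: {version!r}")
    return tuple(int(g) for g in m.groups() if g is not None)

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from running-config text."""
    ports, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = ports.setdefault(raw.split(None, 1)[1].strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return ports

def audit(config, version):
    """Yield (port, configured limit, needed limit) for voice ports set too low."""
    needed = 3 if ios_release(version) < THRESHOLD else 2
    for name, cmds in parse_interfaces(config).items():
        text = "\n".join(cmds)
        voice = "switchport voice vlan" in text and "switchport port-security" in cmds
        if not voice or re.search(r"port-security maximum \d+ vlan", text):
            continue  # not a secured voice port, or per-VLAN limits (not evaluated)
        limits = re.findall(r"^switchport port-security maximum (\d+)$", text, re.M)
        limit = int(limits[-1]) if limits else 1  # IOS default maximum is 1
        if limit < needed:
            yield name, limit, needed
```

Run against the image name from the question, `list(audit(SAMPLE, "c3750-ipbasek9-mz.122-25.SEE4"))` reports the port with `maximum 2`; ports that use per-VLAN maximums, as in Andy's config, are skipped rather than judged.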
