
problem with 802.1x in Catalyst 3750

jmoreno
Level 1

Hi

I am configuring 802.1x in the LAN network of my customer. My customer has 2960 and 3750 switches and Cisco IP phones. I have a problem with the 3750 switches: the IP phone cannot connect to CallManager, but when I connect the IP phone to any port of a 2960 switch I have no problem. The configuration on the 3750 and 2960 is the same. The version of IOS on all switches is c3750-ipbasek9-mz.122-25.SEE4

The configuration in the ports is:

interface FastEthernet X
 switchport mode access
 switchport voice vlan 125
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
 dot1x guest-vlan 13
 dot1x auth-fail vlan 13
 spanning-tree portfast

Thanks for your help.

Jorge

4 Replies

Giuseppe Larosa
Hall of Fame

Hello Jorge,

I would try

int fas X
 dot1x host-mode multi-host

and

switch# dot1x re-authenticate interface fas X

Have you tried with a PC connected to the IP phone with 802.1X client SW?

Does the behaviour change?

Hope to help

Giuseppe

Hi Giuseppe

I will try this configuration, but the configuration is working well on the 2960 switches. Why does it fail on the 3750 switches? Only the 3750 switches have the problem.

Hi Jorge, I have just looked at a working 802.1x config from a 3560-POE I have (not exactly the same, I know) where I have some Cisco IP Phones, and it's almost the same as yours:

interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 500
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security aging time 3
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 srr-queue bandwidth share 1 70 25 5
 srr-queue bandwidth shape 3 0 0 0
 priority-queue out
 no snmp trap link-status
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
 dot1x timeout reauth-period server
 dot1x reauthentication
 spanning-tree portfast
 service-policy input IPPHONE+PC-BASIC
 ip dhcp snooping limit rate 100

In theory a 3750 & a 2960 (assuming the same IOS revision) should have the same behaviour since they are both based on a similar platform.

Previously you needed to have three MAC addresses configured for port-security to work with an IP Phone and a PC, since the IP Phone initially appears on the access VLAN. However, I know there was a feature change (around IOS 12.2(37)SE) where as soon as CDP kicked in from the IP Phone the switch removed its MAC from the access VLAN, so you can have a maximum of two MACs configured. You are running older software, so you will need the three MAC maximum.

I would suggest the first thing to try would be upgrading the IOS to the latest IOS release which is 12.2(46)SE.

Andy
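
The port-security point in the reply above, as an added example that is not part of the original thread: a small Python audit that flags voice-VLAN ports whose port-wide port-security maximum is below what that reply says the running release needs. The release boundary is the approximate one quoted in the reply; the function names and the interface number in the sample are hypothetical, and ports using per-VLAN maximums are skipped.

```python
import re

# Release boundary quoted in the reply ("around IOS 12.2(37)SE"); approximate.
CDP_MAC_CLEANUP_RELEASE = (12, 2, 37)

# Constructed sample: port settings from the question, interface number invented.
SAMPLE = """\
interface FastEthernet0/1
 switchport mode access
 switchport voice vlan 125
 switchport port-security maximum 2
 switchport port-security
 dot1x port-control auto
!
"""

def parse_release(version):
    """Turn '12.2(25)SEE4' into (12, 2, 25); the train suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)\((\d+)", version)
    if not m:
        raise ValueError(f"unrecognised IOS version: {version!r}")
    return tuple(int(g) for g in m.groups())

def parse_interfaces(config):
    """Split config text into {interface name: [sub-commands]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line and raw[0].isspace() and current is not None:
            current.append(line)
        elif line:
            current = None  # any unindented line ends the stanza
    return interfaces

def audit(config, version):
    """Return (interface, configured maximum, needed maximum) per undersized port."""
    need = 2 if parse_release(version) >= CDP_MAC_CLEANUP_RELEASE else 3
    findings = []
    for name, cmds in parse_interfaces(config).items():
        voice = any(c.startswith("switchport voice vlan") for c in cmds)
        per_vlan = any(re.match(r"switchport port-security maximum \d+ vlan", c) for c in cmds)
        if "switchport port-security" not in cmds or not voice or per_vlan:
            continue  # per-VLAN limits are outside this check
        limits = [int(c.rsplit(None, 1)[1]) for c in cmds
                  if re.fullmatch(r"switchport port-security maximum \d+", c)]
        maximum = limits[-1] if limits else 1  # IOS default maximum is 1
        if maximum < need:
            findings.append((name, maximum, need))
    return findings
```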

Hi Andrew

All switches have the version 12.2(46)SE.
