This all worked prior to upgrading to the latest 12.2(50)SE IOS on Catalyst 3560s :o(
I have the following access port configuration:
switchport access vlan 10
switchport mode access
switchport voice vlan 15
switchport port-security maximum 3
switchport port-security maximum 2 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security aging time 3
switchport port-security violation restrict
switchport port-security aging type inactivity
no logging event link-status
srr-queue bandwidth share 1 70 25 5
srr-queue bandwidth shape 3 0 0 0
authentication event fail retry 3 action authorize vlan 99
authentication event server dead action authorize vlan 99
authentication event no-response action authorize vlan 99
authentication port-control auto
authentication timer restart 30
authentication timer reauthenticate server
no snmp trap link-status
dot1x pae authenticator
service-policy input IPPHONE+PC-BASIC
ip dhcp snooping limit rate 100
The previous 'dot1x' commands have been replaced with the 'authentication' commands, but in theory they should work the same, as I checked in the latest documentation.
The scenario I have is Cisco IP Phones (7960, 7940 & 7970s, all with the very latest firmware) in hot-desk areas, each with a LAN cable available. The idea is that a guest or an employee can connect their laptop. Authorised PCs (Domain Members) should be able to connect, authenticate via dot1x (machine or user authentication) and be placed into the access VLAN (10). Guests or messed-up PCs should be placed into the Guest or Auth-Fail VLAN (99). ACLs on the Guest VLAN SVI allow restrictive access.
With previous software releases this worked fine, but now the port is placed in the Guest VLAN and never transitions to the access VLAN when a valid client is attached. If the port is manually reauthenticated (dot1x re-authenticate interface fastethernet0/1), or a PC is already connected to the IP Phone and the port is disconnected/connected from the switchport, then it works. The phones are permanently connected, but the laptops aren't. There have been no changes to the clients, just the IOS. The clients are XP SP3 and Vista SP1 and get the Wired dot1x settings from a GPO.
It may be that 12.2(50)SE needs some additional configuration? Does anyone have a similar setup that is working with 12.2(50)SE on 3560/3750s?
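When an 802.1X port stops transitioning out of a fallback VLAN after a software upgrade, the first thing to rule out is the port configuration itself before opening a case: every fallback event should land in the same restricted VLAN (never the production access VLAN), per-VLAN port-security maxima must fit inside the interface maximum, and 'authentication port-control auto' is inert without 'dot1x pae authenticator'. The script below is an added example written for this thread, not code from the original post or from Cisco; it parses the interface configuration quoted above (copied into a constructed string) and a second, deliberately mis-set variant, and reports the inconsistencies a reviewer would check. Function and field names (parse_port_config, lint_port_config, the settings keys) are this example's own choices.

```python
# Added example: lint a Cisco IOS access-port configuration for
# 802.1X fallback-VLAN and port-security consistency.
import re

# Constructed input: the interface configuration quoted in the post above.
POSTED_CONFIG = """\
switchport access vlan 10
switchport mode access
switchport voice vlan 15
switchport port-security maximum 3
switchport port-security maximum 2 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security aging time 3
switchport port-security violation restrict
switchport port-security aging type inactivity
authentication event fail retry 3 action authorize vlan 99
authentication event server dead action authorize vlan 99
authentication event no-response action authorize vlan 99
authentication port-control auto
authentication timer restart 30
authentication timer reauthenticate server
dot1x pae authenticator
"""

# Constructed variant with two mistakes a lint should catch: the no-response
# fallback authorizes into the production access VLAN, and the authenticator
# PAE line is missing so 802.1X never actually runs on the port.
BROKEN_CONFIG = """\
switchport access vlan 10
switchport voice vlan 15
switchport port-security maximum 3
switchport port-security maximum 2 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security violation restrict
authentication event fail retry 3 action authorize vlan 99
authentication event server dead action authorize vlan 99
authentication event no-response action authorize vlan 10
authentication port-control auto
"""

EVENT_RE = re.compile(
    r"authentication event (fail(?: retry \d+)?|no-response|server dead) "
    r"action authorize vlan (\d+)"
)


def parse_port_config(text):
    """Extract the settings relevant to 802.1X fallback and port security."""
    s = {"access_vlan": None, "voice_vlan": None, "ps_max_total": None,
         "ps_max_per_vlan": {}, "fallback_vlans": {}, "port_control": None,
         "pae_authenticator": False, "violation": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"switchport access vlan (\d+)", line):
            s["access_vlan"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport voice vlan (\d+)", line):
            s["voice_vlan"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport port-security maximum (\d+) vlan (access|voice)", line):
            s["ps_max_per_vlan"][m.group(2)] = int(m.group(1))
        elif m := re.fullmatch(r"switchport port-security maximum (\d+)", line):
            s["ps_max_total"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport port-security violation (\w+)", line):
            s["violation"] = m.group(1)
        elif m := EVENT_RE.fullmatch(line):
            event = m.group(1)
            event = "fail" if event.startswith("fail") else event.replace(" ", "-")
            s["fallback_vlans"][event] = int(m.group(2))
        elif m := re.fullmatch(r"authentication port-control (\S+)", line):
            s["port_control"] = m.group(1)
        elif line == "dot1x pae authenticator":
            s["pae_authenticator"] = True
        # QoS, SNMP, logging and DHCP-snooping lines are irrelevant here and skipped.
    return s


def lint_port_config(s):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    per_vlan = sum(s["ps_max_per_vlan"].values())
    if s["ps_max_total"] is not None and per_vlan > s["ps_max_total"]:
        findings.append(f"per-VLAN port-security maxima ({per_vlan}) exceed "
                        f"interface maximum ({s['ps_max_total']})")
    fb = s["fallback_vlans"]
    if len(set(fb.values())) > 1:
        findings.append(f"802.1X fallback events authorize into different VLANs: {fb}")
    for event, vlan in fb.items():
        if vlan == s["access_vlan"]:
            findings.append(f"'{event}' fallback lands in production access VLAN {vlan}")
    if s["port_control"] == "auto" and not s["pae_authenticator"]:
        findings.append("'authentication port-control auto' without 'dot1x pae authenticator'")
    if s["violation"] is None:
        findings.append("port-security violation mode not set (IOS default is shutdown)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("broken", BROKEN_CONFIG)):
        print(name, lint_port_config(parse_port_config(cfg)) or "OK")
```

Run against the posted configuration the lint reports nothing, which is the useful negative result: the fallback VLAN and port-security numbers are internally consistent, so the non-transition the poster describes is not a typo in those lines and the investigation can move on to the authenticator behaviour of the new release (show authentication sessions, debug output) rather than the port config.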