Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2799
Views
0
Helpful
3
Replies

802.1x on 2960 cluster switch

chitre_salil
Level 1
Level 1

‎12-02-2009 06:28 PM - edited ‎03-06-2019 08:48 AM

Hi,

I am trying to get 802.1x port based authentication working on a cluster switch member. All the switches are 2960 series veriosn 12.2 (44) SE2. Only the cluster commander has an IP set and that is configured on the radius server (Windows 2008 NPS) as a client.

I have the following configuration on all the cluster switches

aaa new-model
aaa authentication dot1x default group radiusx

radius-server host 172.19.x.xx auth-port 1645 acct-port 1646
radius-server key xxxxx

The switch port that I am testing has the following config

interface fa0/15
switchport mode access
dot1x port-control auto
no shut

I cant see anything in the logs on the cluster member. The radius server has no requests in its log either. Anyone has any clues?

Regadrs,

Salil

1 person had this problem
Labels:
0 Helpful
3 Replies 3

Ganesh Hariharan
VIP Alumni
VIP Alumni

‎12-03-2009 11:18 PM

Hi ,

Try configuring 802.1x as per the link

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a00808066ba.shtml#switch

hope this will you to over come the issue

Regards

Ganesh.H

0 Helpful

chitre_salil
Level 1
Level 1
In response to Ganesh Hariharan

‎12-04-2009 04:59 PM

Hi Ganesh,

Thanks for the link. The configuration I am using works perfect if I use it on a standalone switch. It proves that my Switch config, radius server config and client config is working. Its only when I try to use the same switch config on a switch cluster that I cant get it to work. I have tried giving the cluster member its own IP address so that it can communicate with the radius server directly but it did not help.

On the client I can see the EAPOL start message generated. I dont see the switch querying the client for authentication details. The switch simply enables the port. The switch port config is

interface FastEthernet0/15
switchport access vlan xxx
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode protect
spanning-tree bpduguard enable

I am not sure if there is anything else required to get this working in a switch cluster.

Regards,

Salil

0 Helpful

Ganesh Hariharan
VIP Alumni
VIP Alumni
In response to chitre_salil

‎12-04-2009 11:03 PM

Try to configure cluster ip and static ip of the switch in acs aaa client tab then see what happens.

Regards

Ganesh.H

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card