dot1x config on switch not working after upgrade

jennyjohn · ‎03-02-2010

I have dot1x configured on my 3560 switch. At the switch port level, dot1X was enabled however it was globally disabled using no dot1x system-auth-control. Users were able to connect without any problem.

Recently I upgraded the IOS on 3560 edge switches from 12.2(46)SE to 12.2(53)SE and all the users were not able to gain access to the
network. Only after i disabled dot1X on individual ports, users regained network connectivity.

In older IOS's, if I was facing some problem with 802.1x, I used to just disable dot1x globally without touching the port level config and users were able to gain network access without any problems. My understanding is that irrespective of port level configuration, if dot1x is disabled globally, then users should not have any problem in connecting to the network.

Is this a bug or is it the way supposed to operate in new IOS?

Ganesh Hariharan · ‎03-02-2010

I have dot1x configured on my 3560 switch. At the switch port level, dot1X was enabled however it was globally disabled using no dot1x system-auth-control. Users were able to connect without any problem.

Recently I upgraded the IOS on 3560 edge switches from 12.2(46)SE to 12.2(53)SE and all the users were not able to gain access to the
network. Only after i disabled dot1X on individual ports, users regained network connectivity.

In older IOS's, if I was facing some problem with 802.1x, I used to just disable dot1x globally without touching the port level config and users were able to gain network access without any problems. My understanding is that irrespective of port level configuration, if dot1x is disabled globally, then users should not have any problem in connecting to the network.

Is this a bug or is it the way supposed to operate in new IOS?

Hi,

Check out the bug id CSCte54884 it will clear your query !!

CSCte54884 Bug Details

3750 switch running 12.2(53)SE ios crashes when enabling Dot1x auth.
Symptom: 3750 switch crashes when enabling dot1x authentication Conditions: when dot1x is enabled Workaround:

Remember to rate the helpful post.

Ganesh.H

jennyjohn · ‎03-02-2010

Thanks Ganesh, but my 3560 switch is not crashing, think that bug is only related to 3750 switches.

Leo Laohoo · ‎03-02-2010

We've temporarily halted our dot1x experiments and testing after I logged a TAC Case. Using the latest IOS, 12.2(53) our switches would crash, magnificently, until we remove the dot1x statement. According to TAC the DE is finalizing the release of the new IOS which will fix the bug.

jennyjohn · ‎03-03-2010

Hi Leolaohoo, is the bug affected on 12.2 (53) SE release for Catalyst 3560 also?

jennyjohn · ‎03-03-2010

Can you verify if this configuration is correct, Thanks

aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
aaa session-id common
authentication mac-move permit
authentication critical recovery delay 500
!
dot1x system-auth-control
dot1x critical eapol
!
interface FastEthernet0/17
switchport access vlan 115
switchport mode access
switchport voice vlan 203
ip arp inspection trust
load-interval 30
authentication event server dead action authorize vlan 115
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication port-control auto
authentication violation protect
mab
dot1x pae authenticator
dot1x timeout quiet-period 10
spanning-tree portfast
!
radius-server dead-criteria time 5 tries 3
radius-server host 172.18.130.10 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxx
radius-server host 172.22.130.11 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxx
radius-server deadtime 2
!

jennyjohn · ‎04-10-2010

a bug is already out there, CSCta23340. It says that this is a deliberate design change and the bug is filed as a documentation bug. The summary is:

"If dot1x is disabled globally with the command 'no dot1x system-auth-control', ports that are configured for dot1x do not allow traffic from the client. This is an expected behavior since 12.2(50)SE.

starting from 12.2(50)SE, "authentication port-control auto" controls not only dot1x authentication method but also other methods. Without disabling "authentication port-control auto", the traffic will still not be allowed to pass through even after disabling dot1x globally. The doc should address this change.

Doing 'show auth session int x' states that dot1x is disabled.

If dot1x is disabled on the port ('no authentication port-control') then the client traffic will be allowed through."

So in summary, although you had the ability to disable dotx globally previously, the current design will require it be explicitly disabled on a per port basis.