802.1x problems with Cat4510E-Sup6L, IOS 12.2.54

Unanswered Question
Aug 5th, 2010

Hi, all.


I have a very strange problem when turning on 802.1x/MAB on Cisco IOS 12.2.54 running on Cat45xx switches.

Here is a config sample of a port:



interface GigabitEthernet9/48
switchport access vlan xxx
switchport mode access
switchport voice vlan yyy
no logging event link-status
load-interval 60
authentication event fail action next-method
authentication event server dead action authorize vlan xxx
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 10
flowcontrol receive off
storm-control broadcast level 5.00
storm-control action shutdown
spanning-tree portfast


Cisco ACS 5.1 is running as a RADIUS/TACACS appliance in the network.


Since we have many non-certificate-capable devices, MAB is used first to authenticate these devices; for many devices the RADIUS server sends down a specific VLAN ID for that port.


All of this works fine!!!!


Now for the problem:


Some devices authenticate fine with MAB, but after a few minutes these devices stop responding to the network; pings are not answered anymore.

"show authen sessions" for this port shows everything good:


show authentication sessions int gig9/48
            Interface:  GigabitEthernet9/48
          MAC Address:  000d.1234.5678
           IP Address:  10.aa.bb.cc.dd
            User-Name:  00-0D-12-34-56-78
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  zzz
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A540423000015FE74510567
      Acct Session ID:  0x00001608
               Handle:  0x34000609


Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Failed over


When I shut down and re-enable the interface, "show auth sessions" changes to:


show authentication sessions int gig9/48
            Interface:  GigabitEthernet9/48
          MAC Address:  Unknown
           IP Address:  Unknown
               Status:  Running
               Domain:  UNKNOWN
       Oper host mode:  multi-domain
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A5404230000160676F62524
      Acct Session ID:  0x00001613
               Handle:  0x24000610


Runnable methods list:
       Method   State
       mab      Running
       dot1x    Not run


After a variable time period (sometimes 2 minutes, sometimes 2 hours) the port learns or sees the MAC address again, authenticates it, and pings start to respond again, but also only for a variable time period, and the whole thing starts over (pings lost, ......).


I guess this is a .1x issue, because if I configure the port as a normal switchport (mode access, access vlan "zzz", span portfast), the devices show no problems at all: always reachable, no packets lost.


Did I miss anything??


Has anyone encountered any similar problems???

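The two "show authentication sessions" captures in the post above differ in a way that is easy to check by script: the good one has a learned MAC and Status "Authz Success", the one after shut/no shut has MAC "Unknown" and MAB stuck in "Running". The parser and check below are an added example (not from the post or from Cisco); it embeds both captures, trimmed to the fields it reads, as sample input. The field names, "stuck" label and method names are assumptions based only on the output shown in the post.

```python
import re

# Two captures from the post above, trimmed to the fields the check reads.
HEALTHY = """\
            Interface:  GigabitEthernet9/48
          MAC Address:  000d.1234.5678
               Status:  Authz Success
Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Failed over
"""
STUCK = """\
            Interface:  GigabitEthernet9/48
          MAC Address:  Unknown
               Status:  Running
Runnable methods list:
       Method   State
       mab      Running
       dot1x    Not run
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s+(.*?)\s*$")   # "Key:  Value" lines
METHOD_RE = re.compile(r"^\s*(mab|dot1x|webauth)\s+(.+?)\s*$")      # rows under the methods list

def parse_session(text):
    """Split one session block into header fields and per-method states."""
    fields, methods, in_methods = {}, {}, False
    for line in text.splitlines():
        if line.strip() == "Runnable methods list:":
            in_methods = True                       # everything after this is the method table
        elif in_methods:
            m = METHOD_RE.match(line)               # header row "Method   State" does not match
            if m:
                methods[m.group(1)] = m.group(2)
        else:
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
    return {"fields": fields, "methods": methods}

def classify(session):
    """'authorized', 'stuck' (MAB Running, no MAC learned: the post-shut state in the post), or 'other'."""
    f, m = session["fields"], session["methods"]
    mac = f.get("MAC Address", "Unknown")
    if f.get("Status") == "Authz Success" and mac != "Unknown":
        return "authorized"
    if f.get("Status") == "Running" and mac == "Unknown" and m.get("mab") == "Running":
        return "stuck"
    return "other"
```

Run over a periodic capture of every access port, a "stuck" result that persists for more than one MAB tx-period is the condition worth alerting on, since the port looks authenticated to nobody yet carries a host.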
MAGNUS SVENSSON Fri, 10/01/2010 - 01:04

Hi, I have experienced a similar problem. I have a C4506 Sup 4 with gig interfaces. I have ACS 5.1, and if I enable dot1X on an access port it works fine in multi-host mode, but when I switch to multi-domain it stops working: the PC and phone get an IP address but they are not able to communicate, not even pinging the default GW. Directly after the switch to multi-domain (from multi-host) the phone and PC work, but if I do a shut/no shut on the interface it stops working. I have logged a case with TAC and am waiting for an answer. I run the latest release, 12.2(54).


/ Magnus
