This weekend we upgraded the IOS on quite a few switches on a larger site. The site is a mix of 2960 and 3560 switches, and the previous IOS versions were 12.2.44 on most switches, but some had an older 12.2.25.
On Monday when we came into work we got a call that most of the ports on these switches were an amber color and most people couldn't use the network.
After some investigation we discovered that we had a problem with dot1x, so for a quick solution we just removed it from the switches and restarted all the ports with no dot1x enabled. This solved the problem, but we can't really figure out what exactly caused this to happen in the first place.
Our config looked like this:
aaa group server radius etsdot1x
server xxx.xxx.xxx.xxx auth-port xxxx acct-port xxxx
server yyy.yyy.yyy.yyy auth-port yyyy acct-port yyyy
aaa authentication login default group tacacs+ local
aaa authentication dot1x default group etsdot1x
aaa authorization exec default group tacacs+ local
aaa authorization network default group etsdot1x
aaa accounting dot1x default start-stop group etsdot1x
and on the ports themselves:
switchport access vlan 20
switchport mode access
srr-queue bandwidth share 1 70 25 5
srr-queue bandwidth shape 30 0 0 0
authentication port-control auto
dot1x pae authenticator
spanning-tree bpduguard enable
service-policy input PC-PORT-QOS-IN
If anyone could pitch any ideas as to why this might have happened ...
Unfortunately I didn't have the chance to look at the logs on the servers yet; they are being administrated by a different department and I couldn't get in touch with them yet. I suspect that the problem was something with reachability of the servers at the time as well, but I just wanted to run the config by others in the meantime to make sure I didn't miss something else.
Also, no, we don't use MAB, that's the only dot1x related config we have.
So assuming the servers were reachable, is there any other factor that could prompt this reaction from the switches after an IOS upgrade?