Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

dot1x thin client problem

Hi

we are using dot1x with winxp installed PCs. and all working good. But we have also thin clients that you can not run dot1x so we have to use mac auth for thin clients. Thin Clients boots from network. So the problem is we can not get mac address from thin clients. debug is below:

5w3d: dot1x-ev:Host access is 1 on port FastEthernet0/47

5w3d: dot1x-ev:Succeeded in setting host access to denyon FastEthernet0/47

5w3d: dot1x-ev:dot1x_switch_port_unauthorized: Unauthorizing interface FastEthernet0/47

5w3d: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa0/47

5w3d: dot1x-ev:dot1x_vlan_assign_client_deleted on interface FastEthernet0/47

5w3d: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa0/47

5w3d: dot1x-ev:dot1x_mgr_if_state_change: FastEthernet0/47 has changed to UP

5w3d: dot1x-ev:Sending create new context event to EAP for 0000.0000.0000

5w3d: dot1x-ev:Created a client entry for the supplicant 0000.0000.0000

5w3d: dot1x-ev:Created a default authenticator instance on FastEthernet0/47

5w3d: dot1x-ev:dot1x_switch_enable_on_port: Enabling dot1x on interface FastEthernet0/47

5w3d: dot1x-ev:dot1x_switch_enable_on_port: set dot1x ask handler on interface FastEthernet0/47

5w3d: dot1x-ev:FastEthernet0/47:Sending EAPOL packet to group PAE address

5w3d: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/47.

5w3d: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/47

5w3d: dot1x-ev:FastEthernet0/47:Sending EAPOL packet to group PAE address

5w3d: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/47.

5w3d: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/47

5w3d: dot1x-ev:FastEthernet0/47:Sending EAPOL packet to group PAE address

5w3d: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/47.

5w3d: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/47

5w3d: dot1x-ev:Received an EAP Timeout on FastEthernet0/47 for mac 0000.0000.0000

5w3d: dot1x-ev:Host access is 2 on port FastEthernet0/47

5w3d: dot1x-ev:Changed host access to ask on FastEthernet0/47

5w3d: dot1x-ev:dot1x_pm_mab_get_mac: set dot1x ask handler on interface FastEthernet0/47

also config:

switchport mode access

switchport port-security maximum 3

switchport port-security violation protect

dot1x mac-auth-bypass eap

dot1x pae authenticator

dot1x port-control auto

dot1x timeout quiet-period 1

dot1x timeout tx-period 5

dot1x max-req 1

storm-control broadcast level bps 1m

storm-control multicast level bps 1m

spanning-tree portfast

spanning-tree bpduguard enable

ip verify source

!

2 REPLIES
Silver

Re: dot1x thin client problem

You can manually assign mac address in your switch port through switchport port-security mac-address mac-address command.

New Member

Re: dot1x thin client problem

I know that solution but we have more than 3000 clients. I want general solution.

Thank you.

1059
Views
0
Helpful
2
Replies