I have implemented 802.1x on a 2960 switch trunked to a 4503 switch. The PC connecting to the 2960 switch port where 802.1x is enabled passes authentication successfully but fails to get an address from DHCP. I am currently using my 4503 switch as the DHCP server.
When I configure the failing user's port statically into the same VLAN I need him to be in (VLAN 40), he successfully gets an IP address! I can see him being successfully authenticated in the ACS log but could not figure out why he failed to get DHCP.
Here is the configuration I have on both switches for this part:
This is a problem due to the dot1x timers, for sure, if you have done all the basic VLAN and DHCP configuration right. Let me explain what happens here:
With the default dot1x timeout values, the laptop takes around 90 seconds to get the guest VLAN assigned. This includes the quiet period, Tx timeout, retransmission timeout, etc. While this 90-second process is running, the DHCP broadcasts stop, since the DHCP server only sees the client's broadcasts for around 62 seconds. So, after the VLAN assignment (after 90 seconds), the users don't get an IP address from the DHCP server until they manually run "ipconfig /renew". To get rid of this issue, we have to tune the dot1x timers a little and bring the VLAN assignment below 62 seconds. For example, if we tune the Tx timeout to 15 seconds, the total time taken for the VLAN assignment comes down to 45 seconds, and the IP address assignment through DHCP succeeds.
You can use the command "dot1x timeout tx-period 15" on the switch port to bring the total time taken to get the guest VLAN down to 45 seconds, and everything will work fine.
Hope this helps. All the best. Rate replies if found useful.
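The timing race described in the reply above, worked through as an added model that is not part of the original thread. It assumes the IOS rule that the guest VLAN is deployed after (max-reauth-req + 1) × tx-period with no EAPOL reply (which reproduces the reply's 90 s default and 45 s tuned figures), and uses a constructed approximation of the client's DHCPDISCOVER retry schedule that gives up at the 62 s window the reply quotes.

```python
from dataclasses import dataclass


@dataclass
class Dot1xTimers:
    tx_period: int = 30       # seconds between EAP Request/Identity retries (IOS default 30)
    max_reauth_req: int = 2   # retries before the port falls into the guest VLAN (IOS default 2)

    def guest_vlan_delay(self) -> int:
        # Assumed IOS behaviour: the guest VLAN is deployed only after the initial
        # request plus max-reauth-req retransmissions all go unanswered, i.e.
        # (max-reauth-req + 1) * tx-period. Defaults give 3 * 30 = 90 s.
        return (self.max_reauth_req + 1) * self.tx_period


def dhcp_discover_schedule(window: int = 62) -> list:
    # Constructed approximation of a client's DHCPDISCOVER broadcasts: one at
    # link-up, then exponential backoff (4, 8, 16, 32 s) until the client gives
    # up at roughly `window` seconds. Not captured from a real client.
    times, t, gap = [0], 0, 4
    while t + gap <= window:
        t += gap
        times.append(t)
        gap *= 2
    return times


def dhcp_outcome(timers: Dot1xTimers, window: int = 62) -> dict:
    # A lease is only obtained if at least one DISCOVER is sent *after* the port
    # has landed in the guest VLAN; earlier broadcasts never reach the server.
    delay = timers.guest_vlan_delay()
    late = [t for t in dhcp_discover_schedule(window) if t >= delay]
    return {
        "guest_vlan_delay": delay,
        "lease_expected": bool(late),
        "first_useful_discover": late[0] if late else None,
    }


def max_tx_period(max_reauth_req: int = 2, window: int = 62) -> int:
    # Largest tx-period that still lands the guest VLAN no later than the
    # client's final DISCOVER, so the tuning has some margin to it.
    last_discover = dhcp_discover_schedule(window)[-1]
    return last_discover // (max_reauth_req + 1)


if __name__ == "__main__":
    for tx in (30, 15):
        print(tx, dhcp_outcome(Dot1xTimers(tx_period=tx)))
    print("max usable tx-period:", max_tx_period())
```

The model says defaults (90 s) miss every DISCOVER while tx-period 15 (45 s) catches the one at 60 s, and that anything above about 20 s cuts it too fine with two retries.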