Cisco Support Community
New Member

Dot1x Port Authentication Error

I can't get port authentication to work with our ACS 4.0. Cisco 3560 log attached below. I need help!

interface GigabitEthernet0/3
 switchport access vlan 10
 switchport mode access
 mls qos trust dscp
 dot1x pae authenticator
 dot1x dot1x port-control auto
 dot1x timeout server-timeout 60
 dot1x reauthentication
 dot1x guest-vlan 500
 spanning-tree portfast

Global Config

aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization network default group radius
dot1x system-auth-control

Any ideas where I need to go to fix this would be much appreciated!


Cisco Employee

Re: Dot1x Port Authentication Error

Are you saying authentication fails when you plug in an 802.1X supplicant to port g0/3? If so, what error does ACS report in doing so?

Also, providing a "sho dot1x int g0/3 details" would help to tell what the switch's viewpoint of this is after you plug it in as well.

Let me know more details when you can,

New Member

Re: Dot1x Port Authentication Error

Yes, authentication fails. In Windows it says it is validating user and eventually fails authentication.

PTHA-MDF-SW-04#sh dot1x int gi0/3
Dot1x Info for GigabitEthernet0/3

PortControl = AUTO
ControlDirection = Both
ReAuthentication = Enabled
QuietPeriod = 60
ServerTimeout = 60
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
Guest-Vlan = 500

I am not seeing any log entries in ACS! This is getting to be silly. Why is it so difficult to get a Cisco product to work with a Cisco product? I am about to throw out the ACS box.

Isn't the Cisco log enough to at least point me in some direction for troubleshooting?

Cisco Employee

Re: Dot1x Port Authentication Error

If Windows says it's validating identity, then it's not even replied back to the switch. You're not seeing logs in ACS, since the switch isn't sending ACS anything.

What happened here was something like:

1) EAPOL-Start from client (assumed anyway, but might not be enabled on Windows)

2) EAPOL-Identity-Request from switch to client (at this point, Windows will enter the Validating Identity state).

3) EAPOL-Identity-Response from PC to switch

4) Switch initiates RADIUS

5) Numerous steps beyond here depending on the EAP-type, but you're not getting beyond step 2 for some reason.

I would look into why the supplicant isn't responding. Could be that it's enabled for EAP-TLS and there's no cert actually on the machine, for example.
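The stall described in the post above (the switch sends an Identity Request, the PC never answers, so no RADIUS exchange starts and ACS logs nothing) can be confirmed from a capture taken on the PC's port. Added example, not part of the original thread: a Python decoder for EAPOL frame bodies that reports the furthest numbered step a capture reached. The frames are constructed samples and the function names are illustrative.

```python
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}
STEP_OF = {"EAPOL-Start": 1, "Request/Identity": 2, "Response/Identity": 3}

def decode_eapol(payload: bytes) -> str:
    """Label one EAPOL frame body (the bytes following EtherType 0x888E)."""
    if len(payload) < 4:
        raise ValueError("truncated EAPOL header")
    _version, ptype, length = struct.unpack("!BBH", payload[:4])
    if ptype != 0:
        return EAPOL_TYPES.get(ptype, f"EAPOL-type-{ptype}")
    body = payload[4:4 + length]
    if length < 4 or len(body) < length:
        raise ValueError("truncated EAP packet")
    code = body[0]
    label = EAP_CODES.get(code, f"Code-{code}")
    if code in (1, 2):  # only Request/Response carry a Type byte
        if length < 5:
            raise ValueError("EAP Request/Response without a Type byte")
        label += "/" + EAP_TYPES.get(body[4], f"Type-{body[4]}")
    return label

def furthest_step(frames) -> int:
    """Map a client-side capture onto the numbered steps in the post above."""
    step = 0
    for label in map(decode_eapol, frames):
        # Assumption: a pass-through switch sends a method Request only after
        # the RADIUS server produced one, so steps 4-5 must have happened.
        reached = STEP_OF.get(label, 5 if label.startswith("Request/") else 0)
        step = max(step, reached)
    return step

def eap(code: int, ident: int, data: bytes = b"") -> bytes:
    # Build a constructed EAPOL v1 frame carrying one EAP packet.
    eap_pkt = struct.pack("!BBH", code, ident, 4 + len(data)) + data
    return struct.pack("!BBH", 1, 0, len(eap_pkt)) + eap_pkt

# Constructed sample captures (not taken from the thread).
START = struct.pack("!BBH", 1, 1, 0)
ID_REQ = eap(1, 1, b"\x01")
STALLED = [START, ID_REQ, ID_REQ, ID_REQ]  # switch retransmits, PC never answers
HEALTHY = [START, ID_REQ, eap(2, 1, b"\x01alice"), eap(1, 2, b"\x04\x10" + bytes(16))]

if __name__ == "__main__":
    for name, cap in (("stalled", STALLED), ("healthy", HEALTHY)):
        print(name, [decode_eapol(f) for f in cap], "-> step", furthest_step(cap))
```

A capture that tops out at step 2 points at the supplicant configuration; one that reaches step 3 with nothing after it points at the switch-to-RADIUS leg instead.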

New Member

Re: Dot1x Port Authentication Error

The Windows machine I am testing with is set up to use MD5-Challenge. I have double-checked the key. Doesn't the Cisco log tell us anything? I am like stuck with no troubleshooting steps to get this working.

Thanks for the help!
