Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

3850/NGWC and OS X 802.1x profiles

Hi all,

Some background: We are working on deploying some3850's as Mobility Agents, talking to an upgraded 5508. Our SOE Mac's have a very basic 802.1x profile installed that defines the desired SSID and auth method.

In testing, we have logs showing the machines are authenticated, and I can see DHCPDISCOVER's leaving the switch - but no DHCPOFFER comes back. Machines without the profile are better at joining the SSID and authenticating, but still occasionally have the same issue.

Our 3850 config is pretty simple, can anyone think of something we're missing?

aaa new-model
aaa group server radius radgroup
 server name radserver
aaa authentication login default local
aaa authentication login radgroup group radgroup
aaa authentication dot1x wifi-dot1x group radgroup
aaa authorization exec default local 
aaa authorization network dot1x-auth group radgroup
aaa accounting dot1x default start-stop group scotchplc

! <snip>

dot1x system-auth-control

radius server radserver
 address ipv4 auth-port 1812 acct-port 1813
 key 7 <key>

wlan Staff-wifi 1 Staff-wifi
 client vlan Quarantine
 ip dhcp server
 security dot1x authentication-list wifi-dot1x
 session-timeout 1800
 no shutdown



Everyone's tags (3)

Is there an IP helper address

Is there an IP helper address on the SVI that points to the DCHP server that has the correct scope? If the DHCPdiscover is going out, but no offer is coming back, would look more like a network or DHCP issue.




HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered