3750-X Dot1x for wired switch ports with ISE 1.2 doing eap-tls

Hi,
I currently have an authentication and authorization policy in ISE that allows machines that authenticate successfully with machine certificates to have full access. If they fail, they are denied, and this works correctly. However, the customer does not want to deny them access if they fail; instead he would like the machines that fail authentication to have access only to the Internet. I'm looking for some suggestions on what would be the best way to do this from a policy standpoint. Also, this would be for devices that are IT devices, or part of the organization, as well as for devices that aren't, for example contractors or guests, which may or may not have wired dot1x enabled on the laptop they will be plugging in. Any help is appreciated.
Thanks....

Hello. I can think of two solutions to your requirement:
#1 (Preferred): Configure CWA (Central Web Authentication) to be your last method of authentication/authorization. That way any devices that fail both dot1x and MAB would be sent to the guest/web portal hosted by ISE. There users can log in with either their AD credentials and/or their guest credentials. That way you can actually provide better/more access to AD-type users vs. true guests.
#2 (Less preferred): You can use the following command to authorize users/devices that fail dot1x into a "Guest/Internet" VLAN. Keep in mind, though, that if you use that then there is no "next method", so you cannot utilize MAB:
  (config-if)#authentication event fail action authorize vlan guest_vlan_id
Thank you for rating helpful posts! 
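As an added illustration of option #1 (this is not configuration from the post above, and ISE's own screens are not shown), here is a Catalyst 3750-X configuration that runs dot1x first, falls through to MAB, and lets the MAB result from ISE be the CWA redirect. The ISE address 192.0.2.10, VLAN numbers, the ACL name and the shared-secret placeholders are assumptions; the contrast line at the end is option #2 from the answer.

```ios
! Added example (not from the post above): 3750-X global and port
! configuration for dot1x -> MAB -> CWA on ISE. 192.0.2.10, the VLAN
! numbers, the ACL name and <shared-secret> are assumed values.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
! Needed for dACLs and the URL redirect to be applied per client
ip device tracking
! The switch itself answers the redirected HTTP(S) request
ip http server
ip http secure-server
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <shared-secret>
radius-server vsa send authentication
radius-server vsa send accounting
! ISE sends a CoA after the portal login to replace the redirect with the final authorization
aaa server radius dynamic-author
 client 192.0.2.10 server-key <shared-secret>
!
! Referenced by name in the ISE "Wired CWA" authorization profile.
! On a Catalyst switch, "permit" here means "redirect this traffic";
! DNS, DHCP and traffic to ISE itself must not be redirected.
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny   udp any any eq domain
 deny   udp any any eq bootps
 deny   ip any host 192.0.2.10
 permit tcp any any eq www
 permit tcp any any eq 443
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 20
 ! dot1x first. A RADIUS reject goes to the next method (fail action),
 ! a supplicant-less client gets to MAB through the order after tx-period
 ! expires; either way ISE sees a MAB request and answers with the CWA profile.
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! Option #2 from the answer, for contrast: this replaces "next-method",
! so MAB and the portal never run for a client whose dot1x was rejected.
!  authentication event fail action authorize vlan 40
```

On the ISE side the "Wired CWA" authorization profile uses Web Redirection (CWA) with ACL-WEBAUTH-REDIRECT as the redirect ACL, and the rule that matches the guest flow after login can return a dACL (for example, deny RFC 1918 destinations, permit everything else) so "Internet only" is enforced without a VLAN change and without the client needing a new DHCP lease. If a site is still in low-impact mode, add "authentication open" and a pre-auth port ACL to the interface; the redirect is still applied to the MAB session.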

Similar Messages

  • Why can't I extend my wired TC port with linksys switch?

    Temporarily, connect a laptop to one of the LAN <-> ports on the TC using an Ethernet cable. Turn off wireless on the laptop. Can the laptop connect to the Internet?
    If yes, you know the port is working and the Ethernet cable is working.
    If yes, connect the switch to the same Ethernet cable. I assume that you are using an "unmanaged" switch. Some switches may need to be powered off and restarted.
    If no on the first test, try another Ethernet cable that you know is working. Try another LAN <-> port as well.
    The whole idea is to start at the TC and work outward step by step, checking each connection and step along the way.

  • ACS 5.3 Dot1x for Wired/Wireless

    Hi Community,
I have a query regarding an ACS 5.3 installation. I have wired and wireless clients in my setup, with Nexus 5k and 45k switches and a WLC-5508. We are also using Microsoft AD to authenticate clients for network access.
    My questions are
1.       Can we configure dot1x in this scenario to use passwords only (no certificates needed at all)? Or do we need certificates in order to configure it properly (like AD and ACS sync issues etc.)?
2.       If yes, can someone point me to any good docs that can help?
    Regards,
    Hammad

    Hi Jatin,
Thanks for the tips earlier. However, I installed ACS 5.4 and then configured the server from scratch.
I am getting MAB as well as Dot1X authentication. But for two different users I am getting two different results for DOT1X; wondering why this is happening? Is it an ACS/switch config issue or is it related to AD?
I am finding one user is getting perfectly authenticated while the other is showing "Authorization failed" yet is still able to access the NW.
    #$cation sessions interface tenGigabitEthernet 1/1/12
               Interface: TenGigabitEthernet1/1/12
             MAC Address: 28d2.4421.109c
               IP Address: 10.160.193.100
               User-Name: ABC\shuser
                   Status: Authz Success
                   Domain: DATA
         Security Policy: Should Secure
         Security Status: Unsecure
           Oper host mode: multi-auth
         Oper control dir: both
           Authorized By: Authentication Server
            Vlan Policy: N/A
                 ACS ACL: xACSACLx-IP-SSH-PERMIT-ALL-5270ce52
         Session timeout: N/A
             Idle timeout: N/A
       Common Session ID: 0AA000010000010548A006AC
         Acct Session ID: 0x000007A4
                   Handle: 0xA1000106
    Runnable methods list:
           Method   State
           dot1x   Authc Success
    CS01#
    CS01#
    CS01#$cation sessions interface tenGigabitEthernet 1/1/12
               Interface: TenGigabitEthernet1/1/12
             MAC Address: 28d2.4421.109c
               IP Address: 10.160.193.100
               User-Name: host/TESTPC01.sportshub.com.sg
                   Status: Authz Failed
                   Domain: DATA
         Security Policy: Should Secure
         Security Status: Unsecure
           Oper host mode: multi-auth
         Oper control dir: both
           Authorized By: Authentication Server
             Vlan Policy: N/A
         Session timeout: N/A
             Idle timeout: N/A
       Common Session ID: 0AA000010000010648A11C04
         Acct Session ID: 0x000007AD
                   Handle: 0x61000107
    Runnable methods list:
           Method   State
           dot1x   Authc Success
    ================================
    SWITCH PORT CONFIG:
    int ten1/1/9
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    authentication host-mode multi-auth
    authentication violation restrict
    dot1x timeout tx-period 10
    dot1x timeout quiet-period 20
    authentication timer reauthenticate server
    dot1x max-reauth-req 3
    Regards,
    Hammad

  • Wired 802.1X with ISE | Some computers cannot be authenticated

    Hi,
    We have a customer which is using ISE with 802.1X in order to authenticate computers. All the computers have their own certificate and most of them can be authenticated fine! The issue is that some computers cannot be authenticated.
The port configurations on the authenticator (Cisco WS-C4510R+E, IOS 151-1) are exactly the same:
    interface GigabitEthernet2/19
    switchport access vlan 999
    switchport mode access
    authentication event no-response action authorize vlan 111
    authentication host-mode multi-domain
    authentication port-control auto
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 5
But for some reason some PCs cannot be authenticated. A Wireshark capture on a computer that is not working shows that the computer receives an EAP Request/Identity and also sends a Response/Identity to the switch, but then nothing more happens:
So the process is stuck at the EAP-Response/Identity. I attach a debug capture on the switch for one of the computers which cannot be authenticated.
It is really weird, as most of the computers can be authenticated without any issues.
    Thanks in advance for your help.
    /Laurent

    I continued the debugging with the following debugs:
debug dot1x all
    debug authentication events
    And now I see the following interesting difference between the 2 clients:
    This one works:
    Aug 30 09:12:06.245: dot1x-ev(Gi3/34): New client detected, issuing Start Request to AuthMgr
    Aug 30 09:12:06.245: AUTH-EVENT (Gi3/34) Received 'START_REQUEST', current method is dot1x (handle 0x00000003)
    Aug 30 09:12:06.245: AUTH-EVENT (Gi3/34) Start request by method "dot1x" for bc5f.f439.21ca
    Aug 30 09:12:06.245: AUTH-EVENT: auth_mgr_idc_insert_key_in_record: update mac bc5f.f439.21ca
    Aug 30 09:12:06.245: AUTH-EVENT (Gi3/34) Sending NEW_MAC to dot1x (handle 0x5E0001D2)
    !! output suppressed - results in success
    This one does NOT work:
    Aug 30 09:14:22.247: dot1x-ev(Gi3/34): New client detected, issuing Start Request to AuthMgr
    Aug 30 09:14:22.247: AUTH-EVENT (Gi3/34) Received 'START_REQUEST', current method is dot1x (handle 0x00000003)
    Aug 30 09:14:22.247: AUTH-EVENT (Gi3/34) Start request by method "dot1x" for 3860.775d.cf06
    Aug 30 09:14:22.247: AUTH-EVENT (Gi3/34) MAC 3860.775d.cf06 moved from Gi1/2
    Aug 30 09:14:22.247: AUTH-EVENT (Gi3/34) MAC move action is deny
    !! output supressed - results in failure
Both clients are tested one at a time on interface Gi3/34.
The interface that denies the MAC move action is Gi1/2. This is an interface connected to another network that both of the clients were previously connected to, before connecting them to the Dot1X network (in this case, interface Gi3/34).
So now the question is what the MAC move action tries to do, and why it is denied...
If I do a MAC address table lookup of the affected address, it gives nothing! The MAC is not associated with interface Gi1/2 in the MAC table, even though this is where the auth-manager tries to move it from:
    SW_3.sal#sh mac add add 3860.775d.cf06     
    No entries present.
If the MAC is not present in the address table, how can it be associated with Gi1/2?
I found out that the following command clears whatever state is inconsistent:
    clear authentication sessions mac xxxx.xxxx.xxxx
    And now the client can access the network!
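As an added example (not code from either thread), a small Python triage script that parses the "show authentication sessions interface" output quoted in the ACS 5.3 thread above and the "debug authentication events" lines from this thread. It flags sessions that show "Authz Failed" despite a successful dot1x method (the ACS case) and clients whose MAC move was denied, pairing each with the "clear authentication sessions mac" command the poster used. Both sample inputs are constructed from the quoted output, trimmed to the fields the parser reads.

```python
"""Triage helper for Catalyst IOS 802.1X session state (added example,
not code from the forum threads). Parses "show authentication sessions
interface" output and "debug authentication events" lines."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the two session records from the ACS 5.3 thread,
# trimmed to the fields this parser reads.
SESSION_OUTPUT = """\
           Interface: TenGigabitEthernet1/1/12
         MAC Address: 28d2.4421.109c
          IP Address: 10.160.193.100
           User-Name: ABC\\shuser
              Status: Authz Success
       Authorized By: Authentication Server
Runnable methods list:
       Method   State
       dot1x   Authc Success
           Interface: TenGigabitEthernet1/1/12
         MAC Address: 28d2.4421.109c
          IP Address: 10.160.193.100
           User-Name: host/TESTPC01.sportshub.com.sg
              Status: Authz Failed
       Authorized By: Authentication Server
Runnable methods list:
       Method   State
       dot1x   Authc Success
"""

# Constructed sample: the working and the failing client from the
# "debug authentication events" output in the ISE thread.
DEBUG_LOG = """\
Aug 30 09:12:06.245: AUTH-EVENT (Gi3/34) Start request by method "dot1x" for bc5f.f439.21ca
Aug 30 09:12:06.245: AUTH-EVENT (Gi3/34) Sending NEW_MAC to dot1x (handle 0x5E0001D2)
Aug 30 09:14:22.247: AUTH-EVENT (Gi3/34) Start request by method "dot1x" for 3860.775d.cf06
Aug 30 09:14:22.247: AUTH-EVENT (Gi3/34) MAC 3860.775d.cf06 moved from Gi1/2
Aug 30 09:14:22.247: AUTH-EVENT (Gi3/34) MAC move action is deny
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?):\s+(.*?)\s*$")
MOVED_RE = re.compile(r"AUTH-EVENT \((\S+)\) MAC ([0-9a-f.]+) moved from (\S+)")
DENY_RE = re.compile(r"AUTH-EVENT \((\S+)\) MAC move action is deny")


def parse_sessions(text: str) -> List[Dict[str, object]]:
    """One dict per session record; method states live under "methods"."""
    sessions: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    in_methods = False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("Interface:"):        # a new session record begins
            if current:
                sessions.append(current)
            current = {"methods": {}}
            in_methods = False
        if stripped == "Runnable methods list:":
            in_methods = True
            continue
        if in_methods:
            if stripped.split()[:2] == ["Method", "State"]:
                continue                              # column header
            name, _, state = stripped.partition(" ")
            current["methods"][name] = state.strip()
            continue
        m = FIELD_RE.match(line)
        if m and current:
            current[m.group(1)] = m.group(2)
    if current:
        sessions.append(current)
    return sessions


def find_authz_failures(sessions: List[Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """(MAC, User-Name, dot1x state) for sessions the server rejected at
    authorization although a method authenticated; correlate these with
    the RADIUS server's failed-attempts log."""
    return [
        (str(s.get("MAC Address", "")), str(s.get("User-Name", "")),
         str(s["methods"].get("dot1x", "")))
        for s in sessions
        if s.get("Status") == "Authz Failed"
    ]


def find_denied_mac_moves(log: str) -> List[Dict[str, str]]:
    """Pair each "MAC ... moved from" line with the "MAC move action is deny"
    that follows on the same interface and emit the clear command that drops
    the stale session the auth manager is still holding for that MAC."""
    pending: Dict[str, Tuple[str, str]] = {}      # interface -> (mac, old interface)
    findings: List[Dict[str, str]] = []
    for line in log.splitlines():
        moved = MOVED_RE.search(line)
        if moved:
            pending[moved.group(1)] = (moved.group(2), moved.group(3))
            continue
        denied = DENY_RE.search(line)
        if denied and denied.group(1) in pending:
            mac, old_if = pending.pop(denied.group(1))
            findings.append({"mac": mac, "to": denied.group(1), "from": old_if,
                             "fix": f"clear authentication sessions mac {mac}"})
    return findings


if __name__ == "__main__":
    for mac, user, state in find_authz_failures(parse_sessions(SESSION_OUTPUT)):
        print(f"authz failed: {mac} {user} (dot1x {state})")
    for f in find_denied_mac_moves(DEBUG_LOG):
        print(f"mac move denied: {f['mac']} {f['from']} -> {f['to']}; run: {f['fix']}")
```

Run it against pasted output from the switch; the "Authz Failed" hit in the ACS thread is the machine account (host/...) of the same MAC that authenticated fine as a user, which is the kind of pairing the script surfaces for you to check on the server side.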

  • Wired Guest CWA with ISE

    Having a heck of a time getting this to work.
    First option is for the device to try and authenticate using Dot1X/EAP-TLS - for domain-connected devices only.
    If that fails, they want the option to pop a CWA portal where they can enter either AD creds, or internal Guest user creds.
    My challenge is the Policies and where to insert.
    I'm using Policy Sets in ISE 1.2
    Currently, I have these statements in the Default Policy Set:
    Rule Name                  Conditions                                  Permissions
    Wired Guest Portal Auth    if Net Access:UseCase EQUALS Guest Flow     Permit Access
    Wired Guest Redirect       if Wired_MAB                                Wired CWA
    What I figured is if they fail the .1X, they'll drop down here to Wired MAB, and that will initiate a redirect and Guest Flow.
    Couple problems:
    First, it does seem to try; a show auth sess shows the proper redirect URL getting sent to the switchport.
    Unfortunately, my browser pop gives me a certificate not recognized error, and if i try to continue anyways, it doesn't do anything. Wireless Guest, which I copied works fine.
    Second challenge is that it forces the redirect whether I have the switch (NAD) in Monitor Mode or Low Impact Mode. This is a problem because there are multiple sites, and we're cutting each over to Low Impact progressively.
    Does anyone have any insight, or a document laying out in step by step terms implementing this?
    thanks in advance.

    Hi Andrew! Yes, good job on fixing the portal issue!
    And yes, the authorization rules are considered even in an open mode! And you are also correct that you will need to create different rules to account for NADs that are in production and for NADs that are in monitor mode. I have always liked using a separate Policy Set for Monitor Mode and a separate Policy Set for Production Mode. Then I used device location to match against these conditions. For each location I have two sub-groups: One for Monitor and one for Production. That way I can move a NAD from monitor mode to full production by simply changing its group.
    Lastly, yes, your CWA rules should be at the bottom of your production authorization rules. 
    Thank you for rating helpful posts!

  • Wired guest vlan with ISE

    Hi all,
    For those that have travelled down the path of ISE, is it reliable to put all the switch ports into a guest VLAN and rely on the NAM to change that for corporate users? We will be using the AnyConnect NAM supplicant for corporate users, so they should automatically be changed into the corporate VLAN on successful authentication. Is this correct, and is it reliable?
    Testing now with all ports on the corporate VLAN has guests still accessing the corporate VLAN initially, before they are changed by the Java applet upon registering as a guest user.
    Thanks

    I will try to answer all of your questions:
    1.     "With the standard port configuration, is it better to have the switch ports on vlan 40 (guest vlan) by default, and have the corporate users NAM supplicant change the vlan to 20 if successful, or the other way around and have the ports in default state on vlan 20 (corporate) and when a guest hits the web portal have their vlan changed to vlan 40"
           - I suppose the standard is to have the port in the regular/standard VLAN and only put failed authentications in the guest VLAN. However, with that being said, it really depends on what you are trying to accomplish, thus I suppose you could try doing it the other way around. I have never tested it nor deployed it that way, so I highly recommend you try that in the lab.
    2.     "I wanted to know if the change of vlan for corporate users with NAM is reliable?"
           - Yes it is. Well, at least for the most part. Some "dumb" devices such as printers, badge readers, etc., might not know that a VLAN was changed, thus never request a new IP address. As a result, they get stuck in the guest VLAN. That is why I usually like to NOT use a guest VLAN but send all failed authentications through the guest portal. There you can control who is guest and who is not via dACLs.
    3.     "We also plan on implementing low impact mode, ie open authentication with a default ACL as there are things like PXE booting that needs to happen"
           - So my guess is that the guest VLAN terminates on some interface such as a FW DMZ. That interface usually has some ACL that blocks all RFC 1918 and permits everything else. If that is the case and you want to use Low-Impact mode, then you will need to grant the same access on the DMZ interface as the one granted in the Low-Impact mode ACL, otherwise things will break.

  • 802.1x EAP-TLS for wired users with ACS 5.5

    Hi All,
    We are configuring a new setup for wired user authentication with 802.1x (EAP-TLS). We are using ACS 5.5 as the authentication server.
    We have added the root CA (internal) certificate and the certificate for ACS signed by the CA. Now we want to check whether authentication is working or not. I believe both the root CA and an identity certificate also need to be installed on the laptops, but I am not sure how to download the certificates for the client machines manually from the CA.
    Kindly suggest how to get certificates for clients both manually as well as automatically.
    Thanks,
    Vijay

    Hi Vijay,
       for wired 802.1x (EAP-TLS) you need to have the following certificates:
    On ACS --- Root CA, Intermediate CA, Server Certificate
    On Client --- Root CA, Intermediate CA, User certificate (in case of user authentication) OR Machine certificate (in case of machine authentication)
     I am not sure which third-party certificate server you are using. If it's an in-house Microsoft or any other certificate server, then you need to download the client certificate from the server itself.
    In case of Microsoft, there will be a template for user certificates. You can select it and create a user certificate.
    This one is an old document, but it has steps to configure a machine certificate for the user. You can see the steps to download a user certificate if it's a Microsoft server:
    http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-server-windows/43722-acs-eap.html#wc-2
    In case you are using a third-party certificate server, then you need to check with them on how to download the user certificate.
    Cheers
    Minakshi(rate the helpful post)

  • Considerations for 802.1x Port Based and Wi-Fi Certificate Authentication

    Lately, we have been going back and forth with the thought of doing certificate authentication for Wi-Fi and port. We have Server 2012 PKI and CA and it seems fairly straightforward to pump out a certificate to a user and have them authenticate with their certificate to a RADIUS/NPS. However, every time I mention our thoughts to consultants or others they seem to cringe, saying that they've seen this deployment cripple networks.
    We have almost 50 branch retail locations (with hub-spoke topology - all have VPN tunnels to corporate and also a disaster recovery location) and their internet isn't always super stable, and they absolutely need to have network access at all times because they are running Point Of Sale. Right now, if their internet fails, they can remain functional because we have the necessary pieces at all locations to keep a Windows network going, but I'm afraid that if we force 802.1x certificate authentication for the switch ports and Wi-Fi, then if their internet goes down they won't be able to authenticate since the authentication server will be at corporate. I am curious as to how people deal with:
    1. Fail over to a disaster recovery authentication server if the corporate connection goes down
    and:
    2. If internet fails locally and can no longer communicate with any authentication server. Is there some sort of scale-out? It seems complicated since (if I'm not mistaken) it needs access to the CRL to validate certificates and also a Network Policy Server for the authentication and so on.
    What we're really trying to accomplish is to prevent people from bringing in a laptop or device with an Ethernet port, removing an existing device and plugging into the port in its place. MAC filtering doesn't seem like a good solution on a large scale, nor a super secure option, so 802.1x certificate authentication seemed to be the most flexible without having to go full NAP/NAC. Anyhow, sorry for the lengthy post and I really appreciate your time in advance!

    Re-authentication could be triggered by the NPS, the switch / AP or the client:
    NPS: There is a bunch of attributes to be configured in the Network Policy that determine the time a machine can remain connected, such as Idle Timeout and Session Timeout. (When WEP was still common the session timeout had been used to enforce a change of the insecure key.) Otherwise, the machine should remain connected as far as NPS is concerned.
    Switch / AP: Depends on the configuration, e.g. re-authentication has to be triggered if the link went down. If a user plugs a cable or accidentally disables WLAN on his machine while the internet link is down, he will not be able to reconnect.
    Then I have seen some options similar to the NPS options, and switches could have their own session timeouts or be configured to respect the radius server's setting.
    Client: The term "re-authentication" is also used for what happens if you have to / want to use both machine and user authentication: When the machine starts up, the machine account is authenticated; when the user logs on the user is authenticated; when the user logs off the machine is authenticated again. Per GPO you configure the machines for this kind of re-authentication (the default) or use machine-only or user-only authentication instead.
    It might be a challenge to manage and test these settings if you have to support many different APs / switches and different WLAN devices.
    I would recommend to carefully test it with a pilot group of users.
    Would you have any chance to turn off 802.1x on the switches / APs in case of a major outage? I guess not, as you would be able to manage them remotely?
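The two outage questions in the post above are usually answered on the switch rather than in NPS: a second RADIUS server for failover, and "critical authentication" (an inaccessible-authentication-bypass VLAN) for the case where no server can be reached at all. The thread does not name the switch platform, so the following is an added example for a Cisco Catalyst running IOS 15.x, not configuration from either poster; the server addresses, VLAN 20, the probe user name and the secret placeholders are assumptions.

```ios
! Added example (not from the thread): RADIUS failover plus critical
! authentication on a Cisco Catalyst IOS 15.x access switch. The server
! IPs, VLAN 20, the probe user name and <secret> are assumed values.
!
! Question 1: primary server at corporate, secondary at the DR site.
! The "test username" probe lets the switch mark a server dead on its
! own instead of making every supplicant sit through the retries.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 test username radius-probe idle-time 5 key <secret>
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 test username radius-probe idle-time 5 key <secret>
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
!
! Tell supplicants the port is authorized when it falls back to the
! critical VLAN, so they stop retrying EAPOL and bring the interface up.
dot1x critical eapol
!
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 20
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 ! Question 2: when every RADIUS server is dead, authorize the port into
 ! the VLAN the POS needs (here the normal data VLAN 20) instead of
 ! failing closed ...
 authentication event server dead action authorize vlan 20
 ! ... and re-run 802.1X as soon as a server answers again.
 authentication event server alive action reinitialize
 dot1x pae authenticator
 mab
```

The caveat is that during the outage the critical VLAN admits anything plugged into the port, which is exactly the attack the poster wants to stop; keep the dead-criteria tight so a slow link does not trip it, keep the secondary server on a path that does not share the corporate tunnel, and alert on the "server dead" transitions. Revocation checking of the client certificate is done by NPS, so the branch switch never needs the CRL itself; only reachability of a RADIUS server matters.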

  • UC520 SNMP change fast ethernet switch port vlan

    Hi,
    I've a UC520 running uc500-advipservicesk9-mz.151-4.M5. I am trying to change the VLAN on a switch port using SNMP; however, it looks like the UC520 doesn't support "vmVlan".
    snmpwalk -v 1 -c private 10.1.1.1 ifDescr
    IF-MIB::ifDescr.4 = STRING: FastEthernet0/1/1
    snmpset -v 1 -c private 10.1.1.1 1.3.6.1.4.1.9.9.68.1.2.2.1.2.4 integer 151
    Error in packet.
    Reason: (noSuchName) There is no such variable name in this MIB.
    Failed object: SNMPv2-SMI::enterprises.9.9.68.1.2.2.1.2.4
    Does anyone know the MIB for changing the switch port VLAN?
    Rg,
    Gerald.

    What do you mean by dumb switch? What model/make/company is that switch?
    Can you try a reset of the switch so that it wipes off all the config whatsoever present on the box, and then try to connect the switch to the router?

  • EAP-TLS wi-fi net for PC and iPhone

    Hi, everyone! I'm rather confused and hoped that someone could help me make the situation clear.
    We want to establish a Wi-Fi network with WPA2-Enterprise and EAP-TLS for computers and mobile devices (iPhones, Nokia Symbian, Android devices).
    The connection is organised this way: client---AP 1240---ACS 4.2---AD (Server 2003)
    I have 2 test computers with Wi-Fi adapters: one is joined to the domain (has a wired connection), another has a local account, and an iPhone. I customized the settings on these computers, the iPhone, the AP and ACS.
    We have our own CA, a 2-tier PKI infrastructure. I have installed the ACS and client certificates on all the devices (by the way, they are 2048 bits in size).
    I manage to connect from a computer included in the domain, but the second PC and the iPhone refuse to connect, respectively:
    "EAP-TLS or PEAP authentication failed during SSL handshake".
    "EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake"
    Also I saw in the logs that "Machine authentication is not permitted", so the domain PC authenticates through the user account and is mapped to a special group.
    So I think the reason is that only domain devices are allowed to join the network. How can I change this?
    Another variant is that I issued the certificates first to wired domain computers and then exported them to devices not connected to the domain, so they have inappropriate credentials.
    Please, if you have any thoughts about the reason of the problem, share them. I would appreciate any help.

    The ATV is strictly a Wi-Fi client; it doesn't function as a router or access point. You can connect it to your router either by Wi-Fi or Ethernet cable. Your PC doesn't need a Wi-Fi card to work with an ATV as long as they're both on the same network.

  • Limit the number of session per user in the Wired dot1x environment with ISE 1.2

    Hello,
    I need to check if there is any configuration/workaround to limit the number of sessions/accesses per user in the wired dot1x configuration.
    I need to check if this feature is available or not to solve the following scenario:
    I have 2 switch ports configured to use dot1x authentication with an ISE 1.2 server.
    If user A connects to the 1st port and is authenticated, then he will be placed on a VLAN based on the authorization profile.
    The case is that I need to deny the same user connecting on a different machine with the same credentials.
    ISE itself does not have this feature currently; the only feature available is to limit the number of sessions for the guest user.
    Is there any workaround on the Cisco switches to solve this? The Cisco WLC has this feature, and for VPN we can limit the number of sessions from the ASA itself.
    Thanks.

    Limiting the number of sessions per user using wired dot1x is not available in 1.3.

  • I have a current 2TB Time Capsule. I would like to add more ethernet ports for needed expansion. Will an Airport Extreme conflict with the Time Capsule for needed ethernet ports and will wireless from both units conflict?

    I own a current 2TB Time Capsule and I need to expand my network system to include more ethernet (wired) ports. I am considering an Airport Extreme that would give me enough wired ports. Will the wireless capabilities of both units conflict with each other? I only need one wireless network. Thank you for any help.

    While you could certainly add an AirPort Extreme to provide additional Ethernet ports, you could also save about $150 by purchasing an inexpensive switch, such as one of these:
    http://www.amazon.com/D-Link-DGS-1005G-5-Port-Gigabit-Desktop/dp/B003X7TRWE/
    http://www.amazon.com/TRENDnet-Unmanaged-GREENnet-Auto-Negotiation-Auto-MDIX/dp/B001QUA6R0/
    Consumer grade Ethernet switches typically come in five and eight port configurations. Just be aware that a five port switch only conveys the ability to add three additional devices. An eight port switch conveys the ability to add six additional devices.
    An 8 port switch provides twice the capacity of a 5 port switch for considerably less than twice the cost. The price difference between the two is often only $10 or so.
    I just checked, the 8 port version of the Trendnet switch above costs exactly $4 more.
    An AirPort Extreme is a very flexible full featured wireless router, and would provide three additional LAN ports for wired devices. If all you need is a few more ports though, it's overkill.

  • Help needed with printer settings for wired ethernet connection

    I'm hoping someone can help me with a network printing issue. I have a large format color laser printer (Tektronix Phaser) and since moving to OS 10.6 I can't figure out how to configure the printer so that the system sees it. I have a simple wired ethernet network with a couple of Macs and a couple of printers. All devices are connected via a switch. When using earlier OSs I was able to connect to the Phaser using Ethertalk. Obviously this is no longer supported and I can't figure out how to set the printer so the OS can see it. I have lots of options which can be turned on or off and in some cases set up in other ways: Ethertalk, IPX, Netware, TCP/IP, DNS, LPR, HTTP and remote internet printing, I've tried messing with these but the result is always the same--system doesn't see the printer. Currently Ethertalk is on, IPX and Netware are off, TCP/IP is on, DNS and LPR are on, as are AppSocket, HTTP, FTP and remote internet printing. I can change the IP address but no matter what address I've tried I cannot ping the printer. (I'm using a Gutenprint driver for this printer.)
    I don't really know enough about all this to get anywhere and I haven't been able to find help anywhere even from tech friends. Xerox won't help me and neither will Apple. Any help would be appreciated. I can supply more detail on specifics where necessary. Thanks, Bob

    Old Phaser models may be becoming more and more difficult to use, but you can give this a try.
    1. Configure the printer via front panel to use TCP/IP and enable DHCP if it's supported. If not then you will need to configure an IP address for the printer together with your local network's mask, and gateway IP address. Except for the first the others will be provided by opening Network preferences to see what those settings are. The printer's IP address needs to be set somewhere within the range of IP addresses your router provides locally.
    2. You need the PPD file required for your printer. If you have the Phaser driver installer you can use it to install the PPD or you can extract the specific PPD from the installer package. This part is tricky because I don't know where you may find the driver now if you don't have the installer. The older installers can be accessed through the Finder by selecting the package then CTRL- or RIGHT-click and select Show Package Contents from the contextual menu. You can then rummage through the package to search for the PPD for your printer. Then navigate to the /Library/Printers/PPD/Contents/Resources/ folder and drop the PPD file inside.
    3. Open Print & Fax preferences and click on Add [+] to add a new printer. Click on the IP icon in the toolbar. Select Line Printer Daemon - LPD from the Protocol drop down menu. Input the IP address you assigned the printer in the Address field. You can fill in the optional fields that follow. Then from the Print Using drop down menu locate the listing for your printer and select it.

  • Looking for an Access Point with 2 Ethernet ports

    Hi,
         I am looking for an AP with two Ethernet ports. Is there any Cisco model available with 2 Ethernet ports?
    Regards,
    Noman

    pros:
    If an access switch/switch port failed, then the AP could still forward traffic through the other switch once power is restored through the other port.
    When PoE fails on its connected switch, it may still work via the other port.
    Having two Ethernet ports on an AP may require talking to different switches/stacks to achieve AP port redundancy through LAG or stateful switchover when a cable/switch/AP port failure occurs.
    If one physical port on the AP goes bad, the AP can still be used with the other.
    (However, AP/physical port failure can be taken care of at the RF level using self healing.)
    cons:
    Requires an additional switch and its config maintenance.
    Currently, an AP doesn't require 2 physical ports from a data transfer perspective.
    Requires 2x PoE ports.
    An additional port increases the cost of the AP.
    It is possible Cisco may make it in the future.

  • Switch port in dot1x multi-auth mode stops passing traffic

    Dear All,
    I am experiencing a problem on a Catalyst 4510 (cat4500-ipbasek9-mz.122-53.SG.bin) with 802.1x configured. Client PCs are connected via a mini desktop switch to a Cat 4510 switched port in multi-auth mode. The configuration of the port follows:
    interface GigabitEthernet2/34
    switchport mode access
    ip arp inspection limit rate 30
    authentication host-mode multi-auth
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    dot1x pae authenticator
    dot1x timeout tx-period 5
    dot1x max-reauth-req 6
    spanning-tree portfast
    ip verify source vlan dhcp-snooping
    end
    It happens from time to time that the Cat 4510 port stops passing traffic. Reconnecting the mini switch recovers the communication. Client PCs connected to the mini switch seem to be authorized at the moment when the problem occurs. The RADIUS Termination-Action attribute is set to RADIUS-Request. The problem is not present if "authentication periodic" is disabled.
    Did anyone experience a similar problem? Any advice?
    Thanks.
    Mirek

    We have the same issue on a 3750E switch running 12.2(58)SE.
