Switch port in dot1x multi-auth mode stops passing traffic

Dear All,
I am experiencing a problem on a Catalyst 4510 (cat4500-ipbasek9-mz.122-53.SG.bin) with 802.1x configured. Client PCs are connected via a mini desktop switch to a Cat 4510 switched port in multi-auth mode. The configuration of the port follows:
interface GigabitEthernet2/34
switchport mode access
ip arp inspection limit rate 30
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
dot1x pae authenticator
dot1x timeout tx-period 5
dot1x max-reauth-req 6
spanning-tree portfast
ip verify source vlan dhcp-snooping
end
It happens from time to time that the Cat 4510 port stops passing traffic. Reconnecting the mini switch recovers the communication. Client PCs connected to the mini switch seem to be authorized at the moment when the problem occurs. The RADIUS Termination-Action attribute is set to RADIUS-Request. The problem is not present if "authentication periodic" is disabled.
Did anyone experience a similar problem? Any advice?
Thanks.
Mirek

We have the same issue on 3750E switch running 12.2.(58)SE

Similar Messages

  • 5505 stops passing traffic with 9.1.3

    I have a 5505 setup in my home office.  It generally works well but I noticed when I upgraded it to 9.1.2.8 it would stop passing traffic after a few days.  I figured this was just the interim release blues and waited until 9.1.3 came out.  However, with 9.1.3 the problem is even worse.  I'm actually not exactly sure what's going on.  Here's what I've noticed:
    I get a lot of DNS connections with the "h" flag (H.225 traffic) set.  This seems like it might have some relation to the problem:
    UDP outside  216.218.130.2:53 inside  192.168.234.146:50705, idle 0:00:18, bytes 534, flags h
    I also get these in 9.1.2 (which works fine), but far fewer.  When traffic stops passing on my ASA, I notice that I have tons of these connections in 9.1.3.
    When traffic stops passing, the ASA itself can no longer get to the Internet.  I can't ping my Comcast router (actually in my office, L2 adjacent to ASA).  I also have some SLA probes going to the Internet which fail.  If I do a clear conn all, then everything starts working again for a while.  The BTF (dynamic-filter) feature seems to make it worse.  If I remove it (remove dynamic-filter-snoop part) then it takes a lot longer before it stops passing traffic:
    policy-map global_policy
    class inspection_default
      inspect dns dns-ipm dynamic-filter-snoop
    What's really strange, is even if I remove all service-policy commands, I still get connections with the "h" flag.  I don't believe that should be possible so perhaps a bug?
    Ideas?


  • Wifi stops passing traffic on original ipad and ipad 2 running ios 5.0.1

    I actually just started having this issue with my Original iPad and my iPad 2. From what I'm seeing it is not a loss of signal but a loss of connectivity; they just stop passing traffic. When this is happening it's sometimes to both iPads but not always. And both our iPhones do not experience the issue while the iPads are having the problem. (all devices running iOS 5 and connected to the same AP). Wired devices also do not have any issues while this is happening to the iPads.
    What I have tried so far:
    1. Changing Channels on the AP to a less congested channel (didn't help)
    2. Shutting wifi off on ipad, then turning back on, solves issue for a random amount of time, then it happens again
    3. Rebooting ipad, sometimes does not help at all until you turn off the radio on the ipad, then back on
    I was ready to get a new router/ap but after reading some other comments, this may be an issue with other people.

    I have exactly the same issue on my brand new iPad2 running iOS5.
    I have also changed the channel, tried different settings, etc. to no avail.
    It tends to happen when streaming video - Skype, YouTube. Also during movie downloads.
    My pc does not have this problem.
    Were you able to find a reliable solution?
    Thanks!

  • Multi-auth and broadcast traffic

    I was talking with a co-worker about multi-auth host mode and we are wondering how does it handle broadcast traffic. So if we have a switch port set to multi-auth and we are doing dynamic vlan assignment. Say you have an esx host device running 5 vm instances, if three of them pass and get assigned vlan 32, the other two fail and get assigned vlan 86. When a broadcast goes out on vlan 32, will the devices that are in vlan 86 see the broadcast traffic?

    Anybody have an idea?

  • Authentication Host-Mode Multi-Auth not working

    hi
    In my lab environment I configured 802.1x with "Multi-Auth" mode for multiple clients on a single protected port to be authenticated against a Microsoft NPS AAA server.
    Switch ports configured with Single-Host or Multi-Host options are working fine but "Multi-Auth" mode is not working. My hardware details and configurations are as follows:
    Catalyst Model = WS-C2960S-24TSL running IOS 12.2(55)SE2
    Current configuration : 10423 bytes
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    aaa new-model
    aaa group server radius NPS
    server-private x.x.x.x auth-port 1645 acct-port 1646 key <removed>
    aaa authentication dot1x default group NPS
    aaa authorization network default group NPS
    aaa session-id common
    switch 1 provision ws-c2960s-24ts-l
    authentication mac-move permit
    dot1x system-auth-control
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    interface GigabitEthernet1/0/1
    switchport access vlan 5
    switchport mode access
    authentication order dot1x webauth
    authentication priority dot1x webauth
    authentication port-control auto
    authentication timer reauthenticate 7200
    authentication violation protect
    dot1x pae authenticator
    spanning-tree portfast
    interface GigabitEthernet1/0/5
    switchport access vlan 5
    switchport mode access
    switchport voice vlan 98
    authentication host-mode multi-auth
    authentication order dot1x mab webauth
    authentication priority dot1x
    authentication port-control auto
    dot1x pae authenticator
    interface GigabitEthernet1/0/7
    switchport access vlan 5
    switchport mode access
    authentication host-mode multi-host
    authentication order dot1x webauth
    authentication priority dot1x webauth
    authentication port-control auto
    authentication timer reauthenticate 7200
    authentication violation protect
    dot1x pae authenticator
    spanning-tree portfast
    interface Vlan5
    ip address x.x.x.x x.x.x.x
    interface Vlan98
    no ip address
    radius-server vsa send accounting
    radius-server vsa send authentication
    end
    My debug log for Authentication, dot1x and AAA is as follows.
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) dot1x_pm_mda_port_link_linkcomingup: voice VLAN 98, data VLAN 5
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Setting domain ALL to UNATHED
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Host access set to ask on unauthorized port since feature
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5)  host access set to 1 on GigabitEthernet1/0/5
    *Mar  1 01:58:51.354: dot1x-ev(Gi1/0/5): Interface state changed to UP
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Enabling dot1x in switch shim
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Host access set to ask on unauthorized port since feature
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5)  host access set to 1 on GigabitEthernet1/0/5
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Host access set to ask on unauthorized port since feature
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5)  host access set to 1 on GigabitEthernet1/0/5
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Received clear security violation
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Received clear security violation
    *Mar  1 01:58:51.354: AUTH-EVENT (Gi1/0/5) Link UP
    *Mar  1 01:58:51.360: AAA/BIND(00000004): Bind i/f
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Assigned AAA ID 0x00000004
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Retrieved Accounting Session ID 0x00000004
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Allocated new Auth Manager context (handle 0x83000002)
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Initialising Method dot1x state to 'Not run'
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Adding method dot1x to runnable list for Auth Mgr context 0x
    *Mar  1 01:58:51.360: AUTH-EVENT: auth_mgr_idc_add_record: Recv audit_sid=0000000000000002006CD0E0
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Sending START to dot1x (handle 0x83000002)
    *Mar  1 01:58:51.360:     dot1x_auth Gi1/0/5: initial state auth_initialize has enter
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_initialize_enter called
    *Mar  1 01:58:51.360:     dot1x_auth Gi1/0/5: during state auth_initialize, got event 0(cfg_auto)
    *Mar  1 01:58:51.360: @@@ dot1x_auth Gi1/0/5: auth_initialize -> auth_disconnected
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_disconnected_enter called
    *Mar  1 01:58:51.360:     dot1x_auth Gi1/0/5: idle during state auth_disconnected
    *Mar  1 01:58:51.360: @@@ dot1x_auth Gi1/0/5: auth_disconnected -> auth_restart
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_restart_enter called
    *Mar  1 01:58:51.360: dot1x-ev(Gi1/0/5): Sending create new context event to EAP for 0x4100002D (0000.0000.0000)
    *Mar  1 01:58:51.360:     dot1x_auth_bend Gi1/0/5: initial state auth_bend_initialize has enter
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_initialize_enter called
    *Mar  1 01:58:51.360:     dot1x_auth_bend Gi1/0/5: initial state auth_bend_initialize has idle
    *Mar  1 01:58:51.360:     dot1x_auth_bend Gi1/0/5: during state auth_bend_initialize, got event 16383(idle)
    *Mar  1 01:58:51.360: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_initialize -> auth_bend_idle
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_idle_enter called
    *Mar  1 01:58:51.360: dot1x-ev(Gi1/0/5): Created a client entry (0x4100002D)
    *Mar  1 01:58:51.360: dot1x-ev(Gi1/0/5): Dot1x authentication started for 0x4100002D (0000.0000.0000)
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Received handle 0x4100002D from method
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Context changing state from 'Idle' to 'Running'
    *Mar  1 01:58:51.360: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Method dot1x changing state from 'Not run' to 'Running'
    *Mar  1 01:58:51.360: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/5
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): Posting !EAP_RESTART on Client 0x4100002D
    *Mar  1 01:58:51.360:     dot1x_auth Gi1/0/5: during state auth_restart, got event 6(no_eapRestart)
    *Mar  1 01:58:51.360: @@@ dot1x_auth Gi1/0/5: auth_restart -> auth_connecting
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_connecting_enter called
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): 0x4100002D:auth_restart_connecting_action called
    *Mar  1 01:58:51.360: dot1x-sm(Gi1/0/5): Posting RX_REQ on Client 0x4100002D
    *Mar  1 01:58:51.365:     dot1x_auth Gi1/0/5: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
    *Mar  1 01:58:51.365: @@@ dot1x_auth Gi1/0/5: auth_connecting -> auth_authenticating
    *Mar  1 01:58:51.365: dot1x-sm(Gi1/0/5): 0x4100002D:auth_authenticating_enter called
    *Mar  1 01:58:51.365: dot1x-sm(Gi1/0/5): 0x4100002D:auth_connecting_authenticating_action called
    *Mar  1 01:58:51.365: dot1x-sm(Gi1/0/5): Posting AUTH_START for 0x4100002D
    *Mar  1 01:58:51.365:     dot1x_auth_bend Gi1/0/5: during state auth_bend_idle, got event 4(eapReq_authStart)
    *Mar  1 01:58:51.365: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_idle -> auth_bend_request
    *Mar  1 01:58:51.365: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_enter called
    *Mar  1 01:58:51.365: dot1x-ev(Gi1/0/5): Sending EAPOL packet to group PAE address
    *Mar  1 01:58:51.365: dot1x-ev(Gi1/0/5): Role determination not required
    *Mar  1 01:58:51.365: dot1x-registry:registry:dot1x_ether_macaddr called
    *Mar  1 01:58:51.365: dot1x-ev(Gi1/0/5): Sending out EAPOL packet
    *Mar  1 01:58:51.365: EAPOL pak dump Tx
    *Mar  1 01:58:51.365: EAPOL Version: 0x3  type: 0x0  length: 0x0005
    *Mar  1 01:58:51.365: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
    *Mar  1 01:58:51.365: dot1x-packet(Gi1/0/5): EAPOL packet sent to client 0x4100002D (0000.0000.0000)
    *Mar  1 01:58:51.365: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_idle_request_action called
    *Mar  1 01:58:53.352: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to up
    *Mar  1 01:58:54.353: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/5, changed state to up
    *Mar  1 01:59:22.188: dot1x-sm(Gi1/0/5): Posting EAP_REQ for 0x4100002D
    *Mar  1 01:59:22.188:     dot1x_auth_bend Gi1/0/5: during state auth_bend_request, got event 7(eapReq)
    *Mar  1 01:59:22.188: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_request -> auth_bend_request
    *Mar  1 01:59:22.188: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_request_action called
    *Mar  1 01:59:22.188: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_enter called
    *Mar  1 01:59:22.188: dot1x-ev(Gi1/0/5): Sending EAPOL packet to group PAE address
    *Mar  1 01:59:22.188: dot1x-ev(Gi1/0/5): Role determination not required
    *Mar  1 01:59:22.188: dot1x-registry:registry:dot1x_ether_macaddr called
    *Mar  1 01:59:22.188: dot1x-ev(Gi1/0/5): Sending out EAPOL packet
    *Mar  1 01:59:22.188: EAPOL pak dump Tx
    *Mar  1 01:59:22.188: EAPOL Version: 0x3  type: 0x0  length: 0x0005
    *Mar  1 01:59:22.188: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
    *Mar  1 01:59:22.188: dot1x-packet(Gi1/0/5): EAPOL packet sent to client 0x4100002D (0000.0000.0000)
    *Mar  1 01:59:53.016: dot1x-sm(Gi1/0/5): Posting EAP_REQ for 0x4100002D
    *Mar  1 01:59:53.016:     dot1x_auth_bend Gi1/0/5: during state auth_bend_request, got event 7(eapReq)
    *Mar  1 01:59:53.016: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_request -> auth_bend_request
    *Mar  1 01:59:53.016: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_request_action called
    *Mar  1 01:59:53.016: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_enter called
    *Mar  1 01:59:53.016: dot1x-ev(Gi1/0/5): Sending EAPOL packet to group PAE address
    *Mar  1 01:59:53.016: dot1x-ev(Gi1/0/5): Role determination not required
    *Mar  1 01:59:53.016: dot1x-registry:registry:dot1x_ether_macaddr called
    *Mar  1 01:59:53.016: dot1x-ev(Gi1/0/5): Sending out EAPOL packet
    *Mar  1 01:59:53.016: EAPOL pak dump Tx
    *Mar  1 01:59:53.016: EAPOL Version: 0x3  type: 0x0  length: 0x0005
    *Mar  1 01:59:53.016: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
    *Mar  1 01:59:53.016: dot1x-packet(Gi1/0/5): EAPOL packet sent to client 0x4100002D (0000.0000.0000)
    *Mar  1 02:00:23.844: dot1x-ev(Gi1/0/5): Received an EAP Timeout
    *Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): Posting EAP_TIMEOUT for 0x4100002D
    *Mar  1 02:00:23.844:     dot1x_auth_bend Gi1/0/5: during state auth_bend_request, got event 12(eapTimeout)
    *Mar  1 02:00:23.844: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_request -> auth_bend_timeout
    *Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_timeout_enter called
    *Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_request_timeout_action called
    *Mar  1 02:00:23.844:     dot1x_auth_bend Gi1/0/5: idle during state auth_bend_timeout
    *Mar  1 02:00:23.844: @@@ dot1x_auth_bend Gi1/0/5: auth_bend_timeout -> auth_bend_idle
    *Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): 0x4100002D:auth_bend_idle_enter called
    *Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): Posting AUTH_TIMEOUT on Client 0x4100002D
    *Mar  1 02:00:23.844:     dot1x_auth Gi1/0/5: during state auth_authenticating, got event 14(authTimeout)
    *Mar  1 02:00:23.844: @@@ dot1x_auth Gi1/0/5: auth_authenticating -> auth_authc_result
    *Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): 0x4100002D:auth_authenticating_exit called
    *Mar  1 02:00:23.844: dot1x-sm(Gi1/0/5): 0x4100002D:auth_authc_result_enter called
    *Mar  1 02:00:23.844: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID
    *Mar  1 02:00:23.844: dot1x-ev(Gi1/0/5): Sending event (2) to Auth Mgr for 0000.0000.0000
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Received AUTHC_RESULT from dot1x (handle 0x83000002)
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Authc Result: no-response
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Method dot1x changing state from 'Running' to 'Authc Failed'
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Context changing state from 'Running' to 'Authc Failed'
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Existing AAA ID: 0x00000004
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Received AAA ID 0x00000004 from method
    *Mar  1 02:00:23.844: AUTH-EVENT: Enter auth_mgr_idc_modify_keys
    *Mar  1 02:00:23.844: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID 0000000000000002006CD0E0
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Sending AUTHZ_FAIL to dot1x (handle 0x83000002)
    *Mar  1 02:00:23.844: dot1x-ev(Gi1/0/5): Received Authz fail for the client  0x4100002D (0000.0000.0000)
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Method dot1x changing state from 'Authc Failed' to 'Failed over'
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Sending DELETE to dot1x (handle 0x83000002)
    *Mar  1 02:00:23.844: dot1x-ev(Gi1/0/5): Deleting client 0x4100002D (0000.0000.0000)
    *Mar  1 02:00:23.844: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID 0000000000000002006CD0E0
    *Mar  1 02:00:23.844: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID 0000000000000002006CD0E0
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) No more runnable methods
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Context changing state from 'Authc Failed' to 'No Methods'
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Building default attribute list for unresponsive client
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Signalling Authc fail for client 0000.0000.0000
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
    *Mar  1 02:00:23.844: %AUTHMGR-5-FAIL: Authorization failed for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID 0000000000000002006CD0E0
    *Mar  1 02:00:23.844: AUTH-EVENT (Gi1/0/5) Client 0000.0000.0000, Context changing state from 'No Methods' to 'Authz Failed'
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Signalling Authz fail for client 0000.0000.0000
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) dot1x_switch_authz_fail: Called for GigabitEthernet1/0/5 and 0000.0000.0000
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Host access set to ask on unauthorized port since feature
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5)  host access set to 1 on GigabitEthernet1/0/5
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Setting domain DATA to UNATHED
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Authorized client count: 0
    *Mar  1 02:00:23.849: AUTH-SYNC (Gi1/0/5) Syncing update for context (0000.0000.0000)
    *Mar  1 02:00:23.849: AUTH-EVENT: Started Auth Manager tick timer
    *Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Started 'restart' timer (60s) for client 0000.0000.0000
    *Mar  1 02:00:23.849: dot1x-sm(Gi1/0/5): Posting_AUTHZ_FAIL on Client 0x4100002D
    *Mar  1 02:00:23.849:     dot1x_auth Gi1/0/5: during state auth_authc_result, got event 22(authzFail)
    *Mar  1 02:00:23.849: @@@ dot1x_auth Gi1/0/5: auth_authc_result -> auth_held
    *Mar  1 02:00:23.849: dot1x-ev:Delete auth client (0x4100002D) message
    *Mar  1 02:00:23.849: dot1x-ev:Auth client ctx destroyed
    *Mar  1 02:00:23.849: dot1x-ev:Aborted posting message to authenticator state machine: Invalid client
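    A small summariser for traces like the one above, written for this thread (it is not Cisco code). It reduces the "debug dot1x" / "debug authentication" output to the dot1x_auth state path, the EAPOL requests sent, and the Auth Manager result per port; the sample lines are a constructed subset of the debug output posted above.

```python
"""Summarise a Cisco IOS 802.1X debug trace per port.

Added example for this thread, not Cisco code. SAMPLE_DEBUG is a constructed
subset of the debug lines posted above (Gi1/0/5, client 0000.0000.0000)."""
import re
from collections import defaultdict

SAMPLE_DEBUG = """\
*Mar  1 01:58:51.360: @@@ dot1x_auth Gi1/0/5: auth_initialize -> auth_disconnected
*Mar  1 01:58:51.360: @@@ dot1x_auth Gi1/0/5: auth_disconnected -> auth_restart
*Mar  1 01:58:51.360: @@@ dot1x_auth Gi1/0/5: auth_restart -> auth_connecting
*Mar  1 01:58:51.365: @@@ dot1x_auth Gi1/0/5: auth_connecting -> auth_authenticating
*Mar  1 01:58:51.365: dot1x-packet(Gi1/0/5): EAPOL packet sent to client 0x4100002D (0000.0000.0000)
*Mar  1 01:59:22.188: dot1x-packet(Gi1/0/5): EAPOL packet sent to client 0x4100002D (0000.0000.0000)
*Mar  1 01:59:53.016: dot1x-packet(Gi1/0/5): EAPOL packet sent to client 0x4100002D (0000.0000.0000)
*Mar  1 02:00:23.844: dot1x-ev(Gi1/0/5): Received an EAP Timeout
*Mar  1 02:00:23.844: @@@ dot1x_auth Gi1/0/5: auth_authenticating -> auth_authc_result
*Mar  1 02:00:23.844: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID
*Mar  1 02:00:23.844: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID 0000000000000002006CD0E0
*Mar  1 02:00:23.844: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Gi1/0/5 AuditSessionID 0000000000000002006CD0E0
*Mar  1 02:00:23.849: AUTH-EVENT (Gi1/0/5) Started 'restart' timer (60s) for client 0000.0000.0000
*Mar  1 02:00:23.849: @@@ dot1x_auth Gi1/0/5: auth_authc_result -> auth_held
"""

# Line shapes taken from the trace above; the back-end machine (dot1x_auth_bend) is ignored.
TRANSITION = re.compile(r"@@@ (?P<sm>dot1x_auth(?:_bend)?) (?P<intf>\S+): (?P<frm>\w+) -> (?P<to>\w+)")
EAPOL_TX = re.compile(r"dot1x-packet\((?P<intf>[^)]+)\): EAPOL packet sent to client")
EAP_TIMEOUT = re.compile(r"dot1x-ev\((?P<intf>[^)]+)\): Received an EAP Timeout")
RESULT = re.compile(r"%AUTHMGR-7-RESULT: Authentication result '(?P<result>[^']+)' from "
                    r"'(?P<method>[^']+)' for client \((?P<client>[^)]+)\) on Interface (?P<intf>\S+)")
NOMORE = re.compile(r"%AUTHMGR-7-NOMOREMETHODS: .* on Interface (?P<intf>\S+)")
RESTART = re.compile(r"AUTH-EVENT \((?P<intf>[^)]+)\) Started 'restart' timer \((?P<secs>\d+)s\)")


def _new_port():
    return {"path": [], "eapol_tx": 0, "eap_timeouts": 0, "results": [],
            "methods_exhausted": False, "restart_secs": None}


def diagnose(p):
    """Turn the counters for one port into a one-line troubleshooting verdict."""
    if any(r == "no-response" for _, r, _ in p["results"]) and p["eapol_tx"] and p["eap_timeouts"]:
        msg = (f"{p['eapol_tx']} EAP-Request/Identity frames sent, no reply: the host has no "
               "802.1X supplicant or it is not answering on this port.")
        if p["methods_exhausted"]:
            # Listing 'mab' in 'authentication order' does not enable it; the interface
            # also needs the 'mab' command before Auth Manager can fail over to it.
            msg += " No fallback method ran (check that 'mab' is enabled on the interface)."
        if p["restart_secs"]:
            msg += f" Port held; next attempt in {p['restart_secs']}s."
        return msg
    if any(r == "success" for _, r, _ in p["results"]):
        return "authenticated"
    return "inconclusive: " + " -> ".join(p["path"])


def summarise(debug_text):
    """Return {interface: summary dict} for every port seen in the trace."""
    ports = defaultdict(_new_port)
    for line in debug_text.splitlines():
        if (m := TRANSITION.search(line)):
            if m["sm"] == "dot1x_auth":
                p = ports[m["intf"]]
                if not p["path"]:
                    p["path"].append(m["frm"])
                p["path"].append(m["to"])
        elif (m := EAPOL_TX.search(line)):
            ports[m["intf"]]["eapol_tx"] += 1
        elif (m := EAP_TIMEOUT.search(line)):
            ports[m["intf"]]["eap_timeouts"] += 1
        elif (m := RESULT.search(line)):
            ports[m["intf"]]["results"].append((m["method"], m["result"], m["client"]))
        elif (m := NOMORE.search(line)):
            ports[m["intf"]]["methods_exhausted"] = True
        elif (m := RESTART.search(line)):
            ports[m["intf"]]["restart_secs"] = int(m["secs"])
    for p in ports.values():
        p["diagnosis"] = diagnose(p)
    return dict(ports)


if __name__ == "__main__":
    for intf, p in summarise(SAMPLE_DEBUG).items():
        print(intf, " -> ".join(p["path"]))
        print(intf, p["diagnosis"])
```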

    Multiauthentication Mode
    Available in Cisco IOS Release 12.2(33)SXI and later releases, multiauthentication (multiauth) mode allows one 802.1X/MAB client on the voice VLAN and multiple authenticated 802.1X/MAB/webauth clients on the data VLAN. When a hub or access point is connected to an 802.1X port (as shown in Figure 60-5), multiauth mode provides enhanced security over the multiple-hosts mode by requiring authentication of each connected client. For non-802.1X devices, MAB or web-based authentication can be used as the fallback method for individual host authentications, which allows different hosts to be authenticated through different methods on a single port.
    Multiauth also supports MDA functionality on the voice VLAN by assigning authenticated devices to either a data or voice VLAN depending on the data that the VSAs received from the authentication server.
    Release 12.2(33)SXJ and later releases support the assignment of a RADIUS server-supplied VLAN in multiauth mode, by using the existing commands and when these conditions occur:
    •The host is the first host authorized on the port, and the RADIUS server supplies VLAN information.
    •Subsequent hosts are authorized with a VLAN that matches the operational VLAN.
    •A host is authorized on the port with no VLAN assignment, and subsequent hosts either have no VLAN assignment, or their VLAN information matches the operational VLAN.
    •The first host authorized on the port has a group VLAN assignment, and subsequent hosts either have no VLAN assignment, or their group VLAN matches the group VLAN on the port. Subsequent hosts must use the same VLAN from the VLAN group as the first host. If a VLAN list is used, all hosts are subject to the conditions specified in the VLAN list.
    •After a VLAN is assigned to a host on the port, subsequent hosts must have matching VLAN information or be denied access to the port.
    •The behavior of the critical-auth VLAN is not changed for multiauth mode. When a host tries to authenticate and the server is not reachable, all authorized hosts are reinitialized in the configured VLAN.
    NOTE :
    •Only one voice VLAN is supported on a multiauth port.
    •You cannot configure a guest VLAN or an auth-fail VLAN in multiauth mode.
    for more information :
    http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1x.html
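    A model of the VLAN-assignment conditions quoted above, added for this thread (not Cisco code): the first host authorized on the port fixes the operational VLAN (the RADIUS-supplied VLAN if there is one, otherwise the configured access VLAN), and every later host must carry no VLAN or a matching one or it is denied. VLAN groups, the voice domain and the critical-auth VLAN are left out; the MAC addresses in the replay are the ones posted in the thread below.

```python
"""Multiauth VLAN-assignment model (12.2(33)SXJ conditions quoted above).

Added example, not Cisco code. Only the data domain is modelled; VLAN groups
and the critical-auth VLAN are out of scope."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class MultiAuthPort:
    access_vlan: int                            # 'switchport access vlan N'
    operational_vlan: Optional[int] = None      # fixed by the first authorized host
    sessions: dict = field(default_factory=dict)  # mac -> vlan the host was put in

    def authorize(self, mac: str, radius_vlan: Optional[int] = None):
        """Host 'mac' passed authentication; decide whether authorization succeeds.

        Returns (authorized, reason)."""
        if mac in self.sessions:
            return True, f"{mac} already authorized in VLAN {self.sessions[mac]}"
        if not self.sessions:
            # First host on the port: a RADIUS VLAN (if supplied) becomes the
            # operational VLAN, otherwise the configured access VLAN stays.
            self.operational_vlan = self.access_vlan if radius_vlan is None else radius_vlan
            self.sessions[mac] = self.operational_vlan
            return True, f"first host, operational VLAN is now {self.operational_vlan}"
        if radius_vlan is None or radius_vlan == self.operational_vlan:
            self.sessions[mac] = self.operational_vlan
            return True, f"VLAN matches operational VLAN {self.operational_vlan}"
        return False, (f"RADIUS VLAN {radius_vlan} does not match operational VLAN "
                       f"{self.operational_vlan}; access denied")

    def show_sessions(self):
        """Rough 'show authentication sessions'-style listing of the data domain."""
        return [f"{mac}  dot1x  DATA  Authz Success  vlan {vlan}"
                for mac, vlan in self.sessions.items()]


def replay_two_users(vlan_user1: Optional[int], vlan_user2: Optional[int]):
    """Replay two data hosts behind one multiauth port with the given RADIUS VLANs."""
    port = MultiAuthPort(access_vlan=5)
    r1 = port.authorize("0021.9b62.b79b", vlan_user1)   # user1 from the thread
    r2 = port.authorize("b888.e3eb.ebac", vlan_user2)   # user2 from the thread
    return port, r1, r2


if __name__ == "__main__":
    port, r1, r2 = replay_two_users(10, 20)
    print(r1)
    print(r2)          # second user is denied: different RADIUS VLAN
    print(*port.show_sessions(), sep="\n")
```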

  • Dot1x machine auth before user auth required

    We are looking at setting up dot1x in our libraries however I have been asked to see if there is a way to force a switch port to require machine auth before user auth.  The reason for this is a problem we have that users will disconnect the ethernet cable from the library computer and plug it into theirs.  If they have an AD account, they could in theory authenticate on this port. We want to discourage them from disconnecting these ports as we then don't know the computer has been unplugged and then it is no longer on the network and doesn't get updates/ghosted.
    Also, would it maybe be better to just allow a specific group of user accounts to connect to these jacks, and if so what would be the best way?  Location settings on the port?
    We are using ISE 1.2 to do authentication for these switches.

    Hi Zach-
    There are several different ways to prevent non-domain computers from gaining access to the network. I will try to list a few of them starting with the easiest and least expensive/labor intensive methods:
    1. Do only Machine-based authentication. This eliminates the user from having to enter credentials and ISE will simply query AD for valid computer domain membership.
    2. Use EAP-Chaining. This is the only method that truly gives you user+machine authentication. However, it does require that you push the Cisco AnyConnect client to all endpoints
    3. Deploy PKI and use EAP-TLS authentication with Digital Certificates. With this method only domain computers/users can get a certificate and ISE can still query AD for user or machine AD membership
    4. Perform Posture and check for something that is domain specific. For instance, a fake registry key or file that is being created when a machine joins to the domain. With this method ISE can still ask for User authentication but also require posture check. You can then set the policy that if posture fails but user auth succeeds then the user will only get guest access.
    I hope this helps.
    Thank you for rating!

  • How to provide access to multiple users connected to a Dumb switch? (multi-auth/multi-domain)

    Good morning everybody,
    I am writing on behalf of not being able to implement a desired outcome in our company network. In fact the situation is as follows:
    What I want to do is to be able to authenticate users (802.1x authentication) in our company radius server and authorize them access by having a dynamic VLAN assignment in a multi-user environment on one and the same port of a Cisco 2960 switch. So far, the authentication and authorization has been working completely smoothly (there are no problems with itself). The concept involves the configuration of both DATA and VOICE VLANs as there is also phone authentication implemented. In order to simulate this environment I introduce a Dumb switch connected to my Cisco 2960 Catalyst.
    What I have successfully managed to get to work so far is this:
    1) On one switch port I have tried the “authentication host-mode multi-domain” and it worked perfectly for a PC behind a telephone, or with one PC connected to the dumb switch + the telephone connected to another port of the dumb switch. Logically it is the same situation as there is a separation in two domains – DATA and VOICE. Below is an output from show authentication sessions for this scenario.
    Interface  MAC Address     Method   Domain   Status         Session ID          
    Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
    Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
    2) On the other hand, when I try the same scenario with the “authentication host-mode multi-auth”, the switch still separates the traffic in two domains and is able to authenticate all users, AS LONG AS they are in the same VLAN.
    show authentication sessions:
    Interface  MAC Address     Method   Domain   Status         Session ID
    Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
    Fa0/23     b888.e3eb.ebac  dot1x    DATA     Authz Success  C0A8FF69000000F8008C (user2)
    Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
    However, I cannot succeed authentication of many users from DIFFERENT VLANs, neither in multi-auth nor in multi-domain modes.
    What I want to get is an output like this:
    Interface  MAC Address     Method   Domain   Status         Session ID
    Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
    Fa0/23     b888.e3eb.ebac  dot1x    DATA     Authz Success  C0A8FF69000000F8008C (user2)
    Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
    I want the switch to authenticate the users anytime they connect to it and for them to have instant access to the network. (I tell this because I tried scenario 1) with multi-domain mode and authentication violation replace, and it worked, but two users never had access to the “Internet” simultaneously!!!
    The configuration of the interface connected to the Dumb switch is as follows.
    interface FastEthernet0/x
     description Connection to DUMBswitch
     switchport mode access
     switchport voice vlan XXX
     switchport port-security maximum 10
     switchport port-security
     switchport port-security violation protect
     authentication host-mode multi-auth
     authentication priority dot1x
     authentication port-control auto
     authentication timer reauthenticate 4000
     authentication violation replace
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    The way I see it is explained in the following steps:
    - PC1 connects to the Dumb switch. This causes the Cisco switch to authenticate user1. This creates an auth. session with its MAC address linked to a domain DATA.
    - When PC2 connects to the Dumb switch, this causes the violation replace which replaces the recent authenticated MAC address with the MAC of PC2. I would like it once authenticated to appear in the authentication sessions with a link to a new DATA domain linked to the VLAN assigned from the RADIUS server.
    Is this possible? I think (in theory) this is the only way to provide authenticated access to multiple users connecting through Dumb switch to the network.
    Has anybody ever succeeded in such a configuration example? If yes, I would love to get some help in doing so.
    Thank you
    Stoimen Hristov

    Hi Stoimen,
    I have done a setup similar to yours with the only exception being VLAN assignment. When I used dACLs only, it makes things somewhat easier as the VLAN no longer matters. Remember that the switchport is in access mode and will only allow a single VLAN across it (with the exception of the voice VLAN). I think that is the real cause of your problem.
    From what I can see, you have 2 options available to you:
    1) Use dACLs instead of VLAN assignment. This means that an access list will be downloaded from the radius server straight to the authenticated user's session. I have tested this and it works perfectly. Just Google Cisco IBNS quick reference guide and look for the section that deals with Low Impact mode.
    2) Get rid of the dumb switches and use managed switches throughout your network. Dumb switches will always be a point of weakness in your network because they have no intelligence to do advanced security features like port security, 802.1x, DHCP snooping, etc.
    Hopefully someone else will chime in with another option.
    Xavier

  • Cascade a switch to a dot1x port

    Need help.. I'm trying to cascade an unmanaged switch to a parent switch with a dot1x enabled port. IOS versions of both switches (slave & parent) are dot1x compliant.
    Config Settings of my Parent switch:
    dot1x system-auth-control
    dot1x guest-vlan supplicant
    int f0/15
    switchport mode access
    dot1x port-control auto
    dot1x host-mode multi-host
    dot1x timeout quiet-period 3
    dot1x timeout tx-period 15
    dot1x max-req 5
    spanning-tree portfast
    No configuration is set on my slave switch because I want to do a straightforward cascade. Is it possible ?
    Thanks...

    I am not sure if this is possible. If you are connecting two switches, then the ports need to be trunk ports. Right? I guess dot1x will work on the access ports only. Anyone any comments?

  • Problem with mode switching/Volume Panel in multi-user environment?

    As above - using Windows 7 64-bit with an X-Fi Titanium Fatal1ty card.
    All works well as long as I'm the only person logged in, but if my wife logs into the computer (using Windows 7's built-in multi-user mode...'fast user switching', which is enabled by default), and then I log back in...well, the volume panel app doesn't seem to work. In fact, even using the control panel app, I can't regain control of the soundcard enough to switch modes.
    Logging her off doesn't resolve the issue, so it seems like something about her logging on (another user logging in, two volpanlu.exe running, something) is causing my instance to go haywire. [FWIW, I'm a 'standard' user on the PC, and her login is a 'limited' user]
    Note that 'killing' the task volpanlu.exe in Task Manager, then going to the Windows services control panel and stopping and re-starting the 'Windows Audio' service, and finally re-launching volpanlu.exe from the start menu DOES always work to resolve the problem (regardless of whether she's logged in or not...this always fixes it).
    Still, that's a kinda annoyingly large set of steps to always have to go through whenever I want to change audio mode after she's logged in.
    Is there any way to fix this? Any setting I could be missing to optimize the X-Fi control panel for multi-user environments? Any of the X-Fi mod driver packs handle fast user switching better? Any other ideas?

    A little bit more tinkering around this, and I have some more information:
    - Once I "seize control" (the kill of volpanlu, restart 'Windows Audio' service, re-launch volpanlu), if my wife logs back in, now *she* can't change the audio mode

  • 802.1x "MachineorUser" Auth Mode strange behavior in 2950 & 3750 Switches

    Good Day Support Team around the world,
    Having started recently tests with 802.1x in a lab environment, I noticed a strange behavior related to authentication. First let me provide you with the network components I used.
    supplicant: domain-joined laptop with Windows XP SP3 802.1x embedded client
    authenticator1: Cisco 2950-24
    authenticator2: Cisco 3750-24
    authentication server: MS NPS Windows Server 2008
    1. In the first scenario with the 3750 switch, when I connect the laptop to the relevant port the machine authentication is successful. Then I try to log in with a domain account and again the authentication is completed without any problem. Then I log off, the user authentication is revoked and the machine authentication is used again without any issue. When I try to log in again as a local user the authentication fails as expected, but the port remains disabled (port blinking amber) regardless of the fact that the port is configured for the Auth-Fail VLAN. When I log off, the machine authentication is used again and access is granted.
    2. In the second scenario with the 2950 switch as authenticator, I follow the same steps as before, and when I try to log in as a local user the authentication fails and the port is assigned the Auth-Fail VLAN (as expected based on the configuration). However, when I log off it seems that the 2950 switch still uses the Auth-Fail VLAN for that port and never authenticates again for machine authentication.
    Could someone please let me know if this is normal (I suppose not). Please find attached the relevant debug output from the second scenario.
    Thank you!!!

    Hi,
    basically what happens is that the maximum EAP packet size for communication between client and RADIUS server is negotiated. Therefore, in your case the switch notifies NPS that the client is capable of handling packets up to 9000 bytes in size.
    EAP messages, especially those containing the server certificate, are usually bigger than 1500 bytes and arrive at the switch in multiple fragments:
    Mar  6 15:50:11.881: RADIUS(0000002C): Received from id 1645/41
    Mar  6 15:50:11.881: RADIUS/DECODE: EAP-Message fragments, 253+253+253+253+253+253+253+253+20, total 2044 bytes
    Having learned that 2044 bytes is acceptable for the client, the switch forwards the full message in one chunk, but since your client is likely to have set the interface MTU to 1500, the packet is oversized and never reaches its destination.
    And yes, I think changing the System Jumbo MTU to 1500 bytes would lead to the same result. If my memory serves me right, a new setting takes effect only after a reboot, so I'd suggest giving it a go in your lab first.
    Best regards,
    Josef
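    The reassembly Josef describes, as an added example that is not part of this thread: a Python model that chunks an EAP packet into RADIUS EAP-Message AVPs the way a RADIUS server does, reassembles them the way the switch does, checks whether the resulting EAPOL frame would fit a 1500-byte link, and then shows what a server does when the Framed-MTU it receives is honest: split the TLS data into EAP-TLS fragments that each fit. The function names (`framed_mtu_for`, `eap_tls_fragment`, and so on) are this example's own, and the 2044-byte packet is constructed so that its fragment sizes match the log line quoted above.

```python
# Added example: RADIUS EAP-Message reassembly, EAPOL MTU check, EAP-TLS fragmentation.
import struct

EAP_MESSAGE = 79      # RADIUS attribute type carrying EAP (RFC 3579)
AVP_MAX_VALUE = 253   # 255-octet AVP limit minus the type and length octets
EAPOL_HDR = 4         # version, type, 16-bit body length (IEEE 802.1X)
EAP_HDR = 4           # code, identifier, 16-bit length (RFC 3748)
EAP_TYPE_TLS = 13
FLAG_L, FLAG_M = 0x80, 0x40

def framed_mtu_for(link_mtu):
    """Framed-MTU the NAS advertises: link MTU minus the EAPOL header (RFC 3580
    s3.10). A 9000-byte system MTU gives 8996, so the server never fragments."""
    return link_mtu - EAPOL_HDR

def build_eap_packet(code, identifier, eap_type, body):
    """EAP packet: code(1) id(1) length(2) type(1) type-data."""
    return struct.pack("!BBHB", code, identifier, EAP_HDR + 1 + len(body), eap_type) + body

def split_into_eap_message_avps(eap_packet):
    """Chunk one EAP packet into RADIUS EAP-Message AVPs (type, length, value)."""
    avps = []
    for off in range(0, len(eap_packet), AVP_MAX_VALUE):
        chunk = eap_packet[off:off + AVP_MAX_VALUE]
        avps.append(bytes([EAP_MESSAGE, 2 + len(chunk)]) + chunk)
    return avps

def parse_radius_attributes(blob):
    """Parse a flat run of RADIUS AVPs into (type, value) tuples, rejecting
    lengths that would run past the buffer."""
    attrs, off = [], 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated AVP header at offset %d" % off)
        atype, alen = blob[off], blob[off + 1]
        if alen < 2 or off + alen > len(blob):
            raise ValueError("bad AVP length %d at offset %d" % (alen, off))
        attrs.append((atype, blob[off + 2:off + alen]))
        off += alen
    return attrs

def fragment_sizes(attrs):
    """EAP-Message fragment lengths, as the RADIUS/DECODE log line lists them."""
    return [len(v) for t, v in attrs if t == EAP_MESSAGE]

def reassemble_eap_message(attrs):
    """Concatenate EAP-Message AVPs in order (RFC 3579 s3.1) and check the
    embedded EAP length against what was reassembled."""
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)
    if len(eap) < EAP_HDR:
        raise ValueError("EAP packet shorter than its header")
    declared = struct.unpack("!H", eap[2:4])[0]
    if declared != len(eap):
        raise ValueError("EAP length %d != reassembled %d" % (declared, len(eap)))
    return eap

def eapol_frame_fits(eap_packet, link_mtu=1500):
    """True if EAPOL header + EAP packet fits the link MTU (Ethernet header
    excluded, as for the IP MTU); False means the frame is oversized."""
    return EAPOL_HDR + len(eap_packet) <= link_mtu

def eap_tls_fragment(tls_data, first_id, framed_mtu):
    """Split TLS data into EAP-TLS request packets (RFC 5216 s3.1) no larger
    than framed_mtu. The first fragment carries the L (length present) and
    M (more) flags plus the 4-octet TLS Message Length; the last clears M."""
    single_overhead = EAP_HDR + 1 + 1         # type octet and flags octet
    first_overhead = single_overhead + 4      # plus TLS Message Length
    if len(tls_data) + single_overhead <= framed_mtu:
        return [build_eap_packet(1, first_id, EAP_TYPE_TLS, b"\x00" + tls_data)]
    packets, off = [], 0
    while off < len(tls_data):
        overhead = first_overhead if not packets else single_overhead
        chunk = tls_data[off:off + framed_mtu - overhead]
        off += len(chunk)
        flags = FLAG_M if off < len(tls_data) else 0
        if not packets:
            body = bytes([flags | FLAG_L]) + struct.pack("!I", len(tls_data)) + chunk
        else:
            body = bytes([flags]) + chunk
        ident = (first_id + len(packets)) & 0xFF
        packets.append(build_eap_packet(1, ident, EAP_TYPE_TLS, body))
    return packets

if __name__ == "__main__":
    big = build_eap_packet(1, 0x2C, EAP_TYPE_TLS, bytes(2039))  # constructed, 2044 bytes
    attrs = parse_radius_attributes(b"".join(split_into_eap_message_avps(big)))
    print("fragments:", fragment_sizes(attrs))                # [253]*8 + [20]
    eap = reassemble_eap_message(attrs)
    print("fits 1500-byte link:", eapol_frame_fits(eap, 1500))  # False
    for p in eap_tls_fragment(bytes(2048), 0x2C, framed_mtu_for(1500)):
        print("EAP-TLS id %d len %d flags 0x%02x" % (p[1], len(p), p[5]))
```

    Run it and the fragment list prints exactly as the switch logged it; the same 2044-byte packet is reported as not fitting a 1500-byte link, which is the silent drop Josef describes. The last loop shows the server side of the fix: with Framed-MTU 1496 the same amount of TLS data goes out as two EAP-TLS fragments, each of which fits.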

  • Dot1x mac-auth-byass not supported on 2950 switches

    Hi all
    I have 2950-24 and 2950SX-24 switches. I upgraded them to the latest IOS version available on the Cisco site (12.1(22)EA11).
    We deployed the mac authentication bypass technology in our organization. The problem is the commands (dot1x mac-auth-bypass) and (dot1x critical) are not supported in this version.
    How can we solve this issue. I have many switches having this problem
    I appreciate your quick response and thanks in advance.
    Thanks

    Dear Sir
    Are you sure? Why is it not supported on 2950 and supported on 2940 platforms?
    check the below link please. I want to know why cisco doesn't support these important features on this 2950 platform.
    http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22_ea11/release/notes/OL14991.html#wp1000099
    Thanks in advance,

  • 802.1X Authentication issues when moving between switch ports

    Hi Guys,
    We are having some issues at our office where when users move from one switch to another, the 802.1X authentication does not want to take place. The PC just gets an APIPA address. Now I have read about features like MAC Move and MAC Replace, but they seem to be used when moving from one port on a switch to another port on that same switch. Will MAC Move help for issues between switches? And should I focus my attention on the switch's configuration or have a look at the NPS server that might be blocking that authentication as the user is already authenticated?
    My configuration we have on the switch ports look as follows:
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    dot1x pae authenticator
    Your help is greatly appreciated.
    Grant

    Hi Neno,
    Thanks for the reply. We are using NPS on a Server 2008 R2 virtual machine. The switches are stacked 2960S-48FPS-L running 15.0(2)SE. I will quickly do the debugs and get back to you.
    Here is the config:
    aaa group server radius customer-nps
     server name radius1
     server name radius2
    aaa authentication dot1x default group radius
    dot1x system-auth-control
    radius server radius1
     address ipv4 172.28.130.52 auth-port 1645 acct-port 1646
     key 7 05392415365959251C283630083D2F0B3B2E22253A
    radius server radius2
     address ipv4 172.28.131.52 auth-port 1645 acct-port 1646
     key 7 107C2B031202052709290B092719181432190D000C
    interface GigabitEthernet1/0/1
     switchport access vlan 300
     switchport mode access
     switchport voice vlan 2
     srr-queue bandwidth share 1 30 35 5
     queue-set 2
     priority-queue out
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication periodic
     authentication timer reauthenticate 28800
     authentication timer inactivity 1800
     mab
     no snmp trap link-status
     mls qos trust cos
     dot1x pae authenticator
     auto qos trust cos
     storm-control broadcast level 1.00
     storm-control multicast level 1.00
     spanning-tree portfast
     spanning-tree bpdufilter enable

  • Multi Seat Mode - Multiple X Servers on 1 Machine

    I need to configure a SunBlade 2000 configured with an XVR1000 graphics board to be used by 2 people simultaneously with their own keyboard & mouse.
    To summarize :
    1 Sun Blade 2000
    1 Xvr1000
    First Port connected to one monitor /dev/fbs/gfb0a
    Second Port Connected to a second monitor /dev/fbs/gfb0b
    2 Keyb & 2 mouse connected to the 4 USB ports
    The 2 monitors must be handled by two instances of X server (2 dtlogin prompts) so the 2 people can work independently.
    I tried the following procedure with NO success.
    Can anybody help me?
    Thanks in advance
    Luigi Paganini
    =============================================================================
    In recent versions of Solaris, the Xsun keyboard & mouse DDX modules
    have been extended to support multiple keyboards and mice on Solaris.
    The Xorg server on Solaris x86 has similarly been extended to support
    multiple mice, but not yet multiple keyboards.
    Unfortunately, this is not a very well documented feature, though it is
    supported - but you must pay close attention to the configuration
    instructions and Limitations described below.
    There are currently two choices for configuring X on a machine with
    multiple input devices:
    * One X server with the extra devices available via the X Input
    extension (commonly used for accessibility helper programs, or for x86
    laptop users)
    * Multiple X servers, each with its own set of input & output
    devices ("multi-seat" mode)
    The two methods can be mixed on a single machine - when configuring you
    simply need to determine which X server each device is going to be
    associated with.
    Requirements
    * Solaris 9 FCS or later (SPARC or x86)
    * USB-capable machine
    * For Solaris 9, USB patch 115338-01 (sparc)/115339-01 (x86) or
    newer. For Solaris 10, s10_17 or newer.
    Limitations
    Due to the nature of USB and Sun's implementation, USB devices may get
    different numbers when initialized or hot-plugged in a different order.
    A partial solution is to use the full path name under the /devices
    hierarchy - this is tied to the physical port a device is plugged into,
    so the order is no longer a problem, but devices must always be plugged
    into the same port this way.
    Xsun Configuration
    The following sections may be added to either
    /etc/openwin/server/etc/OWconfig or /usr/openwin/server/etc/OWconfig.
    Xsun reads both when starting up and merges their contents.
    * 1. Run ls -l /dev/usb/hid* to see what the existing device names are.
    * 2. Attach the additional input devices to the machine
    * 3. ls -l /dev/usb/hid* to see what the newly attached device names
    are. Note at the end of each symlink line it will list whether it is a
    keyboard or a mouse.
    * 4. Add lines of the following form to OWconfig, one for each
    device, and each with a unique name beginning with "IMOUSE" or "IKBD":
    # sun Keyboard module
    class="XINPUT" name="IKBD2"
    dev="/dev/usb/hid2" strmod="usbkbm"
    ddxHandler="ddxSUNWkbd.so.1"
    ddxInitFunc="ddxSUNWkbdProc";
    # sun Mouse module
    class="XINPUT" name="IMOUSE2"
    dev="/dev/usb/hid3" strmod="usbms"
    ddxHandler="ddxSUNWmouse.so.1"
    ddxInitFunc="ddxSUNWmouseProc";
    * 5. To configure multiseat mode, add a section to OWconfig to
    associate each keyboard, mouse, and frame buffer with a specific display
    (in this case ":1"):
    class="XDISPLAY" name="1"
    coreKeyboard="IKBD2" corePointer="IMOUSE2"
    dev0="/dev/fb1";
    * 6. Test your configuration. For multiseat mode, run an Xserver on
    the display you listed (xinit :1 or add a line for :1 to
    /etc/dt/config/Xservers ). For use with the X input extension, restart X
    and run xinputdev -l (source code here) to list the devices the server
    sees. You can also run xinputdev -k & xinputdev -m to switch your core
    keyboard and mouse to the specified devices.

    The report gets called via the rwservlet (hope that answers your question correctly).
    The application is in OAS.
    The separation I require is both in the database and the reports themselves.
    For example let's say I have devapp and testapp - both the exact same app. But they both need to access reports under the same key, but the report needs to get its info from its respective dev and test databases. The key is hardcoded so can't change.
    If I understand correctly (a big "if"), the cgicmd.dat file tells which report to grab and which database to connect to based on the key. Is there a way to have separate key map files (cgicmd.dat) called by separate applications? So that devapp will get Report1 using devdatabase, where testapp will get Report1 using testdatabase?
    It may not be possible to do this kind of server consolidation, I just need to know one way or another for sure - and if it is possible, how to proceed.

  • Template(best practice) for Switch ports

    Hi,
    Looking for best practice advice on switchport config for client facing ports.
    We recently had an incident where an access port turned into a trunk (trunk mode desirable), which we obviously do not want to happen again!
    For Access Ports(First two should stop DTP I'm hoping?):
    switchport mode access
    switchport nonegotiate
    storm-control broadcast level 20.00
    storm-control action trap
    no cdp enable
    spanning-tree portfast
    spanning-tree bpdufilter enable
    spanning-tree guard root
    switchport port-security maximum 10
    switchport port-security
    switchport port-security aging time 10
    And for trunk ports to clients:
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport trunk allowed vlan xxx,xxx
    switchport nonegotiate
    storm-control broadcast level 20.00
    storm-control action trap
    no cdp enable
    spanning-tree bpdufilter enable
    spanning-tree guard root
    Thanks in advance.

    Look here: http://www.cisco.com/en/US/docs/solutions/Enterprise/Branch/E_B_SDC1.html#wp68930
    That's Cisco's branch design doc from Design Zone.
    For those that want a fast answer:
    For VoIP phones and PC:
    interface GigabitEthernet1/0/6 - interface GigabitEthernet1/0/23
    description phone with PC connected to phone
    switchport access vlan 102
    switchport mode access
    switchport voice vlan 101
    switchport port-security maximum 2
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    ip arp inspection limit rate 100
    load-interval 30
    srr-queue bandwidth share 1 70 25 5
    srr-queue bandwidth shape 3 0 0 0
    priority-queue out
    mls qos trust device cisco-phone
    spanning-tree portfast
    spanning-tree bpduguard enable
    ip verify source
    ip dhcp snooping limit rate 100
    For data only:
    interface GigabitEthernet1/0/24 - interface GigabitEthernet1/0/28
    description DATA only ports
    switchport access vlan 102
    switchport mode access
    switchport port-security maximum 3
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    ip arp inspection limit rate 100
    load-interval 30
    srr-queue bandwidth share 1 70 25 5
    srr-queue bandwidth shape 3 0 0 0
    priority-queue out
    spanning-tree portfast
    spanning-tree bpduguard enable
    ip verify source
    ip dhcp snooping limit rate 100
    That's Cisco's recommendation.
    And just my opinion is that I'd much rather shut a port down that receives a BPDU than just filter it. Reason being that you can't trust users not to do something stupid, like hook two switch ports to the same switch they're using at their desk in an effort to "make the network faster". For two, if someone malicious plugs in a switch into your environment, shut the port down...that makes it hard for them to do anything malicious.
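    As an added example, not from this thread and not from Cisco's design guide, here is a small Python linter that reads IOS `show running-config` interface stanzas and reports client-facing ports that miss the hardening discussed in this thread and visible in the 802.1X thread above (the Gi1/0/1 stanza that combines dot1x with `spanning-tree bpdufilter enable`): DTP not disabled, BPDU Filter where BPDU Guard belongs, `port-security maximum`/`violation` lines present without `switchport port-security` itself (which leaves them inert), a silent `violation protect`, and no IP source guard or DHCP snooping rate limit. The sample config, the rule set and the severities are constructed for the example; the uplink exclusion is the caller's responsibility because the config alone does not say which ports face users.

```python
# Added example: lint IOS interface stanzas for edge-port hardening.
import re

EDGE_PORT = re.compile(r"^(Fast|Gigabit)Ethernet\d+/\d+(/\d+)?$")

# Constructed running-config excerpt: one hardened port, one port that drifted
# (DTP desirable, BPDU Filter, half-configured port security), and an uplink.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/6
 description phone with PC connected to phone
 switchport access vlan 102
 switchport mode access
 switchport voice vlan 101
 switchport nonegotiate
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/7
 description user desk
 switchport access vlan 102
 switchport mode dynamic desirable
 switchport port-security maximum 10
 switchport port-security violation protect
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/48
 description uplink to core
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
"""

def parse_interfaces(config):
    """Map interface name -> stripped config lines. A stanza runs from
    'interface X' to the next line that is not indented (for example '!')."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None
    return stanzas

def has(lines, prefix):
    """True if a line equals prefix or is prefix followed by arguments."""
    return any(l == prefix or l.startswith(prefix + " ") for l in lines)

def lint_edge_port(lines):
    """Return (severity, message) findings for one client-facing stanza."""
    f = []
    mode = next((l for l in lines if l.startswith("switchport mode ")), None)
    if mode == "switchport mode trunk":
        f.append(("HIGH", "edge port is a trunk; expected 'switchport mode access'"))
    elif mode != "switchport mode access":
        f.append(("HIGH", "DTP may negotiate a trunk: need 'switchport mode access', found %s"
                  % (mode or "no switchport mode")))
    if not has(lines, "switchport nonegotiate"):
        f.append(("HIGH", "missing 'switchport nonegotiate'; access mode alone still sends DTP"))
    if has(lines, "spanning-tree bpdufilter enable"):
        f.append(("HIGH", "'spanning-tree bpdufilter enable' hides a rogue switch; use bpduguard"))
    if not has(lines, "spanning-tree bpduguard enable"):
        f.append(("MEDIUM", "missing 'spanning-tree bpduguard enable' (err-disable on BPDU)"))
    if not has(lines, "spanning-tree portfast"):
        f.append(("LOW", "missing 'spanning-tree portfast'"))
    if "switchport port-security" not in lines:
        f.append(("MEDIUM", "'switchport port-security' absent; maximum/violation lines are inert"))
    if has(lines, "switchport port-security violation protect"):
        f.append(("LOW", "violation mode 'protect' drops silently; 'restrict' also logs"))
    if not has(lines, "ip verify source"):
        f.append(("MEDIUM", "missing 'ip verify source' (IP source guard)"))
    if not has(lines, "ip dhcp snooping limit rate"):
        f.append(("LOW", "missing 'ip dhcp snooping limit rate'"))
    return f

def lint_config(config, uplinks=frozenset()):
    """Lint every Ethernet stanza except the named uplinks."""
    return {name: lint_edge_port(lines)
            for name, lines in parse_interfaces(config).items()
            if EDGE_PORT.match(name) and name not in uplinks}

if __name__ == "__main__":
    for name, findings in lint_config(SAMPLE_CONFIG, {"GigabitEthernet1/0/48"}).items():
        print(name, "OK" if not findings else "")
        for sev, msg in findings:
            print("  %-6s %s" % (sev, msg))
```

    Running it on a real `show running-config` dump (without the uplink exclusion) is also how you catch the incident described at the top of this thread after the fact: any edge port whose stanza now reads `switchport mode trunk` comes back as a HIGH finding.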

  • Difference between 802.1x multi-host and 802.1x multi-auth

    Hi,
    This is a bit confusing for me. Does someone have an easy explanation?
    What I understand and looked up for the moment (correct me if I'm wrong):
    802.1x multi-host: Good for an AP or a phone setup. Port becomes authorized as soon as one client is authenticated. In this situation the AP or the phone. Afterwards PCs have access without any further 802.1x action.
    802.1x multi-auth: Multiple devices are allowed to independently authenticate through the same port. More secure? Is this good for next setup: I have a 802.1x port on the managed 24p switch, but the customer decides to plug in a non-managed 8p cheap switch on his desk where different pc's will be plugged in. So I have a 802.1x port on the Cisco switch connected to a non-managed 8p switch. I suppose 802.1x multi-host configuration is not a secure option here.
    I don't know if I am clear enough. Don't hesitate to ask if not.
    Thanks for your reply.

    You are right with your understanding.
    Multi-Host is a valid solution if a power-user for example is using many VMs on his PC. After authenticating initially, all VMs can communicate with the network.
    Multi-Auth is more secure because each MAC address accessing the network is controlled.
    A very good overview on 802.1x and the configuration can be found on the Cisco IOS Quick Reference Guide for IBNS.
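    A simplified model of the difference just described, added here and not part of the thread: one authenticator port that decides which MAC addresses may send under single-host, multi-host and multi-auth host modes, including what `authentication violation` does to a second MAC on a single-host port (the `violation replace` question in the unmanaged-switch thread above). It follows the IOS behaviour as documented (multi-host opens the port for every MAC once one host succeeds and closes it again when that host's session ends; multi-auth keeps one session per MAC), but it is a model, not switch code, and the MAC labels are constructed.

```python
# Added example: model of IOS 802.1X host modes on one authenticator port.
SINGLE_HOST, MULTI_HOST, MULTI_AUTH = "single-host", "multi-host", "multi-auth"
PROTECT, RESTRICT, SHUTDOWN, REPLACE = "protect", "restrict", "shutdown", "replace"

class Dot1xPort:
    """One authenticator port. `authorized` holds MACs with a live session;
    in multi-host mode a single session opens the port for every MAC."""

    def __init__(self, host_mode=SINGLE_HOST, violation=SHUTDOWN):
        self.host_mode = host_mode
        self.violation = violation
        self.authorized = set()
        self.err_disabled = False
        self.log = []

    def auth_result(self, mac, accepted):
        """Apply the outcome of an EAP exchange for `mac` (RADIUS Access-Accept
        -> accepted=True). Returns True if `mac` ends up with a session."""
        if self.err_disabled:
            return False
        if not accepted:
            self.authorized.discard(mac)
            self.log.append("auth-fail %s" % mac)
            return False
        if self.host_mode == SINGLE_HOST and self.authorized - {mac}:
            return self._violation(mac)
        self.authorized.add(mac)
        self.log.append("authorized %s" % mac)
        return True

    def _violation(self, mac):
        """A second data host appeared on a single-host port."""
        if self.violation == REPLACE:
            self.log.append("replace %s -> %s" % (sorted(self.authorized), mac))
            self.authorized = {mac}
            return True
        if self.violation == SHUTDOWN:
            self.err_disabled = True        # port goes err-disabled
            self.authorized.clear()
        self.log.append("violation %s (%s)" % (mac, self.violation))
        return False

    def logoff(self, mac):
        """EAPOL-Logoff, link reset, or failed reauthentication of `mac`."""
        self.authorized.discard(mac)

    def forwards(self, mac):
        """Would a data frame from `mac` be forwarded?"""
        if self.err_disabled or not self.authorized:
            return False
        if self.host_mode == MULTI_HOST:
            return True                      # any MAC once one host is in
        return mac in self.authorized

def who_gets_through(host_mode, violation=SHUTDOWN, pc2_authenticates=False):
    """PC1 authenticates behind an unmanaged switch; PC2 may or may not run a
    supplicant; ROGUE never does. Returns {mac: forwarded?}. MACs are labels."""
    port = Dot1xPort(host_mode, violation)
    port.auth_result("pc1", True)
    if pc2_authenticates:
        port.auth_result("pc2", True)
    return {mac: port.forwards(mac) for mac in ("pc1", "pc2", "rogue")}

if __name__ == "__main__":
    for mode in (MULTI_HOST, MULTI_AUTH, SINGLE_HOST):
        print(mode, who_gets_through(mode, pc2_authenticates=mode != MULTI_HOST))
    print("single-host replace", who_gets_through(SINGLE_HOST, REPLACE, True))
```

    The output makes the point of the answer concrete: behind an unmanaged switch, multi-host forwards the rogue as soon as PC1 is in, multi-auth forwards only the MACs that authenticated, and single-host with `violation replace` lets PC2 kick PC1 off (the sign-in churn described in the first thread above), while the default `shutdown` err-disables the port for everybody.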
