Common Problems and Resolutions
This section examines some common problems and resolutions for 802.1x (dot1x) implementations that are not discussed in the preceding sections.
1 Are there any restrictions on the types of ports on the switch on which 802.1x can be configured?
Answer: Yes. 802.1x can be configured only on standard Layer 2 access ports. 802.1x cannot be configured on a Trunk port, Private VLAN Trunk (PVLAN) port, EtherChannel port, or Switch Port Analyzer (SPAN) destination port.
2 Why does my DHCP time out when 802.1x is configured on the switch?
Answer: On wired interfaces, a successful 802.1x authentication does not force a DHCP address discovery (there is no media-connect signal) on Windows XP before Service Pack 1a. This causes a problem, because DHCP starts as soon as the interface comes up. Hence, if 802.1x authentication takes too long, DHCP may time out. So, even though the switch port is in the Authorized state, the supplicant will not have an IP address.
3 How do you address the DHCP timeout (DHCP-Timeout at 62 Sec) with 802.1x?
Answer: Using machine authentication allows the supplicant to obtain an IP address. For a fix by patch, you need the following service pack levels (plus the listed hotfix) on the Windows XP and Windows 2000 operating systems:
Windows XP Service Pack 1a + KB 826942
Windows 2000 Service Pack 4
Updated supplicants trigger DHCP IP address renewal. Successful authentication causes the client to ping the default gateway (three times) with a sub-second timeout. Lack of an echo reply triggers a DHCP IP renew; a successful echo reply leaves the IP address as is. This pre-renewal ping prevents lost connections when the subnet stays the same but the client may be roaming on a WLAN.
4 Does 802.1x work when Wake on LAN (WoL) is used to turn on computers remotely or to install applications and patches?
Answer: Cisco IBNS supports WoL functionality through the 802.1x with the Wake On LAN feature, which lets you perform automated tasks, such as overnight software upgrades or system backups.
The 802.1x specification supports WoL with the definition of unidirectional controlled ports, which can be configured to allow only outbound frames to be transmitted in the pre-authenticated state. You can send a WoL magic packet to a host connected to a unidirectional controlled port in the sleep standby (S2) state to wake it to a normal operational state.
If the supplicant on the workstation is configured to automatically authenticate when prompted, it can then authenticate to the switch port. If the authentication is successful, the switch applies any policies received from the RADIUS server and puts the port into a normal forwarding state.
5 Is the host MAC currently sent back to a RADIUS server?
Answer: Yes, the MAC address of the supplicant is returned to the RADIUS server in the Calling Line Station Identifier (CLSID) RADIUS attribute. The supplicant MAC address can be used to make policy decisions, such as restricting access (even to otherwise validated identities), or logged for auditing purposes.
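The policy use of the supplicant MAC described above, as an added example that is not part of the original text: a small RADIUS Access-Request parser that pulls the MAC out of the Calling-Station-Id attribute (RADIUS attribute type 31 in RFC 2865, which the answer above calls CLSID) and a hypothetical `authorize` hook that accepts a validated identity only from a MAC bound to it. The packet, the user-to-MAC bindings and the all-zero authenticator are constructed sample data.

```python
import struct

# RADIUS constants from RFC 2865; the text above refers to attribute 31 as "CLSID"
ACCESS_REQUEST = 1
USER_NAME = 1
CALLING_STATION_ID = 31


def build_access_request(ident: int, attrs: list) -> bytes:
    """Encode a minimal Access-Request (constructed sample; authenticator is all zeros)."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + bytes(16) + body


def parse_radius(packet: bytes) -> dict:
    """Parse the header and walk the type/length/value attribute list, rejecting bad lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "attrs": attrs}


def supplicant_mac(parsed: dict):
    """Return the MAC carried in Calling-Station-Id, normalised to aa:bb:cc:dd:ee:ff, or None."""
    for atype, value in parsed["attrs"]:
        if atype == CALLING_STATION_ID:
            return value.decode("ascii").replace("-", ":").lower()
    return None


def authorize(packet: bytes, bindings: dict) -> bool:
    """Hypothetical policy hook: accept only if the identity is known AND the MAC is bound to it."""
    parsed = parse_radius(packet)
    if parsed["code"] != ACCESS_REQUEST:
        return False
    user = next((v.decode("ascii") for t, v in parsed["attrs"] if t == USER_NAME), None)
    return user in bindings and supplicant_mac(parsed) in bindings[user]


# Constructed samples: a bound MAC for "alice", and the same valid identity from an unbound MAC
BINDINGS = {"alice": {"00:11:22:33:44:55"}}
SAMPLE = build_access_request(7, [(USER_NAME, b"alice"), (CALLING_STATION_ID, b"00-11-22-33-44-55")])
ROGUE = build_access_request(8, [(USER_NAME, b"alice"), (CALLING_STATION_ID, b"AA-BB-CC-DD-EE-FF")])
```

The same parsed MAC can simply be written to an audit log instead of gating the decision, which is the second use the answer mentions.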
6 What are my options for authenticating printers with 802.1x?
Answer: One option is running with port security instead of 802.1x. Another option is to assign unauthenticated printers to the guest VLAN.
7 What are the options when clients go into hibernation, Wake on LAN (WoL), or sleep mode?
Answer: When a host is in hibernation or sleep mode, the network interface tends to be inactive. For WoL to work, the client platform must support the WoL specification for standby mode and be able to listen for the WoL magic packet while in standby. Check the host platform documentation to determine if this feature is supported. Cisco provides WoL support on the authenticator with the 802.1x with Wake on LAN feature.
8 During normal 802.1x operation, if a supplicant responds with an incorrect login or password, does it fail authentication and get placed into a guest VLAN?
Answer: The port is placed in the Held state as a result of unsuccessful 802.1x authentication. The port is not placed into a guest VLAN in this case.
9 What is the Held state, as indicated on my switch when I enter the show port dot1x or show dot1x commands?
Answer: After the first failed authentication, the supplicant triggers a quiet period on the authenticator. The quiet period is a configurable interval that is 60 seconds by default. During the quiet period, the authenticator, which controls the ports on the switch, ignores all frames from the supplicant on that port. Ideally, the quiet period is the same on the supplicant and the authenticator, and neither communicates until the quiet period is over. This helps prevent brute-force authentication attacks and denial of service (DoS) attacks on a switch or WLAN access point.
10 During the quiet period, is the host allowed on the network?
Answer: No.
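The Held state and quiet period behaviour from questions 8 through 10, as an added model that is not part of the original text: a simplified per-port authenticator state machine (assumption: only the Unauthorized, Authorized and Held states the FAQ discusses, with the 60-second default quiet period) that ignores supplicant frames while held and passes host traffic only when authorized. The timeline in `scenario` is constructed.

```python
from dataclasses import dataclass, field

UNAUTHORIZED, AUTHORIZED, HELD = "unauthorized", "authorized", "held"


@dataclass
class AuthenticatorPort:
    """Simplified port model (assumption: only the states the FAQ above discusses)."""
    quiet_period: float = 60.0        # default quiet period from the answer above, in seconds
    state: str = UNAUTHORIZED
    held_until: float = 0.0
    log: list = field(default_factory=list)

    def _expire(self, now: float) -> None:
        # Held is left only once the quiet period has elapsed
        if self.state == HELD and now >= self.held_until:
            self.state = UNAUTHORIZED

    def on_eapol_start(self, now: float) -> bool:
        """Supplicant asks to authenticate; returns False when the frame is ignored (quiet period)."""
        self._expire(now)
        if self.state == HELD:
            self.log.append((now, "ignored EAPOL-Start during quiet period"))
            return False
        return True

    def on_auth_result(self, now: float, success: bool) -> str:
        """Apply the RADIUS outcome of an in-progress exchange and return the new port state."""
        self._expire(now)
        if self.state == HELD:
            return self.state
        if success:
            self.state = AUTHORIZED
        else:
            self.state = HELD
            self.held_until = now + self.quiet_period
            self.log.append((now, f"auth failed, held until t={self.held_until:g}"))
        return self.state

    def forwards_host_traffic(self, now: float) -> bool:
        """Only Authorized passes host frames; Held and Unauthorized do not (question 10)."""
        self._expire(now)
        return self.state == AUTHORIZED


def scenario(quiet_period: float = 60.0) -> tuple:
    """Constructed timeline: bad password at t=0, retry at t=30, good credentials at t=61-62."""
    port = AuthenticatorPort(quiet_period)
    s1 = port.on_auth_result(0.0, False)       # wrong password -> Held, not guest VLAN
    blocked = port.forwards_host_traffic(30.0)  # still held -> no network access
    r1 = port.on_eapol_start(30.0)             # inside quiet period -> ignored
    r2 = port.on_eapol_start(61.0)             # quiet period over -> processed
    s2 = port.on_auth_result(62.0, True)       # correct credentials -> Authorized
    return s1, blocked, r1, r2, s2, port.forwards_host_traffic(62.0)
```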
11 With 802.1x, can I restrict a specific port to a single MAC address?
Answer: Yes; this is known as single-host mode, which is the default on Cisco devices.
12 How does a RADIUS server know if a user is still connected after authentication?
Answer: This requires RADIUS accounting support on the switch.
13 Does a Cisco Catalyst switch support 802.1x user authentication with a VLAN assignment and MAC address authentication at the same time?
Answer: Cisco Catalyst switches support 802.1x user authentication. MAC address authentication is more of an authorization issue. If a switch port is configured to run as an 802.1x authenticator, then the switch port is logically down before authentication, so the MAC address is not known. Successful 802.1x authentication has to happen for the MAC address to be learned. To make this work better, run port security in addition to 802.1x.
14 In an environment with a large number of active VLANs using Dynamic VLAN assignment, would all the switches have to be set up with VLAN information for every VLAN they handle?
Answer: They would not, because VLAN assignment can be performed by name. This means that the switches do not need to be manually configured to trunk every individual VLAN into every area of the network. You just need to configure the VLAN name itself, which can be any unique alphanumeric value within a specific VTP domain.