Clients on non-Authenticating Switch are asked to Authenticate

    Posted 11-22-2013 00:05
    Article ID: 5882



    When this occurs, there is typically a core switch in the network data path that has been configured for multiauth (5468) in order to authenticate network users attached to edge switches that have no authentication capability but do support "EAP Pass-thru".

    If that is not the case, and it is unclear why one or more "upstream" network users are being asked for authentication credentials, examine the configuration of every switch that has been configured for authentication.

    Their InterSwitch Link ports (and RADIUS Server ports) must be set for Forced Authentication ('set dot1x auth-config authcontrolled-portcontrol forced-auth <port#>'). Otherwise, if the non-authenticating switches support "EAP Pass-thru", users on those switches will erroneously receive EAPOL Identity Requests (5532) from the incorrectly configured authenticating switch and will respond accordingly.

    On authentication-configured switches, ensure that only ports which service authenticating users are set for authentication.
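
    To locate the authenticating switch that is emitting the stray Identity Requests described above, read the source MAC of each EAP-Request/Identity frame in a capture taken at an affected client. The following is an added example, not part of the original article; the frame layout follows IEEE 802.1X and RFC 3748, and the MAC addresses and sample frames are constructed.

```python
import struct
from collections import Counter

EAPOL_ETHERTYPE = 0x888E      # IEEE 802.1X (EAP over LAN)
EAPOL_TYPE_EAP_PACKET = 0
EAP_CODE_REQUEST = 1
EAP_TYPE_IDENTITY = 1


def identity_request_source(frame: bytes):
    """Return the source MAC if frame is an EAP-Request/Identity, else None."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == 0x8100 and len(frame) >= 18:   # skip a single 802.1Q tag
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    if ethertype != EAPOL_ETHERTYPE or len(frame) < offset + 9:
        return None
    # EAPOL header: version, packet type, body length
    _ver, eapol_type, _len = struct.unpack("!BBH", frame[offset:offset + 4])
    # EAP header: code, identifier, length, then the type octet
    code, _id, _eap_len, eap_type = struct.unpack("!BBHB", frame[offset + 4:offset + 9])
    if (eapol_type, code, eap_type) != (EAPOL_TYPE_EAP_PACKET, EAP_CODE_REQUEST, EAP_TYPE_IDENTITY):
        return None
    return ":".join(f"{b:02x}" for b in frame[6:12])


def count_requesters(frames):
    """Count EAP-Request/Identity frames per sending MAC address."""
    return Counter(mac for mac in map(identity_request_source, frames) if mac)


def build_frame(src: str, code: int, eap_type: int, data: bytes = b"") -> bytes:
    """Build a sample EAPOL frame (constructed test data, not a real capture)."""
    eap = struct.pack("!BBHB", code, 1, 5 + len(data), eap_type) + data
    eapol = struct.pack("!BBH", 1, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap
    dst = bytes.fromhex("0180c2000003")            # PAE group address
    return dst + bytes.fromhex(src.replace(":", "")) + struct.pack("!H", EAPOL_ETHERTYPE) + eapol


# Constructed capture: two Identity Requests from one switch, one client response.
SAMPLE_FRAMES = [
    build_frame("02:00:00:00:00:01", 1, 1),
    build_frame("02:00:00:00:00:01", 1, 1),
    build_frame("02:00:00:00:00:aa", 2, 1, b"alice"),
]

if __name__ == "__main__":
    for mac, n in count_requesters(SAMPLE_FRAMES).items():
        print(f"{mac} sent {n} EAP-Request/Identity frame(s)")
```

    The reported MAC can then be matched against the switches' own addresses to find the one whose uplink port is not set to forced-auth.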