Clients on non-Authenticating Switch are asked to Authenticate

  • Updated 5 years ago
Article ID: 5882 

Protocols/Features
Radius
UPN 

Standards
802.1x 

Cause
This typically occurs when a core switch in the network data path has been configured for multiauth (5468) in order to authenticate network users attached to edge switches that have no authentication capability but do support "EAP Pass-thru".

If that is not the case, and it is unclear why one or more "upstream" network users are being asked for authentication credentials, examine the configuration of every switch that has been configured for authentication.

Their Inter-Switch Link ports (and RADIUS server ports) must be set for Forced Authentication ('set dot1x auth-config authcontrolled-portcontrol forced-auth <port#>'). Otherwise, if the non-authenticating switches support "EAP Pass-thru", users on those switches will erroneously receive EAPOL Identity Requests (5532) from the incorrectly configured authenticating switch and will respond accordingly.

Solution
On authentication-configured switches, ensure that only ports which service authenticating users are set for authentication.
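
One way to run this check offline against a saved configuration, as an added example that is not part of the original article or the vendor's tooling. The sample configuration, the port names (ge.1.x), the range and comma port-list syntax, and the function names are assumptions made for illustration; a port with no explicit line is reported as "unset" rather than given an assumed default.

```python
import re

# Matches the command form quoted in the article; the mode token is captured as-is.
LINE = re.compile(
    r"^\s*set dot1x auth-config authcontrolled-portcontrol (\S+) (\S+)\s*$")

def expand(port_string):
    """Expand 'ge.1.1-3' or 'ge.1.1,ge.1.5' into single ports (assumed syntax)."""
    ports = []
    for item in port_string.split(","):
        m = re.match(r"^(.*\.)(\d+)-(\d+)$", item)
        if m:
            prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
            ports.extend(f"{prefix}{n}" for n in range(lo, hi + 1))
        else:
            ports.append(item)
    return ports

def port_modes(config_text):
    """Map each port to the last authcontrolled-portcontrol mode set for it."""
    modes = {}
    for line in config_text.splitlines():
        m = LINE.match(line)
        if m:
            for port in expand(m.group(2)):
                modes[port] = m.group(1)
    return modes

def audit(config_text, exempt_ports):
    """Return {port: mode} for ISL / RADIUS server ports not set to forced-auth."""
    modes = port_modes(config_text)
    return {p: modes.get(p, "unset") for p in exempt_ports
            if modes.get(p) != "forced-auth"}

# Constructed sample configuration and port names, for illustration only.
SAMPLE = """\
set dot1x auth-config authcontrolled-portcontrol auto ge.1.1-4
set dot1x auth-config authcontrolled-portcontrol forced-auth ge.1.24
set dot1x auth-config authcontrolled-portcontrol forced-auth ge.1.48
"""
# Hypothetical inventory: ge.1.4 and ge.1.24 are inter-switch links,
# ge.1.47 faces the RADIUS server.
EXEMPT = ["ge.1.4", "ge.1.24", "ge.1.47"]

if __name__ == "__main__":
    for port, mode in audit(SAMPLE, EXEMPT).items():
        print(f"{port}: {mode} (expected forced-auth)")
```

Any port the audit returns is an uplink or server-facing port that can still send EAPOL Identity Requests toward a pass-thru edge switch.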

FAQ User, Official Rep


Posted 5 years ago
