https://community.extremenetworks.com/t5/faqs/clients-on-non-authenticating-switch-are-asked-to-authenticate/m-p/45805#M351 Article ID: 5882 <BR /> <BR /> <B>Protocols/Features</B><BR /> Radius<BR /> UPN <BR /> <BR /> <B>Standards</B><BR /> 802.1x <BR /> <BR /> <B>Cause</B><BR /> When this occurs, typically there is a core switch within the network data path that has been configured for multiauth (<A href="http://bit.ly/1o2OfSP" target="_blank" rel="nofollow noreferrer noopener">5468</A>), for the purpose of authenticating network users hanging off of edge switches that have no authentication capability but do support "EAP Pass-thru". <BR /> <BR /> If that is not the case and it is thus a mystery why one or more "upstream" network users are being asked for authentication credentials, examine the configuration of all switches which have been configured for authentication. <BR /> <BR /> Their InterSwitch Link ports (and Radius Server ports) must be set for Forced Authentication ('set dot1x auth-config authcontrolled-portcontrol forced-auth &lt;<I>port#</I>&gt;'). Otherwise, if the non-authenticating switches support "EAP Pass-thru" then users on those switches will in error receive EAPOL Identity Requests (<A href="http://bit.ly/19LXsqz" target="_blank" rel="nofollow noreferrer noopener">5532</A>) from the incorrectly configured authenticating switch and will respond accordingly. <BR /> <BR /> <B>Solution</B><BR /> On authentication-configured switches, ensure that only ports which service authenticating users are set for authentication. Fri, 22 Nov 2013 08:05:00 GMT FAQ_User 2013-11-22T08:05:00Z https://community.extremenetworks.com/t5/faqs/clients-on-non-authenticating-switch-are-asked-to-authenticate/m-p/45805#M351 Article ID: 5882 <BR /> <BR /> <B>Protocols/Features</B><BR /> Radius<BR /> UPN <BR /> <BR /> <B>Standards</B><BR /> 802.1x <BR /> <BR /> <B>Cause</B><BR /> When this occurs, typically there is a core switch within the network data path that has been configured for multiauth (<A href="http://bit.ly/1o2OfSP" target="_blank" rel="nofollow noreferrer noopener">5468</A>), for the purpose of authenticating network users hanging off of edge switches that have no authentication capability but do support "EAP Pass-thru". <BR /> <BR /> If that is not the case and it is thus a mystery why one or more "upstream" network users are being asked for authentication credentials, examine the configuration of all switches which have been configured for authentication. <BR /> <BR /> Their InterSwitch Link ports (and Radius Server ports) must be set for Forced Authentication ('set dot1x auth-config authcontrolled-portcontrol forced-auth &lt;<I>port#</I>&gt;'). Otherwise, if the non-authenticating switches support "EAP Pass-thru" then users on those switches will in error receive EAPOL Identity Requests (<A href="http://bit.ly/19LXsqz" target="_blank" rel="nofollow noreferrer noopener">5532</A>) from the incorrectly configured authenticating switch and will respond accordingly. <BR /> <BR /> <B>Solution</B><BR /> On authentication-configured switches, ensure that only ports which service authenticating users are set for authentication. Fri, 22 Nov 2013 08:05:00 GMT https://community.extremenetworks.com/t5/faqs/clients-on-non-authenticating-switch-are-asked-to-authenticate/m-p/45805#M351 FAQ_User 2013-11-22T08:05:00Z