Article ID: 5882
Protocols/Features: Radius, UPN
Standards: 802.1x
Cause
When this occurs, typically there is a core switch within the network data path that has been configured for multiauth (5468), for the purpose of authenticating network users connected to edge switches that have no authentication capability but do support "EAP Pass-thru".
If that is not the case, and it is therefore a mystery why one or more "upstream" network users are being asked for authentication credentials, examine the configuration of all switches which have been configured for authentication.
Their InterSwitch Link ports (and Radius Server ports) must be set for Forced Authentication ('set dot1x auth-config authcontrolled-portcontrol forced-auth <port#>'). Otherwise, if the non-authenticating switches support "EAP Pass-thru", users on those switches will erroneously receive EAPOL Identity Requests (5532) from the incorrectly configured authenticating switch and will respond accordingly.
Solution
On authentication-configured switches, ensure that only ports which service authenticating users are set for authentication.
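
One way to audit a saved switch configuration for this condition, as an added example that is not part of the original article: it reads the port-control command quoted above and reports InterSwitch Link and Radius Server ports that are not set to forced-auth. The port names, the "auto" mode value, the port inventory, and the one-port-per-line, last-setting-wins handling are assumptions.

```python
import re

# Matches the command quoted in the article. The mode is captured so that a
# later line for the same port overrides an earlier one (assumed behaviour).
CMD = re.compile(
    r"^\s*set\s+dot1x\s+auth-config\s+authcontrolled-portcontrol\s+(\S+)\s+(\S+)\s*$"
)


def port_modes(config_text):
    """Return {port: mode} from the dot1x port-control lines in a config dump."""
    modes = {}
    for line in config_text.splitlines():
        m = CMD.match(line)
        if m:
            mode, port = m.groups()
            modes[port] = mode.lower()
    return modes


def audit(config_text, infrastructure_ports):
    """List infrastructure ports (ISL / Radius Server) not set to forced-auth."""
    modes = port_modes(config_text)
    return [
        (port, modes.get(port, "not set"))
        for port in infrastructure_ports
        if modes.get(port) != "forced-auth"
    ]


# Constructed sample: port names and the "auto" mode value are assumptions.
SAMPLE_CONFIG = """\
set dot1x auth-config authcontrolled-portcontrol forced-auth ge.1.1
set dot1x auth-config authcontrolled-portcontrol forced-auth ge.1.2
set dot1x auth-config authcontrolled-portcontrol auto ge.1.2
set dot1x auth-config authcontrolled-portcontrol forced-auth ge.1.24
"""
# Hypothetical inventory: ge.1.1, ge.1.2 and ge.1.3 are inter-switch links,
# ge.1.24 is the Radius Server port.
INFRA_PORTS = ["ge.1.1", "ge.1.2", "ge.1.3", "ge.1.24"]

if __name__ == "__main__":
    for port, mode in audit(SAMPLE_CONFIG, INFRA_PORTS):
        print(f"{port}: {mode} (expected forced-auth)")
```

Any port the audit lists is a candidate source of the unexpected EAPOL Identity Requests described under Cause.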