Troubleshooting

Unusual Network Activity

The authorized MAC address on a port that is configured for both 802.1x and port security either changes or is re-acquired after execution of aaa port-access authenticator < port-list > initialize. If the port is force-authorized with aaa port-access authenticator <port-list> control authorized command and port security is enabled on the port, then executing initialize causes the port to clear the learned address and learn a new address from the first packet it receives after you execute initialize.

A trunked port configured for 802.1x is blocked. If you are using RADIUS authentication and the RADIUS server specifies a VLAN for the port, the switch allows authentication, but blocks the port. To eliminate this prob­ lem, either remove the port from the trunk or reconfigure the RADIUS server to avoid specifying a VLAN.

Radius-Related Problems

The switch does not receive a response to RADIUS authentication

requests. In this case, the switch will attempt authentication using the secondary method configured for the type of access you are using (console, Telnet, or SSH).

There can be several reasons for not receiving a response to an authentication request. Do the following:

Use ping to ensure that the switch has access to the configured RADIUS server.

Verify that the switch is using the correct encryption key for the desig­ nated server.

Verify that the switch has the correct IP address for the RADIUS server.

Ensure that the radius-server timeout period is long enough for network conditions.

Verify that the switch is using the same UDP port number as the server.

RADIUS server fails to respond to a request for service, even though

the server’s IP address is correctly configured in the switch. Use show radius to verify that the encryption key the switch is using is correct for the server being contacted. If the switch has only a global key configured, then it either must match the server key or you must configure a server-specific key. If the switch already has a server-specific key assigned to the server’s IP address, then it overrides the global key and must match the server key.

C-13