C-11
Troubleshooting
Unusual Network Activity
Port-Based Access Control (802.1X)-Related Problems
Note To list the 802.1X port-access Event Log messages stored on the switch, use
show log 802.
See also “Radius-Related Problems” on page C-14.
The switch does not receive a response to RADIUS authentication
requests. In this case, the switch will attempt authentication using the
secondary method configured for the type of access you are using (console,
Telnet, or SSH).
There can be several reasons for not receiving a response to an authentication
request. Do the following:
■ Use ping to ensure that the switch has access to the configured RADIUS
servers.
■ Verify that the switch is using the correct encryption key (RADIUS secret
key) for each server.
■ Verify that the switch has the correct IP address for each RADIUS server.
■ Ensure that the radius-server timeout period is long enough for network
conditions.
The switch does not authenticate a client even though the RADIUS
server is properly configured and providing a response to the
authentication request. If the RADIUS server configuration for authenti-
cating the client includes a VLAN assignment, ensure that the VLAN exists as
a static VLAN on the switch. See “How 802.1X Authentication Affects VLAN
Operation” in the Access Security Guide for your switch.
During RADIUS-authenticated client sessions, access to a VLAN on the
port used for the client sessions is lost. If the affected VLAN is config-
ured as untagged on the port, it may be temporarily blocked on that port during
an 802.1X session. This is because the switch has temporarily assigned another
VLAN as untagged on the port to support the client access, as specified in the
response from the RADIUS server. See “How 802.1X Authentication Affects
VLAN Operation” in the Access Security Guide for your switch.