Dot1x authentication takes a long time and is interrupted a few minutes after successful authentication


Network Topology

PC——IP Phone —— S5570 —— Core sw —— Radius

Problem Description

IP phone + PC users chained on the same interface do not work properly: many re-authentication attempts against the RADIUS server (ClearPass) occur during the authentication phase, and authentication takes a long time. A few minutes after successful authentication, users report interruptions in communication.

Process Analysis

1. According to the dot1x debug log, the same error, "Mismatched identifier", appeared four times.

2. Checked that the dot1x password configured on the S5570 is consistent with ClearPass and that the encryption method is MD5.

3. Checked the access user's information: account name and password.

4. Ran undo dot1x handshake on the port connected to the IP phone, and the disconnections no longer occurred. dot1x handshake is enabled by default; if the device fails to receive a response message from the client several times in a row, it cuts the user's connection.

5. When the user connects, both the IP phone and the PC should be authenticated, but viewing the port's dot1x sessions (display dot1x sessions interface g1/0/3) shows that only the first device to connect is authenticated. In this case the PC had connected before the IP phone.

6. The port's access mode had been set to portbased on site, so once the first user on the port authenticates successfully, all other users on the port can use network resources. Likewise, when the first user goes offline, the other users are also denied network access. The on-site requirement calls for changing dot1x port-method to macbased.

7. The PC (not the IP phone, only the PC) re-authenticates every 30 s. The PC works normally, but the customer wants re-authentication every 8 hours instead of every 30 s, which fills ClearPass with PC authentication log messages.

8. 30 s is the multicast trigger period on the device port. Turning off the multicast trigger on the port and turning on the unicast trigger solves the problem.

Solution

1. Run undo dot1x handshake on the interface connecting the IP phone to the switch.

2. Change dot1x port-method to macbased.

3. Turn off the multicast trigger on the port and turn on the unicast trigger.
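The three steps above as one interface configuration, written as an added example and not taken from the original case: the interface name g1/0/3 comes from step 5, the command names follow H3C Comware syntax and should be checked against the switch's own release, and the display commands at the end are how to confirm that both the phone and the PC hold their own sessions afterwards.

```text
# Added example: S5570 interface carrying an IP phone with a PC behind it.
# Before (behaviour described in the case): handshake on, portbased access,
# multicast trigger on. Only the first MAC gets a session, the phone is cut
# when it misses several handshake replies, and the PC re-authenticates
# every 30 s because of the multicast EAP-Request/Identity.
#
system-view
interface GigabitEthernet1/0/3
 dot1x
 # Step 2: one 802.1X session per MAC, so the phone and the PC are each
 # authenticated and each can go offline without affecting the other.
 dot1x port-method macbased
 # Step 1: stop the periodic handshake that was dropping the phone.
 # Note that the switch then no longer notices a silent phone through
 # the handshake; its session stays up until it is cleared another way.
 undo dot1x handshake
 # Step 3: replace the 30 s multicast trigger with a unicast trigger that
 # is sent only when an unknown source MAC appears on the port.
 undo dot1x multicast-trigger
 dot1x unicast-trigger
 quit
#
# Verify: both MACs should now appear, and the sessions should stay
# stable rather than re-authenticating every 30 s.
display dot1x sessions interface GigabitEthernet1/0/3
display dot1x interface GigabitEthernet1/0/3
```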
