I enabled port authentication with RADIUS on our customer switch. Port authentication works fine, but currently I have two issues that I have to find a solution for:
Issue 1:
Although I defined a secondary RADIUS server, when the primary server is disconnected from the network the switch does not send an authentication request to the secondary RADIUS server.
Issue 2:
Port authentication works just one time for a client which is connected to the phone. It doesn't matter whether the authentication is successful or not. Details:
When authentication is successful, it is possible to disconnect the authorized client from the phone's LAN port and connect another client to it. In this case the port remains authorized for the old MAC address, and for the new MAC address the switch does not send any new port authentication request.
Also, when the MAC authentication is unsuccessful, the switch does not send any new port authentication request and the port remains not authorized.
My configuration:
radius server host 10.11.11.169 retry 1 timeout 10
radius server host key "xxxxxx"
radius server host 10.11.10.250 secondary
!
eapol multihost allow-non-eap-enable
eapol multihost radius-non-eap-enable
no eapol multihost non-eap-pwd-fmt
eapol multihost non-eap-pwd-fmt mac-addr
eapol enable
!
interface fastEthernet 1-24
eapol status auto
eapol multihost allow-non-eap-enable
eapol multihost eap-mac-max 2
eapol multihost non-eap-mac-max 2
eapol multihost radius-non-eap-enable
eapol multihost enable
exit
!
Do you have any tips or suggestions?
Thanks.