Hello community,
we are in the process of securing our wired networks with 802.1x and Windows NPS.
Unfortunately sometimes there are not enough outlets. We have some 2530-8G switches for these cases.
These are then connected to 2930F switches in our network closets.
Here is the relevant config from our 2930F:
radius-server host 192.168.2.184
radius-server host 192.168.2.185
aaa authentication port-access eap-radius
aaa authentication mac-based peap-mschapv2
aaa port-access gvrp-vlans
aaa port-access authenticator active
interface 1/1
   unknown-vlans disable
   qos trust dscp
   untagged vlan 2222
   aaa port-access authenticator
   aaa port-access authenticator reauth-period 3600
   aaa port-access authenticator client-limit 8
   aaa port-access mac-based
   aaa port-access mac-based addr-limit 8
   aaa port-access mac-based reauth-period 3600
   aaa port-access auth-order authenticator mac-based
   aaa port-access auth-priority authenticator mac-based
   exit
And the 2530:
interface 9
   qos trust dscp
   tagged vlan 10,103
   aaa port-access supplicant
   aaa port-access supplicant identity "edge-swi-09" encrypted-secret xxx
   exit
When activated, the 2930F tries to authenticate the clients on port 1/1 but sees only MAC addresses, which fails.
If I remove the client limit from port 1/1 and make it port-based authentication, everything works and the 2530 gets authenticated.
If I connect a CX-6000 12G switch with a similar configuration, authentication in user mode works.
Is this expected behavior? Is there something I'm missing?
Regards,
Tobias
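As an added example (not part of the post above, and not vendor code), the following Python script parses the two ArubaOS-Switch interface stanzas quoted in the post and reports what access-control mode each port ends up in. On ArubaOS-Switch, configuring `aaa port-access authenticator client-limit N` on a port switches it from port-based to user-based 802.1X, which is exactly the difference between the failing and the working variant described above: in port-based mode one authenticated supplicant opens the port for every MAC behind it, in user-based mode each MAC must pass 802.1X or the MAC-auth fallback on its own. The `port_based_variant` helper reproduces the poster's manual change (dropping the client-limit line); the sample configs are copied from the post, with the secret left as the placeholder `xxx`.

```python
import re

# Copied from the post: the 2930F uplink port in user-based mode (client-limit set).
CONFIG_2930F = """\
radius-server host 192.168.2.184
radius-server host 192.168.2.185
aaa authentication port-access eap-radius
aaa authentication mac-based peap-mschapv2
aaa port-access authenticator active
interface 1/1
   untagged vlan 2222
   aaa port-access authenticator
   aaa port-access authenticator reauth-period 3600
   aaa port-access authenticator client-limit 8
   aaa port-access mac-based
   aaa port-access mac-based addr-limit 8
   aaa port-access mac-based reauth-period 3600
   aaa port-access auth-order authenticator mac-based
   aaa port-access auth-priority authenticator mac-based
   exit
"""

# Copied from the post: the 2530 acting as 802.1X supplicant on its uplink.
CONFIG_2530 = """\
interface 9
   tagged vlan 10,103
   aaa port-access supplicant
   aaa port-access supplicant identity "edge-swi-09" encrypted-secret xxx
   exit
"""


def parse_interfaces(config):
    """Return {port: [command, ...]} for every 'interface ... exit' block.

    Indentation is ignored on purpose, so configs pasted without it (as in
    the post) parse the same way as a 'show running-config' dump."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line == "exit":
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks


def summarize_port_access(lines):
    """Reduce a port's 'aaa port-access' commands to the settings that matter."""
    s = {"authenticator": False, "client_limit": None, "mac_based": False,
         "addr_limit": None, "auth_order": None, "supplicant": False,
         "mode": "none"}
    for line in lines:
        if line == "aaa port-access authenticator":
            s["authenticator"] = True
        elif m := re.fullmatch(r"aaa port-access authenticator client-limit (\d+)", line):
            s["client_limit"] = int(m.group(1))
        elif line == "aaa port-access mac-based":
            s["mac_based"] = True
        elif m := re.fullmatch(r"aaa port-access mac-based addr-limit (\d+)", line):
            s["addr_limit"] = int(m.group(1))
        elif m := re.fullmatch(r"aaa port-access auth-order (.+)", line):
            s["auth_order"] = m.group(1).split()
        elif line.startswith("aaa port-access supplicant"):
            s["supplicant"] = True
    # ArubaOS-Switch semantics: client-limit present -> user-based, else port-based.
    if s["authenticator"]:
        s["mode"] = "user-based" if s["client_limit"] is not None else "port-based"
    return s


def port_based_variant(lines):
    """The poster's workaround: drop the client-limit line to return to port-based mode."""
    return [l for l in lines if "authenticator client-limit" not in l]


def explain(summary):
    """Human-readable consequence of the mode, for a config review."""
    if summary["mode"] == "user-based":
        msg = "user-based: each MAC behind the port must authenticate individually"
        if summary["mac_based"]:
            msg += "; unauthenticated MACs fall back to MAC auth against RADIUS"
        return msg
    if summary["mode"] == "port-based":
        return "port-based: one authenticated supplicant opens the port for all MACs behind it"
    if summary["supplicant"]:
        return "supplicant only: this port authenticates itself to the upstream switch"
    return "no port-access control configured"


if __name__ == "__main__":
    for name, cfg in (("2930F", CONFIG_2930F), ("2530", CONFIG_2530)):
        for port, lines in parse_interfaces(cfg).items():
            print(f"{name} {port}: {explain(summarize_port_access(lines))}")
    changed = port_based_variant(parse_interfaces(CONFIG_2930F)["1/1"])
    print(f"2930F 1/1 without client-limit: {explain(summarize_port_access(changed))}")
```

Running it prints the mode for the 2930F uplink as configured, the supplicant role of the 2530 port, and the port-based mode the uplink falls into once the client-limit line is removed, which is a quick way to confirm what a given port will demand from devices behind a supplicant switch before touching production closets.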