During my lab for Cisco 802.1X wired network authentication, I realized that a switch port LED on my 3750G is amber when only a Cisco IP Phone is connected. The IP Phone does (for now) a simple MAB (MAC Authentication Bypass); the downstream device (laptop) does dot1x authentication.
I started with some basic 802.1X configuration on the Cisco switch to figure out how dot1x and MAB behave in a typical office scenario where IP Phones with downstream clients (laptops) are connected to a switch port. My configuration looks like this:
Typically a user removes the laptop connected to the IP Phone's Gigabit Ethernet port, goes somewhere else and - boom - the LED is amber, which indicates some type of network issue on this port. However, the IP Phone is authenticated with MAB and works perfectly.
The `show authentication session interface gi1/0/2` command displays that everything looks fine. But of course as a network engineer I want to see only green LEDs on the switches to know that everything is working fine ;) This is the output of the `show authentication session` command:
I stumbled upon this excellent article, CiscoZine: 802.1X Deployment Guide: Interface configuration, where `authentication control-direction in` is set on the interface. This line is typically used for Wake-on-LAN. From Cisco's 802.1X documentation:
- `both` sets the port as bidirectional, which means the port cannot receive packets from or send packets to the host (this is the default)
- `in` sets the port as unidirectional, which means the port can send packets to the host but cannot receive packets from the host
At the moment (it's too late anyway) I have no idea why this setting for WoL is impacting the LED on the switch port in relation to 802.1X and an IP phone without a downstream client. But it does the trick ;)
My switch port configuration now looks like this:
Perhaps this is helpful to someone encountering the same issue.
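As an added example (my own constructed configuration, not the post's original config, which is not reproduced above), here is a phone-plus-laptop access port in multi-domain mode with the `authentication control-direction in` line from the article applied. The interface name, VLAN numbers and an already configured RADIUS server are assumptions.

```cisco
! Constructed example, not the original post's configuration.
! Assumed: interface Gi1/0/2, data VLAN 10, voice VLAN 20, RADIUS already set up.
interface GigabitEthernet1/0/2
 description IP phone (MAB) with laptop (802.1X) behind it
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! one authenticated host in the data domain, one in the voice domain
 authentication host-mode multi-domain
 authentication port-control auto
 ! try 802.1X first and fall back to MAB for the phone
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 dot1x pae authenticator
 ! default is "both": nothing is forwarded in either direction before authentication.
 ! "in" blocks ingress only, so the switch may still send frames to the host (WoL).
 authentication control-direction in
 spanning-tree portfast
! verify the phone and laptop sessions with:
! show authentication sessions interface GigabitEthernet1/0/2
```

With `control-direction in` the switch may forward traffic toward the host before it authenticates, which is the intended Wake-on-LAN behaviour but also means an unauthenticated device on that port can receive (though not send) frames.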