Switched Port Analyzer

One of the most useful tools for debugging 802.1X failures on the authenticator is the Switched Port Analyzer (SPAN).

SPAN allows you to mirror all the EAP traffic sent and received on one port to a different port where it can be analyzed by a sniffer. By sniffing the actual EAP packets that are exchanged between the authenticator and the client, you can diagnose some failures that are not visible from the Cisco ISE.

To configure a Cisco Catalyst 3000 Series Switch to mirror all the traffic from one port (the source port) to another (the destination port), use the following Cisco IOS commands in configuration mode:

  • (config)# monitor session 1 source interface Gigabit 0/1
  • (config)# monitor session 1 destination interface Gigabit 0/2 encapsulation replicate

To configure a Cisco Catalyst 4500 Series Switch to mirror all the traffic from one port (the source port) to another (the destination port), use the following Cisco IOS commands in configuration mode:

  • (config)# monitor session 1 source interface Gigabit 1/1
  • (config)# monitor session 1 destination interface Gigabit 1/2

No special configuration options are required to use SPAN on Layer 2 frames on the Cisco Catalyst 4500 Series switch, since the Cisco Catalyst 4500 monitors all Layer 2 frames with the default SPAN configuration shown above.
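Once the mirrored frames reach the sniffer, the EAP exchange can be decoded to see where authentication stops. The following Python sketch is an added example, not part of the original Cisco documentation: it parses raw Ethernet frames, skips any 802.1Q tag that a mirror preserving the source encapsulation may deliver, and summarizes the EAPOL/EAP conversation. The function names, verdict strings, and sample frames are constructed for illustration.

```python
import struct

ETH_EAPOL, ETH_VLAN = 0x888E, 0x8100  # 802.1X EtherType; 802.1Q tag protocol ID
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}


def decode_eapol(frame: bytes):
    """Summarise one Ethernet frame; return None if it is not EAPOL."""
    offset = 14  # first byte after an untagged EtherType
    ethertype = int.from_bytes(frame[12:14], "big")  # short frames yield 0
    while ethertype == ETH_VLAN:  # step over each 4-byte 802.1Q tag
        ethertype = int.from_bytes(frame[offset + 2:offset + 4], "big")
        offset += 4
    if ethertype != ETH_EAPOL or len(frame) < offset + 4:
        return None
    _version, ptype, body_len = struct.unpack_from("!BBH", frame, offset)
    body = frame[offset + 4:offset + 4 + body_len]
    if ptype != 0:
        return EAPOL_TYPES.get(ptype, f"EAPOL-type-{ptype}")
    if len(body) < 4:
        return "EAP-Packet (truncated)"
    summary = f"EAP {EAP_CODES.get(body[0], body[0])} id={body[1]}"
    if body[0] in (1, 2) and len(body) >= 5:  # only Request/Response carry a Type
        summary += " " + EAP_TYPES.get(body[4], f"type-{body[4]}")
    return summary


def diagnose(frames):
    """Return (per-frame summaries, verdict) for a mirrored capture."""
    seen = [s for s in map(decode_eapol, frames) if s]
    text = " ".join(seen)
    if "Failure" in text:
        verdict = "authentication failed"
    elif "Success" in text:
        verdict = "authentication succeeded"
    elif "Request" in text and "Response" not in text:
        verdict = "client did not answer EAP requests"
    else:
        verdict = "exchange incomplete" if seen else "no EAPOL frames captured"
    return seen, verdict


# Constructed sample capture: two frames tagged VLAN 10, then an untagged Failure.
HDR = "0180c2000003020000000001"  # PAE group destination + made-up source MAC
SAMPLE = [bytes.fromhex(HDR + h) for h in ("8100000a888e010000050101000501",
          "8100000a888e010000080201000801626f62", "888e0100000404020004")]
```

Calling `diagnose(SAMPLE)` returns the three decoded frames and the verdict `authentication failed`; a capture containing only repeated Request/Identity frames yields `client did not answer EAP requests`.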