Procedure 7 - Validate Endpoint-to-NAD Communication

Step 1
For Catalyst switches, enable 802.1X debugging by running the following in exec mode:
  • debug dot1x
Step 2
Validate that client is sending EAP over LAN (EAPoL) Start message by checking the debug log.

Step 3
For devices using MAC Authentication Bypass (MAB), validate that the device is sending traffic.

If the interface is configured with the settings for order and timers that are recommended for Cisco TrustSec 2.1, it will take 30 seconds before the switch will accept and use the traffic from the endpoint to send a MAB request. This is typically not an issue for chatty devices, such as Windows PC devices; however, some printers may take a while to go through the MAB. If you are experiencing long delays to successfully MAB a device, like a printer, consider running the interface-specific command authentication control-direction in to allow traffic from the network to the endpoint prior to authentication, which could accelerate the MAB process.